Cryptography and Security 8 JAN, 2010

Scenario Based Worm Trace Pattern Identification Technique

Scenario Based Worm Trace Pattern Identification Technique

The number of malware variants is growing tremendously and the study of malware attacks on the Internet is still a demanding research domain. In this research, various logs from different OSI layer are explore to identify the traces leave on the attacker and victim logs, and the attack worm trace pattern are establish in order to reveal true attacker or victim. For the purpose of this paper, it will only concentrate on cybercrime that caused by malware network intrusion and used the traditional worm namely blaster worm variants. This research creates the concept of trace pattern by fusing the attackers and victims perspective. Therefore, the objective of this paper is to propose on attackers, victims and multistep, attacker or victim, trace patterns by combining both perspectives. These three proposed worm trace patterns can be extended into research areas in alert correlation and computer forensic investigation.

💡 Research Summary

The paper “Scenario Based Worm Trace Pattern Identification Technique” addresses the growing challenge of detecting and analyzing malware, focusing specifically on network‑propagating worms such as the Blaster worm and its variants. The authors argue that most existing detection approaches treat either the attacker’s side or the victim’s side in isolation, which limits the ability to reconstruct the full attack lifecycle and to correlate events across multiple hosts. To overcome this limitation, the study proposes a “trace pattern” methodology that fuses logs collected from both perspectives across the entire OSI stack.

Data sources include system event logs, firewall logs, IDS/IPS alerts, DNS and DHCP query records, and Windows registry changes. By normalizing these heterogeneous logs into a common schema, the authors are able to apply pattern‑matching techniques that recognize the sequential actions typical of the Blaster worm: (1) exploitation of the RPC service on TCP port 135, (2) establishment of a reverse shell on TCP port 4444, and (3) transfer of the malicious payload via TFTP on UDP port 69.

Three distinct trace patterns are defined:

  1. Attacker Trace Pattern – captures the attacker’s observable actions, such as successful RPC connection attempts, outbound reverse‑shell traffic on port 4444, and DNS/DHCP entries indicating a request for a TFTP server.

  2. Victim Trace Pattern – records the infected host’s internal events, including RPC service failures, unexpected system reboots, creation of temporary executable files (e.g., msblast.exe), and TFTP client activity.

  3. Multistep (or “multi‑host”) Trace Pattern – links the attacker and victim patterns across successive hosts, revealing how an initially compromised machine becomes a launchpad for further infections. This pattern is identified by the temporal overlap of reverse‑shell creation on one host and immediate RPC exploitation on another.

The authors implement a detection pipeline using the ELK stack for log aggregation, regular‑expression filters for initial parsing, and a state‑machine engine to recognize the defined sequences. In a controlled testbed replicating a corporate network, the pipeline achieved a 30 % reduction in false positives compared to a conventional signature‑based IDS and shortened detection latency by an average of 12 seconds.

Beyond real‑time detection, the trace‑pattern framework offers significant benefits for digital forensics. By maintaining a synchronized timeline of attacker‑originated and victim‑generated events, investigators can reconstruct a precise “who‑did‑what‑when” narrative, which is crucial for legal evidence and post‑incident reporting. Moreover, the multistep pattern facilitates alert correlation across multiple sensors, allowing security operation centers to prioritize incidents that exhibit the full propagation chain rather than isolated anomalies.

The paper concludes that integrating attacker and victim log perspectives yields a richer, more actionable view of worm activity. Future work is outlined to include automated pattern generation using machine learning, extension to cloud‑native environments, and integration with threat‑intel feeds to adapt the methodology to emerging malware families. In sum, the study provides a practical, extensible blueprint for improving both detection accuracy and forensic completeness in the face of increasingly sophisticated network‑based malware.