FIRST - Improving Security Together 18th Annual FIRST Conference - June 2006 - Baltimore, Maryland

Time Signatures to Detect Multi-headed Stealthy Attack Tools


Technical Track

Friday – June 30th, 15:00

In this paper, we present a method to detect the existence of sophisticated attack tools on the Internet that combine, in a misleading way, several exploits. These tools apply various attack strategies, resulting in several different attack fingerprints. A few of these sophisticated tools have already been identified, e.g. Welchia. However, devising a method to detect them automatically is very challenging, since their different fingerprints are apparently unrelated. We propose a technique to automatically detect their existence through their time signatures. We demonstrate the value of the technique on a large set of real-world attack traces and discover a handful of these new sophisticated tools.

Authors & presenters

  • Fabien Pouget, Presenter (CERTA – French Government, FR)

  • Guillaume Urvoy-Keller (Institut EURECOM, FR)

  • Marc Dacier (Institut EURECOM, FR)
