Twenty years ago, on May 4, 2000, the ILOVEYOU worm swept through an Air Force site I happened to be monitoring with an experimental network sensor.
The video below describes what our sensor was doing and how the worm looked from that sensor’s perspective.
Additional Information
Here are some additional links for more information on the fingerprint work (note: in these documents we called it “thumbprint” instead of “fingerprint”).
This 1992 paper is where the fingerprint concept was first described, along with its initially proposed use: tracking hackers hopping across the Internet.
L.T. Heberlein, B. Mukherjee, K.N. Levitt, "Internetwork Security Monitor: An Intrusion-Detection System for Large-Scale Networks," Proc. 15th National Computer Security Conference, pp. 262-271, Oct. 1992, https://www.toddheberlein.com/s/ISM_NCSC_92-pf53.pdf
This 1995 paper provides one mathematical implementation for a fingerprint and describes the results of our first prototype.
S. Staniford-Chen and L.T. Heberlein, "Holding Intruders Accountable on the Internet," Proceedings of the 1995 IEEE Symposium on Security and Privacy, Oakland, CA, 8-10 May 1995, pp. 39-49, https://www.toddheberlein.com/s/Thumbprint_IEEE_95-eztl.pdf
This 1999 presentation describes the fingerprinting technique and some other possible uses.
T. Heberlein, "Applications of Principal Component Analysis," Dec 13, 1999, https://www.toddheberlein.com/s/PCA-1999-12-13.pdf
This 2002 report describes the Network Radar system, the network sensor that captured the ILOVEYOU worm as it swept through the Air Force site.
L.T. Heberlein, "Network Radar: Final Report," Net Squared, Technical Report 2002-01, Aug 2002, https://www.toddheberlein.com/s/NetRadar_Final_Report.pdf
Final notes
When putting together this video, what I found most fascinating was that I managed to find and then get working 20-year-old Java code on my iMac Pro. You might notice some glitches, the most noticeable being the font. But the timestamp was also off from old screenshots I found.