DOI: 10.1145/1460877.1460895
research-article

Containment of network worms via per-process rate-limiting

Published: 22 September 2008

Abstract

Network worms pose a serious threat to the Internet infrastructure as well as end-users. Various techniques have been proposed for detection of, and response against worms. A frequently-used and automated response mechanism is to rate-limit outbound worm traffic while maintaining the operation of legitimate applications, offering a gentler alternative to the usual detect-and-block approach. However, most rate-limiting schemes to date only focus on host-level network activities and impose a single threshold on the entire host, failing to (i) accommodate network-intensive applications and (ii) effectively contain network worms at the same time. To alleviate these limitations, we propose a per-process-based containment framework in each host that monitors the fine-grained runtime behavior of each process and accordingly assigns the process a suspicion level generated by a machine-learning algorithm. We have also developed a heuristic to optimally map each suspicion level to the rate-limiting threshold. The framework is shown to be effective in containing network worms and allowing the traffic of legitimate programs, achieving lower false-alarm rates.
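As an added illustration of the per-process scheme the abstract describes (this is example code written for this page, not the paper's implementation), the following compares a single host-wide threshold with per-process token buckets whose rates are derived from a suspicion level. The process names, attempt rates, suspicion values and the linear suspicion-to-rate mapping are all constructed assumptions of the example; the paper's own heuristic for that mapping is not reproduced here.

```python
"""Per-process outbound rate-limiting driven by a suspicion level.

Constructed illustration (not the paper's code) of the abstract's idea: every
process gets its own threshold derived from its suspicion level, instead of a
single host-wide cap. Exact rational arithmetic avoids float edge effects at
the "one token left" boundary.
"""
from dataclasses import dataclass, field
from fractions import Fraction


@dataclass
class TokenBucket:
    """Token bucket admitting `rate` new connections/s, bursting up to `capacity`."""
    rate: Fraction
    capacity: Fraction
    tokens: Fraction = field(init=False)
    last: Fraction = field(init=False, default=Fraction(0))

    def __post_init__(self) -> None:
        self.tokens = self.capacity

    def allow(self, now: Fraction) -> bool:
        """Admit one connection attempt at time `now`, or report it as delayed."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def threshold_for(suspicion: Fraction, max_rate: int = 50, min_rate: int = 1) -> Fraction:
    """Map a suspicion level in [0, 1] to an allowed new-connection rate (conn/s).

    ASSUMPTION: a linear decay with a floor, chosen for this example only. The
    paper describes its own heuristic for this mapping; it is not reproduced.
    """
    if not 0 <= suspicion <= 1:
        raise ValueError("suspicion must lie in [0, 1]")
    return max(Fraction(min_rate), max_rate * (1 - suspicion))


def attempts(attempts_per_sec: dict, seconds: int) -> list:
    """Constructed workload: evenly spaced connection attempts per process."""
    events = [(Fraction(sec) + Fraction(i, n), pid)
              for sec in range(seconds)
              for pid, n in attempts_per_sec.items()
              for i in range(n)]
    return sorted(events)  # simultaneous attempts tie-break by pid name (artefact of the example)


def simulate(buckets, events) -> dict:
    """Replay events through one shared bucket (host-level) or a dict
    pid -> bucket (per-process). Returns pid -> (allowed, delayed)."""
    stats = {}
    for now, pid in events:
        bucket = buckets[pid] if isinstance(buckets, dict) else buckets
        allowed, delayed = stats.get(pid, (0, 0))
        stats[pid] = (allowed + 1, delayed) if bucket.allow(now) else (allowed, delayed + 1)
    return stats


# Constructed inputs: a network-intensive legitimate process and a scanning one,
# both attempting 30 new connections/s; suspicion values stand in for the
# classifier output the abstract mentions.
WORKLOAD = {"backup": 30, "scanner": 30}
SUSPICION = {"backup": Fraction("0.05"), "scanner": Fraction("0.9")}


def host_level(cap: int = 10) -> dict:
    """One threshold for the whole host: both processes share a single bucket."""
    return simulate(TokenBucket(Fraction(cap), Fraction(cap)), attempts(WORKLOAD, 5))


def per_process() -> dict:
    """Each process is limited by its own suspicion-derived threshold."""
    buckets = {pid: TokenBucket(threshold_for(s), threshold_for(s))
               for pid, s in SUSPICION.items()}
    return simulate(buckets, attempts(WORKLOAD, 5))


if __name__ == "__main__":
    print("host-level  :", host_level())
    print("per-process :", per_process())
```

Over the five constructed seconds the shared host-wide bucket admits only 54 of the backup process's 150 attempts, so the legitimate network-intensive program is throttled, while the per-process run admits all 150 of them and holds the high-suspicion scanner to its 5 conn/s threshold (29 admitted, the burst allowance plus 5 per second). That is the trade-off the abstract names: a single host threshold cannot both accommodate heavy legitimate traffic and contain a suspicious process.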


Cited By

  • (2020) Hybrid Botnet Detection Based on Host and Network Analysis. Journal of Computer Networks and Communications, doi:10.1155/2020/9024726. Online publication date: 1 Jan 2020.

Published In

cover image ACM Other conferences
SecureComm '08: Proceedings of the 4th international conference on Security and privacy in communication networks
September 2008
329 pages
ISBN:9781605582412
DOI:10.1145/1460877
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

  • Create-Net
  • INRIA: Institut Natl de Recherche en Info et en Automatique

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. behavior analysis
  2. rate-limiting
  3. worm containment

Qualifiers

  • Research-article

Conference

Securecomm08
Sponsor:
  • INRIA

Article Metrics

  • Downloads (last 12 months): 2
  • Downloads (last 6 weeks): 0
Reflects downloads up to 12 Feb 2025
