Abstract | ||
---|---|---|
Network worms pose a serious threat to the Internet infrastructure as well as end-users. Various techniques have been proposed for detection of, and response against, worms. A frequently-used and automated response mechanism is to rate-limit outbound worm traffic while maintaining the operation of legitimate applications, offering a gentler alternative to the usual detect-and-block approach. However, most rate-limiting schemes to date only focus on host-level network activities and impose a single threshold on the entire host, failing to (i) accommodate network-intensive applications and (ii) effectively contain network worms at the same time. To alleviate these limitations, we propose a per-process-based containment framework in each host that monitors the fine-grained runtime behavior of each process and accordingly assigns the process a suspicion level generated by a machine-learning algorithm. We have also developed a heuristic to optimally map each suspicion level to the rate-limiting threshold. The framework is shown to be effective in containing network worms and allowing the traffic of legitimate programs, achieving lower false-alarm rates. |
Year | DOI | Venue |
---|---|---|
2008 | 10.1145/1460877.1460895 | SecureComm |
Keywords | Field | DocType |
---|---|---|
suspicion level, rate-limiting scheme, entire host, rate-limiting, network worm, legitimate program, per-process rate-limiting, host-level network activity, worm containment, legitimate application, automated response mechanism, behavior analysis, per-process-based containment framework, outbound worm traffic, rate limiting, machine learning, false alarm rate | Heuristic, Computer science, Computer security, Containment, Limiting, The Internet | Conference |
Citations | PageRank | References |
---|---|---|
2 | 0.41 | 15 |
Authors | ||
5 |
Name | Order | Citations | PageRank |
---|---|---|---|
Yuanyuan Zeng | 1 | 417 | 20.28 |
Xin Hu | 2 | 445 | 30.43 |
Haixiong Wang | 3 | 2 | 0.41 |
Kang G. Shin | 4 | 14055 | 1487.46 |
Abhijit Bose | 5 | 219 | 20.83 |