Browse > Article
http://dx.doi.org/10.3745/KIPSTC.2005.12C.6.847

Reducing False Alarm and Shortening Worm Detection Time in Virus Throttling  

Shim Jae-Hong (조선대학교 인터넷소프트웨어공학부)
Kim Jang-bok (아주대학교 정보통신전문대학원)
Choi Hyung-Hee (아주대학교 정보통신전문대학원)
Jung Gi-Hyun (아주대학교 전자공학부)
Publication Information
The KIPS Transactions:PartC / v.12C, no.6, 2005 , pp. 847-854 More about this Journal
Abstract
Since the propagation speed of the Internet worms is quite fast, worm detection in early propagation stage is very important for reducing the damage. Virus throttling technique, one of many early worm detection techniques, detects the Internet worm propagation by limiting the connection requests within a certain ratio.[6, 7] The typical throttling technique increases the possibility of false detection by treating destination IP addresses independently in their delay queue managements. In addition, it uses a simple decision strategy that determines a worn intrusion if the delay queue is overflown. This paper proposes a two dimensional delay queue management technique in which the sessions with the same destination IP are linked and thus a IP is not stored more than once. The virus throttling technique with the proposed delay queue management can reduce the possibility of false worm detection, compared with the typical throttling since the proposed technique never counts the number of a IP more than once when it chicks the length of delay queue. Moreover, this paper proposes a worm detection algorithm based on weighted average queue length for reducing worm detection time and the number of worm packets, without increasing the length of delay queue. Through deep experiments, it is verified that the proposed technique taking account of the length of past delay queue as well as current delay queue forecasts the worn propagation earlier than the typical iuぉ throttling techniques do.
Keywords
Virus Throttling; Worm Early Detection; Internet Worm;
Citations & Related Records
Times Cited By KSCI : 1  (Citation Analysis)
연도 인용수 순위
1 CERT, 'CERT Advisory CA-2001-26 Nimda Worm, Sept. 2001. http://www.cert.org/advisories/CA-2001-26.html
2 CERT, 'CERT Advisory CA-2000-04 Love Letter Worm, May 2002. http://www.cert.org/advisorieS/CA-2000-04.html
3 C. C. Zou, W. Gong, and D. Towsley, 'Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense,' ACM CCS Workshop on Rapid Malcode (WORM '03), Washington DC, Oct., 2003   DOI
4 N. Gulati, C. Williamson and R. Bunt, 'LAN traffic locality: Characterization and application,' Proc. of the First International Conference of Local Area Network Interconnection, pp.233-250, Oct., 1993
5 X. Qin, D. Dagon, G. Gu, and W. Lee, 'Worm detection using local networks,' Technical report, College of Computing, Georgia Tech., Feb., 2004
6 CERT, 'CERT Advisory CA-2001-08 Code Red Worm Exploiting Buffer Overflow in lIS Indexing Service DLL,' July 2001. http://www.cert.org/incidenLnotes/IN-2001-08.html
7 J. Jung, S. E. Schechter, and A. W. Berger, 'Fast Detection of Scanning Worm Infections,' Proc. of 7th International Symposium on Recent Advances in Intrusion Detection (RAID), Sophia Antipolis, French Riviera, France, Sept., 2004
8 J. Jung, V. Paxson, A. W. Berger, and H. Balakrishnan, 'Fast portscan detection using sequential hypothesis testing,' Proc. of the IEEE Symposium on Security and Privacy, May, 2004   DOI
9 J. Twycross and M. M. Williamson, 'Implementing and testing a virus throttle,' Proc. of the 12th USENIX Security Symposium, pp.285-294, Aug., 2003
10 Matthew M. Williamson, 'Throttling Viruses: Restricting propagation to defeat malicious mobile code,' Proc. of the 18th Annual Computer Security Applications Conference, Dec., 2002   DOI
11 S. Sidiroglou and A. D. Keromytis, 'A Network Worm Vaccine Architecture,' Proc. of the IEEE Workshop on Enterprise Technologies: Infrastructure for Collaborative Enterprises (WETICE), Workshop on Enterprise Security, pp.220-225, June, 2003
12 D. Moore, V. Paxson, S. Savage, C. Shannon, S. StaniPord and N. Weaver, 'Inside the Slammer worm,' IEEE Security and Privacy, vol. 1, pp. 33-39, July, 2003   DOI   ScienceOn
13 C. Zou, L. Gao, W. Gong, D. Towsley, 'Monitoring and early warning for Internet worms,' ACM Conference on Computer and Communications Security, Washington, DC, Oct., 2003   DOI
14 CERT, 'CERT Advisory CA-2003-04 MS-SQL Server Worm,' Jan., 2003. http://www.cert.org/advisories/CA-2oo304.html
15 CERT, 'CERT Advisory CA-200H)9 Code Red II Another Worm Exploiting Buffer Overflow in IIS Indexing Service DLL,' Aug., 2001. http://www.cert.org/incident_notes/lN2001-09.html