An Algorithm for Increasing Worm Detection Effectiveness in Virus Throttling

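Kim, Jang-Bok (Graduate School of Information and Communication, Ajou University)
Kim, Sang-Joong (Division of Computer and Internet, Keimyung College)
Choi, Sun-Jung (Department of Information and Communication, Kyungmoon College)
Shim, Jae-Hong (Division of Internet Software Engineering, Chosun University)
Chung, Gi-Hyun (Division of Electronics Engineering, Ajou University)
Choi, Kyung-Hee (Graduate School of Information and Communication, Ajou University)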
Abstract
The virus throttling technique [5,6] is one of the well-known early worm detection techniques. Virus throttling reduces worm propagation by artificially delaying connection packets. However, detection is not as fast as expected when the worm generates packets at a low rate, because the technique relies only on the delay queue length. In this paper we use the trend of the weighted average delay queue length (TWAQL). With TWAQL, the detection time for low-rate Internet worms is shortened without a large increase in false alarms. Experiments also showed that our proposed algorithm performs better.
Keywords
Virus Throttling; Internet Worm; Worm Early Detection;
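The effect the abstract describes can be reproduced with a small simulation, added here as an illustration and not taken from the paper. The throttle model is simplified, and the constants, the EWMA weighting and the "consecutive rising ticks" rule are assumptions standing in for the paper's TWAQL definition, which the abstract does not give.

```python
from collections import deque

WORKING_SET = 5    # assumed: number of recently contacted hosts that pass undelayed
Q_LIMIT = 100      # assumed: queue-length detector alarms above this length
ALPHA = 0.2        # assumed: EWMA weight for the averaged queue length
RISE_TICKS = 15    # assumed: trend detector alarms after this many rising ticks

def simulate(schedule):
    """schedule[t] lists the destination ids requested during second t.
    Returns (t_queue_alarm, t_trend_alarm); None means no alarm was raised."""
    recent = deque(maxlen=WORKING_SET)
    queue = deque()
    waql, rising = 0.0, 0
    t_queue = t_trend = None
    for t, dests in enumerate(schedule):
        for d in dests:
            if d not in recent:
                queue.append(d)          # unfamiliar host: request is delayed
        if queue:                        # throttle releases one request per second
            recent.append(queue.popleft())
        prev, waql = waql, (1 - ALPHA) * waql + ALPHA * len(queue)
        rising = rising + 1 if waql > prev else 0
        if t_queue is None and len(queue) > Q_LIMIT:
            t_queue = t                  # detector using queue length only
        if t_trend is None and rising >= RISE_TICKS:
            t_trend = t                  # detector using the averaged-length trend
    return t_queue, t_trend

def worm(rate, seconds):
    # Constructed input: `rate` never-seen destinations every second.
    return [[f"w{t}-{i}" for i in range(rate)] for t in range(seconds)]

def burst(size, seconds):
    # Constructed benign input: one burst of new hosts, then silence.
    return [[f"b{i}" for i in range(size)]] + [[] for _ in range(seconds - 1)]

if __name__ == "__main__":
    print("low-rate worm (2/s):", simulate(worm(2, 200)))
    print("benign burst of 30: ", simulate(burst(30, 60)))
```

In this model a worm scanning at only 2 connections per second needs about 100 seconds to trip the length threshold, while the sustained upward trend is visible after 15; the benign burst drains before the trend rule fires, so neither detector alarms.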
  • Reference
1 Jangbok Kim, Jaehong Shim, Gihyun Jung, and Kyunghee Choi, 'Reducing Worm Detection Time and False Alarm in Virus Throttling,' LNAI 3802, p. 297, December 2005
2 Stuart Staniford, 'Containment of scanning worms in enterprise networks,' Journal of Computer Security, 2004
3 David Whyte, Evangelos Kranakis, P.C. van Oorschot, 'DNS-based Detection of Scanning Worms in an Enterprise Network,' In Proc. of the 12th Annual Network and Distributed System Security Symposium, Feb. 2005
4 J. Jung, S. E. Schechter, and A. W. Berger, 'Fast Detection of Scanning Worm Infections,' Proc. of 7th International Symposium on Recent Advances in Intrusion Detection (RAID), Sophia Antipolis, French Riviera, France, Sept. 2004
5 J. Jung, V. Paxson, A. W. Berger, and H. Balakrishnan, 'Fast portscan detection using sequential hypothesis testing,' Proc. of the IEEE Symposium on Security and Privacy, May 2004
6 C. C. Zou, W. Gong, and D. Towsley, 'Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense,' ACM CCS Workshop on Rapid Malcode (WORM'03), Washington DC, Oct. 2003
7 C. Zou, L. Gao, W. Gong, D. Towsley, 'Monitoring and early warning for Internet worms,' ACM Conference on Computer and Communications Security, Washington, DC, Oct. 2003
8 CERT, 'CERT Advisory CA-2001-08 Code Red Worm Exploiting Buffer Overflow in IIS Indexing Service DLL,' July 2001. http://www.cert.org/incident_notes/IN-2001-08.html
9 CERT, 'CERT Advisory CA-2001-26 Nimda Worm,' Sept. 2001. http://www.cert.org/advisories/CA-2001-26.html
10 Matthew M. Williamson, 'Throttling Viruses: Restricting propagation to defeat malicious mobile code,' Proc. of the 18th Annual Computer Security Applications Conference, Dec. 2002
11 J. Twycross and M. M. Williamson, 'Implementing and testing a virus throttle,' Proc. of the 12th USENIX Security Symposium, pp. 285-294, Aug. 2003
12 X. Qin, D. Dagon, G. Gu, and W. Lee, 'Worm detection using local networks,' Technical report, College of Computing, Georgia Tech., Feb. 2004
13 CERT, 'CERT Advisory CA-2001-09 Code Red II Another Worm Exploiting Buffer Overflow in IIS Indexing Service DLL,' Aug. 2001. http://www.cert.org/incident_notes/IN-2001-09.html
14 CERT, 'CERT Advisory CA-2003-04 MS-SQL Server Worm,' Jan. 2003. http://www.cert.org/advisories/CA-2003-04.html