The nature of statistical learning theory
The nature of statistical learning theory
Making large-scale support vector machine learning practical
Advances in kernel methods
Throttling Viruses: Restricting propagation to defeat malicious mobile code
ACSAC '02 Proceedings of the 18th Annual Computer Security Applications Conference
A Sense of Self for Unix Processes
SP '96 Proceedings of the 1996 IEEE Symposium on Security and Privacy
A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors
SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Terra: a virtual machine-based platform for trusted computing
SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
ICDCS '04 Proceedings of the 24th International Conference on Distributed Computing Systems (ICDCS'04)
Semantics-Aware Malware Detection
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
A Multi-Resolution Approach forWorm Detection and Containment
DSN '06 Proceedings of the International Conference on Dependable Systems and Networks
NetSpy: Automatic Generation of Spyware Signatures for NIDS
ACSAC '06 Proceedings of the 22nd Annual Computer Security Applications Conference
Automated response using system-call delays
SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Behavior-based spyware detection
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
LIBSVM: A library for support vector machines
ACM Transactions on Intelligent Systems and Technology (TIST)
Empirical analysis of rate limiting mechanisms
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Hi-index | 0.02 |
Network worms pose a serious threat to the Internet infrastructure as well as end-users. Various techniques have been proposed for detection of, and response against worms. A frequently-used and automated response mechanism is to rate-limit outbound worm traffic while maintaining the operation of legitimate applications, offering a gentler alternative to the usual detect-and-block approach. However, most rate-limiting schemes to date only focus on host-level network activities and impose a single threshold on the entire host, failing to (i) accommodate network-intensive applications and (ii) effectively contain network worms at the same time. To alleviate these limitations, we propose a per-process-based containment framework in each host that monitors the fine-grained runtime behavior of each process and accordingly assigns the process a suspicion level generated by a machine-learning algorithm. We have also developed a heuristic to optimally map each suspicion level to the rate-limiting threshold. The framework is shown to be effective in containing network worms and allowing the traffic of legitimate programs, achieving lower false-alarm rates.