Containment of network worms via per-process rate-limiting

Authors:
Yuanyuan Zeng;Xin Hu;Haixiong Wang;Kang G. Shin;Abhijit Bose
Affiliations:
The University of Michigan, Ann Arbor, Michigan;The University of Michigan, Ann Arbor, Michigan;The University of Michigan, Ann Arbor, Michigan;The University of Michigan, Ann Arbor, Michigan;IBM T.J. Watson Research, Hawthorne, New York
Venue:
Proceedings of the 4th international conference on Security and privacy in communication netowrks
Year:
2008

Citing 14
Cited 0

The nature of statistical learning theory

The nature of statistical learning theory
Making large-scale support vector machine learning practical

Advances in kernel methods
Throttling Viruses: Restricting propagation to defeat malicious mobile code

ACSAC '02 Proceedings of the 18th Annual Computer Security Applications Conference
A Sense of Self for Unix Processes

SP '96 Proceedings of the 1996 IEEE Symposium on Security and Privacy
A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors

SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Terra: a virtual machine-based platform for trusted computing

SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
Slowing Down Internet Worms

ICDCS '04 Proceedings of the 24th International Conference on Distributed Computing Systems (ICDCS'04)
Semantics-Aware Malware Detection

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
A Multi-Resolution Approach forWorm Detection and Containment

DSN '06 Proceedings of the International Conference on Dependable Systems and Networks
NetSpy: Automatic Generation of Spyware Signatures for NIDS

ACSAC '06 Proceedings of the 22nd Annual Computer Security Applications Conference
Automated response using system-call delays

SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Behavior-based spyware detection

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
LIBSVM: A library for support vector machines

ACM Transactions on Intelligent Systems and Technology (TIST)
Empirical analysis of rate limiting mechanisms

RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection

Quantified Score

Hi-index	0.02

Visualization

Abstract

Network worms pose a serious threat to the Internet infrastructure as well as end-users. Various techniques have been proposed for detection of, and response against worms. A frequently-used and automated response mechanism is to rate-limit outbound worm traffic while maintaining the operation of legitimate applications, offering a gentler alternative to the usual detect-and-block approach. However, most rate-limiting schemes to date only focus on host-level network activities and impose a single threshold on the entire host, failing to (i) accommodate network-intensive applications and (ii) effectively contain network worms at the same time. To alleviate these limitations, we propose a per-process-based containment framework in each host that monitors the fine-grained runtime behavior of each process and accordingly assigns the process a suspicion level generated by a machine-learning algorithm. We have also developed a heuristic to optimally map each suspicion level to the rate-limiting threshold. The framework is shown to be effective in containing network worms and allowing the traffic of legitimate programs, achieving lower false-alarm rates.