In recent years, Internet worms have become an increasing threat to Internet hosts and services because of how rapidly they propagate. The problem is worsened by zero-day polymorphic worms, which change their byte patterns dynamically and so evade most existing intrusion detection systems that depend on some form of signature generation. In this paper, we propose a novel rough set worm detection (RSWD) scheme that extends well-developed rough set theory (RST) to detect zero-day polymorphic worms and to supply a minimal set of filtering rules to network perimeter devices, such as firewalls, to block worm spreading. The RSWD scheme rests on the assumption that all attack packets of a polymorphic worm are generated by the same worm program and exploit the same vulnerability on the victim hosts, so some invariant patterns persist even though the polymorphic engine mutates the payload dynamically and frequently. Our simulations show that, in a class B network infected by a new polymorphic worm that no known signature recognizes, the RSWD module detects the worm propagation within 17 s and produces a precise blocking rule with a 100% true positive rate and 99.82% accuracy.
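To make the rough-set idea concrete, the following is an added example (not the RSWD implementation from the paper, and not code from its authors) that applies the standard RST notions of indiscernibility classes, positive region and reduct to a constructed decision table of packets. The attribute names (`dst_port`, `len_bucket`, `nop_sled`, `decoder_stub`, `src_subnet`), the packet rows and the train/test split are all assumptions made for the illustration; the reduct is found by brute-force subset search, which is fine for a toy table but is not the paper's method. The point it shows is the one the abstract relies on: the polymorphic engine varies length, sled and source, but the attack packets share an invariant (same target service, same decoder stub), and the reduct isolates exactly that invariant as a single blocking rule. The test set also contains a benign packet that collides with the rule, so the accuracy figure shows the false-positive cost of a rule that is only as fine-grained as the chosen attributes.

```python
"""Rough-set reduct and blocking-rule extraction over a toy packet decision table.

Added illustration, not the paper's RSWD code. Attribute names, packet rows and
the train/test split are constructed for this example.
"""
from itertools import combinations

# Condition attributes, already discretised as rough set theory requires.
ATTRS = ("dst_port", "len_bucket", "nop_sled", "decoder_stub", "src_subnet")

# Constructed training table. Each row is one observed packet; the last field is
# the decision attribute (1 = emitted by the worm, 0 = benign traffic).
TRAIN = [
    # dst_port, len_bucket, nop_sled, decoder_stub, src_subnet, worm
    (445, "large",  1, 1, "A", 1),
    (445, "medium", 0, 1, "B", 1),
    (445, "large",  1, 1, "C", 1),
    (445, "small",  0, 1, "A", 1),
    (445, "medium", 1, 1, "D", 1),
    (445, "small",  0, 0, "A", 0),   # legitimate traffic to the same service
    (445, "large",  0, 0, "B", 0),
    (80,  "large",  1, 0, "C", 0),   # NOP-like bytes inside a benign HTTP upload
    (80,  "medium", 0, 1, "B", 0),   # the same stub bytes inside a benign binary upload
    (80,  "small",  0, 0, "D", 0),
    (22,  "medium", 0, 0, "A", 0),
]

# Constructed held-out packets, including mutations the training set never saw.
TEST = [
    (445, "small",  1, 1, "E", 1),   # new mutation: other length, sled and source
    (445, "large",  0, 1, "F", 1),
    (445, "medium", 0, 0, "E", 0),
    (80,  "large",  0, 1, "F", 0),   # stub bytes on another service: must not be blocked
    (22,  "small",  1, 0, "B", 0),
    (445, "large",  1, 1, "G", 0),   # benign packet that collides with the rule: false positive
]


def partition(rows, attrs):
    """Indiscernibility classes: row indices grouped by their values on `attrs`."""
    classes = {}
    for i, row in enumerate(rows):
        key = tuple(row[ATTRS.index(a)] for a in attrs)
        classes.setdefault(key, []).append(i)
    return list(classes.values())


def positive_region(rows, attrs):
    """Rows whose class under `attrs` is pure in the decision (lower approximation)."""
    pos = set()
    for cls in partition(rows, attrs):
        if len({rows[i][-1] for i in cls}) == 1:
            pos.update(cls)
    return pos


def find_reduct(rows):
    """Smallest attribute subset that preserves the positive region of all attributes."""
    full = positive_region(rows, ATTRS)
    for k in range(1, len(ATTRS) + 1):
        for subset in combinations(ATTRS, k):
            if positive_region(rows, subset) == full:
                return subset
    return ATTRS


def extract_rules(rows, reduct):
    """One attr=value conjunction per indiscernibility class that is purely 'worm'."""
    rules = []
    for cls in partition(rows, reduct):
        if {rows[i][-1] for i in cls} == {1}:
            row = rows[cls[0]]
            rules.append({a: row[ATTRS.index(a)] for a in reduct})
    return rules


def rule_to_filter(rule):
    """Render a rule as the predicate a perimeter device would block on."""
    return " and ".join(f"{a}={v}" for a, v in rule.items())


def matches(rule, row):
    return all(row[ATTRS.index(a)] == v for a, v in rule.items())


def evaluate(rules, rows):
    """(true positive rate, accuracy) of the blocking rules over a packet set."""
    tp = fn = tn = fp = 0
    for row in rows:
        blocked = any(matches(r, row) for r in rules)
        if row[-1] == 1:
            tp, fn = (tp + 1, fn) if blocked else (tp, fn + 1)
        else:
            fp, tn = (fp + 1, tn) if blocked else (fp, tn + 1)
    tpr = tp / (tp + fn) if tp + fn else 0.0
    return tpr, (tp + tn) / len(rows)


if __name__ == "__main__":
    reduct = find_reduct(TRAIN)
    rules = extract_rules(TRAIN, reduct)
    print("reduct:", reduct)
    for r in rules:
        print("block if", rule_to_filter(r))
    print("test TPR/accuracy:", evaluate(rules, TEST))
```

On this table the reduct is `(dst_port, decoder_stub)`: neither attribute alone separates worm from benign packets (port 445 also carries legitimate traffic, and the stub bytes also occur in a benign upload on port 80), but together they do, and the single extracted rule blocks every unseen mutation in the test set. The one benign packet that shares both attribute values is still blocked, which is the kind of collision that keeps accuracy below 100% even when the true positive rate is 100%; finer attributes (for example, additional invariant byte offsets) are what narrow the rule further.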