Because of the lack of diversity in the platforms and software running on Internet-attached hosts, Internet worms can spread all over the world in just a few minutes. Many researchers suggest signature-based Network Intrusion Detection Systems (NIDS) to defend networks against them. However, the polymorphic worm, which evolved from the traditional Internet worm, was devised to evade signature-based detection schemes, which actually makes NIDS useless. Some schemes have been proposed for detecting it, but they have shortcomings such as belated detection and huge overhead. In this paper, we propose a new system, called PolyI-D, that detects polymorphic worms in real time and with little overhead through tests based on instruction distribution. It is particularly suitable even for fast-spreading and continuously mutating worms.