Active worms have posed a major security threat to the Internet, and many research efforts have focused on them. Defending against them remains challenging, however, because they keep evolving. In this paper, we study a new class of defense-oriented evolved worms, the Varying Scan Rate worm (VSR worm for short). To circumvent existing worm-detection schemes, the VSR worm deliberately varies its scan rate to exploit those schemes' weaknesses, in particular their reliance on fixed scan-rate thresholds. To counter the VSR worm, we design a new worm-detection scheme, the attack-target Distribution Entropy-based Dynamic detection scheme (DED detection for short). DED detection uses the attack-target distribution as a robust statistical feature, combined with dynamic decision adaptation, to distinguish worm-scan traffic from non-worm-scan traffic. We present a comparatively complete design space of detection schemes and conduct extensive performance evaluations of DED detection against the other schemes, using real-world Internet traces as background scan traffic. Our data clearly demonstrate the effectiveness of DED detection in detecting both the VSR worm and the traditional worm.
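The abstract states the principle but not the mechanics. The following Python is an added illustration of that principle and is not the paper's DED implementation: it compares a fixed scan-count threshold (the kind of rule a worm can slip under by pacing itself) with a test on the Shannon entropy of the destination-address distribution, using an adaptive baseline. Everything in it is a constructed assumption: the monitor sees per-window (src, dst) pairs of unsolicited connection attempts, background scans concentrate on five hot targets, the worm scans uniformly random addresses in 10.0.0.0/16, and the window sizes, detector parameters and the worm's burst/quiet pacing were chosen for the demonstration.

```python
"""Destination-distribution entropy as a worm-scan indicator with an adaptive decision rule.

Added illustration, not the paper's DED detection code. Assumptions: a monitor sees
per-window (src, dst) pairs of unsolicited connection attempts; background scans are
concentrated on a few hot targets; a random-scanning worm spreads its targets across
the monitored space, so the entropy of the destination distribution rises regardless
of how many scans the worm sends per window.
"""
import math
import random
from collections import Counter


def dest_entropy(pairs):
    """Shannon entropy in bits of the destination-address distribution of one window."""
    n = len(pairs)
    if n == 0:
        return 0.0
    counts = Counter(dst for _, dst in pairs)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def background_window(rng, n=200, hot_fraction=0.95):
    """Constructed background traffic: most scans hit five hot targets (constructed data)."""
    hot = ["10.0.0.%d" % i for i in range(1, 6)]
    pairs = []
    for _ in range(n):
        src = "198.51.100.%d" % rng.randrange(1, 255)
        if rng.random() < hot_fraction:
            dst = rng.choice(hot)
        else:
            dst = "10.0.%d.%d" % (rng.randrange(256), rng.randrange(1, 255))
        pairs.append((src, dst))
    return pairs


def worm_window(rng, scan_rate):
    """Constructed worm contribution: scan_rate uniformly random targets in 10.0.0.0/16."""
    return [("203.0.113.%d" % rng.randrange(1, 255),
             "10.0.%d.%d" % (rng.randrange(256), rng.randrange(1, 255)))
            for _ in range(scan_rate)]


class RateDetector:
    """Fixed scan-count threshold: the kind of rule a VSR worm slips under by pacing itself."""
    def __init__(self, threshold):
        self.threshold = threshold

    def observe(self, pairs):
        return len(pairs) > self.threshold


class EntropyDetector:
    """Adaptive decision rule on destination entropy (assumed design, not the paper's).

    Keeps an EWMA of entropy and of its absolute deviation over windows judged benign;
    flags a window whose entropy exceeds mean + max(k * dev, min_margin). Flagged windows
    do not update the baseline, so a worm cannot pull the threshold up behind itself.
    """
    def __init__(self, k=3.0, alpha=0.2, warmup=5, min_margin=0.8):
        self.k, self.alpha, self.warmup, self.min_margin = k, alpha, warmup, min_margin
        self.mean, self.dev, self.seen = None, 0.0, 0

    def observe(self, pairs):
        h = dest_entropy(pairs)
        self.seen += 1
        if self.mean is None:
            self.mean = h
            return False
        flagged = (self.seen > self.warmup
                   and h > self.mean + max(self.k * self.dev, self.min_margin))
        if not flagged:
            diff = h - self.mean
            self.mean += self.alpha * diff
            self.dev += self.alpha * (abs(diff) - self.dev)
        return flagged


def simulate(seed=1, windows=30, onset=15, burst=150, quiet=80, rate_threshold=300):
    """Run both detectors over constructed windows. The worm starts at `onset` and
    alternates one burst window with two quiet ones; the quiet windows stay under the
    rate threshold. Returns (windows flagged by rate, windows flagged by entropy)."""
    rng = random.Random(seed)
    rate_det, ent_det = RateDetector(rate_threshold), EntropyDetector()
    rate_hits, ent_hits = [], []
    for w in range(windows):
        pairs = background_window(rng)
        if w >= onset:
            pairs += worm_window(rng, burst if (w - onset) % 3 == 0 else quiet)
        if rate_det.observe(pairs):
            rate_hits.append(w)
        if ent_det.observe(pairs):
            ent_hits.append(w)
    return rate_hits, ent_hits


if __name__ == "__main__":
    rate_hits, ent_hits = simulate()
    print("rate-threshold detector flagged windows:", rate_hits)
    print("entropy detector flagged windows:       ", ent_hits)
```

Running `simulate()` shows the contrast the abstract is about: the rate detector fires only on the worm's burst windows, while the entropy detector fires on every worm window, burst or quiet, because spreading targets across the address space raises destination entropy independently of scan rate. The `min_margin` floor exists because an EWMA deviation estimate is unreliable during warm-up; without it a noisy background window could be flagged and, since flagged windows are excluded from the baseline, would leave the detector stuck. A real deployment would also need to handle a worm that targets a few addresses (low entropy), which this rule does not address.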