Throttling Viruses: Restricting propagation to defeat malicious mobile code
ACSAC '02 Proceedings of the 18th Annual Computer Security Applications Conference
Hi-index | 0.00 |
One of problems of virus throttling algorithm, a worm early detection technique to reduce the speed of worm spread, is that it is too sensitive to burstiness in the number of connection requests. The algorithm proposed in this paper reduces the sensitivity and false alarm with weighted average queue length that smoothes sudden traffic changes. Based on an observation that normal connection requests passing through a network has a strong locality in destination IP addresses, the proposed algorithm counts the number of connection requests with different destinations, in contrast to simple length of delay queue as in the typical throttling algorithm. The queue length measuring strategy also helps reduce worm detection time and false alarm.