Reducing worm detection time and false alarm in virus throttling

Authors:
Jangbok Kim;Jaehong Shim;Gihyun Jung;Kyunghee Choi
Affiliations:
Graduate School of Information and Communication, Ajou University, Suwon, South Korea;Department of Internet Software Engineering, Chosun University, Gwangju, South Korea;School of Electrics Engineering, Ajou University, Suwon, South Korea;Graduate School of Information and Communication, Ajou University, Suwon, South Korea
Venue:
CIS'05 Proceedings of the 2005 international conference on Computational Intelligence and Security - Volume Part II
Year:
2005

Citing 1
Cited 0

Throttling Viruses: Restricting propagation to defeat malicious mobile code

ACSAC '02 Proceedings of the 18th Annual Computer Security Applications Conference

Quantified Score

Hi-index	0.00

Visualization

Abstract

One of problems of virus throttling algorithm, a worm early detection technique to reduce the speed of worm spread, is that it is too sensitive to burstiness in the number of connection requests. The algorithm proposed in this paper reduces the sensitivity and false alarm with weighted average queue length that smoothes sudden traffic changes. Based on an observation that normal connection requests passing through a network has a strong locality in destination IP addresses, the proposed algorithm counts the number of connection requests with different destinations, in contrast to simple length of delay queue as in the typical throttling algorithm. The queue length measuring strategy also helps reduce worm detection time and false alarm.