How to Own the Internet in Your Spare Time
Proceedings of the 11th USENIX Security Symposium
Throttling Viruses: Restricting propagation to defeat malicious mobile code
ACSAC '02 Proceedings of the 18th Annual Computer Security Applications Conference
Filtering postures: local enforcement for global policies
SP '97 Proceedings of the 1997 IEEE Symposium on Security and Privacy
Proceedings of the 2003 ACM workshop on Rapid malcode
Proceedings of the 2003 ACM workshop on Rapid malcode
Poly2 Paradigm: A Secure Network Service Architecture
ACSAC '03 Proceedings of the 19th Annual Computer Security Applications Conference
Defense and Detection Strategies against Internet Worms
Defense and Detection Strategies against Internet Worms
Very fast containment of scanning worms
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Autograph: toward automated, distributed worm signature detection
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Worms vs. perimeters: the case for hard-LANs
HOTI '04 Proceedings of the High Performance Interconnects, 2004. on Proceedings. 12th Annual IEEE Symposium
Scalability, fidelity, and containment in the potemkin virtual honeyfarm
Proceedings of the twentieth ACM symposium on Operating systems principles
Host-based detection of worms through peer-to-peer cooperation
Proceedings of the 2005 ACM workshop on Rapid malcode
Simulating non-scanning worms on peer-to-peer networks
InfoScale '06 Proceedings of the 1st international conference on Scalable information systems
Proactive security for mobile messaging networks
WiSe '06 Proceedings of the 5th ACM workshop on Wireless security
Profiling self-propagating worms via behavioral footprinting
Proceedings of the 4th ACM workshop on Recurring malcode
Proceedings of the 4th ACM workshop on Recurring malcode
Signature metrics for accurate and automated worm detection
Proceedings of the 4th ACM workshop on Recurring malcode
Journal of Computing Sciences in Colleges
WitMeMo '06 Proceedings of the second international workshop on Wireless traffic measurements and modeling
Leveraging good intentions to reduce unwanted network traffic
SRUTI'06 Proceedings of the 2nd conference on Steps to Reducing Unwanted Traffic on the Internet - Volume 2
An Automated Signature-Based Approach against Polymorphic Internet Worms
IEEE Transactions on Parallel and Distributed Systems
BotHunter: detecting malware infection through IDS-driven dialog correlation
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Behavioral detection of malware on mobile handsets
Proceedings of the 6th international conference on Mobile systems, applications, and services
Detecting energy-greedy anomalies and mobile malware variants
Proceedings of the 6th international conference on Mobile systems, applications, and services
Spectator: detection and containment of JavaScript worms
ATC'08 USENIX 2008 Annual Technical Conference on Annual Technical Conference
An FSM-Based Approach for Malicious Code Detection Using the Self-Relocation Gene
ICIC '08 Proceedings of the 4th international conference on Intelligent Computing: Advanced Intelligent Computing Theories and Applications - with Aspects of Theoretical and Methodological Issues
Behavioural Characterization for Network Anomaly Detection
Transactions on Computational Science IV
Exploiting dynamicity in graph-based traffic analysis: techniques and applications
Proceedings of the 5th international conference on Emerging networking experiments and technologies
Graph-based P2P traffic classification at the internet backbone
INFOCOM'09 Proceedings of the 28th IEEE international conference on Computer Communications Workshops
Exploring graph-based network traffic monitoring
INFOCOM'09 Proceedings of the 28th IEEE international conference on Computer Communications Workshops
Automated classification and analysis of internet malware
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Joint network-host based malware detection using information-theoretic tools
Journal in Computer Virology
A semantic framework for data analysis in networked systems
Proceedings of the 8th USENIX conference on Networked systems design and implementation
Graption: A graph-based P2P traffic classification framework for the internet backbone
Computer Networks: The International Journal of Computer and Telecommunications Networking
Challenges in experimenting with botnet detection systems
CSET'11 Proceedings of the 4th conference on Cyber security experimentation and test
Empirical analysis of rate limiting mechanisms
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
ICISS'05 Proceedings of the First international conference on Information Systems Security
CBSTM: Cloud-based Behavior Similarity Transmission Method to Detect Industrial Worms
Proceedings of the Second International Conference on Innovative Computing and Cloud Computing
| Hi-index | 0.00 |
This paper presents a new approach to the automatic detection of worms using behavioral signatures. A behavioral signature describes aspects of any particular worm's behavior that are common across the manifestations of a given worm and that span its nodes in temporal order. Characteristic patterns of worm behaviors in network traffic include 1) sending similar data from one machine to the next, 2) tree-like propagation and reconnaissance, and 3) changing a server into a client. These behavioral signatures are presented within the context of a general worm propagation model. Taken together, they have the potential to detect entire classes of worms including those which have yet to be observed. This paper introduces the concept of an network application architecture (NAA) as a way to distribute network applications. An analysis shows that the choice of NAA impacts the sensitivity of behavioral signatures. An NAA that satisfies certain constraints significantly improves worm detection sensitivity. Mathematical models of traffic flow, NAAs, worm propagation, and worm detection provide a context for the entire discussion.