Worms are becoming more virulent at the same time as operating system improvements try to contain them. Recent research demonstrates several effective methods to detect and prevent randomly scanning worms from spreading [2, 13]. As a result, worm authors are looking for new ways to acquire vulnerable targets without relying on randomly scanning for them. It is often possible to find vulnerable web servers by sending carefully crafted queries to search engines. Search worms automate this approach and spread by using popular search engines to find new attack vectors. These worms not only put significant load on search engines but also evade detection mechanisms that assume random scanning. From the point of view of a search engine, signatures against search queries are only a temporary measure, as many different search queries lead to the same results. In this paper, we present our experience with search worms and a framework that allows search engines to quickly detect new worms and take automatic countermeasures. We argue that signature-based filtering of search queries is ill-suited for protecting against search worms and show how we prevent worm propagation without relying on query signatures. We illustrate our approach with measurements and numeric simulations.