Bro: a system for detecting network intruders in real-time
Computer Networks: The International Journal of Computer and Telecommunications Networking
Space/time trade-offs in hash coding with allowable errors
Communications of the ACM
Practical automated detection of stealthy portscans
Journal of Computer Security
How to Own the Internet in Your Spare Time
Proceedings of the 11th USENIX Security Symposium
Throttling Viruses: Restricting propagation to defeat malicious mobile code
ACSAC '02 Proceedings of the 18th Annual Computer Security Applications Conference
IEEE Security and Privacy
Proceedings of the 2003 ACM workshop on Rapid malcode
Worm propagation modeling and analysis under dynamic quarantine defense
Proceedings of the 2003 ACM workshop on Rapid malcode
Denial of service via algorithmic complexity attacks
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Implementing and testing a virus throttle
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Proceedings of the 2004 ACM workshop on Rapid malcode
A behavioral approach to worm detection
Proceedings of the 2004 ACM workshop on Rapid malcode
Collaborative Internet Worm Containment
IEEE Security and Privacy
Vigilante: end-to-end containment of internet worms
Proceedings of the twentieth ACM symposium on Operating systems principles
Scalability, fidelity, and containment in the potemkin virtual honeyfarm
Proceedings of the twentieth ACM symposium on Operating systems principles
The monitoring and early detection of internet worms
IEEE/ACM Transactions on Networking (TON)
On instant messaging worms, analysis and countermeasures
Proceedings of the 2005 ACM workshop on Rapid malcode
Defending against hitlist worms using network address space randomization
Proceedings of the 2005 ACM workshop on Rapid malcode
Worm evolution tracking via timing analysis
Proceedings of the 2005 ACM workshop on Rapid malcode
The limits of global scanning worm detectors in the presence of background noise
Proceedings of the 2005 ACM workshop on Rapid malcode
Host-based detection of worms through peer-to-peer cooperation
Proceedings of the 2005 ACM workshop on Rapid malcode
The detection of RCS worm epidemics
Proceedings of the 2005 ACM workshop on Rapid malcode
Proactive security for mobile messaging networks
WiSe '06 Proceedings of the 5th ACM workshop on Wireless security
Proceedings of the 4th ACM workshop on Recurring malcode
Puppetnets: misusing web browsers as a distributed attack infrastructure
Proceedings of the 13th ACM conference on Computer and communications security
WormTerminator: an effective containment of unknown and polymorphic fast spreading worms
Proceedings of the 2006 ACM/IEEE symposium on Architecture for networking and communications systems
The shunt: an FPGA-based accelerator for network intrusion prevention
Proceedings of the 2007 ACM/SIGDA 15th international symposium on Field programmable gate arrays
Using performance signatures and software rejuvenation for worm mitigation in tactical MANETs
WOSP '07 Proceedings of the 6th international workshop on Software and performance
SweetBait: Zero-hour worm detection and containment using low- and high-interaction honeypots
Computer Networks: The International Journal of Computer and Telecommunications Networking
Effective worm detection for various scan techniques
Journal of Computer Security
BINDER: an extrusion-based break-in detector for personal computers
ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference
Analyzing cooperative containment of fast scanning worms
SRUTI'05 Proceedings of the Steps to Reducing Unwanted Traffic on the Internet Workshop
Adaptive defense against various network attacks
SRUTI'05 Proceedings of the Steps to Reducing Unwanted Traffic on the Internet Workshop
Detecting targeted attacks using shadow honeypots
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
WormShield: Fast Worm Signature Generation with Distributed Fingerprint Aggregation
IEEE Transactions on Dependable and Secure Computing
Fast Worm Containment Using Feedback Control
IEEE Transactions on Dependable and Secure Computing
Defending against hitlist worms using network address space randomization
Computer Networks: The International Journal of Computer and Telecommunications Networking
An Automated Signature-Based Approach against Polymorphic Internet Worms
IEEE Transactions on Parallel and Distributed Systems
Reversible sketches: enabling monitoring and analysis over high-speed data streams
IEEE/ACM Transactions on Networking (TON)
Evaluation of collaborative worm containment on the DETER testbed
DETER Proceedings of the DETER Community Workshop on Cyber Security Experimentation and Test 2007
Catch me, if you can: evading network signatures with web-based polymorphic worms
WOOT '07 Proceedings of the first USENIX workshop on Offensive Technologies
A model of the spread of randomly scanning Internet worms that saturate access links
ACM Transactions on Modeling and Computer Simulation (TOMACS)
Deterministic and stochastic models for the detection of random constant scanning worms
ACM Transactions on Modeling and Computer Simulation (TOMACS)
Information Assurance: Dependability and Security in Networked Systems
Information Assurance: Dependability and Security in Networked Systems
Origins: an approach to trace fast spreading worms to their roots
International Journal of Security and Networks
Design and analysis of a multipacket signature detection system
International Journal of Security and Networks
Detector SherLOCK: Enhancing TRW with Bloom filters under memory and performance constraints
Computer Networks: The International Journal of Computer and Telecommunications Networking
Distributed Evasive Scan Techniques and Countermeasures
DIMVA '07 Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
On the Adaptive Real-Time Detection of Fast-Propagating Network Worms
DIMVA '07 Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Modeling Modern Social-Network-Based Epidemics: A Case Study of Rose
ATC '08 Proceedings of the 5th international conference on Autonomic and Trusted Computing
A Comparative Evaluation of Anomaly Detectors under Portscan Attacks
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Vigilante: End-to-end containment of Internet worm epidemics
ACM Transactions on Computer Systems (TOCS)
Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure
ACM Transactions on Information and System Security (TISSEC)
Online Accumulation: Reconstruction of Worm Propagation Path
NPC '08 Proceedings of the IFIP International Conference on Network and Parallel Computing
An integrated approach to detection of fast and slow scanning worms
Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
Towards an analytic model of epidemic spreading in heterogeneous systems
The Fourth International Conference on Heterogeneous Networking for Quality, Reliability, Security and Robustness & Workshops
A modeling framework of content pollution in Peer-to-Peer video streaming systems
Computer Networks: The International Journal of Computer and Telecommunications Networking
When gossip is good: distributed probabilistic inference for detection of slow network intrusions
AAAI'06 proceedings of the 21st national conference on Artificial intelligence - Volume 2
An adaptive approach to granular real-time anomaly detection
EURASIP Journal on Advances in Signal Processing - Special issue on signal processing applications in network intrusion detection systems
COD: online temporal clustering for outbreak detection
AAAI'07 Proceedings of the 22nd national conference on Artificial intelligence - Volume 1
Evolving TCP/IP packets: a case study of port scans
CISDA'09 Proceedings of the Second IEEE international conference on Computational intelligence for security and defense applications
Distributed intrusion prevention in active and extensible networks
IWAN'04 Proceedings of the 6th IFIP TC6 international working conference on Active networks
PolyI-D: polymorphic worm detection based on instruction distribution
WISA'06 Proceedings of the 7th international conference on Information security applications: Part I
Investigating the impact of real-world factors on internet worm propagation
ICISS'07 Proceedings of the 3rd international conference on Information systems security
SWorD: a simple worm detection scheme
OTM'07 Proceedings of the 2007 OTM confederated international conference on On the move to meaningful internet systems: CoopIS, DOA, ODBASE, GADA, and IS - Volume Part II
HiFIND: A high-speed flow-level intrusion detection approach with DoS resiliency
Computer Networks: The International Journal of Computer and Telecommunications Networking
What is the impact of p2p traffic on anomaly detection?
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Behavior-based worm detectors compared
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Community epidemic detection using time-correlated anomalies
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Idle port scanning and non-interference analysis of network protocol stacks using model checking
USENIX Security'10 Proceedings of the 19th USENIX conference on Security
Accuracy improving guidelines for network anomaly detection systems
Journal in Computer Virology
Joint network-host based malware detection using information-theoretic tools
Journal in Computer Virology
A practical approach to portscan detection in very high-speed links
PAM'11 Proceedings of the 12th international conference on Passive and active measurement
Characterizing Intelligence Gathering and Control on an Edge Network
ACM Transactions on Internet Technology (TOIT)
On detecting active worms with varying scan rate
Computer Communications
Detecting malware domains at the upper DNS hierarchy
SEC'11 Proceedings of the 20th USENIX conference on Security
ACM Transactions on Modeling and Computer Simulation (TOMACS)
Trust extension as a mechanism for secure code execution on commodity computers
Trust extension as a mechanism for secure code execution on commodity computers
Early warning for network worms
CIS'05 Proceedings of the 2005 international conference on Computational Intelligence and Security - Volume Part II
Fast detection of worm infection for large-scale networks
ICMLC'05 Proceedings of the 4th international conference on Advances in Machine Learning and Cybernetics
Coupled Kermack-McKendrick models for randomly scanning and bandwidth-saturating internet worms
QoS-IP'05 Proceedings of the Third international conference on Quality of Service in Multiservice IP Networks
A first look at peer-to-peer worms: threats and defenses
IPTPS'05 Proceedings of the 4th international conference on Peer-to-Peer Systems
Empirical analysis of rate limiting mechanisms
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Polymorphic worm detection using structural information of executables
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
A fast static analysis approach to detect exploit code inside network flows
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
ICARIS'05 Proceedings of the 4th international conference on Artificial Immune Systems
A dynamic mechanism for recovering from buffer overflow attacks
ISC'05 Proceedings of the 8th international conference on Information Security
Adaptive detection of local scanners
ACNS'06 Proceedings of the 4th international conference on Applied Cryptography and Network Security
TAO: protecting against hitlist worms using transparent address obfuscation
CMS'06 Proceedings of the 10th IFIP TC-6 TC-11 international conference on Communications and Multimedia Security
Using trustworthy host-based information in the network
Proceedings of the seventh ACM workshop on Scalable trusted computing
A worm containment model based on neighbor-alarm
ATC'07 Proceedings of the 4th international conference on Autonomic and Trusted Computing
A Host-Based Approach for Unknown Fast-Spreading Worm Detection and Containment
ACM Transactions on Autonomous and Adaptive Systems (TAAS) - Special Section on Best Papers from SEAMS 2012
Computer worms - malicious, self-propagating programs - represent a significant threat to large networks. One possible defense, containment, seeks to limit a worm's spread by isolating it in a small subsection of the network. In this work we develop containment algorithms suitable for deployment in high-speed, low-cost network hardware. We show that these techniques can stop a scanning host after fewer than 10 scans with a very low false-positive rate. We also augment this approach by devising mechanisms for cooperation that enable multiple containment devices to more effectively detect and respond to an emerging infection. Finally, we discuss ways that a worm can attempt to bypass containment techniques in general, and ours in particular.