Mersenne twister: a 623-dimensionally equidistributed uniform pseudo-random number generator
ACM Transactions on Modeling and Computer Simulation (TOMACS) - Special issue on uniform random number generation
Code-Red: a case study on the spread and victims of an internet worm
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
How to Own the Internet in Your Spare Time
Proceedings of the 11th USENIX Security Symposium
IEEE Security and Privacy
Monitoring and early warning for internet worms
Proceedings of the 10th ACM conference on Computer and communications security
Honeycomb: creating intrusion detection signatures using honeypots
ACM SIGCOMM Computer Communication Review
Snort - Lightweight Intrusion Detection for Networks
LISA '99 Proceedings of the 13th USENIX conference on System administration
Worm Origin Identification Using Random Moonwalks
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Simulation and Analysis on the Resiliency and Efficiency of Malnets
Proceedings of the 19th Workshop on Principles of Advanced and Distributed Simulation
OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
Implementing and testing a virus throttle
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Very fast containment of scanning worms
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Autograph: toward automated, distributed worm signature detection
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
IEEE Network: The Magazine of Global Internetworking
Online Accumulation: Reconstruction of Worm Propagation Path
NPC '08 Proceedings of the IFIP International Conference on Network and Parallel Computing
Hi-index | 0.00 |
Once a host is infected by an Internet worm, prompt action must be taken before that host does more harm to its local network and the rest of the Internet. It is therefore critical to quickly detect that a worm has infected a host. In this paper, we enhance our SWORD system to allow for the detection of infected hosts and evaluate its performance. This enhanced version of SWORD inherits the advantages of the original SWORD: it does not rely on inspecting traffic payloads to search for worm byte patterns or setting up a honeypot to lure worm traffic. Furthermore, while acting as a host-level detection system, it runs at a network's gateway and stays transparent to individual hosts. We show that our enhanced SWORD system is able to quickly and accurately detect if a host is infected by a zero-day worm. Furthermore, the detection is shown to be effective against worms of different types and speeds, including polymorphic worms