Title :
An innovative behavioral approach to worm detection
Author_Institution :
Comput. Network & Inf. Security Res. Center(IV), Harbin Inst. of Technol., Weihai, China
fDate :
Nov. 29 2011-Dec. 1 2011
Abstract :
This paper presents a new approach to the automatic detection of worms using behavioral signature with sequential hypothesis testing. Characteristic patterns of worm behaviors in network traffic include 1) sending similar data from one machine to the next, 2) tree-like propagation and reconnaissance, and 3) changing a server into a client [1]. 4) infected hosts should meet the basic requirements [2]. This sequential hypothesis testing theory first developed by Wald [3] overcomes the hurdle that it´s difficult to find a threshold of determining whether a host is infected when we build a tree of worm propagation. Besides, to slow down the propagation of worms we alter an existing method which is connection rate limiting to packet-sending rate limiting. Our results that show this approach successfully restricts the number of packets sent by worms, has a low false alarm rate and a low missing alarm rate.
Keywords :
Internet; invasive software; trees (mathematics); automatic worm detection; connection rate limiting; innovative behavioral approach; low false alarm rate; low missing alarm rate; network traffic; packet-sending rate limiting; sequential hypothesis testing; tree-like propagation; worm behaviors; worm propagation; Equations; Grippers; Internet; Limiting; Reconnaissance; Servers; Testing;
Conference_Titel :
Computer Sciences and Convergence Information Technology (ICCIT), 2011 6th International Conference on
Conference_Location :
Seogwipo
Print_ISBN :
978-1-4577-0472-7
