Research Article
Containment of Network Worms via Per-Process Rate-Limiting
@INPROCEEDINGS{10.1145/1460877.1460895,
  author={Yuanyuan Zeng and Xin Hu and Haixiong Wang and Kang G. Shin and Abhijit Bose},
  title={Containment of Network Worms via Per-Process Rate-Limiting},
  proceedings={4th International ICST Conference on Security and Privacy in Communication Networks},
  publisher={ACM},
  proceedings_a={SECURECOMM},
  year={2008},
  month={9},
  keywords={Worm Containment Rate-Limiting Behavior Analysis},
  doi={10.1145/1460877.1460895}
}
- Yuanyuan Zeng
- Xin Hu
- Haixiong Wang
- Kang G. Shin
- Abhijit Bose
Year: 2008
SECURECOMM
ACM
DOI: 10.1145/1460877.1460895
Abstract
Network worms pose a serious threat to the Internet infrastructure as well as end-users. Various techniques have been proposed for detection of, and response against, worms. A frequently-used and automated response mechanism is to rate-limit outbound worm traffic while maintaining the operation of legitimate applications, offering a gentler alternative to the usual detect-and-block approach. However, most rate-limiting schemes to date only focus on host-level network activities and impose a single threshold on the entire host, failing to (i) accommodate network-intensive applications and (ii) effectively contain network worms at the same time. To alleviate these limitations, we propose a per-process-based containment framework in each host that monitors the fine-grained runtime behavior of each process and accordingly assigns the process a suspicion level generated by a machine-learning algorithm. We have also developed a heuristic to optimally map each suspicion level to the rate-limiting threshold. The framework is shown to be effective in containing network worms and allowing the traffic of legitimate programs, achieving lower false-alarm rates.