4th International ICST Conference on Security and Privacy in Communication Networks

Research Article

Containment of Network Worms via Per-Process Rate-Limiting

BibTeX

    @INPROCEEDINGS{10.1145/1460877.1460895,
        author={Yuanyuan Zeng and Xin Hu and Haixiong Wang and Kang G. Shin and Abhijit Bose},
        title={Containment of Network Worms via Per-Process Rate-Limiting},
        proceedings={4th International ICST Conference on Security and Privacy in Communication Networks},
        publisher={ACM},
        proceedings_a={SECURECOMM},
        year={2008},
        month={9},
        keywords={Worm Containment Rate-Limiting Behavior Analysis},
        doi={10.1145/1460877.1460895}
    }
Yuanyuan Zeng (1,*), Xin Hu (1,*), Haixiong Wang (1,*), Kang G. Shin (1,*), Abhijit Bose (2,*)
  • 1: The University of Michigan Ann Arbor, Michigan
  • 2: IBM T.J. Watson Research Hawthorne, New York
*Contact email: gracez@umich.edu, huxin@umich.edu, wanghx@umich.edu, kgshin@umich.edu, bosea@us.ibm.com

Abstract

Network worms pose a serious threat to the Internet infrastructure as well as end-users. Various techniques have been proposed for detection of, and response against, worms. A frequently-used and automated response mechanism is to rate-limit outbound worm traffic while maintaining the operation of legitimate applications, offering a gentler alternative to the usual detect-and-block approach. However, most rate-limiting schemes to date only focus on host-level network activities and impose a single threshold on the entire host, failing to (i) accommodate network-intensive applications and (ii) effectively contain network worms at the same time. To alleviate these limitations, we propose a per-process-based containment framework in each host that monitors the fine-grained runtime behavior of each process and accordingly assigns the process a suspicion level generated by a machine-learning algorithm. We have also developed a heuristic to optimally map each suspicion level to the rate-limiting threshold. The framework is shown to be effective in containing network worms and allowing the traffic of legitimate programs, achieving lower false-alarm rates.

Keywords: Worm Containment, Rate-Limiting, Behavior Analysis
Published: 2008-09-25
Publisher: ACM
Modified: 2010-05-16
DOI: http://dx.doi.org/10.1145/1460877.1460895
Copyright © 2008–2025 ACM