4th International ICST Conference on Security and Privacy in Communication Networks

Research Article

Containment of Network Worms via Per-Process Rate-Limiting

  • @INPROCEEDINGS{10.1145/1460877.1460895,
        author={Yuanyuan Zeng and xin hu and Haixiong Wang and Kang G. Shin and Abhijit Bose},
        title={Containment of Network Worms via Per-Process Rate-Limiting},
        proceedings={4th International ICST Conference on Security and Privacy in Communication Networks},
        keywords={Worm Containment Rate-Limiting Behavior Analysis},
  • Yuanyuan Zeng
    xin hu
    Haixiong Wang
    Kang G. Shin
    Abhijit Bose
    Year: 2008
    Containment of Network Worms via Per-Process Rate-Limiting
    DOI: 10.1145/1460877.1460895
Yuanyuan Zeng1,*, xin hu1,*, Haixiong Wang1,*, Kang G. Shin1,*, Abhijit Bose2,*
  • 1: The University of Michigan Ann Arbor, Michigan
  • 2: IBM T.J. Watson Research Hawthorne, New York
*Contact email: gracez@umich.edu, huxin@umich.edu, wanghx@umich.edu, kgshin@umich.edu, bosea@us.ibm.com


Network worms pose a serious threat to the Internet infrastructure as well as end-users. Various techniques have been proposed for detection of, and response against worms. A frequently-used and automated response mechanism is to rate-limit outbound worm traffic while maintaining the operation of legitimate applications, offering a gentler alternative to the usual detect-and-block approach. However, most rate-limiting schemes to date only focus on host-level network activities and impose a single threshold on the entire host, failing to (i) accommodate network-intensive applications and (ii) effectively contain network worms at the same time. To alleviate these limitations, we propose a per-process-based containment framework in each host that monitors the fine-grained runtime behavior of each process and accordingly assigns the process a suspicion level generated by a machine-learning algorithm. We have also developed a heuristic to optimally map each suspicion level to the rate-limiting threshold. The framework is shown to be effective in containing network worms and allowing the traffic of legitimate programs, achieving lower false-alarm rates.