Publication:

Host-Based Detection of Worms through Peer-to-Peer Cooperation

Date

2005

Publisher

Association for Computing Machinery
Citation

Malan, David J. and Michael D. Smith. 2005. Host-based detection of worms through peer-to-peer cooperation. In WORM '05: Proceedings of the 2005 ACM Workshop on Rapid Malcode: November 11, 2005, Fairfax, Virginia (co-located with CCS 2005), ed. Angelos Keromytis, 72-80. New York, N.Y.: Association for Computing Machinery.

Abstract

We propose a host-based, runtime defense against worms that achieves negligible risk of false positives through peer-to-peer cooperation. We view correlation among otherwise independent peers’ behavior as anomalous behavior, indication of a fast-spreading worm. We detect correlation by exploiting worms’ temporal consistency, similarity (low temporal variance) in worms’ invocations of system calls. We evaluate our ideas on Windows XP with Service Pack 2 using traces of nine variants of worms and twenty-five non-worms, including ten commercial applications and fifteen processes native to the platform. We find that two peers, upon exchanging snapshots of their internal behavior, defined with frequency distributions of system calls, can decide that they are, more likely than not, executing a worm between 76% and 97% of the time. More importantly, we find that the probability that peers might err, judging a non-worm a worm, is negligible.
