Host-Based Detection of Worms through Peer-to-Peer Cooperation

DSpace/Manakin Repository

Host-Based Detection of Worms through Peer-to-Peer Cooperation

Citable link to this page


Title: Host-Based Detection of Worms through Peer-to-Peer Cooperation
Author: Malan, David J.; Smith, Michael

Note: Order does not necessarily reflect citation order of authors.

Citation: Malan, David J. and Michael D. Smith. 2005. Host-based detection of worms through peer-to-peer cooperation. In WORM '05: Proceedings of the 2005 ACM Workshop on Rapid Malcode: November 11, 2005, Fairfax, Virginia (co-located with CCS 2005), ed. Angelos Keromytis, 72-80. New York, N.Y.: Association for Computing Machinery.
Access Status: At the direction of the depositing author this work is not currently accessible through DASH.
Full Text & Related Files:
Abstract: We propose a host-based, runtime defense against worms that achieves negligible risk of false positives through peer-to-peer cooperation. We view correlation among otherwise independent peers’ behavior as anomalous behavior, indication of a fast-spreading worm. We detect correlation by exploiting worms’ temporal consistency, similarity (low temporal variance) in worms’ invocations of system calls. We evaluate our ideas on Windows XP with Service Pack 2 using traces of nine variants of worms and twenty-five non-worms, including ten commercial applications and fifteen processes native to the platform. We find that two peers, upon exchanging snapshots of their internal behavior, defined with frequency distributions of system calls, can decide that they are, more likely than not, executing a worm between 76% and 97% of the time. More importantly, we find that the probability that peers might err, judging a non-worm a worm, is negligible.
Published Version:
Citable link to this page:
Downloads of this work:

Show full Dublin Core record

This item appears in the following Collection(s)


Search DASH

Advanced Search