Host-Based Detection of Worms through Peer-to-Peer Cooperation

DSpace/Manakin Repository

Host-Based Detection of Worms through Peer-to-Peer Cooperation

Citable link to this page


Title: Host-Based Detection of Worms through Peer-to-Peer Cooperation
Author: Malan, David J.; Smith, Michael

Note: Order does not necessarily reflect citation order of authors.

Citation: Malan, David J. and Michael D. Smith. 2005. Host-based detection of worms through peer-to-peer cooperation. In WORM '05: Proceedings of the 2005 ACM Workshop on Rapid Malcode: November 11, 2005, Fairfax, Virginia (co-located with CCS 2005), ed. Angelos Keromytis, 72-80. New York, N.Y.: Association for Computing Machinery.
Access Status: Full text of the requested work is not available in DASH at this time (“dark deposit”). For more information on dark deposits, see our FAQ.
Full Text & Related Files:
Abstract: We propose a host-based, runtime defense against worms that achieves negligible risk of false positives through peer-to-peer cooperation. We view correlation among otherwise independent peers’ behavior as anomalous behavior, indication of a fast-spreading worm. We detect correlation by exploiting worms’ temporal consistency, similarity (low temporal variance) in worms’ invocations of system calls. We evaluate our ideas on Windows XP with Service Pack 2 using traces of nine variants of worms and twenty-five non-worms, including ten commercial applications and fifteen processes native to the platform. We find that two peers, upon exchanging snapshots of their internal behavior, defined with frequency distributions of system calls, can decide that they are, more likely than not, executing a worm between 76% and 97% of the time. More importantly, we find that the probability that peers might err, judging a non-worm a worm, is negligible.
Published Version:
Citable link to this page:
Downloads of this work:

Show full Dublin Core record

This item appears in the following Collection(s)


Search DASH

Advanced Search