Host-Based Detection of Worms through Peer-to-Peer Cooperation
Access Status: Full text of the requested work is not available in DASH at this time ("dark deposit").
Malan, David J.
Citation: Malan, David J. and Michael D. Smith. 2005. Host-based detection of worms through peer-to-peer cooperation. In WORM '05: Proceedings of the 2005 ACM Workshop on Rapid Malcode: November 11, 2005, Fairfax, Virginia (co-located with CCS 2005), ed. Angelos Keromytis, 72-80. New York, N.Y.: Association for Computing Machinery.
Abstract: We propose a host-based, runtime defense against worms that achieves negligible risk of false positives through peer-to-peer cooperation. We treat correlation among the behavior of otherwise independent peers as anomalous, an indication of a fast-spreading worm. We detect such correlation by exploiting worms' temporal consistency: the similarity (low temporal variance) in a worm's invocations of system calls. We evaluate our ideas on Windows XP with Service Pack 2 using traces of nine variants of worms and twenty-five non-worms, including ten commercial applications and fifteen processes native to the platform. We find that two peers, upon exchanging snapshots of their internal behavior, defined as frequency distributions of system calls, can decide that they are, more likely than not, executing a worm between 76% and 97% of the time. More importantly, we find that the probability that peers might err, judging a non-worm to be a worm, is negligible.
Citable link to this page: http://nrs.harvard.edu/urn-3:HUL.InstRepos:2961698
- FAS Scholarly Articles