• Journal of KIISE:Computing Practices and Letters
• /
• v.14 no.5
• /
• pp.517-521
• /
• 2008

A worm is a malware that propagates quickly from host to host without any human intervention. Need of early worm detection has changed research paradigm from signature based worm detection to the behavioral based detection. To increase effectiveness of proposed solution, in this paper we present mechanism of detection and prevention of worm in distributed fashion. Furthermore, to minimize the worm destruction; upon worm detection we propagate the possible attack aleγt to neighboring nodes in secure and organized manner. Considering worm behavior, our proposed mechanism detects worm cycles and infection chains to detect the sudden change in network performance. And our model neither needs to maintain a huge database of signatures nor needs to have too much computing power, that is why it is very light and simple. So, our proposed scheme is suitable for the ubiquitous environment. Simulation results illustrate better detection and prevention which leads to the reduction of infection rate.

• The KIPS Transactions:PartC
• /
• v.12C no.6 s.102
• /
• pp.847-854
• /
• 2005

Since the propagation speed of the Internet worms is quite fast, worm detection in early propagation stage is very important for reducing the damage. Virus throttling technique, one of many early worm detection techniques, detects the Internet worm propagation by limiting the connection requests within a certain ratio.[6, 7] The typical throttling technique increases the possibility of false detection by treating destination IP addresses independently in their delay queue managements. In addition, it uses a simple decision strategy that determines a worn intrusion if the delay queue is overflown. This paper proposes a two dimensional delay queue management technique in which the sessions with the same destination IP are linked and thus a IP is not stored more than once. The virus throttling technique with the proposed delay queue management can reduce the possibility of false worm detection, compared with the typical throttling since the proposed technique never counts the number of a IP more than once when it chicks the length of delay queue. Moreover, this paper proposes a worm detection algorithm based on weighted average queue length for reducing worm detection time and the number of worm packets, without increasing the length of delay queue. Through deep experiments, it is verified that the proposed technique taking account of the length of past delay queue as well as current delay queue forecasts the worn propagation earlier than the typical iuぉ throttling techniques do.

• Journal of KIISE:Information Networking
• /
• v.34 no.3
• /
• pp.186-192
• /
• 2007

The virus throttling technique[5,6] is the one of well-known worm early technique. Virus throttling reduce the worm propagration by delaying connection packets artificially. However the worm detection time is not sufficiently fast as expected when the worm generated worm packets at a low rate. This is because the virus throttling technique use only delay queue length. In this paper we use the trend of weighted average delay queue length (TW AQL). By using TW AQL, the worm detection time is not only shorten at a low rate Internet worm, but also the false alarm does not largely increase. By experiment, we also proved our proposed algorithm had better performance.

• The KIPS Transactions:PartC
• /
• v.13C no.5 s.108
• /
• pp.559-566
• /
• 2006

Virus throttling technique, one of many early worm detection techniques, detects the Internet worm propagation by limiting the connect requests within a certain ratio. The typical virus throttling detects worm occurrence by monitoring the length of delay queue with the fixed period of rate limiter. In this paper, we propose an algorithm that controls the period of rate limiter autonomically by utilizing the weighted average delay queue length and suggest various period determination policies that use the weighted average delay queue length as an input parameter. Through deep experiments, it is verified that the proposed technique is able to lessen inconvenience of users by reducing the connection delay time with haying just little effect on worm detection time.

• Journal of the Institute of Electronics Engineers of Korea CI
• /
• v.47 no.5
• /
• pp.67-74
• /
• 2010

Recently, the early detection and prevention of worm research is mainly studying based on the analysis of generalized worm propagation property. However, it is not easy to do Worm early detection with its attributes because the modeling method for Worm propagation is vague and not specified yet. Worm scanning method is exceedingly effect to Worm propagation process. This paper describes a modeling method and its simulations to estimate various worm growth patterns and their corresponding propagation algorithms. It also tests and varies the impact of various improvements, starting from a trivial simulation of worm propagation and the underlying network infrastructure. It attempts to determine the theoretical maximum propagation speed of worms and how it can be achieved. Moreover, we present the feasibility of the proposed model based on real testbed for verification.

• Journal of KIISE:Information Networking
• /
• v.35 no.6
• /
• pp.474-481
• /
• 2008

Scanning worm increases network traffic load and result in severe network congestion because it is a self-replicating worm and send copies of itself to a number of hosts through the Internet. So an early detection system which can automatically detect scanning worms is needed to protect network from those attacks. Although many studies are conducted to detect scanning worms, most of them are focusing on the method using packet header information. The method using packet header information has long detection delay since it must examine the header information of all packets entering or leaving the network. Therefore we propose an algorithm to detect scanning worms using network traffic characteristics such as variance of traffic volume, differentiated traffic volume, mean of differentiated traffic volume, and product of mean traffic volume and mean of differentiated traffic volume. We verified the proposed algorithm by analyzing the normal traffic captured in the real network and the worm traffic generated by simulator. The proposed algorithm can detect CodeRed and Slammer which are not detected by existing algorithm. In addition, all worms were detected in early stage: Slammer was detected in 4 seconds and CodeRed and Witty were detected in 11 seconds.

• Journal of KIISE:Computing Practices and Letters
• /
• v.15 no.9
• /
• pp.675-684
• /
• 2009

Internet worm can cause a traffic problem through DDoS(Distributed Denial of Services) or other kind of attacks. In those manners, it can compromise the internet infrastructure. In addition to this, it can intrude to important server and expose personal information to attacker. However, current detection and response mechanisms to worm have many vulnerabilities, because they only use local characteristic of worm or can treat known worms. In this paper, we propose a new framework to detect unknown worms. It uses macroscopic characteristic of worm to detect unknown worm early. In proposed idea, we define the macroscopic behavior of worm, propose a worm detection method to detect worm flow directly in IP packet networks, and show the performance of our system with simulations. In IP based method, we implement the proposed system and measure the time overhead to execute our system. The measurement shows our system is not too heavy to normal host users.

• Journal of KIISE:Computing Practices and Letters
• /
• v.12 no.6
• /
• pp.339-348
• /
• 2006

Recently, many researches on detecting and responding worms due to the fatal infrastructural damages explosively damaged by automated attack tools, particularly worms. Network service vulnerability exploiting worms have high propagation velocity, exhaust network bandwidth and even disrupt the Internet. Previous worm researches focused on signature-based approaches however these days, approaches based on behavioral features of worms are more highlighted because of their low false positive rate and the attainability of early detection. In this paper, we propose a Distributed Worm Detection Model based on packet marking. The proposed model detects Worm Cycle and Infection Chain among which the behavior features of worms. Moreover, it supports high scalability and feasibility because of its distributed reacting mechanism and low processing overhead. We virtually implement worm propagation environment and evaluate the effectiveness of detecting and responding worm propagation.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.32 no.1C
• /
• pp.67-77
• /
• 2007

Virus throttling technique, one of many early worm detection techniques, detects Internet worm propagation by limiting connect requests within a certain ratio. The typical virus throttling controls the period of rate limiter autonomically by utilizing weighted average delay queue length to reduce connection delay time without hanving a large effect on worm detection time. In the existing virus throttling research, a minimum period of variable rate limiter is fired and a turning point which is a point that the period of rate limiter has been being decreased and starts to be increased is also fixed. However, these two performance factors have different effects on worm detection time and connection delay. In this paper, we analyze the effect of minimum period and turning point of variable rate limiter, and then propose an algorithm which determines values of performance factors by referencing current traffic pattern. Through deep experiments, it is verified that the proposed technique is more efficient in respect of reducing worm detection time and connection delay than the existing virus throttling which fixed the performance factors.

• Journal of Information Processing Systems
• /
• v.5 no.1
• /
• pp.33-40
• /
• 2009

Ever since the network-based malicious code commonly known as a 'worm' surfaced in the early part of the 1980's, its prevalence has grown more and more. The RCS (Random Constant Spreading) worm has become a dominant, malicious virus in recent computer networking circles. The worm retards the availability of an overall network by exhausting resources such as CPU capacity, network peripherals and transfer bandwidth, causing damage to an uninfected system as well as an infected system. The generation and spreading cycle of these worms progress rapidly. The existing studies to counter malicious code have studied the Microscopic Model for detecting worm generation based on some specific pattern or sign of attack, thus preventing its spread by countering the worm directly on detection. However, due to zero-day threat actualization, rapid spreading of the RCS worm and reduction of survival time, securing a security model to ensure the survivability of the network became an urgent problem that the existing solution-oriented security measures did not address. This paper analyzes the recently studied efficient dynamic network. Essentially, this paper suggests a model that dynamically controls the RCS worm using the characteristics of Power-Law and depth distribution of the delivery node, which is commonly seen in preferential growth networks. Moreover, we suggest a model that dynamically controls the spread of the worm using information about the depth distribution of delivery. We also verified via simulation that the load for each node was minimized at an optimal depth to effectively restrain the spread of the worm.