Limiting Self-Propagating Malware Based on Connection Failure Behavior through Hyper-Compact Estimators
Self-propagating malware (e.g., an Internet worm) exploits security loopholes
in software to infect servers and then use them to scan the Internet for more
vulnerable servers. While the mechanisms of worm infection and their
propagation models are well understood, defense against worms remains an open
problem. One branch of defense research investigates the behavioral difference
between worm-infected hosts and normal hosts to set them apart. One particular
observation is that a worm-infected host, which scans the Internet with
randomly selected addresses, has a much higher connection-failure rate than a
normal host. Rate-limit algorithms have been proposed to control the spread of
worms by traffic shaping based on connection failure rate. However, these
rate-limit algorithms can work properly only if it is possible to measure
failure rates of individual hosts efficiently and accurately. This paper points
out a serious problem in the prior method. To address this problem, we first
propose a solution based on a highly efficient double-bitmap data structure,
which places only a small memory footprint on the routers, while providing good
measurement of connection failure rates whose accuracy can be tuned by system
parameters. Furthermore, we propose another solution based on a shared register
array data structure, achieving better memory efficiency and a much larger
estimation range than our double-bitmap solution.

Comment: International Journal of Network Security & Its Applications (IJNSA)
Vol.8, No.1, January 201