TY - GEN
T1 - PWC
T2 - 3rd International Conference on Security and Privacy in Communication Networks, SecureComm
AU - Jhi, Yoon Chan
AU - Liu, Peng
AU - Li, Lunquan
AU - Gu, Qijun
AU - Jing, Jiwu
AU - Kesidis, George
PY - 2007/12/1
Y1 - 2007/12/1
N2 - We propose PWC, a proactive worm containment solution for enterprises. PWC can stop - instead of slowing down - an infected host from releasing worm scans as early as after merely 4 scans. Motivated by the observation that a worm uses a sustained outgoing packet rate, PWC gains infection awareness seconds before a signature or filter can be generated. To overcome denial-of-service possibly caused by such smoking signs of infection, PWC develops two new white detection (detecting who are uninfected) techniques: (a) the vulnerability time window lemma, and (b) the relaxation analysis. PWC is signature-free thus it is immunized from polymorphic worms and timely in containing. PWC is also resilient to containment evading. PWC is not sensitive to worm scan rate, and not protocol specific. Due to white detection, PWC causes minimal denial-ofservice. Evaluation based on real traces and worm simulations demonstrates that PWC significantly outperforms Virus Throttle [1] in terms of number of released worm scans, number of hosts infected by local scans, and availability.
AB - We propose PWC, a proactive worm containment solution for enterprises. PWC can stop - instead of slowing down - an infected host from releasing worm scans as early as after merely 4 scans. Motivated by the observation that a worm uses a sustained outgoing packet rate, PWC gains infection awareness seconds before a signature or filter can be generated. To overcome denial-of-service possibly caused by such smoking signs of infection, PWC develops two new white detection (detecting who are uninfected) techniques: (a) the vulnerability time window lemma, and (b) the relaxation analysis. PWC is signature-free thus it is immunized from polymorphic worms and timely in containing. PWC is also resilient to containment evading. PWC is not sensitive to worm scan rate, and not protocol specific. Due to white detection, PWC causes minimal denial-ofservice. Evaluation based on real traces and worm simulations demonstrates that PWC significantly outperforms Virus Throttle [1] in terms of number of released worm scans, number of hosts infected by local scans, and availability.
UR - http://www.scopus.com/inward/record.url?scp=51449093164&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=51449093164&partnerID=8YFLogxK
U2 - 10.1109/SECCOM.2007.4550364
DO - 10.1109/SECCOM.2007.4550364
M3 - Conference contribution
AN - SCOPUS:51449093164
SN - 1424409756
SN - 9781424409754
T3 - Proceedings of the 3rd International Conference on Security and Privacy in Communication Networks, SecureComm
SP - 433
EP - 442
BT - Proceedings of the 3rd International Conference on Security and Privacy in Communication Networks, SecureComm
Y2 - 17 September 2007 through 21 September 2007
ER -