DOI: 10.1145/1103626.1103641

Host-based detection of worms through peer-to-peer cooperation

Published: 11 November 2005

Abstract

We propose a host-based, runtime defense against worms that achieves negligible risk of false positives through peer-to-peer cooperation. We view correlation among otherwise independent peers' behavior as anomalous behavior and as an indication of a fast-spreading worm. We detect correlation by exploiting worms' temporal consistency: the similarity (low temporal variance) of worms' invocations of system calls. We evaluate our ideas on Windows XP with Service Pack 2 using traces of nine variants of worms and twenty-five non-worms, including ten commercial applications and fifteen processes native to the platform. We find that two peers, upon exchanging snapshots of their internal behavior, defined as frequency distributions of system calls, can decide that they are, more likely than not, executing a worm between 76% and 97% of the time. More importantly, we find that the probability that peers might err, judging a non-worm a worm, is negligible.
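An added illustration of the snapshot exchange the abstract describes; this is not code from the paper, whose actual comparison procedure is not reproduced on this page. Each peer summarizes its recent system-call trace as a frequency distribution, the peers swap these snapshots, and each decides independently whether the received one is similar enough to its own to suggest a shared worm. The cosine-similarity metric, the 0.95 threshold and the call-count profiles are assumptions.

```python
from collections import Counter
from math import sqrt


def snapshot(trace):
    """Reduce a list of system-call names to a normalized frequency distribution.
    This is the 'snapshot of internal behavior' a peer would send to another."""
    counts = Counter(trace)
    total = sum(counts.values())
    return {name: n / total for name, n in counts.items()}


def cosine_similarity(p, q):
    """Similarity of two sparse distributions; an assumed metric, not the paper's."""
    dot = sum(v * q.get(k, 0.0) for k, v in p.items())
    norm_p = sqrt(sum(v * v for v in p.values()))
    norm_q = sqrt(sum(v * v for v in q.values()))
    return dot / (norm_p * norm_q) if norm_p and norm_q else 0.0


def judge(local_trace, remote_snapshot, threshold=0.95):
    """One peer's decision on receiving another's snapshot: is the remote behavior
    similar enough to its own to suggest a shared worm? Threshold is assumed."""
    return cosine_similarity(snapshot(local_trace), remote_snapshot) >= threshold


def exchange(trace_a, trace_b):
    """Both peers swap snapshots and judge independently; returns (a_says, b_says)."""
    return judge(trace_a, snapshot(trace_b)), judge(trace_b, snapshot(trace_a))


def trace_from_counts(counts):
    """Expand {call: count} into a flat trace (constructed sample data)."""
    return [name for name, n in counts.items() for _ in range(n)]


# Constructed profiles, not measurements from the paper. The two worm profiles
# differ slightly (host-to-host jitter) but share the same shape; the two benign
# workloads differ from each other and from the worm.
WORM_ON_A = {"NtCreateFile": 5, "NtWriteFile": 40, "NtDeviceIoControlFile": 120, "NtClose": 45}
WORM_ON_B = {"NtCreateFile": 6, "NtWriteFile": 38, "NtDeviceIoControlFile": 115, "NtClose": 44}
EDITOR = {"NtReadFile": 60, "NtWriteFile": 10, "NtQueryInformationFile": 25,
          "NtClose": 20, "NtWaitForSingleObject": 80}
BROWSER = {"NtDeviceIoControlFile": 30, "NtReadFile": 40, "NtAllocateVirtualMemory": 70,
           "NtClose": 15, "NtWaitForSingleObject": 50}

if __name__ == "__main__":
    print("worm/worm      ", exchange(trace_from_counts(WORM_ON_A), trace_from_counts(WORM_ON_B)))
    print("editor/browser ", exchange(trace_from_counts(EDITOR), trace_from_counts(BROWSER)))
    print("worm/editor    ", exchange(trace_from_counts(WORM_ON_A), trace_from_counts(EDITOR)))
```

Only the worm/worm pair clears the threshold; the benign pairs, whose distributions peak on different calls, stay well below it, which is the low-false-positive property the abstract claims.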



Published In

WORM '05: Proceedings of the 2005 ACM Workshop on Rapid Malcode
November 2005
94 pages
ISBN: 1595932291
DOI: 10.1145/1103626

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. P2P
2. Win32
3. native API
4. peer-to-peer
5. system calls
6. system services
7. temporal consistency
8. windows
9. worms

Qualifiers

• Article

Conference

CCS05
