effective way of detecting the “possibility” of worm infection and the suspicious location
by Unknown Authors
@MISC{_effectiveway,
author = {},
title = {effective way of detecting the “possibility ” of worm infection and the suspicious location},
year = {}
}
and alerting the administrator of the possibility and the location of worm infection.

Table 1: Number of days between patch and worm (columns: Name, Patch distribution, Birth of worm)

2. Worm infection routes

Worms infect systems via a variety of routes as services, OSs and applications become more diverse. Typical examples of how systems are infected by worms are shown below [3].

(1) mail attachment
(2) attack on a security hole via the network
(3) web browsing
(4) file sharing

In case (1), a system is infected when a user opens a file attached to a mail sent by another worm-infected host. Unlike a virus in the narrow sense, a worm is self-contained and does not need to be part of another program to propagate itself. So the damage spreads rather quickly through mails sent without the users' intention.

In case (2), worms try to detect and intrude on hosts with security holes in the OS and/or applications. During the time frame from the discovery of a security hole to the distribution of the patch program, hosts are unprotected and in a very dangerous situation.

In case (3), worms first infect web servers with security weaknesses and then distribute themselves to hosts that visit those servers.

In case (4), the worm is distributed via a file sharing system, which enables several hosts to share files.

The ways of infection are categorized into two groups: (a) user-assisted multiplication, which requires users' judgment and action, and (b) self-multiplication, which needs no user action. Cases (1), (3) and (4) fall into group (a), where infection can be controlled by users' judgment. Case (2), however, is the self-multiplication type, and its infection speed is rather faster than that of group (a). This paper tackles case (2), the self-multiplication type, and proposes a primary detection mechanism.

3. Existing worm detection methods and requirements to worm detection

3.1 Worm detection methods between patch and worm