Abstract:
As email has become one of the most convenient and indispensable communication media in daily life, it is important to protect email users from the growing number of email worm attacks. In this paper, we present the architecture and system design of a “feedback email worm defense system” that protects email users in enterprise networks. The defense system is flexible and can integrate many existing detection techniques to provide effective and efficient email worm defense. First, in response to the “detection score” of a detected worm email and to information about the possible appearance of a malicious email worm in the global Internet, the defense system adaptively chooses a cost-effective defense action, ranging from simply labelling the email to aggressively deleting it from the email server. Second, the system uses a “honeypot” [13] both to thoroughly detect worm emails received by email servers and to detect early the presence of an email worm in the global Internet. Third, the defense system implements a “multi-sifting detection” technique and a “differential email service” to achieve accurate detection without introducing much delay for most emails. Furthermore, the defense system separates email attachments from email text and stores the attachments on separate “attachment caching servers”, which benefits both email worm detection and email service efficiency.
Citations
Newman, Strogatz, et al. Random graphs with arbitrary degree distributions and their applications. 2001.
Moore, Paxson, et al. Inside the Slammer worm.
Newman, Forrest, et al. Email networks and the spread of computer viruses.
Zou, Gong, et al. Worm propagation modeling and analysis under dynamic quarantine defense. 2003.
Schultz, Eskin, et al. Data mining methods for detection of new malicious executables. 2001.
Levine, LaBella, et al. The use of honeynets to detect exploited systems across large enterprise networks. 2002.
Bhattacharyya, Schultz, et al. MET: An experimental system for malicious email tracking. 2002.
Garetto, Gong, et al. Modeling malware spreading dynamics. 2003.
Gupta, Sekar. An approach for detecting self-propagating email using anomaly detection. 2003.
Briesemeister, Lincoln, et al. Epidemic profiles and defense of scale-free networks. 2003.
Zou, Towsley, et al. Email virus propagation modeling and analysis. 2002.
Balzer. Assuring the safety of opening email attachments. 2001.
CERT. Incident note IN-2004-01: W32/Novarg.A virus. 2004.
CERT. Incident note IN-2003-03: W32/Sobig.F worm. http://www.cert.org/incident notes/IN-2003-03.html. 2003.
CERT. Advisory CA-2001-22: W32/Sircam malicious code. 2001.
F-Secure. Virus descriptions: Bagle.Q. http://www.f-secure.com/v-descs/bagle q.shtml. 2004.
VMware, Inc. VMware: Virtual infrastructure. http://www.vmware.com/vinfrastructure.
News report. Melissa virus’ author owns up. 1999.
News report. Love bug costs billions. http://money.cnn.com/2000/05/05/technology/virus impact. 2000.
Osterman Research. Research white paper: The role of attachment caching in e-mail server consolidation. http://www.ostermanresearch.com/whitepapers/ download07.htm. 2004.
MessageLabs whitepaper. The convergence of viruses and spam: Lessons learned from the Sobig.F experience. http://www.messagelabs.com/microsites/MessageLabs. 2003.