Jae Hong Shim , Jang Bok Kim , Kyung Hee Choi , Qi Hyun Jung

The KIPS Transactions:PartC, Vol. 12, No. 6, pp. 847-854, Oct. 2005
10.3745/KIPSTC.2005.12.6.847,   PDF Download:

Abstract

Since the propagation speed of the Internet worms is quite fast, worm detection in early propagation stage is very important for reducing the damage. Virus throttling technique, one of many early worm detection techniques, detects the Internet worm propagation by limiting the connection requests within a certain ratio. The typical throttling technique increases the possibility of false detection by treating destination IP addresses independently in their delay queue managements. In addition, it uses a simple decision strategy that detemines a worm intrusion if the delay queue is overflown. This paper proposes a two dimensional delay queue management technique in which the sessions tith the same destination IP are linked and thus a IP is not sored more than once. The virus throttling technique with the proposed delay queue management can reduce the possibility of false worm detection, compared with the typical throttling since the proposed technique never counts the number of a IP more than once when it checks the length of delay queue. Moreover, this paper proposes a worm detection algorums based on weighted average queue length for reducing worm detection time and the number of worm packets, without increasing the length of delay queue. Through deep experiments, it is verified that the proposed technique taking account of the length of past delay qyeye as well as current delay queue forecasts the worm propagation earlier than the typical virus throttling techniques do.

Statistics
Cite this article