Publisher: Academy & Industry Research Collaboration Center (AIRCC)
Abstract: Self-propagating malware (e.g., an Internet worm) exploits security loopholes in software to infect servers and then use them to scan the Internet for more vulnerable servers. While the mechanisms of worm infection and their propagation models are well understood, defense against worms remains an open problem. One branch of defense research investigates the behavioral difference between worm-infected hosts and normal hosts to set them apart. One particular observation is that a worm-infected host, which scans the Internet with randomly selected addresses, has a much higher connection-failure rate than a normal host. Rate-limit algorithms have been proposed to control the spread of worms by traffic shaping based on connection failure rate. However, these rate-limit algorithms can work properly only if it is possible to measure failure rates of individual hosts efficiently and accurately. This paper points out a serious problem in the prior method and proposes a new solution based on a highly efficient double-bitmap data structure, which places only a small memory footprint on the routers, while providing good measurement of connection failure rates whose accuracy can be tuned by system parameters.