Optimally Identifying Worm-Infected Hosts

Noriaki KAMIYAMA  Tatsuya MORI  Ryoichi KAWAHARA  Shigeaki HARADA  

Publication
IEICE TRANSACTIONS on Communications   Vol.E96-B   No.8   pp.2084-2094
Publication Date: 2013/08/01
Online ISSN: 1745-1345
Print ISSN: 0916-8516
Type of Manuscript: PAPER
Category: Network Management/Operation
Keyword: 
worm,  detection,  sampling,  optimum design,  

Full Text: PDF(1.3MB)
>>Buy this Article


Summary: 
We have proposed a method of identifying superspreaders by flow sampling and a method of filtering legitimate hosts from the identified superspreaders using a white list. However, the problem of how to optimally set parameters of φ, the measurement period length, m*, the identification threshold of the flow count m within φ, and H*, the identification probability for hosts with m=m*, remained unsolved. These three parameters seriously impact the ability to identify the spread of infection. Our contributions in this work are two-fold: (1) we propose a method of optimally designing these three parameters to satisfy the condition that the ratio of the number of active worm-infected hosts divided by the number of all vulnerable hosts is bound by a given upper-limit during the time T required to develop a patch or an anti-worm vaccine, and (2) the proposed method can optimize the identification accuracy of worm-infected hosts by maximally using a limited amount of memory resource of monitors.