Containing Hitlist-Based Worms with Polymorphic Signatures

Theodor Richardson, Chin-Tser Huang
Published in: 2007 16th International Conference on Computer Communications and Networks
Publication date: 2007-09-24
DOI: https://doi.org/10.1109/ICCCN.2007.4317891
Citations: 0

Abstract

Worms are a significant threat to network systems, both through resource consumption and malicious activity. This paper examines the spread of a class of hitlist-based worms that attempt to propagate by searching for address book files on the host system and using the host's mail program to spread to the addresses found. This threat becomes more severe when the worms are assumed to be polymorphic in nature - able to dynamically change their signature to elude capture. Because the method of propagation for these worms is predictable, it is possible to contain their spread through the use of honeytoken e-mail addresses in the client address book. Any e-mail received by the honeytoken address will be immediately recognized as malicious and can therefore be used to flag client machines as infected. This paper provides a complete description of a method to allow for better containment of this class of worms. The results of the proposed method are examined and compared to a previous method of capturing this type of worm.