{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T04:20:09Z","timestamp":1750306809914,"version":"3.41.0"},"reference-count":30,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2014,1,1]],"date-time":"2014-01-01T00:00:00Z","timestamp":1388534400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000144","name":"Division of Computer and Network Systems","doi-asserted-by":"publisher","award":["CNS-0509061, CNS-0746649, CNS-1117300"],"award-info":[{"award-number":["CNS-0509061, CNS-0746649, CNS-1117300"]}],"id":[{"id":"10.13039\/100000144","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100000181","name":"Air Force Office of Scientific Research","doi-asserted-by":"publisher","award":["FA9550-09-1-0071"],"award-info":[{"award-number":["FA9550-09-1-0071"]}],"id":[{"id":"10.13039\/100000181","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Auton. Adapt. Syst."],"published-print":{"date-parts":[[2014,1]]},"abstract":"<jats:p>The fast-spreading worm, which immediately propagates itself after a successful infection, is becoming one of the most serious threats to today\u2019s networked information systems. In this article, we present WormTerminator, a host-based solution for fast Internet worm detection and containment with the assistance of virtual machine techniques based on the fast-worm defining characteristic. In WormTerminator, a virtual machine cloning the host OS runs in parallel to the host OS. Thus, the virtual machine has the same set of vulnerabilities as the host. Any outgoing traffic from the host is diverted through the virtual machine. If the outgoing traffic from the host is for fast worm propagation, the virtual machine should be infected and will exhibit worm propagation pattern very quickly because a fast-spreading worm will start to propagate as soon as it successfully infects a host. To prove the concept, we have implemented a prototype of WormTerminator and have examined its effectiveness against the real Internet worm Linux\/Slapper. Our empirical results confirm that WormTerminator is able to completely contain worm propagation in real-time without blocking any non-worm traffic. The major performance cost of WormTerminator is a one-time delay to the start of each outgoing normal connection for worm detection. To reduce the performance overhead, caching is utilized, through which WormTerminator will delay no more than 6% normal outgoing traffic for such detection on average.<\/jats:p>","DOI":"10.1145\/2555615","type":"journal-article","created":{"date-parts":[[2014,2,4]],"date-time":"2014-02-04T14:16:21Z","timestamp":1391523381000},"page":"1-18","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["A Host-Based Approach for Unknown Fast-Spreading Worm Detection and Containment"],"prefix":"10.1145","volume":"8","author":[{"given":"Songqing","family":"Chen","sequence":"first","affiliation":[{"name":"George Mason University"}]},{"given":"Lei","family":"Liu","sequence":"additional","affiliation":[{"name":"George Mason University"}]},{"given":"Xinyuan","family":"Wang","sequence":"additional","affiliation":[{"name":"George Mason University"}]},{"given":"Xinwen","family":"Zhang","sequence":"additional","affiliation":[{"name":"Samsung Information Systems America"}]},{"given":"Zhao","family":"Zhang","sequence":"additional","affiliation":[{"name":"Iowa State University"}]}],"member":"320","published-online":{"date-parts":[[2014,1]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2006.41"},{"volume-title":"Proceedings of the IEEE Symposium on High Assurance System Engineering (HASE). 95--105","author":"Buchacker K.","key":"e_1_2_1_2_1","unstructured":"Buchacker , K. and Sieh , V . 2001. Framework for testing the fault-tolerance of systems including os and network aspects . In Proceedings of the IEEE Symposium on High Assurance System Engineering (HASE). 95--105 . Buchacker, K. and Sieh, V. 2001. Framework for testing the fault-tolerance of systems including os and network aspects. In Proceedings of the IEEE Symposium on High Assurance System Engineering (HASE). 95--105."},{"key":"e_1_2_1_3_1","unstructured":"Corey J. 2009 Advanced honeypot identification and exploitation. http:\/\/www.phrack.org\/fakes\/p63\/p63-0x09.txt.  Corey J. 2009 Advanced honeypot identification and exploitation. http:\/\/www.phrack.org\/fakes\/p63\/p63-0x09.txt."},{"volume-title":"Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS).","author":"Cui W.","key":"e_1_2_1_4_1","unstructured":"Cui , W. , Paxson , V. , Weaver , N. , and Katz , R . 2006. Protocol-independent adaptive replay of application dialog . In Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS). Cui, W., Paxson, V., Weaver, N., and Katz, R. 2006. Protocol-independent adaptive replay of application dialog. In Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS)."},{"key":"e_1_2_1_5_1","volume-title":"Proceedings of the Linux Showcase and Conference.","author":"Dike J.","year":"2000","unstructured":"Dike , J. 2000 . A user-mode port of the linux kernel . In Proceedings of the Linux Showcase and Conference. Dike, J. 2000. A user-mode port of the linux kernel. In Proceedings of the Linux Showcase and Conference."},{"key":"e_1_2_1_6_1","unstructured":"Hon. 2004. Honeyd security advisory 2004-001: Remonte detection via simple probe packet. http:\/\/www.honeyd.org\/adv.2004-01.asc.  Hon. 2004. Honeyd security advisory 2004-001: Remonte detection via simple probe packet. http:\/\/www.honeyd.org\/adv.2004-01.asc."},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1109\/MM.2004.1289290"},{"volume-title":"Proceedings of the 2nd International Conference on Security and Privacy in Communication Networks (SecureComm\u201906)","author":"Kataria G.","key":"e_1_2_1_8_1","unstructured":"Kataria , G. , Anand , G. , Araujo , R. , Krishnan , R. , and Perrig , A . 2006. A distributed stealthy coordination mechanism for worm synchronization . In Proceedings of the 2nd International Conference on Security and Privacy in Communication Networks (SecureComm\u201906) . Kataria, G., Anand, G., Araujo, R., Krishnan, R., and Perrig, A. 2006. A distributed stealthy coordination mechanism for worm synchronization. In Proceedings of the 2nd International Conference on Security and Privacy in Communication Networks (SecureComm\u201906)."},{"volume-title":"Proceedings of USENIX Security.","author":"Kim H.","key":"e_1_2_1_9_1","unstructured":"Kim , H. and Karp , B . 2004. Autograph: Toward automated distributed worm signature detection . In Proceedings of USENIX Security. Kim, H. and Karp, B. 2004. Autograph: Toward automated distributed worm signature detection. In Proceedings of USENIX Security."},{"volume-title":"Proceedings of the Annual USENIX Technical Conference.","author":"King S.","key":"e_1_2_1_10_1","unstructured":"King , S. , Dunlap , G. , and Chen , P . 2003. Operating system support for virtual machines . In Proceedings of the Annual USENIX Technical Conference. King, S., Dunlap, G., and Chen, P. 2003. Operating system support for virtual machines. In Proceedings of the Annual USENIX Technical Conference."},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/MM.2005.35"},{"volume-title":"Proceedings of HotNets.","author":"Kreibich C.","key":"e_1_2_1_12_1","unstructured":"Kreibich , C. and Crowcroft , J . 2003. Honeycomb - Creating intrusion detection signatures using honeypots . In Proceedings of HotNets. Kreibich, C. and Crowcroft, J. 2003. Honeycomb - Creating intrusion detection signatures using honeypots. In Proceedings of HotNets."},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2006.18"},{"key":"e_1_2_1_14_1","volume-title":"Proceedings of the IEEE Symposium on Security and Privacy.","volume":"1","author":"Moore D.","unstructured":"Moore , D. , Paxson , V. , Savage , S. , Shannon , C. , Staniford , S. , and Weaver , N . 2003. Inside the slammer worm . In Proceedings of the IEEE Symposium on Security and Privacy. Vol. 1 . Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., and Weaver, N. 2003. Inside the slammer worm. In Proceedings of the IEEE Symposium on Security and Privacy. Vol. 1."},{"key":"e_1_2_1_15_1","unstructured":"NSF. Malware immunization through deterrence and diversion. http:\/\/www.nsf.gov\/awardsearch\/showAward.do?AwardNumber=0650386.  NSF. Malware immunization through deterrence and diversion. http:\/\/www.nsf.gov\/awardsearch\/showAward.do?AwardNumber=0650386."},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1016\/S1389-1286(99)00112-7"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2006.26"},{"key":"e_1_2_1_18_1","volume-title":"Proceedings of the Conference on System Administration.","author":"Roesch M.","year":"1999","unstructured":"Roesch , M. 1999 . Snort: Lightweight intrusion detection for networks . In Proceedings of the Conference on System Administration. Roesch, M. 1999. Snort: Lightweight intrusion detection for networks. In Proceedings of the Conference on System Administration."},{"key":"e_1_2_1_19_1","unstructured":"Seifried K. 2002. Honeypotting with VMware basics. http:\/\/www.seifried.org\/security\/index.php.  Seifried K. 2002. Honeypotting with VMware basics. http:\/\/www.seifried.org\/security\/index.php."},{"key":"e_1_2_1_20_1","unstructured":"Singh S. Estan C. Varghese G. and Savage S. 2003. The earlybird system for real-time detection of unknown worms. Tech. rep. University of California San Diego.  Singh S. Estan C. Varghese G. and Savage S. 2003. The earlybird system for real-time detection of unknown worms. Tech. rep. University of California San Diego."},{"volume-title":"Proceedings of OSDI.","author":"Singh S.","key":"e_1_2_1_21_1","unstructured":"Singh , S. , Estan , C. , Varghese , G. , and Savage , S . 2004. Automated worm fingerprinting . In Proceedings of OSDI. Singh, S., Estan, C., Varghese, G., and Savage, S. 2004. Automated worm fingerprinting. In Proceedings of OSDI."},{"key":"e_1_2_1_22_1","unstructured":"SLA. http:\/\/www.symantec.com\/avcenter\/venc\/data\/linux.slapper.worm.html.  SLA. http:\/\/www.symantec.com\/avcenter\/venc\/data\/linux.slapper.worm.html."},{"key":"e_1_2_1_23_1","article-title":"Containment of scanning worms in enterprise networks","author":"Staniford S.","year":"2004","unstructured":"Staniford , S. 2004 . Containment of scanning worms in enterprise networks . J. Comput. Secur. Staniford, S. 2004. Containment of scanning worms in enterprise networks. J. Comput. Secur.","journal-title":"J. Comput. Secur."},{"volume-title":"Proceedings of the USENIX Technical Conference.","author":"Sugerman J.","key":"e_1_2_1_24_1","unstructured":"Sugerman , J. , Venkitachalam , G. , and Lim , B . 2001. Virtualizing I\/O devices on VMware workstation\u2019s hosted virtual machine monitor . In Proceedings of the USENIX Technical Conference. Sugerman, J., Venkitachalam, G., and Lim, B. 2001. Virtualizing I\/O devices on VMware workstation\u2019s hosted virtual machine monitor. In Proceedings of the USENIX Technical Conference."},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.5555\/1060289.1060307"},{"volume-title":"Proceedings of USENIX Security.","author":"Weaver N.","key":"e_1_2_1_26_1","unstructured":"Weaver , N. , Staniford , B. , and Paxson , V . 2004. Very fast containment of scanning worms . In Proceedings of USENIX Security. Weaver, N., Staniford, B., and Paxson, V. 2004. Very fast containment of scanning worms. In Proceedings of USENIX Security."},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.5555\/784592.784785"},{"key":"e_1_2_1_28_1","unstructured":"XEN (a). http:\/\/www.cl.cam.ac.uk\/research\/srg\/netos\/xen\/.  XEN (a). http:\/\/www.cl.cam.ac.uk\/research\/srg\/netos\/xen\/."},{"key":"e_1_2_1_29_1","unstructured":"XEN (b). http:\/\/www.xensource.com\/.  XEN (b). http:\/\/www.xensource.com\/."},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2006.38"}],"container-title":["ACM Transactions on Autonomous and Adaptive Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2555615","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2555615","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T07:35:05Z","timestamp":1750232105000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2555615"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2014,1]]},"references-count":30,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2014,1]]}},"alternative-id":["10.1145\/2555615"],"URL":"https:\/\/doi.org\/10.1145\/2555615","relation":{},"ISSN":["1556-4665","1556-4703"],"issn-type":[{"type":"print","value":"1556-4665"},{"type":"electronic","value":"1556-4703"}],"subject":[],"published":{"date-parts":[[2014,1]]},"assertion":[{"value":"2009-03-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2009-12-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2014-01-01","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}