
An Email Worm Vaccine Architecture

  • Conference paper
Information Security Practice and Experience (ISPEC 2005)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 3439)

Abstract

We present an architecture for detecting “zero-day” worms and viruses in incoming email. Our main idea is to intercept every incoming message, pre-scan it for potentially dangerous attachments, and only deliver messages that are deemed safe. Unlike traditional scanning techniques that rely on some form of pattern matching (signatures), we use behavior-based anomaly detection. Under our approach, we “open” all suspicious attachments inside an instrumented virtual machine looking for dangerous actions, such as writing to the Windows registry, and flag suspicious messages. The attachment processing can be offloaded to a cluster of ancillary machines (as many as are needed to keep up with a site’s email load), thus not imposing any computational load on the mail server. Messages flagged are put in a “quarantine” area for further, more labor-intensive processing. Our implementation shows that we can use a large number of malware-checking VMs operating in parallel to cope with high loads. Finally, we show that we are able to detect the actions of all malicious software we tested, while keeping the false positive rate to under 5%.
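As an added illustration of the pipeline the abstract describes (example code, not the authors' implementation): the pre-scan step picks out attachments that warrant opening in the VM, the verdict rule flags any attachment whose observed behaviour includes a dangerous action such as a registry write, and a flagged message is routed to quarantine rather than delivered. The observed-action labels and the shape of the sandbox report are assumptions; the instrumented VM itself is out of scope here and its report is supplied as constructed input.

```python
from __future__ import annotations
import email
from email import policy
from email.message import EmailMessage

# Behaviours the abstract names as dangerous when observed in the instrumented VM.
# These action labels are an assumption of this example, not the paper's format.
DANGEROUS_ACTIONS = {"registry_write", "autostart_persist", "mass_mail"}

# Attachments worth opening in the VM: anything carrying a PE header ("MZ"), so a
# renamed executable is still caught, plus extensions Windows will run directly.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")

def suspicious_attachments(raw_message: bytes) -> list[str]:
    """Pre-scan step: return filenames of attachments to send to the sandbox."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "unnamed").lower()
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"MZ") or name.endswith(EXECUTABLE_EXTENSIONS):
            found.append(name)
    return found

def verdict(observed_actions: set[str]) -> str:
    """Behaviour-based rule: any dangerous action seen in the VM flags the file."""
    return "quarantine" if observed_actions & DANGEROUS_ACTIONS else "deliver"

def triage(raw_message: bytes, sandbox_report: dict[str, set[str]]) -> str:
    """Route a message; sandbox_report maps attachment name -> actions the VM saw."""
    for name in suspicious_attachments(raw_message):
        if verdict(sandbox_report.get(name, set())) == "quarantine":
            return "quarantine"
    return "deliver"

def constructed_message() -> bytes:
    """Constructed sample: a PE stub disguised as a PDF next to a harmless text file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "invoice"
    msg.set_content("see attached")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()
```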




Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Sidiroglou, S., Ioannidis, J., Keromytis, A.D., Stolfo, S.J. (2005). An Email Worm Vaccine Architecture. In: Deng, R.H., Bao, F., Pang, H., Zhou, J. (eds) Information Security Practice and Experience. ISPEC 2005. Lecture Notes in Computer Science, vol 3439. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-31979-5_9


  • DOI: https://doi.org/10.1007/978-3-540-31979-5_9

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-25584-0

  • Online ISBN: 978-3-540-31979-5

