An Email Worm Vaccine Architecture

Sidiroglou, Stelios; Ioannidis, John; Keromytis, Angelos D.; Stolfo, Salvatore

We present an architecture for detecting "zero-day" worms and viruses in incoming email. Our main idea is to intercept every incoming message, pre-scan it for potentially dangerous attachments, and deliver only those messages that are deemed safe. Unlike traditional scanning techniques that rely on some form of pattern matching (signatures), we use behavior-based anomaly detection. Under our approach, we "open" all suspicious attachments inside an instrumented virtual machine, looking for dangerous actions such as writing to the Windows registry, and flag suspicious messages. The attachment processing can be offloaded to a cluster of ancillary machines (as many as are needed to keep up with a site's email load), thus imposing no computational load on the mail server. Flagged messages are put in a "quarantine" area for further, more labor-intensive processing. Our implementation shows that we can use a large number of malware-checking VMs operating in parallel to cope with high loads. Finally, we show that we are able to detect the actions of all malicious software we tested, while keeping the false positive rate under 5%.

Also Published In

Title
Information Security Practice and Experience: First International Conference, ISPEC 2005, Singapore, April 11-14, 2005: Proceedings
DOI
https://doi.org/10.1007/978-3-540-31979-5_9

More About This Work

Academic Units
Computer Science
Publisher
Springer
Series
Lecture Notes in Computer Science, 3439
Published Here
June 28, 2012