Code-Red

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Code-Red: a case study on the spread and victims of an internet worm

Full text

Pdf (1.11 MB)

Source

Internet Measurement Conference archive
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment table of contents

Marseille, France

SESSION: Session 9: traffic analysis table of contents

Pages: 273 - 284

Year of Publication: 2002

ISBN:1-58113-603-X

Authors

David Moore	CAIDA, San Diego Supercomputer Center, University of California, San Diego
Colleen Shannon	CAIDA, San Diego Supercomputer Center, University of California, San Diego
k claffy	CAIDA, San Diego Supercomputer Center, University of California, San Diego

Sponsor

SIGCOMM: ACM Special Interest Group on Data Communication

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 19, Downloads (12 Months): 145, Citation Count: 93

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/637201.637244 What is a DOI?

ABSTRACT

On July 19, 2001, more than 359,000 computers connected to the Internet were infected with the Code-Red (CRv2) worm in less than 14 hours. The cost of this epidemic, including subsequent strains of Code-Red, is estimated to be in excess of $2.6 billion. Despite the global damage caused by this attack, there have been few serious attempts to characterize the spread of the worm, partly due to the challenge of collecting global information about worms. Using a technique that enables global detection of worm spread, we collected and analyzed data over a period of 45 days beginning July 2nd, 2001 to determine the characteristics of the spread of Code-Red throughout the Internet.In this paper, we describe the methodology we use to trace the spread of Code-Red, and then describe the results of our trace analyses. We first detail the spread of the Code-Red and CodeRedII worms in terms of infection and deactivation rates. Even without being optimized for spread of infection, Code-Red infection rates peaked at over 2,000 hosts per minute. We then examine the properties of the infected host population, including geographic location, weekly and diurnal time effects, top-level domains, and ISPs. We demonstrate that the worm was an international event, infection activity exhibited time-of-day effects, and found that, although most attention focused on large corporations, the Code-Red worm primarily preyed upon home and small business users. We also qualified the effects of DHCP on measurements of infected hosts and determined that IP addresses are not an accurate measure of the spread of a worm on timescales longer than 24 hours. Finally, the experience of the Code-Red worm demonstrates that wide-spread vulnerabilities in Internet hosts can be exploited quickly and dramatically, and that techniques other than host patching are required to mitigate Internet worms.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	E. Spafford, "The internet worm: Crisis and aftermath," 1989.
	2	Charles Schmidt and Tom Darby, "The Morris Internet Worm," Tech. Rep., http://www.software.com.pl/newarchive/misc/Worm/darbyt/pages/history.html.
	3	John F. Shoch , Jon A. Hupp, The “worm” programs—early experience with a distributed computation, Communications of the ACM, v.25 n.3, p.172-180, March 1982 [doi>10.1145/358453.358455]
	4	CERT Coordination Center, "CERT Advisory CA-1989-04 WANK Worm On SPAN Network," http://www.cert.org/advisories/CA-1989-04.html.
	5	Max Vision, "Ramen Internet Worm Analysis," http://www.whitehats.com/library/worms/ramen/.
	6	SANS Global Incident Analysis Center, "Lion Worm," http://www.sans.org/y2k/lion.htm.
	7	Computer Economics, "2001 economic impact of malicious code attacks," http://www.computereconomics.com/cei/press/pr92101.html.
	8	eEye Digital Security, "Advisories and Alerts: AD20010618," http://www.eeye.com/html/Research/Advisories/AD20010618.html.
	9	Microsoft, "A Very Real and Present Threat to the Internet," http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/codealrt.asp.
	10	eEye Digital Security, "Advisories and Alerts: .ida "Code Red" Worm," July 2001, http://www.eeye.com/html/Research/Advisories/AL20010717.html.
	11	Silicon Defense, "Code Red Analysis page," http://www.silicondefense.com/cr/.
	12	Cisco Systems, Inc, "Cisco Security Advisory: "Code Red" Worm - Customer Impact," http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml.
	13	eEye Digital Security, "CodeRedlI Worm Analysis," August 2001, http://www.eeye.com/html/Research/Advisories/AL20010804.html.
	14	SecurityFocus, "SecurityFocus Code Red II Information Headquarters," http://aris.securityfocus.com/alerts/codered2/.
	15	"Cisco NetFlow," http://www.cisco.com/warp/public/732/netflow/.
	16	Vern Paxson, Bro: a system for detecting network intruders in real-time, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.31 n.23-24, p.2435-2463, Dec. 1999 [doi>10.1016/S1389-1286(99)00112-7]
	17	eEye Digital Security, "eEye Code Red analysis, commented disassembly, full IDA database, and binary of the worm;" http://www.eeye.com/html/advisories/codered.zip.
	18	Ixiacom IxMapping, "Ixmapping," http://www.ipmapper.com.
	19	David Moore, Geoffrey M. Voelker, and Stefan Savage, "Inferring Internet Denial-of-Service Activity," Usenix Security Symposium, 2001.
	20	Dug Song and Rob Malan and Robert Stone, "A Snapshot of Global Internet Worm Activity," http://research.arbor.net/up_media/up_files/snapshot_worm_activity_f.ps.
	21	Netsizer, "Evaluating the size of the internet," http://www.netsizer.com.

CITED BY 93

	Gaurav S. Kc , Angelos D. Keromytis , Vassilis Prevelakis, Countering code-injection attacks with instruction-set randomization, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA
	Darrell M. Kienzle , Matthew C. Elder, Recent worms: a survey and trends, Proceedings of the 2003 ACM workshop on Rapid malcode, October 27-27, 2003, Washington, DC, USA
	Nicholas Weaver , Vern Paxson , Stuart Staniford , Robert Cunningham, A taxonomy of computer worms, Proceedings of the 2003 ACM workshop on Rapid malcode, October 27-27, 2003, Washington, DC, USA
	Michael Liljenstam , David M. Nicol , Vincent H. Berk , Robert S. Gray, Simulating realistic network worm traffic for worm warning system design and testing, Proceedings of the 2003 ACM workshop on Rapid malcode, October 27-27, 2003, Washington, DC, USA
	Cliff Changchun Zou , Weibo Gong , Don Towsley, Worm propagation modeling and analysis under dynamic quarantine defense, Proceedings of the 2003 ACM workshop on Rapid malcode, October 27-27, 2003, Washington, DC, USA
	David Moore , Vern Paxson , Stefan Savage , Colleen Shannon , Stuart Staniford , Nicholas Weaver, Inside the Slammer Worm, IEEE Security and Privacy, v.1 n.4, p.33-39, July 2003
	Cliff Changchun Zou , Lixin Gao , Weibo Gong , Don Towsley, Monitoring and early warning for internet worms, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA
	Tom Anderson , Timothy Roscoe , David Wetherall, Preventing Internet denial-of-service with capabilities, ACM SIGCOMM Computer Communication Review, v.34 n.1, January 2004
	Nicholas Weaver , Ihab Hamadeh , George Kesidis , Vern Paxson, Preliminary results using scale-down to explore worm dynamics, Proceedings of the 2004 ACM workshop on Rapid malcode, October 29-29, 2004, Washington DC, USA
	Jintao Xiong, ACT: attachment chain tracing scheme for email virus detection and control, Proceedings of the 2004 ACM workshop on Rapid malcode, October 29-29, 2004, Washington DC, USA
	Helen J. Wang , Chuanxiong Guo , Daniel R. Simon , Alf Zugenmaier, Shield: vulnerability-driven network filters for preventing known vulnerability exploits, ACM SIGCOMM Computer Communication Review, v.34 n.4, October 2004
	Phillip Porras , Linda Briesemeister , Keith Skinner , Karl Levitt , Jeff Rowe , Yu-Cheng Allen Ting, A hybrid quarantine defense, Proceedings of the 2004 ACM workshop on Rapid malcode, October 29-29, 2004, Washington DC, USA
	Arno Wagner , Thomas Dübendorfer , Bernhard Plattner , Roman Hiestand, Experiences with worm propagation simulations, Proceedings of the 2003 ACM workshop on Rapid malcode, October 27-27, 2003, Washington, DC, USA
	Ruoming Pang , Vinod Yegneswaran , Paul Barford , Vern Paxson , Larry Peterson, Characteristics of internet background radiation, Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, October 25-27, 2004, Taormina, Sicily, Italy
	Wu-chang Feng, The case for TCP/IP puzzles, ACM SIGCOMM Computer Communication Review, v.33 n.4, October 2003
	Moheeb Abu Rajab , Fabian Monrose , Andreas Terzis, Worm evolution tracking via timing analysis, Proceedings of the 2005 ACM workshop on Rapid malcode, November 11-11, 2005, Fairfax, VA, USA
	Stuart Staniford , David Moore , Vern Paxson , Nicholas Weaver, The top speed of flash worms, Proceedings of the 2004 ACM workshop on Rapid malcode, October 29-29, 2004, Washington DC, USA
	Helayne T. Ray , Raghunath Vemuri , Hariprasad R. Kantubhukta, Toward an Automated Attack Model for Red Teams, IEEE Security and Privacy, v.3 n.4, p.18-25, July 2005
	Michael Vrable , Justin Ma , Jay Chen , David Moore , Erik Vandekieft , Alex C. Snoeren , Geoffrey M. Voelker , Stefan Savage, Scalability, fidelity, and containment in the potemkin virtual honeyfarm, ACM SIGOPS Operating Systems Review, v.39 n.5, December 2005
	Michael Bailey , Evan Cooke , Farnam Jahanian , David Watson , Jose Nazario, The Blaster Worm: Then and Now, IEEE Security and Privacy, v.3 n.4, p.26-31, July 2005
	S. Antonatos , P. Akritidis , E. P. Markatos , K. G. Anagnostakis, Defending against hitlist worms using network address space randomization, Proceedings of the 2005 ACM workshop on Rapid malcode, November 11-11, 2005, Fairfax, VA, USA
	Justin Ma , Geoffrey M. Voelker , Stefan Savage, Self-stopping worms, Proceedings of the 2005 ACM workshop on Rapid malcode, November 11-11, 2005, Fairfax, VA, USA
	Kurt Rohloff , Tamer Başar, The detection of RCS worm epidemics, Proceedings of the 2005 ACM workshop on Rapid malcode, November 11-11, 2005, Fairfax, VA, USA
	David W. Richardson , Steven D. Gribble , Edward D. Lazowska, The limits of global scanning worm detectors in the presence of background noise, Proceedings of the 2005 ACM workshop on Rapid malcode, November 11-11, 2005, Fairfax, VA, USA
	Cliff C. Zou , Weibo Gong , Don Towsley , Lixin Gao, The monitoring and early detection of internet worms, IEEE/ACM Transactions on Networking (TON), v.13 n.5, p.961-974, October 2005
	Zesheng Chen , Chuanyi Ji, A self-learning worm using importance scanning, Proceedings of the 2005 ACM workshop on Rapid malcode, November 11-11, 2005, Fairfax, VA, USA
	Bryan Parno , Mema Roussopoulos, Defending a P2P Digital Preservation System, IEEE Transactions on Dependable and Secure Computing, v.1 n.4, p.209-222, October 2004
	David M. Nicol , William H. Sanders , Kishor S. Trivedi, Model-Based Evaluation: From Dependability to Security, IEEE Transactions on Dependable and Secure Computing, v.1 n.1, p.48-65, January 2004
	David Brumley , Li-Hao Liu , Pongsin Poosankam , Dawn Song, Design space and analysis of worm defense strategies, Proceedings of the 2006 ACM Symposium on Information, computer and communications security, March 21-24, 2006, Taipei, Taiwan
	Jarmo Mölsä, Mitigating denial of service attacks: a tutorial, Journal of Computer Security, v.13 n.6, p.807-837, December 2005
	Cliff C. Zou , Don Towsley , Weibo Gong, On the performance of internet worm scanning strategies, Performance Evaluation, v.63 n.7, p.700-723, July 2006
	David S. Anderson , Chris Fleizach , Stefan Savage , Geoffrey M. Voelker, Spamscatter: characterizing internet scam hosting infrastructure, Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, p.1-14, August 06-10, 2007, Boston, MA
	Karim El Defrawy , Minas Gjoka , Athina Markopoulou, BotTorrent: misusing BitTorrent to launch DDoS attacks, Proceedings of the 3rd USENIX workshop on Steps to reducing unwanted traffic on the internet, p.1-6, June 18, 2007, Santa Clara, CA
	Duc T. Ha , Hung Q. Ngo, On the trade-off between speed and resiliency of flashworms and similar malcodes, Proceedings of the 2007 ACM workshop on Recurring malcode, November 02-02, 2007, Alexandria, Virginia, USA
	Hui He , Ming-Zeng Hu , Wei-Zhe Zhang , Hong-Li Zhang, A worm early detection system based on multi-similarity, Proceedings of the 9th WSEAS International Conference on Communications, p.1-7, July 14-16, 2005, Athens, Greece
	Jedidiah R. Crandall , Frederic T. Chong, Minos: Control Data Attack Prevention Orthogonal to Memory Model, Proceedings of the 37th annual IEEE/ACM International Symposium on Microarchitecture, p.221-232, December 04-08, 2004, Portland, Oregon
	Jedidiah R. Crandall , S. Felix Wu , Frederic T. Chong, Minos: Architectural support for protecting control data, ACM Transactions on Architecture and Code Optimization (TACO), v.3 n.4, p.359-389, December 2006
	Jedidiah R. Crandall , Gary Wassermann , Daniela A. S. de Oliveira , Zhendong Su , S. Felix Wu , Frederic T. Chong, Temporal search: detecting hidden malware timebombs with virtual machines, ACM SIGPLAN Notices, v.41 n.11, November 2006
	Srinivas Shakkottai , R. Srikant, Peer to peer networks for defense against internet worms, Proceedings from the 2006 workshop on Interdisciplinary systems approach in performance evaluation and design of computer & communications sytems, October 14-14, 2006, Pisa, Italy
	Jing Su , Kelvin K. W. Chan , Andrew G. Miklas , Kenneth Po , Ali Akhavan , Stefan Saroiu , Eyal de Lara , Ashvin Goel, A preliminary investigation of worm infections in a bluetooth environment, Proceedings of the 4th ACM workshop on Recurring malcode, November 03-03, 2006, Alexandria, Virginia, USA
	Andrew Kalafut , Abhinav Acharya , Minaxi Gupta, A study of malware in peer-to-peer networks, Proceedings of the 6th ACM SIGCOMM on Internet measurement, October 25-27, 2006, Rio de Janeriro, Brazil
	Cliff C. Zou , Don Towsley , Weibo Gong , Songlin Cai, Advanced Routing Worm and Its Security Challenges, Simulation, v.82 n.1, p.75-85, January 2006
	Richard Ford , Mark Bush , Alex Boulatov, Internet instability and disturbance: goal or menace?, Proceedings of the 2005 workshop on New security paradigms, September 20-23, 2005, Lake Arrowhead, California
	Guanling Chen , Robert S. Gray, Simulating non-scanning worms on peer-to-peer networks, Proceedings of the 1st international conference on Scalable information systems, p.29-es, May 30-June 01, 2006, Hong Kong
	Songqing Chen , Xinyuan Wang , Lei Liu , Xinwen Zhang, WormTerminator: an effective containment of unknown and polymorphic fast spreading worms, Proceedings of the 2006 ACM/IEEE symposium on Architecture for networking and communications systems, December 03-05, 2006, San Jose, California, USA
	Terrence August , Tunay I. Tunca, Network Software Security and User Incentives, Management Science, v.52 n.11, p.1703-1720, November 2006
	S. Antonatos , P. Akritidis , E. P. Markatos , K. G. Anagnostakis, Defending against hitlist worms using network address space randomization, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.12, p.3471-3490, August, 2007
	Songjie Wei , Jelena Mirkovic, A realistic simulation of internet-scale events, Proceedings of the 1st international conference on Performance evaluation methodolgies and tools, October 11-13, 2006, Pisa, Italy
	Surasak Sanguanpong , Urupoj Kanlayasiri, Worm damage minimization in enterprise networks, International Journal of Human-Computer Studies, v.65 n.1, p.3-16, January, 2007
	Flavio Junqueira , Ranjita Bhagwan , Keith Marzullo , Stefan Savage , Geoffrey M. Voelker, The phoenix recovery system: rebuilding from the ashes of an internet catastrophe, Proceedings of the 9th conference on Hot Topics in Operating Systems, p.13-13, May 18-21, 2003, Lihue, Hawaii
	Hyang-Ah Kim , Brad Karp, Autograph: toward automated, distributed worm signature detection, Proceedings of the 13th conference on USENIX Security Symposium, p.19-19, August 09-13, 2004, San Diego, CA
	John Bethencourt , Jason Franklin , Mary Vernon, Mapping internet sensors with probe response attacks, Proceedings of the 14th conference on USENIX Security Symposium, p.13-13, July 31-August 05, 2005, Baltimore, MD
	Niels Provos, A virtual honeypot framework, Proceedings of the 13th conference on USENIX Security Symposium, p.1-1, August 09-13, 2004, San Diego, CA
	Andreas Haeberlen , Alan Mislove , Peter Druschel, Glacier: highly durable, decentralized storage despite massive correlated failures, Proceedings of the 2nd conference on Symposium on Networked Systems Design & Implementation, p.143-158, May 02-04, 2005
	Eric Rescorla, Security holes... who cares?, Proceedings of the 12th conference on USENIX Security Symposium, p.6-6, August 04-08, 2003, Washington, DC
	Marianne Shaw, Leveraging good intentions to reduce unwanted network traffic, Proceedings of the 2nd conference on Steps to Reducing Unwanted Traffic on the Internet, p.9-9, July 07, 2006, San Jose, CA
	Stefan Saroiu , Steven D. Gribble , Henry M. Levy, Measurement and analysis of spywave in a university environment, Proceedings of the 1st conference on Symposium on Networked Systems Design and Implementation, p.11-11, March 29-31, 2004, San Francisco, California
	Sumeet Singh , Cristian Estan , George Varghese , Stefan Savage, Automated worm fingerprinting, Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation, p.4-4, December 06-08, 2004, San Francisco, CA
	Flavio Junqueira , Ranjita Bhagwan , Alejandro Hevia , Keith Marzullo , Geoffrey M. Voelker, Surviving internet catastrophes, Proceedings of the USENIX Annual Technical Conference 2005 on USENIX Annual Technical Conference, p.4-4, April 10-15, 2005, Anaheim, CA
	Terrence August , Tunay I. Tunca, Network Software Security and User Incentives, Management Science, v.52 n.11, p.1703-1720, November 2006
	David M. Nicol , Steve Hanna , Frank Stratton , William H. Sanders, Modeling and analysis of worm defense using stochastic activity networks, Proceedings of the 2007 spring simulation multiconference, p.349-355, March 25-29, 2007, Norfolk, Virginia
	Anirudh Ramachandran , Nick Feamster, Understanding the network-level behavior of spammers, ACM SIGCOMM Computer Communication Review, v.36 n.4, October 2006
	Attila Ondi , Richard Ford, Modeling malcode with Hephaestus: beyond simple spread, Proceedings of the 45th annual southeast regional conference, March 23-24, 2007, Winston-Salem, North Carolina
	John C. McEachen , Cheng Wai Kah, An analysis of distributed sensor data aggregation for network intrusion detection, Microprocessors & Microsystems, v.31 n.4, p.263-272, June, 2007
	Shad Stafford , Jun Li , Toby Ehrenkranz, Enhancing SWORD to Detect Zero-Day-Worm-Infected Hosts, Simulation, v.83 n.2, p.199-212, February 2007
	Qunwei Zheng , Sibabrata Ray , Xiaoyan Hong , Lei Tang , Li Gao, Integrity and its applications, Proceedings of the 45th annual southeast regional conference, March 23-24, 2007, Winston-Salem, North Carolina
	Sehun Kim , Seong-jun Shin , Hyunwoo Kim , Ki Hoon Kwon , Younggoo Han, Hybrid Intrusion Forecasting Framework for Early Warning System, IEICE - Transactions on Information and Systems, v.E91-D n.5, p.1234-1241, May 2008
	Kurt R. Rohloff , Tamer Bacşar, Deterministic and stochastic models for the detection of random constant scanning worms, ACM Transactions on Modeling and Computer Simulation (TOMACS), v.18 n.2, p.1-24, April 2008
	Mohamed Abdelhafez , George Riley , Robert G. Cole , Nam Phamdo, Modeling and Simulations of TCP MANET Worms, Proceedings of the 21st International Workshop on Principles of Advanced and Distributed Simulation, p.123-130, June 12-15, 2007
	Songjie Wei , Jelena Mirkovic , Martin Swany, Distributed Worm Simulation with a Realistic Internet Model, Proceedings of the 19th Workshop on Principles of Advanced and Distributed Simulation, p.71-79, June 01-03, 2005
	Monirul I. Sharif , George F. Riley , Wenke Lee, Comparative Study between Analytical Models and Packet-Level Worm Simulations, Proceedings of the 19th Workshop on Principles of Advanced and Distributed Simulation, p.88-98, June 01-03, 2005
	Thorsten Holz , Moritz Steiner , Frederic Dahl , Ernst Biersack , Felix Freiling, Measurements and mitigation of peer-to-peer-based botnets: a case study on storm worm, Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats, p.1-9, April 15-15, 2008, San Francisco, California
	Shigang Chen , Yong Tang, DAW: A Distributed Antiworm System, IEEE Transactions on Parallel and Distributed Systems, v.18 n.7, p.893-906, July 2007
	Jens Grossklags , Nicolas Christin , John Chuang, Security and insurance management in networks with heterogeneous agents, Proceedings of the 9th ACM conference on Electronic commerce, July 08-12, 2008, Chicago, Il, USA
	Qinhua Zheng , Ting Liu , Xiaohong Guan , Yu Qu , Na Wang, A new worm exploiting IPv4-IPv6 dual-stack networks, Proceedings of the 2007 ACM workshop on Recurring malcode, November 02-02, 2007, Alexandria, Virginia, USA
	Oliver Sharma , Mark Girolami , Joseph Sventek, Detecting worm variants using machine learning, Proceedings of the 2007 ACM CoNEXT conference, December 10-13, 2007, New York, New York
	Jens Grossklags , Nicolas Christin , John Chuang, Secure or insure?: a game-theoretic analysis of information security games, Proceeding of the 17th international conference on World Wide Web, April 21-25, 2008, Beijing, China
	Robert Moskovitch , Yuval Elovici , Lior Rokach, Detection of unknown computer worms based on behavioral classification of the host, Computational Statistics & Data Analysis, v.52 n.9, p.4544-4566, May, 2008
	Chiou-Pirng Wang , Don Snyder , Kathaleena Monds, A conceptual framework for curbing the epidemic of information malice: e-hygiene model with a human-factor approach, International Journal of Information and Computer Security, v.1 n.4, p.455-465, October 2007
	Zesheng Chen , Chuanyi Ji, Optimal worm-scanning method using vulnerable-host distributions, International Journal of Security and Networks, v.2 n.1/2, p.71-80, March 2007
	Mark Allman , Vern Paxson , Jeff Terrell, A brief history of scanning, Proceedings of the 7th ACM SIGCOMM conference on Internet measurement, October 24-26, 2007, San Diego, California, USA
	Abhijit Bose , Kang G. Shin, On capturing malware dynamics in mobile power-law networks, Proceedings of the 4th international conference on Security and privacy in communication netowrks, September 22-25, 2008, Istanbul, Turkey
	Songjie Wei , Jelena Mirkovic, Correcting congestion-based error in network telescope's observations of worm dynamics, Proceedings of the 8th ACM SIGCOMM conference on Internet measurement, October 20-22, 2008, Vouliagmeni, Greece
	Wei Yu , Sriram Chellappan , Xun Wang , Dong Xuan, Peer-to-peer system-based active worm attacks: Modeling, analysis and defense, Computer Communications, v.31 n.17, p.4005-4017, November, 2008
	Min Cai , Kai Hwang , Jianping Pan , Christos Papadopoulos, WormShield: Fast Worm Signature Generation with Distributed Fingerprint Aggregation, IEEE Transactions on Dependable and Secure Computing, v.4 n.2, p.88-104, April 2007
	Xiaohong Guan , Wei Wang , Xiangliang Zhang, Fast intrusion detection based on a non-negative matrix factorization model, Journal of Network and Computer Applications, v.32 n.1, p.31-44, January, 2009
	Yong Tang , Shigang Chen, An Automated Signature-Based Approach against Polymorphic Internet Worms, IEEE Transactions on Parallel and Distributed Systems, v.18 n.7, p.879-892, July 2007
	Brian L. Sharp , Gregory D. Peterson , Lok Kwong Yan, Extending hardware based mandatory access controls for memory to multicore architectures, Proceedings of the 4th annual workshop on Cyber security and informaiton intelligence research: developing strategies to meet the cyber security and information intelligence challenges ahead, May 12-14, 2008, Oak Ridge, Tennessee
	Xiaowei Yang , David Wetherall , Thomas Anderson, TVA: a DoS-limiting network architecture, IEEE/ACM Transactions on Networking (TON), v.16 n.6, p.1267-1280, December 2008
	Manuel Costa , Jon Crowcroft , Miguel Castro , Antony Rowstron , Lidong Zhou , Lintao Zhang , Paul Barham, Vigilante: End-to-end containment of Internet worm epidemics, ACM Transactions on Computer Systems (TOCS), v.26 n.4, p.1-68, December 2008
	Frank Akujobi , Ioannis Lambadaris , Evangelos Kranakis, An integrated approach to detection of fast and slow scanning worms, Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, March 10-12, 2009, Sydney, Australia
	Zesheng Chen , Chao Chen , Yubin Li, Deriving a closed-form expression for worm-scanning strategies, International Journal of Security and Networks, v.4 n.3, p.135-144, July 2009
	Zesheng Chen , Chuanyi Ji, An information-theoretic view of network-aware malware attacks, IEEE Transactions on Information Forensics and Security, v.4 n.3, p.530-541, September 2009