Extracting worm-infected hosts using white list

Noriaki Kamiyama*, Tatsuya Mori, Ryoichi Kawahara, Shigeaki Harada, Hideaki Yoshino

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contribution

2 Citations (Scopus)


In the Internet, the rapid spread of worms is a serious problem. In many cases, worm-infected hosts generate a huge amount of flows with small size to search for other target hosts by scanning. Therefore, we defined hosts generating many flows, i.e., more than or equal to the threshold during a measurement period, as superspreaders, and we proposed a method of identifying superspreaders by flow sampling. However, some legitimate hosts generating many flows, such as DNS servers, can also be superspreaders. Therefore, if we simply regulate all the identified superspreaders, e.g., limiting their flow generation rate or quarantining them, legitimate hosts identified as superspreaders are also regulated. Legitimate hosts generating many flows tend to be superspreaders in multiple continuous measurement periods. In this paper, we propose a method of extracting worm-infected hosts from identified superspreaders using a white list. We define two network statuses, a normal state and a worm-outbreak state. During the normal state, the IP addresses of identified superspreaders are inserted into the white list. During the worm outbreak state, worm-infected hosts are extracted from the identified superspreaders by comparing them with the host entries stored in the white list. Using an actual packet trace and a simulated abusive traffic, we demonstrate that many legitimate hosts are filtered from the identified superspreaders while suppressing the increase in incorrectly unextracted worm-infected hosts.

Original languageEnglish
Title of host publicationProceedings - 2008 International Symposium on Applications and the Internet, SAINT 2008
Number of pages8
Publication statusPublished - 2008
Externally publishedYes
Event2008 International Symposium on Applications and the Internet, SAINT 2008 - Turku, Finland
Duration: 2008 Jul 282008 Aug 1

Publication series

NameProceedings - 2008 International Symposium on Applications and the Internet, SAINT 2008


Conference2008 International Symposium on Applications and the Internet, SAINT 2008

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Computer Science Applications


Dive into the research topics of 'Extracting worm-infected hosts using white list'. Together they form a unique fingerprint.

Cite this