Implementing and testing a virus throttle

Jamie Twycross, Matthew M. Williamson
Trusted Systems Laboratory
HP Laboratories Bristol
HPL-2003-103
May 21st, 2003*

Email: jamie@milieu3.net, matthew.williamson@hp.com

In this paper we build on previous theoretical work and describe the implementation and testing of a virus throttle - a program, based on a new approach, that is able to substantially reduce the spread of and hence damage caused by mobile code such as worms and viruses. Our approach is different from current, signature-based anti-virus paradigms in that it identifies potential viruses based on their network behaviour and, instead of preventing such programs from entering a system, seeks to prevent them from leaving. The results presented here show that such an approach is effective in stopping the spread of a real worm, W32/Nimda-D, in under a second, as well as several different configurations of a test worm.
* Internal Accession Date Only
Approved for External Publication
Proceedings 12th USENIX Security Symposium, 4-8 August 2003, Washington, DC, USA
© Copyright Hewlett-Packard Company 2003