ABSTRACT
The fast spreading worm is becoming one of the most serious threats to today's networked information systems. A fast spreading worm could infect hundreds of thousands of hosts within a few minutes. In order to stop a fast spreading worm, we need the capability to detect and contain worms automatically in real time. While signature-based worm detection and containment are effective in detecting and containing known worms, they are inherently ineffective against previously unknown worms and polymorphic worms. Existing approaches based on traffic anomaly patterns have the potential to detect and/or contain previously unknown and polymorphic worms, but they either impose too much constraint on normal traffic or allow too much infectious worm traffic to go out to the Internet before an unknown or polymorphic worm can be detected.

In this paper, we present WormTerminator, which can detect and completely contain, at least in theory, almost all fast spreading worms in real time while blocking virtually no normal traffic. WormTerminator detects and contains the fast spreading worm based on its defining characteristic: a fast spreading worm starts to infect others as soon as it has successfully infected one host. WormTerminator also exploits the observation that a fast spreading worm keeps exploiting the same set of vulnerabilities when infecting new machines. To prove the concept, we have implemented a prototype of WormTerminator and have examined its effectiveness against the real Internet worm Linux/Slapper.
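As an added illustration (not code from the paper or its prototype), the two observations in the abstract can be turned into a small stream detector over connection records: a host that, shortly after receiving a given (port, payload fingerprint) pair, sends that same pair to several distinct hosts is treated as freshly infected, and its further copies of that exploit are blocked while its other traffic passes. The record format, the SHA-256 fingerprint, the time window and the fan-out threshold are all assumptions chosen for the example.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    # Constructed connection record (an assumption, not the paper's format).
    ts: float       # seconds since start of capture
    src: str
    dst: str
    dport: int
    payload: bytes  # leading bytes of the request that would carry the exploit


def fingerprint(payload: bytes) -> str:
    # Assumption: a hash of the request bytes stands in for "the same exploit".
    return hashlib.sha256(payload).hexdigest()[:16]


class WormDetector:
    """A host counts as infected when, within `window` seconds of receiving
    a (port, fingerprint) pair, it sends that same pair to `min_targets`
    distinct hosts; from then on its copies of that exploit are blocked."""

    def __init__(self, window: float = 60.0, min_targets: int = 3):
        self.window = window
        self.min_targets = min_targets
        self.inbound = defaultdict(dict)   # host -> {(dport, fp): first_seen_ts}
        self.outbound = defaultdict(set)   # (host, (dport, fp)) -> {dst, ...}
        self.contained = {}                # host -> (dport, fp) being blocked

    def observe(self, c: Conn) -> str:
        """Return the verdict for one connection: 'allow' or 'block'."""
        key = (c.dport, fingerprint(c.payload))
        if self.contained.get(c.src) == key:
            return "block"                 # already contained: drop further copies
        first_seen = self.inbound[c.src].get(key)
        if first_seen is not None and 0 <= c.ts - first_seen <= self.window:
            targets = self.outbound[(c.src, key)]
            targets.add(c.dst)
            if len(targets) >= self.min_targets:
                self.contained[c.src] = key  # fan-out of a just-received exploit
                return "block"
        # Delivered: dst may now be infected, so remember what hit it and when.
        self.inbound[c.dst].setdefault(key, c.ts)
        return "allow"


def replay(conns, **kw) -> list:
    """Run a whole constructed trace through one detector and return verdicts."""
    det = WormDetector(**kw)
    return [det.observe(c) for c in conns]
```

Because the check keys on port and payload fingerprint rather than on volume alone, a host's unrelated traffic is never blocked, which is the property the abstract claims for the real system.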
Index Terms
- WormTerminator: an effective containment of unknown and polymorphic fast spreading worms