Abstract
Cooperative defensive systems communicate and cooperate in their response to worm attacks, but determine the presence of a worm attack solely on local information. Distributed worm detection and immunization systems track suspicious behavior at multiple cooperating nodes to determine whether a worm attack is in progress. Earlier work has shown that cooperative systems can respond quickly to day-zero worms, while distributed defensive systems allow detectors to be more conservative (i.e. paranoid) about potential attacks because they manage false alarms efficiently.
In this paper we begin a preliminary investigation into the complex tradeoffs in such systems between communication costs, computation overhead, accuracy of the local tests, estimation of viral virulence, and the fraction of the network infected before the attack crests. We evaluate the effectiveness of different system configurations in various simulations. Our experiments show that distributed algorithms are better able to balance effectiveness against viruses with reduced cost in computation and communication when faced with false alarms. Furthermore, cooperative, distributed systems seem more robust against malicious participants in the immunization system than earlier cooperative but non-distributed approaches.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Cert Advisory CA-2003-04: MS-SQL Server Worm (January 2003), http://www.cert.org/advisories/CA-2003-04.html
Anagnostakis, K.G., Greenwald, M.B., Ioannidis, S., Keromytis, A.D., Li, D.: A Cooperative Immunization System for an Untrusting Internet. In: Proceedings of the 11th IEEE Internation Conference on Networking (ICON) (September/October 2003), pp. 403–408 (2003)
Anagnostakis, K.G., Greenwald, M.B., Ioannidis, S., Miltchev, S.: Open packet monitoring on FLAME: Safety, performance, and applications. In: Sterbenz, J.P.G., Takada, O., Tschudin, C.F., Plattner, B. (eds.) IWAN 2002. LNCS, vol. 2546, pp. 120–131. Springer, Heidelberg (2002)
Bailey, M., Cooke, E., Jahanian, F., Watson, D., Nazario, J.: The Blaster Worm: Then and Now. IEEE Security & Privacy 3(4), 26–31 (2005)
Bhattacharyya, M., Schultz, M.G., Eskin, E., Hershkop, S., Stolfo, S.J.: MET: An Experimental System for Malicious Email Tracking. In: Proceedings of the New Security Paradigms Workshop (NSPW) (September 2002), pp. 1–12 (2002)
Jung, J., Paxson, V., Berger, A.W., Balakrishnan, H.: Fast Portscan Detection Using Sequential Hypothesis Testing. In: Proceedings of the IEEE Symposium on Security and Privacy (May 2004)
Kannan, J., Subramanian, L., Stoica, I., Katz, R.H.: Analyzing Cooperative Containment of Fast Scanning Worms. In: Proceedings of Steps to Reducing Unwanted Traffic on the Internet Workshop (SRUTI), pp. 17–23 (July 2005)
Kim, H., Karp, B.: Autograph: Toward Automated, Distributed Worm Signature Detection. In: Proceedings of the 13th USENIX Security Symposium, pp. 271–286 (August 2004)
Levine, J.G., Grizzard, J.B., Owen, H.L.: Using Honeynets to Protect Large Enterprise Networks. IEEE Security & Privacy 2(6), 73–75 (2004)
Levy, E.: Approaching Zero. IEEE Security & Privacy 2(4), 65–66 (2004)
Locasto, M., Parekh, J., Stolfo, S., Keromytis, A., Malkin, T., Misra, V.: Collaborative Distributed Intrusion Detection. Technical Report CUCS-012-04, Columbia University Department of Computer Science (2004)
Moore, D., Shannon, C., Voelker, G., Savage, S.: Internet Quarantine: Requirements for Containing Self-Propagating Code. In: Proceedings of 22nd Annual Joint Conference of IEEE Computer and Communication societies (INFOCOM) (April 2003)
Nojiri, D., Rowe, J., Levitt, K.: Cooperative response strategies for large scale attack mitigation. In: Proceedings of the 3rd DARPA Information Survivability Conference and Exposition (April 2003)
Porras, P., Briesemeister, L., Levitt, K., Rowe, J., Ting, Y.-C.A.: A Hybrid Quarantine Defense. In: Proceedings of the ACM Workshop on Rapid Malcode (WORM) (October 2004), pp. 73–82 (2004)
Rajab, M.A., Monrose, F., Terzis, A.: On the Effectiveness of Distributed Worm Monitoring. In: Proceedings of the 14th USENIX Security Symposium, pp. 225–237 (August 2005)
Sidiroglou, S., Keromytis, A.D.: A Network Worm Vaccine Architecture. In: Proceedings of the IEEE Workshop on Enterprise Technologies: Infrastructure for Collaborative Enterprises (WETICE), Workshop on Enterprise Security (June 2003), pp. 220–225 (2003)
Singh, S., Estan, C., Varghese, G., Savage, S.: Automated worm fingerprinting. In: Proceedings of the 6th Symposium on Operating Systems Design & Implementation (OSDI) (December 2004)
Toyoizumi, H., Kara, A.: Predators: Good Will Mobile Codes Combat against Computer Viruses. In: Proceedings of the New Security Paradigms Workshop (NSPW), pp. 13–21 (September 2002)
Wu, J., Vangala, S., Gao, L., Kwiat, K.: An Effective Architecture and Algorithm for Detecting Worms with Various Scan Techniques. In: Proceedings of the Network and Distributed System Security (NDSS) Symposium, pp. 143–156 (February 2004)
Yegneswaran, V., Barford, P., Jha, S.: Global Intrusion Detection in the DOMINO Overlay System. In: Proceedings of NDSS (February 2004)
Zou, C.C., Gao, L., Gong, W., Towsley, D.: Monitoring and Early Warning for Internet Worms. In: Proceedings of the 10th ACM International Conference on Computer and Communications Security (CCS), October 2003, pp. 190–199 (2003)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Anagnostakis, K., Ioannidis, S., Keromytis, A.D., Greenwald, M.B. (2006). Robust Reactions to Potential Day-Zero Worms Through Cooperation and Validation. In: Katsikas, S.K., López, J., Backes, M., Gritzalis, S., Preneel, B. (eds) Information Security. ISC 2006. Lecture Notes in Computer Science, vol 4176. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11836810_31
Download citation
DOI: https://doi.org/10.1007/11836810_31
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-38341-3
Online ISBN: 978-3-540-38343-7
eBook Packages: Computer ScienceComputer Science (R0)