Robust Reactions to Potential Day-Zero Worms Through Cooperation and Validation

  • Conference paper
Information Security (ISC 2006)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 4176)

Abstract

Cooperative defensive systems communicate and cooperate in their response to worm attacks, but determine the presence of a worm attack solely on local information. Distributed worm detection and immunization systems track suspicious behavior at multiple cooperating nodes to determine whether a worm attack is in progress. Earlier work has shown that cooperative systems can respond quickly to day-zero worms, while distributed defensive systems allow detectors to be more conservative (i.e. paranoid) about potential attacks because they manage false alarms efficiently.

In this paper we begin a preliminary investigation into the complex tradeoffs in such systems between communication costs, computation overhead, accuracy of the local tests, estimation of viral virulence, and the fraction of the network infected before the attack crests. We evaluate the effectiveness of different system configurations in various simulations. Our experiments show that distributed algorithms are better able to balance effectiveness against viruses with reduced cost in computation and communication when faced with false alarms. Furthermore, cooperative, distributed systems seem more robust against malicious participants in the immunization system than earlier cooperative but non-distributed approaches.



© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Anagnostakis, K., Ioannidis, S., Keromytis, A.D., Greenwald, M.B. (2006). Robust Reactions to Potential Day-Zero Worms Through Cooperation and Validation. In: Katsikas, S.K., López, J., Backes, M., Gritzalis, S., Preneel, B. (eds) Information Security. ISC 2006. Lecture Notes in Computer Science, vol 4176. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11836810_31

  • DOI: https://doi.org/10.1007/11836810_31

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-38341-3

  • Online ISBN: 978-3-540-38343-7

  • eBook Packages: Computer Science (R0)
