Abstract
Collaborative environments present a happy hunting ground for worms because of the inherent trust among peers. We present a novel control-theoretic approach to responding to zero-day worms in a signature-independent fashion in a collaborative environment. A federation of collaborating peers shares information about anomalies to estimate the presence of a worm, and each peer independently chooses the most cost-optimal response from a given set of responses. The technique is designed to work when the presence of a worm is uncertain. It is unique in that the response is dynamic and self-regulating, driven by the current environment conditions. Distributed Sequential Hypothesis Testing is used to estimate the extent of worm infection in the environment. Response is formulated as a Dynamic Programming problem with imperfect state information. We present a solution and evaluate it in the presence of an Internet worm attack for various costs of infection and response.
A major contribution of this paper is the analytical formalization of the problem of optimal and cost-effective response to worms. The second contribution is an adaptive response design that minimizes the variety of worms that can succeed. This drives the attacker towards kinds of worms that can be detected by other means, which is in itself a success. Counter-intuitive results, such as leaving oneself open to infection being the cheapest option in certain scenarios, become apparent with our response model.
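The two ingredients named in the abstract, a sequential hypothesis test over peer-shared anomaly reports and a cost-minimizing response choice made while the worm's presence is still uncertain, can be sketched in a few lines. The block below is an added illustration, not code from the paper: it uses Wald's SPRT with assumed per-report anomaly rates, a one-step expected-cost decision instead of the paper's full dynamic program, and a hypothetical response menu (leave_open, rate_limit, quarantine) with made-up costs. It is enough to reproduce the counter-intuitive point that doing nothing is cheapest when the estimated infection probability and infection cost are both low.

```python
"""
Added illustration (not the paper's code): Wald's sequential probability
ratio test (SPRT) over 0/1 anomaly reports shared by collaborating peers,
followed by a one-step expected-cost response choice. The paper's
dynamic-programming model with imperfect state information is richer;
this only shows the two ingredients. All rates and costs are assumed.
"""
import math
from typing import Dict, Iterable, Tuple

# Assumed per-report probabilities (hypothetical numbers):
# P(a peer's report is anomalous | worm present) and P(... | no worm).
P_ANOM_WORM = 0.6
P_ANOM_BENIGN = 0.1


def sprt(reports: Iterable[int], alpha: float = 0.01, beta: float = 0.01,
         p1: float = P_ANOM_WORM, p0: float = P_ANOM_BENIGN) -> Tuple[str, float, int]:
    """Run Wald's SPRT on a stream of 0/1 anomaly reports.

    alpha/beta are the tolerated false-alarm and miss rates. Returns
    (verdict, final log-likelihood ratio, reports consumed), where verdict
    is 'worm', 'no_worm' or 'undecided' (stream ended before a threshold).
    """
    upper = math.log((1 - beta) / alpha)   # cross it: accept H1 (worm)
    lower = math.log(beta / (1 - alpha))   # cross it: accept H0 (no worm)
    llr = 0.0
    n = 0
    for r in reports:
        n += 1
        # Each report moves the log-likelihood ratio by its evidence weight.
        llr += math.log(p1 / p0) if r else math.log((1 - p1) / (1 - p0))
        if llr >= upper:
            return "worm", llr, n
        if llr <= lower:
            return "no_worm", llr, n
    return "undecided", llr, n


def posterior_worm(llr: float, prior: float = 0.05) -> float:
    """Posterior P(worm | reports) from the LLR and an assumed 5% prior."""
    prior_odds = prior / (1 - prior)
    post_odds = prior_odds * math.exp(llr)
    return post_odds / (1 + post_odds)


# Hypothetical response menu: name -> (cost of applying it,
# probability it prevents infection if a worm really is present).
RESPONSES: Dict[str, Tuple[float, float]] = {
    "leave_open": (0.0, 0.0),
    "rate_limit": (2.0, 0.5),
    "quarantine": (8.0, 1.0),
}


def cheapest_response(p_worm: float, infection_cost: float,
                      responses: Dict[str, Tuple[float, float]] = RESPONSES
                      ) -> Tuple[str, float]:
    """Pick the response minimising
    expected cost = response cost + P(worm) * (1 - effectiveness) * infection cost.
    Returns (response name, its expected cost)."""
    best = None
    for name, (cost, eff) in responses.items():
        expected = cost + p_worm * (1 - eff) * infection_cost
        if best is None or expected < best[1]:
            best = (name, expected)
    assert best is not None, "empty response menu"
    return best


if __name__ == "__main__":
    # Constructed sample: peers report 1 = anomalous, 0 = normal.
    verdict, llr, used = sprt([1, 0, 1, 1, 0, 1])
    p = posterior_worm(llr)
    print(verdict, round(llr, 2), used, round(p, 3))
    print(cheapest_response(p, infection_cost=10.0))
    print(cheapest_response(p, infection_cost=1000.0))
```

The decision rule shows the effect the abstract calls counter-intuitive: with a low posterior and a cheap infection, leave_open wins; raise the infection cost and the same posterior makes quarantine the cheapest choice, even though no signature has been seen.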
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Cheetancheri, S.G., Agosta, JM., Levitt, K.N., Wu, F., Rowe, J. (2008). Optimal Cost, Collaborative, and Distributed Response to Zero-Day Worms - A Control Theoretic Approach. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds) Recent Advances in Intrusion Detection. RAID 2008. Lecture Notes in Computer Science, vol 5230. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-87403-4_13
DOI: https://doi.org/10.1007/978-3-540-87403-4_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-87402-7
Online ISBN: 978-3-540-87403-4
eBook Packages: Computer Science (R0)