DOI: 10.1145/1185347.1185371

WormTerminator: an effective containment of unknown and polymorphic fast spreading worms

Published: 03 December 2006

Abstract

Fast spreading worms are becoming one of the most serious threats to today's networked information systems: a fast spreading worm can infect hundreds of thousands of hosts within a few minutes. Stopping one requires the capability to detect and contain worms automatically and in real time. Signature-based worm detection and containment are effective against known worms, but they are inherently ineffective against previously unknown worms and polymorphic worms. Existing approaches based on traffic anomaly patterns have the potential to detect and/or contain previously unknown and polymorphic worms, but they either impose too many constraints on normal traffic or let too much infectious worm traffic reach the Internet before an unknown or polymorphic worm is detected.

In this paper, we present WormTerminator, which can detect and, at least in theory, completely contain almost all fast spreading worms in real time while blocking virtually no normal traffic. WormTerminator detects and contains a fast spreading worm based on its defining characteristic: a fast spreading worm starts to infect other hosts as soon as it has successfully infected one host. WormTerminator also exploits the observation that a fast spreading worm keeps exploiting the same set of vulnerabilities when infecting new machines. To prove the concept, we have implemented a prototype of WormTerminator and examined its effectiveness against the real Internet worm Linux/Slapper.
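The two observations the abstract builds on (a freshly infected host immediately attacks other hosts, and it attacks them through the same vulnerability it was itself infected through) can be turned into a simple flow-level heuristic: watch for a monitored host that accepts an inbound connection on some service port and then, within a short window, opens outbound connections to that same port on many distinct destinations. The Python below is an added illustration written for this page; it is not the WormTerminator prototype, which according to the author tags is built on a virtual machine rather than on connection logs. The connection records, host addresses, the 30-second window and the fan-out threshold of 5 are all constructed for the example.

```python
"""Flow-level heuristic for the propagation pattern described in the abstract.

Added example, not the paper's implementation. Idea: a fast-spreading worm that
has just compromised a host through service port P immediately starts attacking
port P on many other hosts. We flag a monitored host when, within WINDOW seconds
of accepting an inbound connection to P, it opens outbound connections to P on
at least FANOUT distinct destinations.
"""
from collections import defaultdict
from dataclasses import dataclass

WINDOW = 30.0   # seconds after an inbound hit during which same-port fan-out counts (assumed)
FANOUT = 5      # distinct destinations on the same port needed to raise an alert (assumed)


@dataclass(frozen=True)
class Conn:
    """One observed TCP connection attempt (constructed record format)."""
    t: float      # seconds since start of trace
    src: str      # source host
    dst: str      # destination host
    dport: int    # destination port


def detect(conns, monitored, window=WINDOW, fanout=FANOUT):
    """Return {host: (port, inbound_time)} for monitored hosts that accepted an
    inbound connection on `port` and then fanned out on that same port."""
    first_inbound = {}              # (host, port) -> time of inbound hit that opened the window
    outbound = defaultdict(set)     # (host, port) -> distinct destinations contacted since then
    alerts = {}
    for c in sorted(conns, key=lambda c: c.t):
        if c.dst in monitored:      # inbound to a monitored host: (re)open the window for that port
            key = (c.dst, c.dport)
            t0 = first_inbound.get(key)
            if t0 is None or c.t - t0 > window:
                first_inbound[key] = c.t
                outbound[key] = set()
        if c.src in monitored:      # outbound from a monitored host: count only if same port, in window
            key = (c.src, c.dport)
            t0 = first_inbound.get(key)
            if t0 is None or c.t - t0 > window:
                continue
            outbound[key].add(c.dst)
            if len(outbound[key]) >= fanout and c.src not in alerts:
                alerts[c.src] = (c.dport, t0)
    return alerts


MONITORED = frozenset({"10.0.0.7", "10.0.0.8"})   # hosts we protect (constructed)


def sample_trace():
    """Constructed connection log, not real data. 10.0.0.7 is hit on 443 and
    immediately fans out on 443 (worm-like); 10.0.0.8 is a busy but benign web
    server that talks to one database backend and two API endpoints."""
    trace = [Conn(0.0, "203.0.113.5", "10.0.0.7", 443)]             # exploit arrives
    trace += [Conn(1.0 + i, "10.0.0.7", f"10.0.0.{20 + i}", 443)     # victim scans onward, same port
              for i in range(8)]
    trace += [Conn(0.5 * i, f"198.51.100.{i}", "10.0.0.8", 80)       # clients hitting the web server
              for i in range(1, 12)]
    trace += [Conn(0.5 * i + 0.1, "10.0.0.8", "10.0.0.50", 3306)     # one DB backend, different port
              for i in range(1, 12)]
    trace += [Conn(3.0, "10.0.0.8", "10.0.0.60", 443),               # two outbound API calls on 443,
              Conn(9.0, "10.0.0.8", "10.0.0.61", 443)]               # but no inbound 443 preceded them
    return trace


if __name__ == "__main__":
    for host, (port, t0) in detect(sample_trace(), MONITORED).items():
        print(f"ALERT {host}: inbound on port {port} at t={t0:.1f}s, "
              f"then fan-out on port {port} within {WINDOW:.0f}s")
```

The benign server is not flagged because its outbound traffic never reuses a port it was just contacted on. The caveat is the one the abstract itself raises against traffic-anomaly approaches: this heuristic only fires after several infectious connections have already left the host (here, the fifth), and a service that legitimately relays on its own listening port, such as an SMTP relay forwarding on port 25, will trip it. Closing that gap without constraining normal traffic is what the paper's virtual-machine based design is meant to achieve; the heuristic above only shows what signal it is built around.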

Published In

ANCS '06: Proceedings of the 2006 ACM/IEEE symposium on Architecture for networking and communications systems
December 2006
202 pages
ISBN:1595935800
DOI:10.1145/1185347
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. polymorphic worms
  2. virtual machine
  3. worm containment
  4. wormterminator
  5. zero-day worms

Conference

ANCS06

Acceptance Rates

Overall Acceptance Rate 88 of 314 submissions, 28%

Cited By

  • Worm Detection without Knowledge Base in Industrial Networks. Journal of Communications 8(11):716-723, 2013. doi:10.12720/jcm.8.11.716-723
  • CBSTM. Proceedings of the Second International Conference on Innovative Computing and Cloud Computing, pages 158-164, December 2013. doi:10.1145/2556871.2556906
  • Graph based signature classes for detecting polymorphic worms via content analysis. Computer Networks 56(2):832-844, February 2012. doi:10.1016/j.comnet.2011.11.007
  • Enhancing malware detection in an IM environment. 2008 IEEE International Conference on Electro/Information Technology, pages 231-236, May 2008. doi:10.1109/EIT.2008.4554303
