
A Host-Based Approach for Unknown Fast-Spreading Worm Detection and Containment

Published: 01 January 2014

Abstract

The fast-spreading worm, which propagates itself immediately after a successful infection, is becoming one of the most serious threats to today’s networked information systems. In this article, we present WormTerminator, a host-based solution for fast Internet worm detection and containment that uses virtual machine techniques and is built on the defining characteristic of fast worms. In WormTerminator, a virtual machine that clones the host OS runs in parallel to the host OS, so the virtual machine has the same set of vulnerabilities as the host. Any outgoing traffic from the host is diverted through the virtual machine. If the outgoing traffic from the host is fast worm propagation, the virtual machine should be infected and will exhibit a worm propagation pattern very quickly, because a fast-spreading worm starts to propagate as soon as it successfully infects a host. To prove the concept, we have implemented a prototype of WormTerminator and examined its effectiveness against the real Internet worm Linux/Slapper. Our empirical results confirm that WormTerminator is able to completely contain worm propagation in real time without blocking any non-worm traffic. The major performance cost of WormTerminator is a one-time delay at the start of each outgoing normal connection for worm detection. To reduce this overhead, caching is utilized, through which WormTerminator delays no more than 6% of normal outgoing traffic for such detection on average.
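The decision loop the abstract describes (hold an outgoing connection, replay it into the cloned VM, release or block it depending on whether the clone starts propagating, and cache vetted destinations so repeat connections are not delayed again) can be illustrated with a small simulation. The following is an added example written for this page; it is not the authors' WormTerminator code. The page does not define the "worm propagation pattern", the cache key, or the observation window, so all three are assumptions here: the pattern is modelled as the clone contacting several other hosts on the same service port within a short window, and the cache is keyed on the vetted (destination, port) pair. The clone behaviour table is constructed sample data, not measurements.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    """An outgoing connection the host wants to open."""
    dst_ip: str
    dst_port: int


# (dst_ip, dst_port, seconds after the diverted flow was replayed into the clone)
Attempt = Tuple[str, int, float]

PROPAGATION_WINDOW_S = 2.0   # assumed: how long the clone is watched
PROPAGATION_THRESHOLD = 3    # assumed: distinct new hosts on the same port


def shows_propagation_pattern(flow: Flow, attempts: List[Attempt],
                              window: float = PROPAGATION_WINDOW_S,
                              threshold: int = PROPAGATION_THRESHOLD) -> bool:
    """Assumed heuristic for the 'worm propagation pattern': shortly after the
    diverted flow is replayed, the clone tries to reach several *other* hosts
    on the same service port. Attempts to the original destination and
    attempts outside the window are ignored."""
    new_hosts = {ip for ip, port, t in attempts
                 if port == flow.dst_port and ip != flow.dst_ip and t <= window}
    return len(new_hosts) >= threshold


class WormTerminator:
    """Gatekeeper between the host and the network (simulation only)."""

    def __init__(self, run_in_clone: Callable[[Flow], List[Attempt]]):
        self.run_in_clone = run_in_clone   # stands in for replaying into the VM
        self.vetted: set = set()           # (dst_ip, dst_port) pairs already checked
        self.blocked: List[Flow] = []
        self.total = 0
        self.delayed = 0

    def outgoing(self, flow: Flow) -> str:
        """Return the verdict for one outgoing connection."""
        self.total += 1
        key = (flow.dst_ip, flow.dst_port)
        if key in self.vetted:
            return "pass-cached"           # cache hit: no detection delay
        self.delayed += 1                  # one-time delay while the clone runs
        attempts = self.run_in_clone(flow)
        if shows_propagation_pattern(flow, attempts):
            self.blocked.append(flow)
            return "blocked"
        self.vetted.add(key)
        return "pass"

    def delay_fraction(self) -> float:
        """Share of outgoing connections that paid the detection delay."""
        return self.delayed / self.total if self.total else 0.0


# Constructed clone behaviour: what the clone does after each flow is replayed.
CLONE_BEHAVIOUR: Dict[Flow, List[Attempt]] = {
    Flow("10.0.0.5", 80): [],                              # plain web request
    Flow("10.0.0.53", 53): [("10.0.0.53", 53, 0.1)],       # same host only
    Flow("10.0.0.9", 443): [("10.0.0.12", 443, 0.3),       # fans out to new hosts
                            ("10.0.0.13", 443, 0.4),
                            ("10.0.0.14", 443, 0.6),
                            ("10.0.0.15", 443, 0.9)],
}


def constructed_clone(flow: Flow) -> List[Attempt]:
    return CLONE_BEHAVIOUR.get(flow, [])


def run_demo() -> Tuple[List[str], float]:
    """Push a short constructed sequence of connections through the gatekeeper."""
    wt = WormTerminator(constructed_clone)
    sequence = [Flow("10.0.0.5", 80), Flow("10.0.0.5", 80), Flow("10.0.0.53", 53),
                Flow("10.0.0.9", 443), Flow("10.0.0.53", 53)]
    verdicts = [wt.outgoing(f) for f in sequence]
    return verdicts, wt.delay_fraction()


if __name__ == "__main__":
    verdicts, delayed = run_demo()
    print(verdicts, f"delayed {delayed:.0%}")
```

Two properties of the design are visible in the simulation. First, the detector never inspects the payload: it only needs the clone to share the host's vulnerabilities and to react quickly, which is why the approach targets fast-spreading worms specifically. Second, the cache is what keeps the delay bounded, but a destination-keyed cache also means that a later connection to an already vetted destination is not re-checked; how the real system keys its cache is not stated in the abstract, so that choice should be treated as a tunable trade-off, not as the paper's result.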


Cited By

  • (2019) Security Data Collection and Data Analytics in the Internet: A Survey. IEEE Communications Surveys & Tutorials 21(1), 586-618. DOI: 10.1109/COMST.2018.2863942. Online publication date: Sep 2020.
  • (2017) Probability Indistinguishable. Wireless Personal Communications: An International Journal 97(4), 6167-6187. DOI: 10.1007/s11277-017-4833-8. Online publication date: 1 Dec 2017.
  • (2016) Gaining insight by structural knowledge extraction. Proceedings of the Twenty-second European Conference on Artificial Intelligence, 999-1007. DOI: 10.3233/978-1-61499-672-9-999. Online publication date: 29 Aug 2016.


Published In

ACM Transactions on Autonomous and Adaptive Systems, Volume 8, Issue 4
Special Section on Best Papers from SEAMS 2012
January 2014
130 pages
ISSN: 1556-4665
EISSN: 1556-4703
DOI: 10.1145/2578044
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 January 2014
Accepted: 01 December 2009
Revised: 01 August 2009
Received: 01 March 2009
Published in TAAS Volume 8, Issue 4


Author Tags

  1. WormTerminator
  2. polymorphic worms
  3. virtual machine
  4. worm containment
  5. zero-day worms

Qualifiers

  • Research-article
  • Research
  • Refereed

Article Metrics

  • Downloads (Last 12 months)10
  • Downloads (Last 6 weeks)0
Reflects downloads up to 05 Mar 2025
