COVERAGE: detecting and reacting to worm epidemics using cooperation and validation

  • Special Issue Paper
  • Journal: International Journal of Information Security

Abstract

Cooperative defensive systems communicate and cooperate in their response to worm attacks, but determine the presence of a worm attack solely on local information. Distributed worm detection and immunization systems track suspicious behavior at multiple cooperating nodes to determine whether a worm attack is in progress. Earlier work has shown that cooperative systems can respond quickly to day-zero worms, while distributed detection systems allow detectors to be more conservative (i.e., paranoid) about potential attacks because they manage false alarms efficiently. In this paper we present our investigation into the complex tradeoffs in such systems between communication costs, computation overhead, accuracy of the local tests, estimation of viral virulence, and the fraction of the network infected before the attack crests. We evaluate the effectiveness of different system configurations in various simulations. Our experiments show that distributed algorithms are better able to balance effectiveness against worms and viruses with reduced cost in computation and communication when faced with false alarms. Furthermore, cooperative, distributed systems seem more robust against malicious participants in the immunization system than earlier cooperative but non-distributed approaches.
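As an added illustration of the tradeoff the abstract describes (this is not COVERAGE's algorithm or the paper's simulator; the k-distinct-alarms rule, the scanning model and every probability below are assumptions), the toy simulation compares a policy that trusts any single local alarm (k = 1) with one that requires validation from several peers (k = 5), measuring how much of the network is infected before the response fires and how often false alarms, or a couple of always-alarming participants, trigger a spurious response.

```python
import random
from collections import deque


def simulate(n_hosts=200, steps=100, p_tp=0.5, p_fp=0.01, k=5, window=1,
             worm=True, malicious=0, seed=7):
    """Toy epidemic with per-host local detectors and a k-distinct-alarms rule.

    Each step: every infected host probes one random host (scanning worm);
    every host runs a local test that fires with prob. p_tp if infected and
    p_fp otherwise; the first `malicious` hosts always fire (bad participants).
    A network-wide response fires when alarms from >= k distinct hosts arrive
    within `window` steps: k=1 models a cooperative system that trusts any
    single local alarm, k>1 models distributed validation across peers.
    All parameters are constructed for illustration, not taken from the paper.
    Returns (first_response_step, infected_fraction_at_response, n_responses).
    """
    rng = random.Random(seed)
    infected = set(rng.sample(range(n_hosts), 2)) if worm else set()
    recent = deque()                       # (step, host) alarms in the window
    first_step, frac_at_first, responses = None, None, 0
    for t in range(steps):
        for _ in list(infected):           # propagation: one probe per infected host
            infected.add(rng.randrange(n_hosts))
        for h in range(n_hosts):           # local tests
            if h < malicious or rng.random() < (p_tp if h in infected else p_fp):
                recent.append((t, h))
        while recent and recent[0][0] <= t - window:
            recent.popleft()
        if len({h for _, h in recent}) >= k:
            responses += 1
            recent.clear()                 # the response consumes these alarms
            if first_step is None:
                first_step, frac_at_first = t, len(infected) / n_hosts
            if worm:                       # response immunises the network: stop
                break
    return first_step, frac_at_first, responses


def compare(seed=7):
    """Local (k=1) vs distributed (k=5) policy, with and without a worm."""
    out = {}
    for name, k in (("local", 1), ("distributed", 5)):
        step, frac, _ = simulate(k=k, worm=True, seed=seed)
        _, _, spurious = simulate(k=k, worm=False, seed=seed)
        _, _, colluding = simulate(k=k, worm=False, malicious=2, seed=seed)
        out[name] = {"response_step": step, "infected_at_response": frac,
                     "spurious_responses": spurious,
                     "spurious_with_2_malicious": colluding}
    return out


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

The local policy reacts at the first alarm but, at a 1% per-host false-alarm rate, fires a network-wide response on most quiet steps and on every step once two participants lie; the distributed rule still catches the worm well before it crests while rejecting most of those spurious triggers.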



Author information


Correspondence to Kostas G. Anagnostakis.


About this article

Cite this article

Anagnostakis, K.G., Greenwald, M.B., Ioannidis, S. et al. COVERAGE: detecting and reacting to worm epidemics using cooperation and validation. Int. J. Inf. Secur. 6, 361–378 (2007). https://doi.org/10.1007/s10207-007-0032-z
