
Very Fast Containment of Scanning Worms, Revisited

  • Conference paper
Malware Detection

Part of the book series: Advances in Information Security ((ADIS,volume 27))

Summary

Computer worms — malicious, self-propagating programs — represent a significant threat to large networks. One possible defense, containment, seeks to limit a worm’s spread by isolating it in a small subsection of the network. In this work we develop containment algorithms suitable for deployment in high-speed, low-cost network hardware. We show that these techniques can stop a scanning host after fewer than 10 scans with a very low false-positive rate. We also augment this approach by devising mechanisms for cooperation that enable multiple containment devices to more effectively detect and respond to an emerging infection. In addition, we discuss ways that a worm can attempt to bypass containment techniques in general, and ours in particular.

We then report on experiences subsequently implementing our algorithm in Click [13] and deploying it both on our own network and in the DETER testbed [6]. Doing so uncovered additional considerations, including the need to passively map the monitored LAN due to Ethernet switch behavior, and the problem of detecting ARP scanning as well as IP scanning. We finish with discussion of some deployment issues, including broadcast/multicast traffic and the use of NAT to realize sparser address spaces.

An earlier version of this chapter appears in Proceedings of the USENIX Security Symposium, 2004.
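As an added illustration (not the chapter's own algorithm or code), the following Python models the core idea behind connection-count containment described above: each source is charged for every first contact with a new destination, answered contacts are credited back, and a source whose unanswered first contacts reach a threshold is blocked. The threshold of 10, the event labels, the addresses and the traffic are all constructed for this example; ARP requests are counted alongside IP connection attempts, as the summary notes is necessary.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    kind: str  # "ip_syn", "ip_synack", "arp_request" or "arp_reply" (constructed labels)
    src: str   # sending address
    dst: str   # receiving address

class ScanContainment:
    """Per-source first-contact counter: a simplified illustration, not the chapter's hardware design."""
    def __init__(self, threshold=10):
        self.threshold = threshold   # assumed block threshold (outstanding first contacts)
        self.contacted = {}          # src -> set of destinations it has already tried
        self.outstanding = {}        # src -> first contacts not yet answered
        self.blocked = set()

    def process(self, ev):
        # Verdict for one event: "forwarded", "blocked" (threshold just tripped) or "dropped".
        if ev.kind in ("ip_syn", "arp_request"):
            if ev.src in self.blocked:
                return "dropped"
            seen = self.contacted.setdefault(ev.src, set())
            if ev.dst in seen:
                return "forwarded"   # repeat contact with a known peer is not a scan
            seen.add(ev.dst)
            n = self.outstanding.get(ev.src, 0) + 1
            self.outstanding[ev.src] = n
            if n >= self.threshold:
                self.blocked.add(ev.src)
                return "blocked"
            return "forwarded"
        if ev.kind in ("ip_synack", "arp_reply"):
            # An answer credits the original requester (ev.dst), so a host talking
            # to real peers never accumulates a scan-like count.
            if self.outstanding.get(ev.dst, 0) > 0:
                self.outstanding[ev.dst] -= 1
        return "forwarded"

def run(events, threshold=10):
    """Feed events in order; return (verdict per event, set of blocked sources)."""
    c = ScanContainment(threshold)
    return [c.process(ev) for ev in events], c.blocked

# Constructed traffic: a benign client whose 12 peers all answer, an IP scanner
# probing 12 unused addresses that never answer, and an ARP sweep of the LAN.
benign = [e for i in range(12)
          for e in (Event("ip_syn", "10.0.0.5", f"10.0.1.{i}"),
                    Event("ip_synack", f"10.0.1.{i}", "10.0.0.5"))]
ip_scanner = [Event("ip_syn", "10.0.0.66", f"10.0.2.{i}") for i in range(12)]
arp_scanner = [Event("arp_request", "10.0.0.77", f"10.0.0.{i}") for i in range(100, 112)]
```

Running `run(benign + ip_scanner + arp_scanner)` blocks 10.0.0.66 at its tenth unanswered first contact and 10.0.0.77 on the ARP sweep, while the benign client 10.0.0.5 is never blocked because every one of its contacts is answered.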


References

  1. R. Anderson, E. Biham, and L. Knudsen. Serpent: A Proposal for the Advanced Encryption Standard.
  2. B. Bloom. Space/Time Trade-offs in Hash Coding with Allowable Errors. CACM, July 1970.
  3. CERT. CERT Advisory CA-2001-26 Nimda Worm, http://www.cert.org/advisories/ca-2001-26.html.
  4. CERT. Code Red II: Another Worm Exploiting Buffer Overflow in IIS Indexing Service DLL, http://www.cert.org/incident-notes/in-2001-09.html.
  5. S. Crosby and D. Wallach. Denial of Service via Algorithmic Complexity Attacks. In Proceedings of the 12th USENIX Security Symposium. USENIX, August 2003.
  6. DETER: A Laboratory for Security Research, http://www.isi.edu/deter/.
  7. eEye Digital Security. .ida "Code Red" Worm, http://www.eeye.com/html/Research/Advisories/AL20010717.html.
  8. K. Egevang and P. Francis. RFC 1631: The IP Network Address Translator (NAT).
  9. L. T. Heberlein, G. Dias, K. Levitt, B. Mukerjee, J. Wood, and D. Wolber. A Network Security Monitor. In Proceedings of the IEEE Symposium on Research in Security and Privacy, 1990.
  10. J. Jung, V. Paxson, A. W. Berger, and H. Balakrishnan. Fast Portscan Detection Using Sequential Hypothesis Testing. In 2004 IEEE Symposium on Security and Privacy, to appear, 2004.
  11. J. Jung, S. Schechter, and A. Berger. Fast Detection of Scanning Worm Infections, in submission.
  12. E. Kohler, R. Morris, B. Chen, J. Jannotti, and M. F. Kaashoek. The Click Modular Router. ACM Transactions on Computer Systems, 18(3):264–297, August 2000.
  13. C. Leckie and R. Kotagiri. A Probabilistic Approach to Detecting Network Scans. In Proceedings of the Eighth IEEE Network Operations and Management Symposium (NOMS 2002), 2002.
  14. D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver. Inside the Slammer Worm. IEEE Security & Privacy, pages 33–39, July/August 2003.
  15. D. Moore, C. Shannon, G. M. Voelker, and S. Savage. Internet Quarantine: Requirements for Containing Self-propagating Code, 2003.
  16. Mirage Networks. http://www.miragenetworks.com/.
  17. D. Nojiri, J. Rowe, and K. Levitt. Cooperative Response Strategies for Large Scale Attack Mitigation. In Proc. DARPA DISCEX III Conference, 2003.
  18. Hewlett-Packard. Connection-rate Filtering Based on Virus-throttling Technology, http://www.hp.com/rnd/pdf_html/virus-throttling_tech_brief.htm.
  19. V. Paxson. Bro: A System for Detecting Network Intruders in Real-Time. Computer Networks, 31(23-24):2435–2463, 1999.
  20. D. Plummer. RFC 826: Ethernet Address Resolution Protocol.
  21. Gnutella Project. Gnutella, A Protocol for Revolution, http://rfc-gnutella.sourceforge.net/.
  22. S. Robertson, E. V. Siegel, M. Miller, and S. J. Stolfo. Surveillance Detection in High Bandwidth Environments. In Proc. DARPA DISCEX III Conference, 2003.
  23. S. E. Schechter, J. Jung, and A. W. Berger. Fast Detection of Scanning Worm Infections. In Proceedings of the Seventh International Symposium on Recent Advances in Intrusion Detection (RAID 2004), Sept. 15-17, 2004.
  24. Silicon Defense. Countermalice Worm Containment, http://www.silicondefense.com/products/countermalice/.
  25. Snort.org. Snort, the Open Source Network Intrusion Detection System, http://www.snort.org/.
  26. S. Staniford. Containment of Scanning Worms in Enterprise Networks. Journal of Computer Security, to appear, 2004.
  27. S. Staniford, J. Hoagland, and J. McAlerney. Practical Automated Detection of Stealthy Portscans. Journal of Computer Security, 10:105–136, 2002.
  28. S. Staniford and C. Kahn. Worm Containment in the Internal Network. Technical report, Silicon Defense, 2003.
  29. S. Staniford, V. Paxson, and N. Weaver. How to Own the Internet in Your Spare Time. In Proceedings of the 11th USENIX Security Symposium. USENIX, August 2002.
  30. Symantec. W32.Blaster.Worm, http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html.
  31. J. Twycross and M. M. Williamson. Implementing and Testing a Virus Throttle. In Proceedings of the 12th USENIX Security Symposium. USENIX, August 2003.
  32. N. Weaver, V. Paxson, S. Staniford, and R. Cunningham. A Taxonomy of Computer Worms. In The First ACM Workshop on Rapid Malcode (WORM), 2003.
  33. B. White, J. Lepreau, L. Stoller, R. Ricci, S. Guruprasad, M. Newbold, M. Hibler, C. Barb, and A. Joglekar. An Integrated Experimental Environment for Distributed Systems and Networks. In Proc. of the Fifth Symposium on Operating Systems Design and Implementation, pages 255–270, Boston, MA, Dec. 2002. USENIX Association.
  34. D. Whyte, P. van Oorschot, and E. Kranakis. ARP-based Detection of Scanning Worms within an Enterprise Network. In Proceedings of the Annual Computer Security Applications Conference (ACSAC 2005), Tucson, AZ, December 2005.
  35. M. M. Williamson. Throttling Viruses: Restricting Propagation to Defeat Mobile Malicious Code. In ACSAC, 2002.
  36. Xilinx Inc. Xilinx ML300 Development Platform, http://www.xilinx.com/products/boards/ml300/.
  37. C. C. Zou, W. Gong, and D. Towsley. Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense. In The First ACM Workshop on Rapid Malcode (WORM), 2003.


Copyright information

© 2007 Springer Science+Business Media, LLC.

About this paper

Cite this paper

Weaver, N., Staniford, S., Paxson, V. (2007). Very Fast Containment of Scanning Worms, Revisited. In: Christodorescu, M., Jha, S., Maughan, D., Song, D., Wang, C. (eds) Malware Detection. Advances in Information Security, vol 27. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-44599-1_6

  • DOI: https://doi.org/10.1007/978-0-387-44599-1_6

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-0-387-32720-4

  • Online ISBN: 978-0-387-44599-1

  • eBook Packages: Computer Science (R0)