International Journal of Information Security, Volume 6, Issue 6, pp 361–378

COVERAGE: detecting and reacting to worm epidemics using cooperation and validation

  • Kostas G. Anagnostakis
  • Michael B. Greenwald
  • Sotiris Ioannidis
  • Angelos D. Keromytis
Special Issue Paper

Abstract

Cooperative defensive systems communicate and cooperate in their response to worm attacks, but determine the presence of a worm attack solely on local information. Distributed worm detection and immunization systems track suspicious behavior at multiple cooperating nodes to determine whether a worm attack is in progress. Earlier work has shown that cooperative systems can respond quickly to day-zero worms, while distributed detection systems allow detectors to be more conservative (i.e., paranoid) about potential attacks because they manage false alarms efficiently. In this paper we present our investigation into the complex tradeoffs in such systems between communication costs, computation overhead, accuracy of the local tests, estimation of viral virulence, and the fraction of the network infected before the attack crests. We evaluate the effectiveness of different system configurations in various simulations. Our experiments show that distributed algorithms are better able to balance effectiveness against worms and viruses with reduced cost in computation and communication when faced with false alarms. Furthermore, cooperative, distributed systems seem more robust against malicious participants in the immunization system than earlier cooperative but non-distributed approaches.
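As an added illustration of the tradeoff the abstract describes (this is not code from the paper or from the COVERAGE system), the toy simulation below contrasts a cooperative response that trusts any single local alarm with a distributed one that waits for corroboration from several hosts in the same round. The random-scanning worm model, the noisy detector, and every parameter value are assumptions chosen for the illustration.

```python
"""Toy comparison of a cooperative (act-on-any-local-alarm) worm response
with a distributed one that requires corroboration from several hosts.
Added illustration only: not the COVERAGE design or the paper's simulator;
the worm model, detector model and all parameters are assumed."""
import random


def responds(policy, n_alarms, quorum):
    """Cooperative policy trusts any single local alarm; the distributed
    policy waits until `quorum` distinct hosts alarm in the same round."""
    return n_alarms >= (1 if policy == "local" else quorum)


def false_alarm_rounds(policy, n_hosts=2000, p_false=0.0005, quorum=3,
                       rounds=60, seed=7):
    """Worm-free run: count rounds in which the policy would have fired a
    needless network-wide response purely from spontaneous false alarms."""
    rng = random.Random(seed)
    triggered = 0
    for _ in range(rounds):
        n_alarms = sum(1 for _ in range(n_hosts) if rng.random() < p_false)
        if responds(policy, n_alarms, quorum):
            triggered += 1
    return triggered


def worm_run(policy, n_hosts=2000, scan_rate=3, p_detect=0.3,
             p_false=0.0005, quorum=3, rounds=60, seed=7):
    """Random-scanning SI worm.  Each attempt against a susceptible host is
    caught (and blocked) with probability p_detect, raising a local alarm;
    hosts also raise spontaneous false alarms with probability p_false.
    Returns (round in which the response fired or None, fraction of hosts
    infected at that moment, whether any alarm that round was genuine)."""
    rng = random.Random(seed)
    state = ["S"] * n_hosts        # S susceptible, I infected, R immunized
    state[0] = "I"
    for rnd in range(1, rounds + 1):
        alarms, genuine = set(), set()
        for h in range(n_hosts):   # spontaneous false alarms
            if rng.random() < p_false:
                alarms.add(h)
        for src in [h for h in range(n_hosts) if state[h] == "I"]:
            for _ in range(scan_rate):
                dst = rng.randrange(n_hosts)
                if state[dst] != "S":
                    continue
                if rng.random() < p_detect:
                    alarms.add(dst)      # attack caught: alarm, no infection
                    genuine.add(dst)
                else:
                    state[dst] = "I"
        infected = state.count("I") / n_hosts
        if responds(policy, len(alarms), quorum):
            # response fires here: remaining susceptibles get immunized
            return rnd, infected, bool(genuine)
        if infected == 1.0:
            break
    return None, state.count("I") / n_hosts, False


if __name__ == "__main__":
    for pol in ("local", "distributed"):
        print(pol, false_alarm_rounds(pol), worm_run(pol))
```

Because both policies consume the same random stream until the first response, the cooperative policy always fires no later than the distributed one, so the comparison isolates the cost of waiting for corroboration (a larger crest) against its benefit (far fewer responses to noise in the worm-free run).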



Copyright information

© Springer-Verlag 2007

Authors and Affiliations

  • Kostas G. Anagnostakis, Institute for Infocomm Research, Singapore, Singapore
  • Michael B. Greenwald, Bell Labs, Lucent Technologies, Inc., Murray Hill, USA
  • Sotiris Ioannidis, Computer Science Department, Stevens Institute of Technology, Hoboken, USA
  • Angelos D. Keromytis, Department of Computer Science, Columbia University, New York, USA
