Robust Reactions to Potential Day-Zero Worms Through Cooperation and Validation

  • K. Anagnostakis
  • S. Ioannidis
  • A. D. Keromytis
  • M. B. Greenwald
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4176)


Cooperative defensive systems communicate and cooperate in their response to worm attacks, but determine the presence of a worm attack solely on local information. Distributed worm detection and immunization systems track suspicious behavior at multiple cooperating nodes to determine whether a worm attack is in progress. Earlier work has shown that cooperative systems can respond quickly to day-zero worms, while distributed defensive systems allow detectors to be more conservative (i.e. paranoid) about potential attacks because they manage false alarms efficiently.

In this paper we begin a preliminary investigation into the complex tradeoffs in such systems between communication costs, computation overhead, accuracy of the local tests, estimation of viral virulence, and the fraction of the network infected before the attack crests. We evaluate the effectiveness of different system configurations in various simulations. Our experiments show that distributed algorithms are better able to balance effectiveness against viruses with reduced cost in computation and communication when faced with false alarms. Furthermore, cooperative, distributed systems seem more robust against malicious participants in the immunization system than earlier cooperative but non-distributed approaches.


False Alarm Communication Cost Malicious Node Infected Node Virus Attack 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Cert Advisory CA-2003-04: MS-SQL Server Worm (January 2003),
  2. 2.
    Anagnostakis, K.G., Greenwald, M.B., Ioannidis, S., Keromytis, A.D., Li, D.: A Cooperative Immunization System for an Untrusting Internet. In: Proceedings of the 11th IEEE Internation Conference on Networking (ICON) (September/October 2003), pp. 403–408 (2003)Google Scholar
  3. 3.
    Anagnostakis, K.G., Greenwald, M.B., Ioannidis, S., Miltchev, S.: Open packet monitoring on FLAME: Safety, performance, and applications. In: Sterbenz, J.P.G., Takada, O., Tschudin, C.F., Plattner, B. (eds.) IWAN 2002. LNCS, vol. 2546, pp. 120–131. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  4. 4.
    Bailey, M., Cooke, E., Jahanian, F., Watson, D., Nazario, J.: The Blaster Worm: Then and Now. IEEE Security & Privacy 3(4), 26–31 (2005)CrossRefGoogle Scholar
  5. 5.
    Bhattacharyya, M., Schultz, M.G., Eskin, E., Hershkop, S., Stolfo, S.J.: MET: An Experimental System for Malicious Email Tracking. In: Proceedings of the New Security Paradigms Workshop (NSPW) (September 2002), pp. 1–12 (2002)Google Scholar
  6. 6.
    Jung, J., Paxson, V., Berger, A.W., Balakrishnan, H.: Fast Portscan Detection Using Sequential Hypothesis Testing. In: Proceedings of the IEEE Symposium on Security and Privacy (May 2004)Google Scholar
  7. 7.
    Kannan, J., Subramanian, L., Stoica, I., Katz, R.H.: Analyzing Cooperative Containment of Fast Scanning Worms. In: Proceedings of Steps to Reducing Unwanted Traffic on the Internet Workshop (SRUTI), pp. 17–23 (July 2005)Google Scholar
  8. 8.
    Kim, H., Karp, B.: Autograph: Toward Automated, Distributed Worm Signature Detection. In: Proceedings of the 13th USENIX Security Symposium, pp. 271–286 (August 2004)Google Scholar
  9. 9.
    Levine, J.G., Grizzard, J.B., Owen, H.L.: Using Honeynets to Protect Large Enterprise Networks. IEEE Security & Privacy 2(6), 73–75 (2004)CrossRefGoogle Scholar
  10. 10.
    Levy, E.: Approaching Zero. IEEE Security & Privacy 2(4), 65–66 (2004)CrossRefGoogle Scholar
  11. 11.
    Locasto, M., Parekh, J., Stolfo, S., Keromytis, A., Malkin, T., Misra, V.: Collaborative Distributed Intrusion Detection. Technical Report CUCS-012-04, Columbia University Department of Computer Science (2004)Google Scholar
  12. 12.
    Moore, D., Shannon, C., Voelker, G., Savage, S.: Internet Quarantine: Requirements for Containing Self-Propagating Code. In: Proceedings of 22nd Annual Joint Conference of IEEE Computer and Communication societies (INFOCOM) (April 2003)Google Scholar
  13. 13.
    Nojiri, D., Rowe, J., Levitt, K.: Cooperative response strategies for large scale attack mitigation. In: Proceedings of the 3rd DARPA Information Survivability Conference and Exposition (April 2003)Google Scholar
  14. 14.
    Porras, P., Briesemeister, L., Levitt, K., Rowe, J., Ting, Y.-C.A.: A Hybrid Quarantine Defense. In: Proceedings of the ACM Workshop on Rapid Malcode (WORM) (October 2004), pp. 73–82 (2004)Google Scholar
  15. 15.
    Rajab, M.A., Monrose, F., Terzis, A.: On the Effectiveness of Distributed Worm Monitoring. In: Proceedings of the 14th USENIX Security Symposium, pp. 225–237 (August 2005)Google Scholar
  16. 16.
    Sidiroglou, S., Keromytis, A.D.: A Network Worm Vaccine Architecture. In: Proceedings of the IEEE Workshop on Enterprise Technologies: Infrastructure for Collaborative Enterprises (WETICE), Workshop on Enterprise Security (June 2003), pp. 220–225 (2003)Google Scholar
  17. 17.
    Singh, S., Estan, C., Varghese, G., Savage, S.: Automated worm fingerprinting. In: Proceedings of the 6th Symposium on Operating Systems Design & Implementation (OSDI) (December 2004)Google Scholar
  18. 18.
    Toyoizumi, H., Kara, A.: Predators: Good Will Mobile Codes Combat against Computer Viruses. In: Proceedings of the New Security Paradigms Workshop (NSPW), pp. 13–21 (September 2002)Google Scholar
  19. 19.
    Wu, J., Vangala, S., Gao, L., Kwiat, K.: An Effective Architecture and Algorithm for Detecting Worms with Various Scan Techniques. In: Proceedings of the Network and Distributed System Security (NDSS) Symposium, pp. 143–156 (February 2004)Google Scholar
  20. 20.
    Yegneswaran, V., Barford, P., Jha, S.: Global Intrusion Detection in the DOMINO Overlay System. In: Proceedings of NDSS (February 2004)Google Scholar
  21. 21.
    Zou, C.C., Gao, L., Gong, W., Towsley, D.: Monitoring and Early Warning for Internet Worms. In: Proceedings of the 10th ACM International Conference on Computer and Communications Security (CCS), October 2003, pp. 190–199 (2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • K. Anagnostakis
    • 1
  • S. Ioannidis
    • 2
  • A. D. Keromytis
    • 3
  • M. B. Greenwald
    • 4
  1. 1.Institute for Infocomm ResearchSingapore
  2. 2.Computer Science DepartmentStevens Institute of TechnologyHobokenUSA
  3. 3.Department of Computer ScienceColumbia UniversityNew YorkUSA
  4. 4.Bell LabsLucent Technologies, Inc.Murray HillUSA

Personalised recommendations