Resilience Strategies for Networked Malware Detection and Remediation

  • Yue Yu
  • Michael Fry
  • Bernhard Plattner
  • Paul Smith
  • Alberto Schaeffer-Filho
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7645)


Network-propagated malware such as worms is a potentially serious threat, since it can infect and damage a large number of vulnerable hosts on timescales at which human reaction is unlikely to be effective. Research on worm detection has produced many approaches to identifying worms. A common approach is to match a worm's signature. However, as worms continue to evolve, this method cannot detect and mitigate new worms in real time. In this paper, we propose a novel resilience strategy for the detection and remediation of networked malware based on the progressive, multi-stage deployment of resilience mechanisms. Our strategy monitors various traffic features to detect the early onset of an attack, and then applies further mechanisms to progressively identify the attack and apply remediation to protect the network. The strategy can be adapted to detect known attacks such as worms, and also provides some level of remediation for new, unknown attacks. The advantages of our approach are demonstrated via simulation of various types of worm attack on an Autonomous System infrastructure. Our strategy is flexible and adaptable, and we show how it can be extended to identify and remediate network challenges other than worms.
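The staged strategy sketched in the abstract, as an added illustration that is not the paper's own code: a cheap network-wide monitor (stage 1) watches one traffic feature per time window and, only when it flags a window, a per-host profiler (stage 2) is applied to name the offending hosts, after which remediation (stage 3) escalates from reversible rate-limiting to blocking the port the scanners share. The choice of features (connection-failure ratio and per-host destination fan-out), the thresholds, and the flow records are all assumptions constructed for the demo; the abstract does not say which features the authors monitor.

```python
"""Progressive, multi-stage worm detection and remediation over flow records.

Added illustration of the staged strategy sketched in the abstract; this is
not the paper's code. The traffic features (connection-failure ratio and
per-host destination fan-out), the thresholds and the flow records below are
all assumptions constructed for the demo.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    slot: int    # time-window index
    src: str
    dst: str
    dport: int
    ok: bool     # True if the connection completed, False if refused / timed out


def make_flows():
    """Constructed sample traffic: five quiet windows, then a scanning outbreak."""
    flows = []
    hosts = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
    for slot in range(5):
        for i, src in enumerate(hosts):
            for j in range(3):
                flows.append(Flow(slot, src, f"10.0.1.{(i + j) % 4 + 1}",
                                  80 if j % 2 == 0 else 443, True))
        # background noise: one or two failed SSH attempts per window
        for n in range(1 + slot % 2):
            flows.append(Flow(slot, "10.0.0.2", f"10.0.1.{9 + n}", 22, False))
    for slot in (5, 6):
        # two infected hosts sweep a /24 on port 445; most probes find nothing
        for src in ("10.0.0.1", "10.0.0.3"):
            for k in range(40):
                flows.append(Flow(slot, src, f"10.0.2.{k + 1}", 445, k % 10 == 0))
        for j in range(3):  # the clean host keeps its usual pattern
            flows.append(Flow(slot, "10.0.0.2", f"10.0.1.{j + 1}", 80, True))
    return flows


def failure_ratio(flows):
    return sum(not f.ok for f in flows) / len(flows)


def detect_onset(flows, baseline_slots, k=3.0, min_margin=0.05):
    """Stage 1: cheap, network-wide monitoring. Flag windows whose failure ratio
    exceeds the baseline mean by k standard deviations; min_margin keeps a
    perfectly flat baseline from tripping on any tiny change."""
    by_slot = defaultdict(list)
    for f in flows:
        by_slot[f.slot].append(f)
    base = [failure_ratio(by_slot[s]) for s in baseline_slots]
    threshold = mean(base) + max(k * pstdev(base), min_margin)
    return [s for s in sorted(by_slot)
            if s not in baseline_slots and failure_ratio(by_slot[s]) > threshold]


def identify_scanners(flows, slot, min_fanout=20, min_fail=0.5):
    """Stage 2: run only on windows stage 1 flagged. Hosts that contact many
    distinct destinations with mostly failed connections look like scanners.
    Returns {src: (fanout, fail_ratio, dominant_dport)}."""
    per_src = defaultdict(list)
    for f in flows:
        if f.slot == slot:
            per_src[f.src].append(f)
    scanners = {}
    for src, fs in per_src.items():
        fanout = len({f.dst for f in fs})
        fail = failure_ratio(fs)
        if fanout >= min_fanout and fail >= min_fail:
            port = Counter(f.dport for f in fs).most_common(1)[0][0]
            scanners[src] = (fanout, fail, port)
    return scanners


def remediate(scanners, min_hosts_for_port_block=2):
    """Stage 3: progressive remediation. Every scanner is rate-limited first
    (reversible, low collateral). If several scanners hammer the same port, that
    shared behaviour is taken as the propagation vector and the port is blocked
    at the border, containing an unknown worm without a payload signature."""
    actions = [("rate_limit", src) for src in sorted(scanners)]
    port_hosts = Counter(port for _, _, port in scanners.values())
    for port, n in sorted(port_hosts.items()):
        if n >= min_hosts_for_port_block:
            actions.append(("block_port", port))
    return actions


def run_pipeline(flows, baseline_slots=range(5)):
    """Apply the stages in order; later stages touch only windows the earlier flagged."""
    onset = detect_onset(flows, list(baseline_slots))
    scanners = {s: identify_scanners(flows, s) for s in onset}
    actions = {s: remediate(scanners[s]) for s in onset}
    return {"onset_slots": onset, "scanners": scanners, "actions": actions}


if __name__ == "__main__":
    result = run_pipeline(make_flows())
    for s in result["onset_slots"]:
        print(f"window {s}: scanners={result['scanners'][s]} actions={result['actions'][s]}")
```

The ordering is the point: the per-host profiler and the blocking rules are comparatively expensive or disruptive, so they are deployed only in windows the cheap monitor has already flagged, and blocking escalates beyond rate-limiting only when more than one host exhibits the same behaviour. In a real deployment the baseline would be learned continuously rather than from a fixed set of windows, and a port-block decision would also consult the service's expected traffic.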


Keywords: network resilience; worm detection; worm remediation





Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Yue Yu (1)
  • Michael Fry (1)
  • Bernhard Plattner (2)
  • Paul Smith (3)
  • Alberto Schaeffer-Filho (4)
  1. School of Information Technologies, University of Sydney, Australia
  2. Computer Engineering and Networks Laboratory, ETH Zurich, Switzerland
  3. Safety and Security Department, AIT Austrian Institute of Technology, Austria
  4. School of Computing and Communications, Lancaster University, UK
