Songqing Chen
Abstract
The fast-spreading worm, which immediately propagates itself after a successful infection, is becoming one of the most serious threats to today’s networked information systems. In this article, we present WormTerminator, a host-based solution for fast Internet worm detection and containment with the assistance of virtual machine techniques based on the fast-worm defining characteristic. In WormTerminator, a virtual machine cloning the host OS runs in parallel to the host OS. Thus, the virtual machine has the same set of vulnerabilities as the host. Any outgoing traffic from the host is diverted through the virtual machine. If the outgoing traffic from the host is for fast worm propagation, the virtual machine should be infected and will exhibit worm propagation pattern very quickly because a fast-spreading worm will start to propagate as soon as it successfully infects a host. To prove the concept, we have implemented a prototype of WormTerminator and have examined its effectiveness against the real Internet worm Linux/Slapper. Our empirical results confirm that WormTerminator is able to completely contain worm propagation in real-time without blocking any non-worm traffic. The major performance cost of WormTerminator is a one-time delay to the start of each outgoing normal connection for worm detection. To reduce the performance overhead, caching is utilized, through which WormTerminator will delay no more than 6% normal outgoing traffic for such detection on average.
- Brumley, D., Newsome, J., Song, D., Wang, H., and Jha, S. 2006. Towards automatic generation of vulnerability-based signatures. In Proceedings of the IEEE Symposium on Security and Privacy. Google Scholar
Digital Library
- Buchacker, K. and Sieh, V. 2001. Framework for testing the fault-tolerance of systems including os and network aspects. In Proceedings of the IEEE Symposium on High Assurance System Engineering (HASE). 95--105. Google ScholarDigital Library
- Corey, J. 2009 Advanced honeypot identification and exploitation. http://www.phrack.org/fakes/p63/p63-0x09.txt.Google Scholar
- Cui, W., Paxson, V., Weaver, N., and Katz, R. 2006. Protocol-independent adaptive replay of application dialog. In Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS).Google Scholar
- Dike, J. 2000. A user-mode port of the linux kernel. In Proceedings of the Linux Showcase and Conference. Google ScholarDigital Library
- Hon. 2004. Honeyd security advisory 2004-001: Remonte detection via simple probe packet. http://www.honeyd.org/adv.2004-01.asc.Google Scholar
- Kalla, R., Sinharoy, B., and Tendler, J. M. 2004. IBM Power5 chip: A dual-core multithreaded processor. IEEE Micro 24, 2, 40--47. Google ScholarDigital Library
- Kataria, G., Anand, G., Araujo, R., Krishnan, R., and Perrig, A. 2006. A distributed stealthy coordination mechanism for worm synchronization. In Proceedings of the 2nd International Conference on Security and Privacy in Communication Networks (SecureComm’06).Google Scholar
- Kim, H. and Karp, B. 2004. Autograph: Toward automated distributed worm signature detection. In Proceedings of USENIX Security. Google ScholarDigital Library
- King, S., Dunlap, G., and Chen, P. 2003. Operating system support for virtual machines. In Proceedings of the Annual USENIX Technical Conference. Google ScholarDigital Library
- Kongetira, P., Aing-Aran, K., and Olukotun, K. 2005. Niagara: A 32-way multithreaded Sparc processor. IEEE Micro 25, 2. Google ScholarDigital Library
- Kreibich, C. and Crowcroft, J. 2003. Honeycomb - Creating intrusion detection signatures using honeypots. In Proceedings of HotNets.Google Scholar
- Li, Z., Sanghi, M., Chen, Y., Kao, M., and Chavez, B. 2006. Hamsa: Fast signature generation for zero-day polymorphic worms with provable attack resilience. In Proceedings of the IEEE Symposium on Security and Privacy. Google ScholarDigital Library
- Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., and Weaver, N. 2003. Inside the slammer worm. In Proceedings of the IEEE Symposium on Security and Privacy. Vol. 1.Google Scholar
- NSF. Malware immunization through deterrence and diversion. http://www.nsf.gov/awardsearch/showAward.do?AwardNumber=0650386.Google Scholar
- Paxson, V. 1999. Bro: A system for detecting network intruders in real time. Comput. Netw. 31. Google ScholarDigital Library
- Perdisci, R., Dagon, D., Lee, W., Fogla, P., and Sharif, M. 2006. Misleading worm signature generators using deliberate noise injection. In Proceedings of the IEEE Symposium on Security and Privacy. Google ScholarDigital Library
- Roesch, M. 1999. Snort: Lightweight intrusion detection for networks. In Proceedings of the Conference on System Administration. Google ScholarDigital Library
- Seifried, K. 2002. Honeypotting with VMware basics. http://www.seifried.org/security/index.php.Google Scholar
- Singh, S., Estan, C., Varghese, G., and Savage, S. 2003. The earlybird system for real-time detection of unknown worms. Tech. rep., University of California, San Diego.Google Scholar
- Singh, S., Estan, C., Varghese, G., and Savage, S. 2004. Automated worm fingerprinting. In Proceedings of OSDI. Google ScholarDigital Library
- SLA. http://www.symantec.com/avcenter/venc/data/linux.slapper.worm.html.Google Scholar
- Staniford, S. 2004. Containment of scanning worms in enterprise networks. J. Comput. Secur.Google Scholar
- Sugerman, J., Venkitachalam, G., and Lim, B. 2001. Virtualizing I/O devices on VMware workstation’s hosted virtual machine monitor. In Proceedings of the USENIX Technical Conference. Google ScholarDigital Library
- Waldspurger, C. 2002. Memory resource management in wmware ESX server. In Proceedings of the Symposium on Operating Systems Design and Implementation. Google ScholarDigital Library
- Weaver, N., Staniford, B., and Paxson, V. 2004. Very fast containment of scanning worms. In Proceedings of USENIX Security. Google ScholarDigital Library
- Williamson, M. 2002. Throttling viruses: Restricting propagation to defeat mobile malicious code. In Proceedings of Annual Computer Security Applications Conference. Google ScholarDigital Library
- XEN (a). http://www.cl.cam.ac.uk/research/srg/netos/xen/.Google Scholar
- XEN (b). http://www.xensource.com/.Google Scholar
- Zou, C. and Cunningham, R. 2006. Honeybot-aware advanced botnet construction and maintenance. In Proceedings of the International Conference on Dependable Systems and Networks (DSN). Google ScholarDigital Library
Index Terms
- A Host-Based Approach for Unknown Fast-Spreading Worm Detection and Containment
Recommendations
Countermeasures against Worm Spreading: A New Challenge for Vehicular Networks
Vehicular ad hoc networks (VANETs) are essential components of the intelligent transport systems. They are attracting an increasing amount of interest in research and industrial sectors. Vehicular nodes are capable of transporting, sensing, processing ...
WormTerminator: an effective containment of unknown and polymorphic fast spreading worms
ANCS '06: Proceedings of the 2006 ACM/IEEE symposium on Architecture for networking and communications systemsThe fast spreading worm is becoming one of the most serious threats to today's networked information systems. A fast spreading worm could infect hundreds of thousands of hosts within a few minutes. In order to stop a fast spreading worm, we need the ...
Worm virulence estimation for the containment of local worm outbreak
A worm-infected host scanning globally may not cause any new infection in its underlying local network before it is detected and quarantined by a worm detector. To defend this type of scanning hosts, a number of worm scanner detection methods such as ...
Comments