Robust reactions to potential day-zero worms through cooperation and validation

Authors:
K. Anagnostakis;S. Ioannidis;A. D. Keromytis;M. B. Greenwald
Affiliations:
Institute for Infocomm Research, Singapore;Computer Science Department, Stevens Institute of Technology, Hoboken, NJ;Department of Computer Science, Columbia University, New York, NY;Bell Labs, Lucent Technologies, Inc., Murray Hill, NJ
Venue:
ISC'06 Proceedings of the 9th international conference on Information Security
Year:
2006

Citing 13
Cited 3

Open Packet Monitoring on FLAME: Safety, Performance, and Applications

IWAN '02 Proceedings of the IFIP-TC6 4th International Working Conference on Active Networks
MET: an experimental system for Malicious Email Tracking

Proceedings of the 2002 workshop on New security paradigms
Predators: good will mobile codes combat against computer viruses

Proceedings of the 2002 workshop on New security paradigms
A Network Worm Vaccine Architecture

WETICE '03 Proceedings of the Twelfth International Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises
Monitoring and early warning for internet worms

Proceedings of the 10th ACM conference on Computer and communications security
Approaching Zero

IEEE Security and Privacy
A hybrid quarantine defense

Proceedings of the 2004 ACM workshop on Rapid malcode
Using Honeynets to Protect Large Enterprise Networks

IEEE Security and Privacy
The Blaster Worm: Then and Now

IEEE Security and Privacy
Automated worm fingerprinting

OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
Analyzing cooperative containment of fast scanning worms

SRUTI'05 Proceedings of the Steps to Reducing Unwanted Traffic on the Internet on Steps to Reducing Unwanted Traffic on the Internet Workshop
Autograph: toward automated, distributed worm signature detection

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
On the effectiveness of distributed worm monitoring

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14

A distributed host-based worm detection system

Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense
Optimal Cost, Collaborative, and Distributed Response to Zero-Day Worms - A Control Theoretic Approach

RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Cross-Domain collaborative anomaly detection: so far yet so close

RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection

Quantified Score

Hi-index	0.00

Visualization

Abstract

Cooperative defensive systems communicate and cooperate in their response to worm attacks, but determine the presence of a worm attack solely on local information. Distributed worm detection and immunization systems track suspicious behavior at multiple cooperating nodes to determine whether a worm attack is in progress. Earlier work has shown that cooperative systems can respond quickly to day-zero worms, while distributed defensive systems allow detectors to be more conservative (i.e. paranoid) about potential attacks because they manage false alarms efficiently. In this paper we begin a preliminary investigation into the complex tradeoffs in such systems between communication costs, computation overhead, accuracy of the local tests, estimation of viral virulence, and the fraction of the network infected before the attack crests. We evaluate the effectiveness of different system configurations in various simulations. Our experiments show that distributed algorithms are better able to balance effectiveness against viruses with reduced cost in computation and communication when faced with false alarms. Furthermore, cooperative, distributed systems seem more robust against malicious participants in the immunization system than earlier cooperative but non-distributed approaches.