Vigilante: end-to-end containment of internet worms

  • Authors:
  • Manuel Costa;Jon Crowcroft;Miguel Castro;Antony Rowstron;Lidong Zhou;Lintao Zhang;Paul Barham

  • Affiliations:
  • University of Cambridge, Cambridge, UK and Microsoft Research Ltd., Cambridge, UK;University of Cambridge, Cambridge, UK;Microsoft Research Ltd., Cambridge, UK;Microsoft Research Ltd., Cambridge, UK;Microsoft Research Silicon Valley, CA;Microsoft Research Silicon Valley, CA;Microsoft Research Ltd., Cambridge, UK

  • Venue:
  • Proceedings of the twentieth ACM symposium on Operating systems principles
  • Year:
  • 2005

Quantified Score

Hi-index 0.02

Visualization

Abstract

Worm containment must be automatic because worms can spread too fast for humans to respond. Recent work has proposed network-level techniques to automate worm containment; these techniques have limitations because there is no information about the vulnerabilities exploited by worms at the network level. We propose Vigilante, a new end-to-end approach to contain worms automatically that addresses these limitations. Vigilante relies on collaborative worm detection at end hosts, but does not require hosts to trust each other. Hosts run instrumented software to detect worms and broadcast self-certifying alerts (SCAs) upon worm detection. SCAs are proofs of vulnerability that can be inexpensively verified by any vulnerable host. When hosts receive an SCA, they generate filters that block infection by analysing the SCA-guided execution of the vulnerable software. We show that Vigilante can automatically contain fast-spreading worms that exploit unknown vulnerabilities without blocking innocuous traffic.