Defending against hitlist worms using network address space randomization

Authors:
S. Antonatos;P. Akritidis;E. P. Markatos;K. G. Anagnostakis
Affiliations:
Institute of Computer Science, Foundation for Research and Technology, Hellas P.O. Box 1385 Heraklio, GR-711-10, Greece;Institute of Computer Science, Foundation for Research and Technology, Hellas P.O. Box 1385 Heraklio, GR-711-10, Greece;Institute of Computer Science, Foundation for Research and Technology, Hellas P.O. Box 1385 Heraklio, GR-711-10, Greece;Systems and Security Department, Institute for Infocomm Research, 21 Heng Mui Keng Terrace, Singapore 119613, Singapore
Venue:
Computer Networks: The International Journal of Computer and Telecommunications Networking
Year:
2007

Citing 27
Cited 1

Computer viruses: theory and experiments

Computers and Security
Sharing and protection in a single-address-space operating system

ACM Transactions on Computer Systems (TOCS) - Special issue on computer architecture
An end-to-end approach to host mobility

MobiCom '00 Proceedings of the 6th annual international conference on Mobile computing and networking
DNS performance and the effectiveness of caching

IMW '01 Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement
Code red worm propagation modeling and analysis

Proceedings of the 9th ACM conference on Computer and communications security
Code-Red: a case study on the spread and victims of an internet worm

Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
How to Own the Internet in Your Spare Time

Proceedings of the 11th USENIX Security Symposium
Adaptive Use of Network-Centric Mechanisms in Cyber-Defense

ISORC '03 Proceedings of the Sixth IEEE International Symposium on Object-Oriented Real-Time Distributed Computing
A Network Worm Vaccine Architecture

WETICE '03 Proceedings of the Twelfth International Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises
Inside the Slammer Worm

IEEE Security and Privacy
Monitoring and early warning for internet worms

Proceedings of the 10th ACM conference on Computer and communications security
Countering code-injection attacks with instruction-set randomization

Proceedings of the 10th ACM conference on Computer and communications security
Randomized instruction set emulation to disrupt binary code injection attacks

Proceedings of the 10th ACM conference on Computer and communications security
Accurate, scalable in-network identification of p2p traffic using application signatures

Proceedings of the 13th international conference on World Wide Web
Shield: vulnerability-driven network filters for preventing known vulnerability exploits

Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
MobiDesk: mobile virtual desktop computing

Proceedings of the 10th annual international conference on Mobile computing and networking
Transport layer identification of P2P traffic

Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
The top speed of flash worms

Proceedings of the 2004 ACM workshop on Rapid malcode
On the effectiveness of address-space randomization

Proceedings of the 11th ACM conference on Computer and communications security
An analysis of TCP reset behaviour on the internet

ACM SIGCOMM Computer Communication Review
Remote Physical Device Fingerprinting

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
REX: secure, extensible remote execution

ATEC '04 Proceedings of the annual conference on USENIX Annual Technical Conference
Automated worm fingerprinting

OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
Address obfuscation: an efficient approach to combat a board range of memory error exploits

SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Very fast containment of scanning worms

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Accurate buffer overflow detection via abstract payload execution

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Exploiting the IPID field to infer network path and end-system characteristics

PAM'05 Proceedings of the 6th international conference on Passive and Active Network Measurement

Openflow random host mutation: transparent moving target defense using software defined networking

Proceedings of the first workshop on Hot topics in software defined networks

Quantified Score

Hi-index	0.00

Visualization

Abstract

Worms are self-replicating malicious programs that represent a major security threat for the Internet, as they can infect and damage a large number of vulnerable hosts at timescales where human responses are unlikely to be effective. Sophisticated worms that use precomputed hitlists of vulnerable targets are especially hard to contain, since they are harder to detect, and spread at rates where even automated defenses may not be able to react in a timely fashion. This paper examines a new proactive defense mechanism called Network Address Space Randomization (NASR) whose objective is to harden networks specifically against hitlist worms. The idea behind NASR is that hitlist information could be rendered stale if nodes are forced to frequently change their IP addresses. NASR limits or slows down hitlist worms and forces them to exhibit features that make them easier to contain at the perimeter. We explore the design space for NASR and present a prototype implementation as well as experiments examining the effectiveness and limitations of the approach.