Vigilante: end-to-end containment of internet worms

Published: 20 October 2005

Abstract

Worm containment must be automatic because worms can spread too fast for humans to respond. Recent work has proposed network-level techniques to automate worm containment; these techniques have limitations because there is no information about the vulnerabilities exploited by worms at the network level. We propose Vigilante, a new end-to-end approach to contain worms automatically that addresses these limitations. Vigilante relies on collaborative worm detection at end hosts, but does not require hosts to trust each other. Hosts run instrumented software to detect worms and broadcast self-certifying alerts (SCAs) upon worm detection. SCAs are proofs of vulnerability that can be inexpensively verified by any vulnerable host. When hosts receive an SCA, they generate filters that block infection by analysing the SCA-guided execution of the vulnerable software. We show that Vigilante can automatically contain fast-spreading worms that exploit unknown vulnerabilities without blocking innocuous traffic.



Published In

ACM SIGOPS Operating Systems Review, Volume 39, Issue 5
SOSP '05
December 2005
290 pages
ISSN: 0163-5980
DOI: 10.1145/1095809
  • SOSP '05: Proceedings of the twentieth ACM symposium on Operating systems principles
    October 2005
    259 pages
    ISBN: 1595930795
    DOI: 10.1145/1095810
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. control flow analysis
  2. data flow analysis
  3. self-certifying alerts
  4. worm containment
