Design space and analysis of worm defense strategies
Source: ASIAN ACM Symposium on Information, Computer and Communications Security
Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security
Taipei, Taiwan
SESSION: Intrusion detection and modeling
Pages: 125 - 137
Year of Publication: 2006
ISBN: 1-59593-272-0
Authors
David Brumley  Carnegie Mellon University, Pittsburgh, Pennsylvania
Li-Hao Liu  Carnegie Mellon University, Pittsburgh, Pennsylvania
Pongsin Poosankam  Carnegie Mellon University, Pittsburgh, Pennsylvania
Dawn Song  Carnegie Mellon University, Pittsburgh, Pennsylvania
Sponsor
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 12,   Downloads (12 Months): 93,   Citation Count: 2
DOI: http://doi.acm.org/10.1145/1128817.1128837

ABSTRACT

We give the first systematic investigation of the design space of worm defense strategies. We do this by providing a taxonomy of defense strategies that abstracts away implementation-dependent and approach-specific details and concentrates on the fundamental properties of each defense category. Our taxonomy and analysis reveal, for each strategy, the key parameters that determine its effectiveness. We provide a theoretical foundation for understanding how these parameters interact, as well as a simulation-based analysis of how the strategies compare as worm defense systems. Finally, we offer recommendations, based on our taxonomy and analysis, on which worm defense strategies are most likely to succeed. In particular, we show that a hybrid approach combining Proactive Protection and Reactive Antibody Defense is the most promising and can be effective even against the fastest worms, such as hitlist worms. Thus, we are the first to demonstrate with theoretical and empirical models which defense strategies will work against the fastest worms, such as hitlist worms.

