IBM Software Group

Self-propagating computer worms have been terrorizing the Internet for the last several years. With the increasing density, inter-connectivity and bandwidth of the Internet combined with security measures that inadequately scale, worms will continue to plague the Internet community. Existing anti-virus and intrusion detection systems are clearly inadequate to defend against many recent fast-spreading worms. In this paper we explore an active counter-attack method: anti-worms. We propose a method that transforms a malicious worm into an anti-worm which disinfects its original. The method is evaluated using the CodeRed, Blaster and Slammer worms. We show through simulation the effectiveness of an anti-worm with several propagation schemes and its impact on the overall network. We also discuss important limitations of the proposed method.