End-to-End Containment of Internet Worm Epidemics

Author: Manuel Costa

DOI:

Keywords: Overhead (computing), Block (data storage), Host (network), Overlay network, Exploit, Computer security, Source code, The Internet, Computer science, End-to-end principle

Abstract: Worms, programs that self-replicate automatically over computer networks, are a serious threat to hosts connected to the Internet. They infect hosts by exploiting software vulnerabilities, and they can use their victims for many malicious activities. Past outbreaks show that worms spread too fast for humans to respond, hence worm containment must be automatic. Recent work proposed network-level techniques to automate containment, but these have limitations because there is no information about vulnerabilities at the network level. We propose Vigilante: a new end-to-end architecture to contain worms that addresses these limitations. In Vigilante, hosts detect worms by instrumenting vulnerable programs to analyze infection attempts. We introduce dynamic data-flow analysis: a broad-coverage host-based algorithm that detects unknown worms by tracking the flow of data from network messages and disallowing unsafe uses of that data. We also show how to integrate other detection mechanisms into the Vigilante architecture. Upon detection, hosts generate self-certifying alerts (SCAs), a type of security alert that can be inexpensively verified by any host. Using SCAs, hosts can cooperate to contain an outbreak without having to trust each other. Vigilante broadcasts SCAs over an overlay network that propagates them rapidly and resiliently. Hosts receiving an SCA protect themselves by generating filters with vulnerability condition slicing, which performs analysis of the vulnerable program to identify the control-flow conditions that lead to successful attacks. These filters block the attack, including all mutations that follow the execution path identified by the SCA, while introducing negligible performance overhead. Our results show that Vigilante can contain fast-spreading worms that exploit unknown vulnerabilities without false positives. Vigilante does not require changes to hardware, compilers, operating systems or the source code of programs; therefore, it can be used to protect software as it exists today in binary form.
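The two core mechanisms in the abstract, dynamic data-flow analysis (taint from network messages must not reach a control-flow target) and verification of a self-certifying alert by replaying the message, as an added illustration that is not code from the paper or the Vigilante prototype. The register VM, its instruction set and the sample programs and messages are constructed for this example.

```python
# Added example (not the paper's code): a toy VM that tracks the flow of data
# from an untrusted network message and raises an alert when tainted data is
# used as a jump target; an SCA is then checked by replaying the message.
TAINT_ALERT = "tainted data used as control-flow target"

def run(program, message, max_steps=100):
    """Execute a tiny register VM. Every register value carries a taint flag
    recording whether it derives from the received message."""
    regs = {}                     # name -> (value, tainted)
    pc = 0
    for _ in range(max_steps):
        if pc >= len(program):
            return {"status": "clean"}
        op, *args = program[pc]
        if op == "recv":          # load byte i of the message: always tainted
            dst, i = args
            regs[dst] = (message[i], True) if i < len(message) else (0, False)
        elif op == "const":       # program constant: never tainted
            regs[args[0]] = (args[1], False)
        elif op == "add":         # taint propagates through arithmetic
            dst, a, b = args
            regs[dst] = (regs[a][0] + regs[b][0], regs[a][1] or regs[b][1])
        elif op == "jmp_reg":     # indirect jump: unsafe use if target is tainted
            value, tainted = regs[args[0]]
            if tainted:
                # Self-certifying alert: the message plus where it was detected,
                # enough for any host to reproduce the condition itself.
                return {"status": "alert", "reason": TAINT_ALERT,
                        "pc": pc, "message": bytes(message)}
            pc = value
            continue
        pc += 1
    return {"status": "clean"}

def verify_sca(program, sca):
    """Verify an SCA without trusting its sender: replay the attached message
    in the instrumented VM and require the same detection point."""
    result = run(program, sca.get("message", b""))
    return result["status"] == "alert" and result["pc"] == sca.get("pc")

# Constructed sample: jump target computed from a message byte (vulnerable)
# versus a jump target that is a fixed program constant (safe).
VULNERABLE = [("recv", "r0", 0), ("const", "r1", 4), ("add", "r2", "r0", "r1"),
              ("jmp_reg", "r2")]
SAFE = [("recv", "r0", 0), ("const", "r2", 4), ("jmp_reg", "r2")]
```

A forged or misdirected SCA (wrong message, wrong detection point) fails `verify_sca`, which is what lets hosts act on alerts from peers they do not trust.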
