Very Fast Containment of Scanning Worms

Nicholas Weaver; Stuart Staniford; Vern Paxson

Very Fast Containment of Scanning Worms

Computer worms—malicious, self-propagating programs—represent a significant threat to large networks. One possible defense, containment, seeks to limit a worm's spread by isolating it in a small subsection of the network. In this work we develop containment algorithms suitable for deployment in high-speed, low-cost network hardware. We show that these techniques can stop a scanning host after fewer than 10 scans with a very low false-positive rate. We also augment this approach by devising mechanisms for cooperation that enable multiple containment devices to more effectively detect and respond to an emerging infection. Finally, we discuss ways that a worm can attempt to bypass containment techniques in general, and ours in particular.

Nicholas Weaver, International Computer Science Institute

Stuart Staniford, Nevis Networks

Vern Paxson, International Computer Science Institute and Lawrence Berkeley National Laboratory

BibTeX

@inproceedings {269620,
author = {Nicholas Weaver and Stuart Staniford and Vern Paxson},
title = {Very Fast Containment of Scanning Worms},
booktitle = {13th USENIX Security Symposium (USENIX Security 04)},
year = {2004},
address = {San Diego, CA},
url = {https://www.usenix.org/conference/13th-usenix-security-symposium/very-fast-containment-scanning-worms},
publisher = {USENIX Association},
month = aug
}

Download

Links

Paper:

http://usenix.org/publications/library/proceedings/sec04/tech/full_papers/weaver/weaver.pdf

Paper (HTML):

http://usenix.org/publications/library/proceedings/sec04/tech/full_papers/weaver/weaver_html/index.html

USENIX Conference Policies

Very Fast Containment of Scanning Worms

Nicholas Weaver, International Computer Science Institute

Stuart Staniford, Nevis Networks

Vern Paxson, International Computer Science Institute and Lawrence Berkeley National Laboratory

Links