Evaluation of worm containment algorithms and their effect on legitimate traffic

Abstract

Internet worm attacks have become increasingly more frequent and have had a major impact on the economy, making the detection and prevention of these attacks a top security concern. Several counter-measures have been proposed and evaluated in recent literature. However, the effect of these proposed defensive mechanisms on legitimate competing traffic has not been analyzed. Clearly a defensive approach that slows down or stops worm propagation at the expense of completely restricting any legitimate traffic is of little value. Here we perform a comparative analysis of the effectiveness of several of these proposed mechanisms, including a measure of their effect on normal Web browsing activities. In addition, we introduce a new defensive approach that can easily be implemented on existing hosts, and which significantly reduces the rate of spread of worms using TCP connections to perform the infiltration. Our approach has no measurable effect on legitimate traffic.