Slowing down Internet worms

24th International Conference on Distributed Computing Systems, 2004. Proceedings. Pub Date : 2004-03-24 DOI:10.1109/ICDCS.2004.1281596

Shigang Chen, Yong Tang

{"title":"Slowing down Internet worms","authors":"Shigang Chen, Yong Tang","doi":"10.1109/ICDCS.2004.1281596","DOIUrl":null,"url":null,"abstract":"An Internet worm automatically replicates itself to vulnerable systems and may infect hundreds of thousands of servers across the Internet. It is conceivable that the cyber-terrorists may use a wide-spread worm to cause major disruption to our Internet economy. While much recent research concentrates on propagation models, the defense against worms is largely an open problem. We propose a distributed antiworm architecture (DAW) that automatically slows down or even halts the worm propagation. New defense techniques are developed based on behavioral difference between normal hosts and worm-infected hosts. Particularly, a worm-infected host has a much higher connection-failure rate when it scans the Internet with randomly selected addresses. This property allows DAW to set the worms apart from the normal hosts. We propose a temporal rate-limit algorithm and a spatial rate-limit algorithm, which makes the speed of worm propagation configurable by the parameters of the defense system. DAW is designed for an Internet service provider to provide the anti-worm service to its customers. The effectiveness of the new techniques is evaluated analytically and by simulations.","PeriodicalId":348300,"journal":{"name":"24th International Conference on Distributed Computing Systems, 2004. Proceedings.","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2004-03-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"122","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"24th International Conference on Distributed Computing Systems, 2004. Proceedings.","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICDCS.2004.1281596","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 122

Abstract

An Internet worm automatically replicates itself to vulnerable systems and may infect hundreds of thousands of servers across the Internet. It is conceivable that the cyber-terrorists may use a wide-spread worm to cause major disruption to our Internet economy. While much recent research concentrates on propagation models, the defense against worms is largely an open problem. We propose a distributed antiworm architecture (DAW) that automatically slows down or even halts the worm propagation. New defense techniques are developed based on behavioral difference between normal hosts and worm-infected hosts. Particularly, a worm-infected host has a much higher connection-failure rate when it scans the Internet with randomly selected addresses. This property allows DAW to set the worms apart from the normal hosts. We propose a temporal rate-limit algorithm and a spatial rate-limit algorithm, which makes the speed of worm propagation configurable by the parameters of the defense system. DAW is designed for an Internet service provider to provide the anti-worm service to its customers. The effectiveness of the new techniques is evaluated analytically and by simulations.

查看原文本刊更多论文

减缓互联网蠕虫

互联网蠕虫会自动将自身复制到易受攻击的系统中，并可能感染互联网上数十万台服务器。可以想象，网络恐怖分子可能会利用广泛传播的蠕虫病毒对我们的互联网经济造成重大破坏。虽然最近的许多研究集中在传播模型上，但对蠕虫的防御在很大程度上是一个开放的问题。我们提出了一种分布式防蠕虫架构(DAW)，可以自动减缓甚至停止蠕虫的传播。基于正常宿主与蠕虫感染宿主的行为差异，开发了新的防御技术。特别是，受蠕虫感染的主机在使用随机选择的地址扫描Internet时，连接失败率要高得多。此属性允许DAW将蠕虫与正常主机区分开来。提出了一种时间限速算法和一种空间限速算法，使得蠕虫的传播速度可以通过防御系统的参数来配置。DAW是为互联网服务提供商为其客户提供防蠕虫服务而设计的。通过分析和仿真对新技术的有效性进行了评价。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

24th International Conference on Distributed Computing Systems, 2004. Proceedings.

自引率

0.00%

发文量