Testbed for evaluating worm containment systems

Abstract

Dangerous worms like CodeRed or Slammer can spread millions of probe packets in just seconds which can result in thousands of infected hosts and large losses. Fast and effective containment strategies are crucially important to protect the Internet Infrastructure. Toward this goal of fast and effective worm containment, different techniques have been presented such as address blacklisting and content filtering [3], anomaly detection [6] and signature-based detection [5]. Meanwhile recently developed worm models [1] enable us to develop a testbed to accurately and quickly evaluate the efficiency of these defense mechanisms. In this paper, we present a testbed which utilizes software agents to allow large scale simulation with individual host functionality. We utilize this testbed to evaluate our containment systems in terms of security and performance tradeoff.