Stopping Internet Epidemics
Manuel Costa, Jon Crowcroft, Miguel Castro, A. Rowstron, Lidong Zhou, Lintao Zhang, Paul Barham
2006 International Zurich Seminar on Communications, published 2006-02-21
DOI: 10.1109/IZS.2006.1649086 (https://doi.org/10.1109/IZS.2006.1649086)
Citations: 2
Abstract
As we become increasingly dependent on computers connected to the Internet, we must protect them from worm attacks. Worms can gain complete control of millions of hosts in a few minutes, and they can use the infected hosts for malicious activities such as distributed denial of service attacks, relaying spam, corrupting data, and disclosing confidential information. Since worms spread too fast for humans to respond, systems that strive to contain worm epidemics must be completely automatic. We propose Vigilante, a new end-to-end architecture that contains worms automatically and addresses the limitations of network-centric systems. Vigilante relies on collaborative worm detection at end hosts, but does not require hosts to trust each other. In Vigilante, hosts run instrumented software to detect worms. We introduce dynamic dataflow analysis, a broad-coverage detection algorithm, and we show how to integrate other detection mechanisms into the Vigilante architecture. Upon worm detection, hosts generate self-certifying alerts (SCAs), a new type of security alert that can be inexpensively verified by any vulnerable host. SCAs are then broadcast over a resilient overlay network that can propagate alerts with high probability, even when under active attack. Finally, hosts receiving an SCA generate protective filters with dynamic data and control flow analysis of the vulnerable software. Our results show that Vigilante can contain fast-spreading worms that exploit unknown vulnerabilities without false positives. Vigilante does not require any changes to hardware, compilers, operating systems, or the source code of vulnerable programs, and therefore can be used to protect software as it exists today in binary form.