Vigilante: End-to-end containment of Internet worm epidemics

IF 2 4区计算机科学 Q2 COMPUTER SCIENCE, THEORY & METHODS

ACM Transactions on Computer Systems Pub Date : 2006-10-01 DOI:10.1145/1455258.1455259

Manuel Costa, J. Crowcroft, M. Castro, A. Rowstron, Lidong Zhou, Lintao Zhang, P. Barham

{"title":"Vigilante: End-to-end containment of Internet worm epidemics","authors":"Manuel Costa, J. Crowcroft, M. Castro, A. Rowstron, Lidong Zhou, Lintao Zhang, P. Barham","doi":"10.1145/1455258.1455259","DOIUrl":null,"url":null,"abstract":"Worm containment must be automatic because worms can spread too fast for humans to respond. Recent work proposed network-level techniques to automate worm containment; these techniques have limitations because there is no information about the vulnerabilities exploited by worms at the network level. We propose Vigilante, a new end-to-end architecture to contain worms automatically that addresses these limitations.\n In Vigilante, hosts detect worms by instrumenting vulnerable programs to analyze infection attempts. We introduce dynamic data-flow analysis: a broad-coverage host-based algorithm that can detect unknown worms by tracking the flow of data from network messages and disallowing unsafe uses of this data. We also show how to integrate other host-based detection mechanisms into the Vigilante architecture. Upon detection, hosts generate self-certifying alerts (SCAs), a new type of security alert that can be inexpensively verified by any vulnerable host. Using SCAs, hosts can cooperate to contain an outbreak, without having to trust each other. Vigilante broadcasts SCAs over an overlay network that propagates alerts rapidly and resiliently. Hosts receiving an SCA protect themselves by generating filters with vulnerability condition slicing: an algorithm that performs dynamic analysis of the vulnerable program to identify control-flow conditions that lead to successful attacks. These filters block the worm attack and all its polymorphic mutations that follow the execution path identified by the SCA.\n Our results show that Vigilante can contain fast-spreading worms that exploit unknown vulnerabilities, and that Vigilante's filters introduce a negligible performance overhead. Vigilante does not require any changes to hardware, compilers, operating systems, or the source code of vulnerable programs; therefore, it can be used to protect current software binaries.","PeriodicalId":50918,"journal":{"name":"ACM Transactions on Computer Systems","volume":"64 1","pages":"9:1-9:68"},"PeriodicalIF":2.0000,"publicationDate":"2006-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"48","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Transactions on Computer Systems","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1145/1455258.1455259","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, THEORY & METHODS","Score":null,"Total":0}

引用次数: 48

Abstract

Worm containment must be automatic because worms can spread too fast for humans to respond. Recent work proposed network-level techniques to automate worm containment; these techniques have limitations because there is no information about the vulnerabilities exploited by worms at the network level. We propose Vigilante, a new end-to-end architecture to contain worms automatically that addresses these limitations. In Vigilante, hosts detect worms by instrumenting vulnerable programs to analyze infection attempts. We introduce dynamic data-flow analysis: a broad-coverage host-based algorithm that can detect unknown worms by tracking the flow of data from network messages and disallowing unsafe uses of this data. We also show how to integrate other host-based detection mechanisms into the Vigilante architecture. Upon detection, hosts generate self-certifying alerts (SCAs), a new type of security alert that can be inexpensively verified by any vulnerable host. Using SCAs, hosts can cooperate to contain an outbreak, without having to trust each other. Vigilante broadcasts SCAs over an overlay network that propagates alerts rapidly and resiliently. Hosts receiving an SCA protect themselves by generating filters with vulnerability condition slicing: an algorithm that performs dynamic analysis of the vulnerable program to identify control-flow conditions that lead to successful attacks. These filters block the worm attack and all its polymorphic mutations that follow the execution path identified by the SCA. Our results show that Vigilante can contain fast-spreading worms that exploit unknown vulnerabilities, and that Vigilante's filters introduce a negligible performance overhead. Vigilante does not require any changes to hardware, compilers, operating systems, or the source code of vulnerable programs; therefore, it can be used to protect current software binaries.

查看原文本刊更多论文

治安维持者:端到端遏制互联网蠕虫的流行

蠕虫的控制必须是自动的，因为蠕虫的传播速度太快，人类无法做出反应。最近的工作提出了网络级技术来自动遏制蠕虫;这些技术具有局限性，因为没有关于蠕虫在网络级别利用的漏洞的信息。我们提出了Vigilante，这是一种新的端到端架构，可以自动包含蠕虫，从而解决这些限制。在Vigilante中，主机通过检测易受攻击的程序来分析感染企图来检测蠕虫。我们介绍动态数据流分析:一种广泛覆盖的基于主机的算法，可以通过跟踪来自网络消息的数据流并禁止不安全使用这些数据来检测未知蠕虫。我们还展示了如何将其他基于主机的检测机制集成到Vigilante架构中。一旦检测到，主机就会生成自认证警报(sca)，这是一种新型的安全警报，任何易受攻击的主机都可以廉价地对其进行验证。使用sca，主机可以合作遏制爆发，而不必相互信任。Vigilante在覆盖网络上广播sca，该网络快速而有弹性地传播警报。接收SCA的主机通过生成带有漏洞条件切片的过滤器来保护自己:漏洞条件切片是一种算法，对易受攻击的程序执行动态分析，以识别导致成功攻击的控制流条件。这些过滤器阻止蠕虫攻击及其遵循SCA确定的执行路径的所有多态突变。我们的结果表明，Vigilante可以包含利用未知漏洞的快速传播蠕虫，并且Vigilante的过滤器引入的性能开销可以忽略不计。Vigilante不需要对硬件、编译器、操作系统或易受攻击程序的源代码进行任何更改;因此，它可以用来保护当前的软件二进制文件。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

ACM Transactions on Computer Systems 工程技术-计算机：理论方法

CiteScore

4.00

自引率

0.00%

发文量

审稿时长

1 months

期刊介绍： ACM Transactions on Computer Systems (TOCS) presents research and development results on the design, implementation, analysis, evaluation, and use of computer systems and systems software. The term "computer systems" is interpreted broadly and includes operating systems, systems architecture and hardware, distributed systems, optimizing compilers, and the interaction between systems and computer networks. Articles appearing in TOCS will tend either to present new techniques and concepts, or to report on experiences and experiments with actual systems. Insights useful to system designers, builders, and users will be emphasized. TOCS publishes research and technical papers, both short and long. It includes technical correspondence to permit commentary on technical topics and on previously published papers.