Automated detection and containment of worms and viruses into heterogeneous networks: a simple network immune system

While much recent research concentrates on propagation models, the defence against worms is largely an open problem. Classical containment strategies, based on manual application of traffic filters, will be almost totally ineffective in the wide area since the worms are able to spread at rates that effectively preclude any human-directed reaction. Consequently, developing an automated, flexible and adaptive containment strategy is the most viable way to defeat worm propagation in an acceptable time. As a case in point, we look to natural immune systems, which solve a similar problem, but in a radically different way. Accordingly, we present a cooperative immunisation system inspired in principles and structure by the natural immune system that helps in defending against these types of attacks. Our system automatically detects pathologic traffic conditions due to an infection and informs, according to a cooperative communication principle, all the reachable networked nodes about the ongoing attack, triggering the actions required to their defence. To evaluate our proposal, we formulated a simple worm propagation and containment model, and evaluated our system using numerical solution and sensitivity analysis. Our measurements show that our reaction strategy is sufficiently robust against all the most common malicious agents. We envision that the above solution will be an effective line of defence against more aggressive worms.

[1]  William A. Arbaugh,et al.  IEEE 52 Computer , 1985 .

[2]  Steve W. Manzuik,et al.  Windows of Vulnerability , 2006 .

[3]  David Moore,et al.  Internet quarantine: requirements for containing self-propagating code , 2003, IEEE INFOCOM 2003. Twenty-second Annual Joint Conference of the IEEE Computer and Communications Societies (IEEE Cat. No.03CH37428).

[4]  Karl N. Levitt,et al.  Cooperative response strategies for large scale attack mitigation , 2003, Proceedings DARPA Information Survivability Conference and Exposition.

[5]  David M. Nicol,et al.  A mixed abstraction level simulation model of large-scale Internet worm infestations , 2002, Proceedings. 10th IEEE International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunications Systems.

[6]  Eric Rescorla Security Holes . . . Who Cares? , 2003, USENIX Security Symposium.

[7]  Matthew M. Williamson,et al.  Throttling viruses: restricting propagation to defeat malicious mobile code , 2002, 18th Annual Computer Security Applications Conference, 2002. Proceedings..

[8]  Donald F. Towsley,et al.  Code red worm propagation modeling and analysis , 2002, CCS '02.

[9]  Fred Cohen,et al.  Computer viruses—theory and experiments , 1990 .

[10]  Matthew C. Elder,et al.  On computer viral infection and the effect of immunization , 2000, Proceedings 16th Annual Computer Security Applications Conference (ACSAC'00).

[11]  Dawn Xiaodong Song,et al.  Dynamic quarantine of Internet worms , 2004, International Conference on Dependable Systems and Networks, 2004.

[12]  R. May,et al.  Infectious Diseases of Humans: Dynamics and Control , 1991, Annals of Internal Medicine.

[13]  Daryl J. Daley,et al.  Epidemic Modelling: An Introduction , 1999 .

[14]  Vern Paxson,et al.  How to Own the Internet in Your Spare Time , 2002, USENIX Security Symposium.

[15]  Carey Nachenberg The Evolving Virus Threat , 2000 .

[16]  Jose Nazario,et al.  The Future of Internet Worms , 2001 .

[17]  Gregory R. Ganger,et al.  Self-Securing Network Interfaces: What, Why and How (CMU-CS-02-144) , 2002 .

[18]  Jeffrey O. Kephart,et al.  Directed-graph epidemiological models of computer viruses , 1991, Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy.

[19]  David J. Albanese,et al.  The Case for Using Layered Defenses to Stop Worms Network Architecture and Applications Division of the Systems and Network Attack Center (SNAC) Information Assurance Directorate , 2004 .