Abstract

In this paper, we propose an automated approach for quickly detecting previously unknown worms and viruses based on two key behavioral characteristics—a common exploit sequence together with a range of unique sources generating infections and destinations being targeted. More importantly, our approach—called "content sifting"—automatically generates precise signatures that can then be used to filter or moderate the spread of the worm elsewhere in the network.

Using a combination of existing and novel algorithms we have developed a scalable content sifting implementation with low memory and CPU requirements. Over months of active use at UCSD, our Earlybird prototype system has automatically detected and generated signatures for all pathogens known to be active on our network as well as for several new worms and viruses which were unknown at the time our system identified them. Our initial experience suggests that, for a wide range of network pathogens, it may be practical to construct fully automated defenses—even against so-called "zero-day" epidemics.

• View the full text of this paper in HTML and PDF.
  Until December 2005, you will need your USENIX membership identification in order to access the full papers. The Proceedings are published as a collective work, © 2004 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.

• If you need the latest Adobe Acrobat Reader, you can download it from Adobe's site.

To become a USENIX Member, please see our Membership Information.