OSDI '04 Abstract
Pp. 4560 of the Proceedings
Automated Worm Fingerprinting
Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage, University of California, San Diego
Abstract
Network worms are a clear and growing threat to the security
of today's Internet-connected hosts and networks.
The combination of the Internet's unrestricted connectivity
and widespread software homogeneity allows network
pathogens to exploit tremendous parallelism in
their propagation. In fact, modern worms can spread so
quickly, and so widely, that no human-mediated reaction
can hope to contain an outbreak.
In this paper, we propose an automated approach
for quickly detecting previously unknown worms and
viruses based on two key behavioral characteristicsa common exploit sequence together with a range of
unique sources generating infections and destinations being
targeted. More importantly, our approachcalled
"content sifting"automatically generates precise signatures
that can then be used to filter or moderate the
spread of the worm elsewhere in the network.
Using a combination of existing and novel algorithms
we have developed a scalable content sifting implementation
with low memory and CPU requirements. Over
months of active use at UCSD, our Earlybird prototype
system has automatically detected and generated signatures
for all pathogens known to be active on our network
as well as for several new worms and viruses which were
unknown at the time our system identified them. Our
initial experience suggests that, for a wide range of network
pathogens, it may be practical to construct fully
automated defenseseven against so-called "zero-day"
epidemics.
- View the full text of this paper in HTML and
PDF.
Until December 2005, you will need your USENIX membership identification in order to access the full papers. The Proceedings are published as a collective work, © 2004 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.
- If you need the latest Adobe Acrobat Reader, you can download it from Adobe's site.
|