Check out the new USENIX Web site.

USENIX Home . About USENIX . Events . membership . Publications . Students
OSDI '04 — Abstract

Pp. 45–60 of the Proceedings

Automated Worm Fingerprinting

Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage, University of California, San Diego

Abstract

Network worms are a clear and growing threat to the security of today's Internet-connected hosts and networks. The combination of the Internet's unrestricted connectivity and widespread software homogeneity allows network pathogens to exploit tremendous parallelism in their propagation. In fact, modern worms can spread so quickly, and so widely, that no human-mediated reaction can hope to contain an outbreak.

In this paper, we propose an automated approach for quickly detecting previously unknown worms and viruses based on two key behavioral characteristics—a common exploit sequence together with a range of unique sources generating infections and destinations being targeted. More importantly, our approach—called "content sifting"—automatically generates precise signatures that can then be used to filter or moderate the spread of the worm elsewhere in the network.

Using a combination of existing and novel algorithms we have developed a scalable content sifting implementation with low memory and CPU requirements. Over months of active use at UCSD, our Earlybird prototype system has automatically detected and generated signatures for all pathogens known to be active on our network as well as for several new worms and viruses which were unknown at the time our system identified them. Our initial experience suggests that, for a wide range of network pathogens, it may be practical to construct fully automated defenses—even against so-called "zero-day" epidemics.

  • View the full text of this paper in HTML and PDF.
    Click here if you have forgotten your password Until December 2005, you will need your USENIX membership identification in order to access the full papers. The Proceedings are published as a collective work, © 2004 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.

  • If you need the latest Adobe Acrobat Reader, you can download it from Adobe's site.
To become a USENIX Member, please see our Membership Information.

 

?Need help? Use our Contacts page.

Last changed: 13 Oct. 2004 aw
Technical Program
OSDI '04 Home
USENIX home