|
13th USENIX Security Symposium — Abstract
Pp. 29–44 of the Proceedings
Very Fast Containment of Scanning Worms
Nicholas Weaver, International Computer Science Institute; Stuart Staniford, Nevis Networks; Vern Paxson, International
Computer Science Institute and Lawrence Berkeley National Laboratory
Abstract
Computer worms—malicious, self-propagating programs—represent a
significant threat to large networks. One possible defense,
containment, seeks to limit a worm's spread by isolating it in a
small subsection of the network. In this work we develop containment
algorithms suitable for deployment in high-speed, low-cost network hardware.
We show that these techniques can stop a scanning host after fewer than
10 scans with a very low false-positive rate. We also augment this approach
by devising mechanisms for cooperation that enable multiple containment
devices to more effectively detect and respond to an emerging infection.
Finally, we discuss ways that a worm can attempt to bypass containment
techniques in general, and ours in particular.
- View the full text of this paper in HTML and PDF.
Until August 2005, you will need your USENIX membership identification in order to access the full papers. The Proceedings are published as a collective work, © 2004 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.
- If you need the latest Adobe Acrobat Reader, you can download it from Adobe's site.
|
Need help? Use our Contacts page.
