Internet worms present a serious threat to today's highly networked computing environment. Unlike viruses and Trojans, worms typically spread automatically, without active human intervention, resulting in infection rates considerably higher than those of conventional viruses. For example, analysis of the Slammer worm determined that it attained probe rates as high as 26,000 scans per second. Additionally, the Witty worm outbreak demonstrated the insufficiency of patching as a defense, given that the worm appeared only one day after publication of the corresponding vulnerability.
Modeling worm spread is closely related to worm containment, because worm-spread models allow the effectiveness of a containment strategy to be evaluated. To date, proposed models include differential equation models as well as Markov models. Apart from some disagreement regarding networks that exhibit localized interactions, researchers agree that worms spread at exponential rates after initial infection. This exponential spread pattern leaves network administrators an extremely short reaction time in which to take any countermeasures.
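The following is an added worked instance of the differential-equation class of model mentioned above; it is not from the original text. It assumes the standard logistic (SI) model for a random-scanning worm, dI/dt = K·I·(1 − I/N) with K = (scan rate × N) / 2^32, and the parameters (4,000 scans per second per infected host, 75,000 vulnerable hosts, one initial infection) are constructed for illustration rather than taken from any measured outbreak. It integrates the equation numerically, compares the result against the closed-form solution, and reports the doubling time that makes the reaction window so short.

```python
import math

ADDRESS_SPACE = 2 ** 32   # IPv4 addresses a random-scanning worm draws from

# Constructed parameters (assumptions for this example, not measured values)
SCAN_RATE = 4000          # scans per second per infected host
VULNERABLE = 75000        # vulnerable hosts on the Internet


def contact_rate(scan_rate, vulnerable):
    """K: expected new infections per infected host per second while the
    vulnerable population is still mostly uninfected."""
    return scan_rate * vulnerable / ADDRESS_SPACE


def doubling_time(scan_rate, vulnerable):
    """Seconds for the infected population to double in the exponential phase."""
    return math.log(2) / contact_rate(scan_rate, vulnerable)


def infected_closed_form(t, scan_rate, vulnerable, initial=1):
    """Logistic solution of dI/dt = K * I * (1 - I/N) with I(0) = initial."""
    K = contact_rate(scan_rate, vulnerable)
    return vulnerable / (1 + (vulnerable / initial - 1) * math.exp(-K * t))


def simulate(scan_rate, vulnerable, initial=1, dt=0.1, horizon=600.0):
    """Forward-Euler integration of the same equation; returns [(t, I), ...]."""
    K = contact_rate(scan_rate, vulnerable)
    infected = float(initial)
    series = [(0.0, infected)]
    steps = int(round(horizon / dt))
    for step in range(1, steps + 1):
        infected += K * infected * (1 - infected / vulnerable) * dt
        infected = min(infected, float(vulnerable))   # never exceed the population
        series.append((step * dt, infected))
    return series


def time_to_fraction(series, vulnerable, fraction):
    """First simulated time at which at least `fraction` of the hosts are infected."""
    for t, infected in series:
        if infected >= fraction * vulnerable:
            return t
    return None


if __name__ == "__main__":
    series = simulate(SCAN_RATE, VULNERABLE)
    print("doubling time: %.1f s" % doubling_time(SCAN_RATE, VULNERABLE))
    print("50%% infected after: %.1f s" % time_to_fraction(series, VULNERABLE, 0.5))
    print("90%% infected after: %.1f s" % time_to_fraction(series, VULNERABLE, 0.9))
```

With these constructed parameters the infected population doubles roughly every ten seconds and half of the vulnerable hosts are infected in under three minutes, which is the quantitative form of the "extremely short reaction time" the text refers to; raising the per-host scan rate shortens every one of those figures proportionally.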
The need for fast response times underscores the need for an automated mechanism that locally detects and controls the spread of a worm. Traditionally, network administrators have used host-based firewalls and various intrusion-detection systems for this purpose. Such systems attempt to prevent infection by scanning network traffic for worm signatures. In addition, these firewalls prevent vulnerable services from being exposed to the network. Although these measures are effective against known worms, they are not effective against zero-day worm outbreaks. Moreover, most of these firewalls and intrusion-detection systems are software based, and are thus vulnerable to tampering and exploitation by the worms themselves. The Witty worm, which infected a host intrusion-detection software package, is an example of this vulnerability.
Worms typically spread by exploiting some software vulnerability in the target system. Numerous worms, including the Morris, Code Red I, and Code Red II worms, have exploited various types of buffer overflow vulnerabilities. In response, researchers have proposed proactive mechanisms, such as adopting robust programming practices and building automated tools that generate robust code. However, these techniques require the existing software to be recompiled and/or rewritten. Such approaches also mandate replacing entire software suites on the network, since any piece of software could expose a vulnerability. Moreover, such mechanisms may degrade performance.
Self-propagating worms spread by locating vulnerable hosts on the network and compromising vulnerable services running on those hosts. A typical mechanism used by worms for this purpose is called random address scan, in which a worm randomly generates Internet Protocol (IP) addresses and attempts to compromise vulnerable services on the hosts with those addresses. For example, the Code Red and Slammer worms used random address scan to find vulnerable machines on the network. Other scanning methods are also used, including serial scan (where a worm scans IP addresses in sequence), local preference scan (where a worm generates local IP addresses with higher probability, since they are more likely to be valid), and divide-and-conquer scan (where a worm splits the range of IP addresses to scan when it propagates to a new computer). Examples of worms using these other scanning techniques include the Code Red II worm (local preference scan) and the Blaster worm (serial scan). Worm-containment systems leverage this scanning behavior to detect infected hosts and then mitigate the threat, either by throttling traffic from the infected host or by quarantining the infected host entirely. However, these systems are potentially vulnerable to tampering and/or exploitation by worms. For example, it is possible to bypass a connection-throttling mechanism implemented in the operating system (OS) by sending raw Ethernet frames onto the network.
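As an added example (not code from the original text or from any particular containment product), the following models the detect-then-throttle-or-quarantine behaviour described above. It assumes one common design: each host keeps a small working set of recently contacted destinations, connections to destinations in the set pass immediately, connections to new destinations are queued and released at a fixed rate, and a queue that grows past a threshold is treated as the signature of address scanning and the host is quarantined. The traffic trace is constructed inline (one host talking to three servers, one host contacting a fresh address every 20 ms), as are the working-set size, release rate and quarantine threshold; the class and function names are this example's own.

```python
import ipaddress
import random
from collections import deque


class ConnectionThrottle:
    """Per-host rate limit on connections to *new* destinations, plus
    quarantine when the backlog of new destinations indicates scanning.
    All parameters are assumptions chosen for this example."""

    def __init__(self, working_set=5, new_per_second=1, quarantine_at=100):
        self.working_set = working_set
        self.new_per_second = new_per_second
        self.quarantine_at = quarantine_at
        self.recent = {}        # host -> deque of recently contacted destinations
        self.pending = {}       # host -> deque of destinations awaiting release
        self.quarantined = {}   # host -> second at which it was quarantined
        self.peak_queue = {}    # host -> longest backlog seen (for reporting)

    def observe(self, second, host, dst):
        """Classify one outbound connection attempt: allow, delay or quarantine."""
        if host in self.quarantined:
            return "quarantine"
        recent = self.recent.setdefault(host, deque(maxlen=self.working_set))
        if dst in recent:
            return "allow"
        pending = self.pending.setdefault(host, deque())
        if dst not in pending:
            pending.append(dst)
        self.peak_queue[host] = max(self.peak_queue.get(host, 0), len(pending))
        if len(pending) > self.quarantine_at:
            self.quarantined[host] = second
            return "quarantine"
        return "delay"

    def tick(self):
        """Once per second: release up to new_per_second queued destinations per host."""
        for host, pending in self.pending.items():
            if host in self.quarantined:
                continue
            for _ in range(min(self.new_per_second, len(pending))):
                self.recent[host].append(pending.popleft())


def run_trace(flows, throttle=None):
    """flows: iterable of (second, source_host, destination). Returns the throttle."""
    if throttle is None:
        throttle = ConnectionThrottle()
    by_second = {}
    for second, host, dst in flows:
        by_second.setdefault(second, []).append((host, dst))
    for second in range(max(by_second) + 1):
        for host, dst in by_second.get(second, []):
            throttle.observe(second, host, dst)
        throttle.tick()
    return throttle


def constructed_trace(seconds=120, scan_per_second=50, seed=1):
    """Constructed sample traffic (not captured data): 10.0.0.5 talks to three
    servers and reaches one genuinely new destination every 30 s; 10.0.0.9
    contacts a never-before-seen address scan_per_second times per second."""
    rng = random.Random(seed)
    servers = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    base = ipaddress.IPv4Address("203.0.113.0")   # addresses counted up from here
    flows, counter = [], 0
    for second in range(seconds):
        for _ in range(2):
            flows.append((second, "10.0.0.5", rng.choice(servers)))
        if second % 30 == 29:
            flows.append((second, "10.0.0.5", f"198.51.100.{second}"))
        for _ in range(scan_per_second):
            flows.append((second, "10.0.0.9", str(base + counter)))
            counter += 1
    return flows


if __name__ == "__main__":
    t = run_trace(constructed_trace())
    for host in sorted(t.peak_queue):
        print(host, "peak backlog:", t.peak_queue[host],
              "quarantined at:", t.quarantined.get(host, "never"))
```

The normal host is never quarantined and never backs up more than a couple of connections, while the scanning host exceeds the backlog threshold within the first few seconds. Because the throttle sits in the path of every outbound connection, it also illustrates the weakness noted in the text: a host that can emit raw frames below the OS networking stack never reaches `observe`, which is why hardware- or network-enforced placement of such a mechanism matters.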
Another problem with current worm-containment systems is that they cannot contain both fast- and slow-spreading worms at the same time.