Computer worms (i.e., malicious, self-propagating code) are a significant threat to Internet security. Since worm infection can spread more rapidly than human response, automated worm detection and containment techniques are essential. In addition, worm containment techniques need to be able to handle zero-day (unknown) worms.
Although [2] shows that AS-level or ISP-level worm containment could be more effective, almost all the existing worm containment mechanisms are either deployed at the perimeter of an enterprise network (or LAN), or embedded in the hosts within the enterprise, or a combination of both. Enterprise level worm containment has three basic goals: (1) prevent internal hosts from being infected; (2) block outgoing worm scans; (3) minimize the denial-of-service effects caused by worm containment controls.
Recently quite a few approaches have been proposed to do enterprise level worm containment, however, existing defenses are still quite limited in meeting four highly-desired requirements: (R1) timeliness in policing worm scans; (R2) resiliency to containment evading; (R3) minimal denial-of service costs; (R4) being agnostic to worm's scanning strategy to contain a wide spectrum of worms from uniformly randomly scanning worms to topologically aware scanning worms. To see how existing defenses are limited in meeting the four requirements, we break down the existing worm containment defenses into five classes and briefly summarize the limitations in terms of the four requirements as shown in Table I.
TABLE IWeaknesses of Existing Worm Containment DefensesExisting TechniqueR1R2R3R4Virus throttle [1]XAutomated worm fingerprinting [3]XXAutograph [4]XXXPolygraph [5]XXXHamsa [6]XXXFast and automated generation of attack signatures [7]XXVigilante [8]XXXAnomalous payload-based worm detection andXsignature generation [9]Anomalous payload-based network intrusionXdetection [10]Polymorphic worm detection using structural infor-Xmation of executables [11]Sigfree [12]XXVery fast containment of scanning worms [14]XXSlowing down Internet worms [15]X
Class A: Rate limiting. The idea of Class A techniques is to limit the sending rate of scan-like traffic at an infected host. The Virus Throttle proposed by Williamson et al. [1] uses a working set and a delay queue to limit the number of new machines that a host can connect to within unit time. In [15] connection failure rate is exploited, and, in [16], the number of unique IP addresses that a host can scan during each containment cycle is leveraged. Class A techniques may introduce longer delays for normal traffic.
Class B: Signature-based worm scan filtering. The idea is to generate the worm signature which can then be used to prevent scans from entering/leaving a LAN/host. Earlybird [3] is an efficient inline solution that integrates flow classification, signature generation and scan filtering. However, it can be easily evaded by polymorphic worms. Polygraph [5] can handle polymorphic worms, but it spends too much time in generating the signature. In [17], [18], [19], signatures are generated out of packets “captured” by a honeypot. However, network-level flow classification techniques used invariably suffer from false positives leading to noise in the worm traffic pool [6]. Although Hamsa [6] is a fast, noise-tolerant solution against network flows, the false negative and false positive of a signature depend on the accuracy of the flow classifier used. In addition, Hamsa and many other Class B solutions are vulnerable to Polymorphic Blending attacks [20].
Class C: Filter-based worm containment. Class C techniques shares the same spirit with Class B techniques except that a filter is a piece of code which is to check a message if it contains a worm. Shield [21] uses host-based filters to block vulnerabilities but these filters are generated manually. Vigilante [8] generates and distributes host-based filters automatically. But, its response time relies on the worm payload size, and some filters can be evaded by code obfuscation based on char shifting or insertion. To achieve high coverage, they need a complicated detection technique such as dynamic dataflow analysis [22], [23].
Class D: Payload-classification based worm containment. The idea of Class D techniques is to determine if a packet contains a worm. In [9], [10], [24], a set of anomaly detection techniques are proposed to detect worms. But, they suffer from false negatives or false positives, especially in the presence of code obfuscation. In [11] control flow structures are exploited to detect polymorphic worms, but, off-line analysis is required. In [25], [12], they detect if a data packet contains code or not, but, not all worms propagate through data packets.
Class E: Threshold Random Walk (TRW) scan detection. In [13], TRW exploits randomness in picking destinations to connect to, to detect if a host is a scanner. In [14], hardware implementation is investigated. TRW is suitable for deployment in high-speed, low-cost network hardware, and it is very effective in tackling the common way of worm scanning (i.e., random scanning with high failing likelihood).