Some network security threats, such as worms, viruses, and “stepping stone” attacks (hereinafter “spreading threats”), “spread” to other systems through a common network. A spreading threat first compromises a host, through any of a variety of means, and then attempts to compromise further hosts that can be reached over a connected network. In many networks, once one or a small number of hosts are compromised, they can adversely affect the network despite existing security measures. For example, a compromised host may be able to subvert a trust relationship that was not accessible to the original attacking host. Compromised hosts can also produce a denial of service effect, in some cases merely by attempting to spread, even to hosts that are not vulnerable.
Quarantine is a general technique used to help mitigate these situations. Hosts that are determined to be infected are isolated from the other hosts to prevent further infection. The infected hosts are then “cured” (cleaned, reloaded, etc.) and returned to the general population. This technique is often implemented in an extremely manual way. First, a host or network is determined to be infected. This is typically accomplished by having a human review firewall, IDS, or antivirus logs and estimate which hosts are infected, and by what. Next, the infected population is detached from the network, often through physical means such as powering hosts off or removing network cables. This approach is slow, error prone, and labor intensive, and it is not likely to work without constant, and sometimes considerable, human staffing. The existing non-labor-intensive techniques for detecting and mitigating spreading threats require significant time, effort, and expertise to respond to new threats, and they are often very disruptive to other components of the network and security infrastructure. Therefore, it would be desirable to have a better way to neutralize spreading threats.
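As an added illustration of the detection step described above (example code, not part of the original text), the following Python reviews a constructed firewall log in a hypothetical “timestamp src dst dport action” format, flags hosts whose connection pattern looks like spreading (many distinct targets on one port within a short window, whether or not each attempt succeeded), and renders generic quarantine rules for them. The threshold, window, allowlist, and rule syntax are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): 10.0.0.5 fans out to six hosts on
# tcp/445 within a minute, as a spreading threat would; 10.0.0.9 behaves normally.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 10.0.0.20 445 ALLOW
2024-05-01T10:00:03 10.0.0.5 10.0.0.21 445 DENY
2024-05-01T10:00:05 10.0.0.9 10.0.0.50 443 ALLOW
2024-05-01T10:00:07 10.0.0.5 10.0.0.22 445 ALLOW
2024-05-01T10:00:11 10.0.0.5 10.0.0.23 445 DENY
2024-05-01T10:00:14 10.0.0.9 10.0.0.51 80 ALLOW
2024-05-01T10:00:19 10.0.0.5 10.0.0.24 445 DENY
2024-05-01T10:00:25 10.0.0.5 10.0.0.25 445 ALLOW
2024-05-01T10:01:40 10.0.0.9 10.0.0.52 443 ALLOW
"""

def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport); None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None

def find_spreading_hosts(lines, threshold=5, window=timedelta(seconds=60), allowlist=()):
    """Return {src: dport} for hosts that reached >= threshold distinct destinations on
    one port within `window`. ALLOW and DENY both count: the attempt is the signal."""
    by_key = defaultdict(list)  # (src, dport) -> [(ts, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and rec[1] not in allowlist:  # e.g. an authorised vulnerability scanner
            ts, src, dst, dport = rec
            by_key[(src, dport)].append((ts, dst))
    flagged = {}
    for (src, dport), events in by_key.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # distinct targets contacted within `window` of this event
            targets = {d for t, d in events[i:] if t - start <= window}
            if len(targets) >= threshold:
                flagged[src] = dport
                break
    return flagged

def quarantine_rules(flagged):
    """One deny rule per flagged host, in a generic syntax (not any vendor's ACL)."""
    return [f"deny src {src} any  # spreading on tcp/{dport}" for src, dport in sorted(flagged.items())]
```

Running `quarantine_rules(find_spreading_hosts(SAMPLE_LOG.splitlines()))` yields a single rule for 10.0.0.5; a host on the allowlist, or one that contacts fewer than the threshold of distinct targets, is never flagged.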