CS-558. Vigilante: End-to-End Containment of Internet Worms. Manuel Costa, Jon Crowcroft , Miguel Castro, Antony Rowstron , Lidong Zhou, Lintao Zhang, Paul Barham. Smyrnaki Ourania. Problems with Worm Containment. Worms spread too fast for humans to respond.
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang, Paul Barham
No information about the vulnerabilities exploited by worms at the network level.
Hard for worms to avoid detection
Hard to disable them with denial-of-service attacks.
Generation of SCAs
Step 2:Verification manager uses the data in the SCA to identify the vulnerable service
Step 4:If Verified is executed, the Verification Manager signals SUCCESS to the SCA Verifier.
Otherwise the SCA Verifier declares failure after timeout.
2 Detection engines
Worm propagation Vs SCA Distribution
Secure Overlay network called Pastry with super peers in order to broadcast the alerts
Detectors generate arbritaryexecution control alert for Slammer and Blaster and arbritary code execution alert for CodeRed.
Both detectors generate SCAs fast.
Generation is higher in CodeRed since the number of instructions executed is larger.
NX detector performs best:
Instrumentation is less intrusive and less general.
SCA generation time in milliseconds for real worms using two detectors
Size of SCAs is small
Mostly determined by the size of the worm probe messages
SCAsizes in bytes for real worms
Verification is fast.
Keep a VM running, ready to verify SCAs when they arrive
Starting VMs on demand resulted in additional delay
SCAverification time in ms for real worms
Infected percentage of vulnerable hosts with different fractions of p detectors.
A small fraction of detectors p=0.001 is enough to contain the worm infection to less than 5% of the vulnerable population, even under DoS attacks.
Filter generation for CodeRed more expensive
Number of instructions analysed is larger
Filter generation time for real worms
Effect of SCA Verification time, infection rate and number of initially infected hosts.