vigilante end to end containment of internet worms n.
Skip this Video
Download Presentation
Vigilante: End-to-End Containment of Internet Worms

Loading in 2 Seconds...

play fullscreen
1 / 25

Vigilante: End-to-End Containment of Internet Worms - PowerPoint PPT Presentation

  • Uploaded on

CS-558. Vigilante: End-to-End Containment of Internet Worms. Manuel Costa, Jon  Crowcroft , Miguel Castro, Antony  Rowstron ,  Lidong  Zhou,  Lintao  Zhang, Paul  Barham. Smyrnaki Ourania. Problems with Worm Containment. Worms spread too fast for humans to respond.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Vigilante: End-to-End Containment of Internet Worms' - arav

Download Now An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
vigilante end to end containment of internet worms


Vigilante: End-to-End Containment of Internet Worms

Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang, Paul Barham


problems with worm containment
Problems with Worm Containment
  • Worms spread too fast for humans to respond.
  • Recent network-level techniques have limitations:

No information about the vulnerabilities exploited by worms at the network level.

introduction proposal
  • Propose a new system called Vigilante used for automatic Worm Containment.
  • Detector hosts distributed all over the network.

Hard for worms to avoid detection

Hard to disable them with denial-of-service attacks.

  • End-to-end approach that contains worms automatically
  • Collaborative worm detection at end hosts, does not require hosts to trust each other.
  • Hosts detect worms and broadcast SCAs upon worm detection
components in vigilante
Components in Vigilante
  • Detection of Worms
  • Generation of SCAs
  • Verification Process
  • Distribution Process
  • Protection Process by generating filters to protect themselves






Vulnerable Application

Generation of SCAs


Detection Engine


SCA Verification


SCA Verification

SCA Distribution

SCA Distribution

Vulnerable host

Detector host

self certifying alert sca
Self-Certifying Alert (SCA)
  • Three different types of SCAs (describe vulerability)
  • Arbitrary Execution Control Alert:
  • Identifies vulnerabilities that allow worms to redirect execution to arbitrary pieces of code.
  • Arbitrary Code Execution Alert:
  • Describes code-injection vulnerabilities
  • Arbitrary Function argument:
  • Identify data-injection vulnerabilities that allow worms to to change the values of arguments to critical functions
self certifying alert sca for slammer worm
Self-Certifying Alert (SCA) for Slammer Worm
  • All three types of SCAs have a common format
alert cerification
Alert cerification
  • Reproduce the infection process in a Virtual Machine.
  • Each host runs a VM with a verification manager.

Step 2:Verification manager uses the data in the SCA to identify the vulnerable service

Step 4:If Verified is executed, the Verification Manager signals SUCCESS to the SCA Verifier.

Otherwise the SCA Verifier declares failure after timeout.

alert generation
Alert generation

2 Detection engines

  • Non-executable pages
  • Dynamic DataFlow Analysis
non executable pages
Non-executable pages
  • Non-execute protection on stack and heap pages.
  • When a worm attempts to execute code in a protected page  exception is thrown.
  • Detector catches exception and tries to generate a SCA.
  • Traverses the message logs searching for the code to be executed or for the address of the faulting instructions  Generates a SCA
dynamic dataflow analysis
Dynamic-Dataflow Analysis
  • Dynamic information flow tracking is a hardware mechanism to protect programs against malicious attacks by identifying spurious information flows and restricting the usage of spurious information
  • Track flow data received in certain network/input operations.
  • Instrument every control transfer instruction RET,CALL,JPM and every push instruction MOV,PUSH
dynamic dataflow analysis1
Dynamic-Dataflow Analysis
  • Simple algorithm:
  • Whenever an instruction moves data from a source to a destination, the Destinations becomes dirty if the source is dirty, or clean otherwise
  • .
distribution of scas
Distribution of SCAs


Worm propagation Vs SCA Distribution

distribution process
Distribution process

Secure Overlay network called Pastry with super peers in order to broadcast the alerts

  • Flooding in order to broadcast alerts to ALL the hosts in the overlay.
  • Each hosts maintains 15log16N neighbors and the expected length is log16N
  • Vigilante overlay extremely effective  once a detector is probed, it takes 2.5 secs to reach almost all the vulnerable hosts
  • Evaluated Vigilante with Real Worms
  • Slammer:
  • Infected approximately 75,000 Microsoft SQL Servers.
  • Fastest computer worm in History
  • During its outbreak, the number of infected machines doubled every 8.5 seconds


  • Infected approximately 360,000 Microsoft IIS Servers.
  • Speads much slower than Slammer.
  • Took 37 minutes to double the infected population


  • Infected the RPC service on Microsoft Windows machines.
  • Infected 500,000 hosts
  • Spread rate similar to CodeRed’s.
evaluation alert generation
Evaluation- Alert Generation

Detectors generate arbritaryexecution control alert for Slammer and Blaster and arbritary code execution alert for CodeRed.

Both detectors generate SCAs fast.

Generation is higher in CodeRed since the number of instructions executed is larger.

NX detector performs best:

Instrumentation is less intrusive and less general.

SCA generation time in milliseconds for real worms using two detectors

evaluation alert generation1
Evaluation- Alert Generation

Size of SCAs is small

Mostly determined by the size of the worm probe messages

SCAsizes in bytes for real worms

evaluation alert verification
Evaluation- Alert Verification

Verification is fast.

Keep a VM running, ready to verify SCAs when they arrive

Starting VMs on demand resulted in additional delay

SCAverification time in ms for real worms

modeling of worm propagation infection
Modeling of Worm propagation/Infection
  • S: Susceptible hosts
  • Fraction p for detectors
  • β : infection rate
  • It total number of infected hosts at time t
  • Pt number of distinct susceptible hosts that have been probed by worm at time t
evaluation containment
Evaluation- Containment

Infected percentage of vulnerable hosts with different fractions of p detectors.

A small fraction of detectors p=0.001 is enough to contain the worm infection to less than 5% of the vulnerable population, even under DoS attacks.

evaluation filter generation
Evaluation- Filter generation

Filter generation for CodeRed more expensive

Number of instructions analysed is larger

Filter generation time for real worms

evaluation containment1
Evaluation- Containment

Effect of SCA Verification time, infection rate and number of initially infected hosts.

  • When is ffectiveness of Vigilante reduced ?
  • Verification time is 1000 ms
  • Infection rate is 8β
  • 10000 initially infected nodes