
Vigilante: End-to-end containment of Internet worm epidemics

Published: 19 December 2008

Abstract

Worm containment must be automatic because worms can spread too fast for humans to respond. Recent work proposed network-level techniques to automate worm containment; these techniques have limitations because no information about the vulnerabilities exploited by worms is available at the network level. We propose Vigilante, a new end-to-end architecture that contains worms automatically and addresses these limitations.

In Vigilante, hosts detect worms by instrumenting vulnerable programs to analyze infection attempts. We introduce dynamic data-flow analysis: a broad-coverage host-based algorithm that can detect unknown worms by tracking the flow of data from network messages and disallowing unsafe uses of this data. We also show how to integrate other host-based detection mechanisms into the Vigilante architecture. Upon detection, hosts generate self-certifying alerts (SCAs), a new type of security alert that can be inexpensively verified by any vulnerable host. Using SCAs, hosts can cooperate to contain an outbreak, without having to trust each other. Vigilante broadcasts SCAs over an overlay network that propagates alerts rapidly and resiliently. Hosts receiving an SCA protect themselves by generating filters with vulnerability condition slicing: an algorithm that performs dynamic analysis of the vulnerable program to identify control-flow conditions that lead to successful attacks. These filters block the worm attack and all its polymorphic mutations that follow the execution path identified by the SCA.

Our results show that Vigilante can contain fast-spreading worms that exploit unknown vulnerabilities, and that Vigilante's filters introduce a negligible performance overhead. Vigilante does not require any changes to hardware, compilers, operating systems, or the source code of vulnerable programs; therefore, it can be used to protect current software binaries.
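As an added illustration, not code from the paper or from the Vigilante system, of two mechanisms the abstract describes: dynamic data-flow analysis (taint from received message bytes is tracked through memory and registers, and a tainted value reaching the program counter raises an alert) and self-certifying alerts (any host can replay the alert's message against the instrumented program and confirm it). The toy machine, its opcodes, the constructed vulnerable "server", and the `detect`/`verify_sca` helpers are all assumptions of this example.

```python
"""Toy dynamic data-flow analysis in the spirit of Vigilante's host detector.

Every memory word and register carries a taint label: None for trusted data,
or the offset of the network-message byte it came from. An alert is raised the
moment a tainted value is about to be loaded into the program counter. The
machine, opcodes and "server" are constructed for this example, not Vigilante's.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cell:
    value: int
    taint: Optional[int] = None   # message offset, or None if trusted


@dataclass
class Alert:
    """Minimal self-certifying alert: the triggering message plus where the
    unsafe use happened, so any other host can replay it and check."""
    kind: str
    instr_index: int   # program counter of the offending instruction
    message: bytes
    offset: int        # which message byte reached the program counter


class TaintVM:
    """Tiny register machine in which taint follows every copy and add."""

    def __init__(self, mem_size: int = 16) -> None:
        self.mem = [Cell(0) for _ in range(mem_size)]
        self.regs = [Cell(0) for _ in range(4)]
        self.pc = 0

    def run(self, program: List[tuple], message: bytes,
            max_steps: int = 100) -> Optional[Alert]:
        """Execute program on message; return an Alert, or None if it halts."""
        for _ in range(max_steps):
            op, *args = program[self.pc]
            if op == "HALT":
                return None
            if op == "MOVI":                      # trusted immediate -> register
                self.regs[args[0]] = Cell(args[1])
            elif op == "STORE":                   # register -> memory, taint travels
                src = self.regs[args[0]]
                self.mem[args[1]] = Cell(src.value, src.taint)
            elif op == "LOAD":                    # memory -> register, taint travels
                src = self.mem[args[1]]
                self.regs[args[0]] = Cell(src.value, src.taint)
            elif op == "ADD":                     # any tainted operand taints the sum
                a, b = self.regs[args[0]], self.regs[args[1]]
                taint = a.taint if a.taint is not None else b.taint
                self.regs[args[0]] = Cell(a.value + b.value, taint)
            elif op == "RECV":
                # Unchecked copy of the whole message into memory at args[0]: the
                # copy is the bug, but the detector only labels each byte with its
                # offset. Bytes past the end of memory are dropped (a real process
                # would fault instead).
                for i, byte in enumerate(message):
                    if args[0] + i < len(self.mem):
                        self.mem[args[0] + i] = Cell(byte, i)
            elif op in ("RET", "JMPR"):           # control transfer through data
                target = self.mem[args[0]] if op == "RET" else self.regs[args[0]]
                if target.taint is not None:      # the unsafe use Vigilante disallows
                    return Alert("tainted-control-transfer", self.pc,
                                 message, target.taint)
                self.pc = target.value
                continue
            else:
                raise ValueError(f"unknown opcode {op!r}")
            self.pc += 1
        raise RuntimeError("step limit exceeded")


# Constructed "server": it saves a trusted return address at mem[8], then copies
# the request into an 8-word buffer at mem[0..7] without a length check, so a
# request of 9 or more bytes overwrites the saved return address.
BUF, RET_SLOT, EXIT = 0, 8, 4
VULNERABLE_SERVER: List[tuple] = [
    ("MOVI", 0, EXIT),        # 0: r0 = address of the HALT below
    ("STORE", 0, RET_SLOT),   # 1: mem[8] = trusted return address
    ("RECV", BUF),            # 2: copy request into mem[0..]
    ("RET", RET_SLOT),        # 3: pc = mem[8]; flagged if the request reached it
    ("HALT",),                # 4
]


def detect(program: List[tuple], message: bytes) -> Optional[Alert]:
    """Run the instrumented program on one message (the detector's job)."""
    return TaintVM().run(program, message)


def verify_sca(program: List[tuple], alert: Alert) -> bool:
    """Self-certification: replay the alert's message on a fresh instance and
    accept only if the same unsafe use recurs at the same instruction."""
    replay = TaintVM().run(program, alert.message)
    return (replay is not None and replay.kind == alert.kind
            and replay.instr_index == alert.instr_index)


if __name__ == "__main__":
    sca = detect(VULNERABLE_SERVER, b"A" * 9)   # one byte more than the buffer
    print(sca, "verified by a second host:", verify_sca(VULNERABLE_SERVER, sca))
```

A request that fits the buffer runs to HALT with no alert; the verifier rejects an alert whose message does not reproduce the tainted control transfer, which is what lets untrusting hosts act on each other's SCAs.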

  155. Toth, T. and Kruegel, C. 2002a. Accurate buffer overflow detection via abstract payload execution. In Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection.Google ScholarGoogle Scholar
  156. Toth, T. and Kruegel, C. 2002b. Connection-History based anomaly detection. In the IEEE Information Assurance Workshop.Google ScholarGoogle Scholar
  157. TPC. 1999. TPC-C online transaction processing benchmark. http://www.tpc.org/tpcc/default.asp.Google ScholarGoogle Scholar
  158. Vendicator. 2001. Stack shield technical info. http://www.angelfire.com/sk/stackshield.Google ScholarGoogle Scholar
  159. Vojnović, M. and Ganesh, A. 2005. On the race of worms, alerts and patches. In Proceedings of the 3rd Workshop on Rapid Malcode.Google ScholarGoogle Scholar
  160. Vrable, M., Ma, J., Chen, J., Moore, D., Vandekieft, E., Snoeren, A. C., Voelker, G. M., and Savage, S. 2005. Scalability, fidelity and containment in the potemkin virtual honeyfarm. In Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP). Google ScholarGoogle ScholarDigital LibraryDigital Library
  161. Wagner, D., Foster, J. S., Brewer, E. A., and Aiken, A. 2000. A first step towards automated detection of buffer overrun vulnerabilities. In Proceedings of the 7th Annual Network and Distributed System Security Symposium.Google ScholarGoogle Scholar
  162. Wagner, D. and Soto, P. 2002. Mimicry attacks on host-based intrusion detection systems. In Proceedings of the 9th ACM Conference on Computer and Communications Security. Google ScholarGoogle ScholarDigital LibraryDigital Library
  163. Wang, C., Knight, J., and Elder, M. 2000. On computer viral infection and the effect of immunization. In Proceedings of the Annual Computer Security Applications Conference (ACSAC). Google ScholarGoogle ScholarDigital LibraryDigital Library
  164. Wang, H. J., Guo, C., Simon, D. R., and Zugenmaier, A. 2004. Shield: Vulnerability-Driven network filters for preventing known vulnerability exploits. In Proceedings of the ACM SIGCOMM Data Communications Festival. Google ScholarGoogle ScholarDigital LibraryDigital Library
  165. Wang, K., Cretu, G., and Stolfo, S. J. 2005. Anomalous payload-based worm detection and signature generation. In Proceedings of the 8th International Symposium on Recent Advances in Intrusion Detection.Google ScholarGoogle Scholar
  166. Wang, X., Pan, C.-C., Liu, P., and Zhu, S. 2006. Sigfree: A signature-free buffer overflow attack blocker. In Proceedings of the 15th USENIX Security Symposium. Google ScholarGoogle ScholarDigital LibraryDigital Library
  167. Weaver, N., Ellis, D., Staniford, S., and Paxson, V. 2004. Worms vs. perimeters: The case for hard-LANs. In Hot Interconnects 2. Google ScholarGoogle ScholarDigital LibraryDigital Library
  168. Weaver, N., Staniford, S., and Paxson, V. 2004. Very fast containment of scanning worms. In Proceedings of the 13th USENIX Security Symposium. Google ScholarGoogle ScholarDigital LibraryDigital Library
  169. Weiser, M. 1984. Program slicing. IEEE Trans. Softw. Eng. 10, 4, 352--357.Google ScholarGoogle ScholarDigital LibraryDigital Library
  170. Whyte, D., Kranakis, E., and Oorschot, P. C. V. 2005. Dns-Based detection of scanning worms in an enterprise network. In Proceedings of the 12th Annual Network and Distributed System Security Symposium.Google ScholarGoogle Scholar
  171. Wilander, J. and Kamkar, M. 2003. A comparison of publicly available tools for dynamic buffer overflow prevention. In Proceedings of the 10th Annual Network and Distributed System Security Symposium.Google ScholarGoogle Scholar
  172. Williamnson, M. M. 2002. Throttling viruses: Restricting propagation to defeat mobile malicious code. In Proceedings of the Annual Computer Security Applications Conference (ACSAC). Google ScholarGoogle ScholarDigital LibraryDigital Library
  173. Winskel, G. 1993. The Formal Semantics of Programming Languages. MIT Press. Google ScholarGoogle ScholarDigital LibraryDigital Library
  174. Xie, Y. and Aiken, A. 2005. Scalable error detection using Boolean satisfiability. In Proceedings of the 32nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. Google ScholarGoogle ScholarDigital LibraryDigital Library
  175. Xu, J., Kalbarczyk, Z., and Iyer, R. K. 2003. Transparent runtime randomization for security. In Proceedings of the IEEE Symposium on Reliability in Distributed Software (SRDS).Google ScholarGoogle Scholar
  176. Yang, J., Twohey, P., Engler, D., and Musuvathi, M. 2004. Using model checking to find serious file system errors. In Proceedings of the 6th USENIX Symposium on Operating Systems Design and Implementation. Google ScholarGoogle ScholarDigital LibraryDigital Library
  177. Yegneswaran, V., Giffin, J. T., Barford, P., and Jha, S. 2005. An architecture for generating semantics aware signatures. In Proceedings of the 14th USENIX Security Symposium. Google ScholarGoogle ScholarDigital LibraryDigital Library
  178. Zegura, E., Calvert, K., and Bhattacharjee, S. 1996. How to model an internetwork. In Proceedings of the Annual Joint Conference of the IEEE Computer Communications Societies (IEEE INFOCOM).Google ScholarGoogle Scholar
  179. Zheng, L., Chong, S., Myers, A. C., and Zdancewic, S. 2003. Using replication and partitioning to build secure distributed systems. In Proceedings of the IEEE Symposium on Security and Privacy. Google ScholarGoogle ScholarDigital LibraryDigital Library
  180. Zou, C. C., Gao, L., Gong, W., and Towsley, D. 2003. Monitoring and early warning for Internet worms. In Proceedings of the 10th ACM Conference on Computer and Communications Security. Google ScholarGoogle ScholarDigital LibraryDigital Library
