Abstract
Worm containment must be automatic because worms can spread too fast for humans to respond. Recent work proposed network-level techniques to automate worm containment; these techniques have limitations because there is no information about the vulnerabilities exploited by worms at the network level. We propose Vigilante, a new end-to-end architecture to contain worms automatically that addresses these limitations.
In Vigilante, hosts detect worms by instrumenting vulnerable programs to analyze infection attempts. We introduce dynamic data-flow analysis: a broad-coverage host-based algorithm that can detect unknown worms by tracking the flow of data from network messages and disallowing unsafe uses of this data. We also show how to integrate other host-based detection mechanisms into the Vigilante architecture. Upon detection, hosts generate self-certifying alerts (SCAs), a new type of security alert that can be inexpensively verified by any vulnerable host. Using SCAs, hosts can cooperate to contain an outbreak, without having to trust each other. Vigilante broadcasts SCAs over an overlay network that propagates alerts rapidly and resiliently. Hosts receiving an SCA protect themselves by generating filters with vulnerability condition slicing: an algorithm that performs dynamic analysis of the vulnerable program to identify control-flow conditions that lead to successful attacks. These filters block the worm attack and all its polymorphic mutations that follow the execution path identified by the SCA.
Our results show that Vigilante can contain fast-spreading worms that exploit unknown vulnerabilities, and that Vigilante's filters introduce a negligible performance overhead. Vigilante does not require any changes to hardware, compilers, operating systems, or the source code of vulnerable programs; therefore, it can be used to protect current software binaries.
- Abadi, M., Budiu, M., Erlingsson, U., and Ligatti, J. 2005. Control-Flow Integrity: Principles, implementations, and applications. In Proceedings of the 12th ACM Conference on Computer and Communications Security. Google Scholar
Digital Library
- Akamai. 2000. Press release: Akamai helps mcafee.com support flash crowds from iloveyou virus.Google Scholar
- Akritidis, P., Cadar, C., Raiciu, C., Costa, M., and Castro, M. 2008. Preventing memory error exploits with WIT. In Proceedings of the IEEE Symposium on Security and Privacy. Google Scholar
Digital Library
- Avots, D., Dalton, M., Livshits, V. B., and Lam, M. S. 2005. Improving software security with a C pointer analysis. In Proceedings of the 27th International Conference on Software Engineering. Google Scholar
Digital Library
- Bailey, M., Cooke, E., Jahanian, F., Watson, D., and Nazario, J. 2005. The Blaster worm: Then and now. IEEE Secur. Privacy 3, 4, 26--31. Google Scholar
Digital Library
- Baratloo, A., Singh, N., and Tsai, T. 2000. Transparent runtime defense against stack smashing attacks. In Proceedings of the USENIX Technical Conference. Google Scholar
Digital Library
- Barham, P., Dragovic, B., Fraser, K., Hand, S., Harris, T., Ho, A., Neugebauer, R., Pratt, I., and Warfield, A. 2003. Xen and the art of virtualization. In Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP). Google Scholar
Digital Library
- Barrantes, E. G., Ackley, D. H., Palmer, T. S., Stefanovic, D., and Zov, D. D. 2003. Randomized instruction set emulation to disrupt binary code injection attacks. In Proceedings of the 10th ACM Conference on Computer and Communications Security. Google Scholar
Digital Library
- Bethencourt, J., Franklin, J., and Vernon, M. 2005. Mapping Internet sensors with probe response attacks. In Proceedings of 14th USENIX Security Symposium. Google Scholar
Digital Library
- Bhansali, S., Chen, W.-K., de Jong, S., Edwards, A., Murray, R., Drinic, M., Mihocka, D., and Chau, J. 2006. Framework for instruction-level tracing and analysis of program executuions. In Proceedings of the 2nd International Conference on Virtual Execution Environments. Google Scholar
Digital Library
- Bhatkar, S., DuVarney, D. C., and Sekar, R. 2003. Address obfuscation: An efficient approach to combat a broad range of memory error exploits. In Proceedings of 12th USENIX Security Symposium. Google Scholar
Digital Library
- Bhatkar, S., Sekar, R., and DuVarney, D. C. 2005. Efficient techniques for comprehensive protection from memory error exploits. In Proceedings of 14th USENIX Security Symposium. Google Scholar
Digital Library
- Biba, K. J. 1977. Integrity considerations for secure computer systems. Tech. Rep. TR-3153, MITRE. April.Google Scholar
- blexim. 2002. Basic integer overflows. Phrack 60.Google Scholar
- Bochs. 2006. Bochs ia-32 emulator. http://bochs.sourceforge.net.Google Scholar
- Boyer, R. S., Elspas, B., and Levitt, K. N. 1975. SELECT—A formal system for testing and debugging programs by symbolic execution. In Proceedings of the International Conference on Reliable Software. Google Scholar
Digital Library
- Bruening, D., Duesterwald, E., and Amarasinghe, S. 2001. Design and implementation of a dynamic optimization framework for Windows. In Proceedings of the 4th ACM Workshop on Feedback-Directed and Dynamic Optimization.Google Scholar
- Brumley, D., Newsome, J., Song, D., Wang, H., and Jha, S. 2006. Towards automatic generation of vulnerability signatures. In Proceedings of the IEEE Symposium on Security and Privacy. Google Scholar
Digital Library
- Bulba and Kil3r. 2000. Bypassing stackguard and stackshield. Phrack 10, 46 (May).Google Scholar
- Bush, W. R., Pincus, J. D., and Sielaff, D. J. 2000. A static analyzer for finding dynamic programming errors. Softw. Practice Exper. 30, 775--802. Google Scholar
Digital Library
- Cardelli, L. 2004. Type systems. In The Computer Science and Engineering Handbook. CRC Press.Google Scholar
- Castro, M., Costa, M., and Harris, T. 2006. Securing software by enforcing data-flow integrity. In Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation. Google Scholar
Digital Library
- Castro, M., Costa, M., and Rowstron, A. 2004. Performance and dependability of structured peer-to-peer overlays. In Proceedings of the International Conference on Dependable Systems and Networks. Google Scholar
Digital Library
- Castro, M., Druschel, P., Ganesh, A., Rowstron, A., and Wallach, D. S. 2002. Security for structured peer-to-peer overlay networks. In Proceedings of the 5th USENIX Symposium on Operating Systems Design and Implementation. Google Scholar
Digital Library
- CERT. 2001. Cert advisory ca-2001-26 nimda worm. http://www.cert.org/advisories/ca-2001-26.html.Google Scholar
- CERT. 2005. Technical cyber security alerts. http://www.us-cert.gov.Google Scholar
- Chen, S., Xu, J., Nakka, N., Kalbarczyk, Z., and Iyer, R. K. 2005. Defeating memory corruption attacks via pointer taintedness detection. In Proceedings of the International Conference on Dependable Systems and Networks. Google Scholar
Digital Library
- Chen, S., Xu, J., Sezer, E. C., Gauriar, P., and Iyer, R. K. 2005. Non-Control-Data attacks are realistic threats. In Proceedings of 14th USENIX Security Symposium. Google Scholar
Digital Library
- Chen, Z., Gao, L., and Kwiat, K. 2003. Modelling the spread of active worms. In Proceedings of the 22th IEEE Conference on Computer Communications.Google Scholar
- Cheswick, W. R., Bellovin, S. M., and Rubin, A. D. 2003. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley. Google Scholar
Digital Library
- Chinchani, R. and van den Berg, E. 2005. A fast static analysis approach to detect exploit code inside network flows. In Proceedings of the 8th International Symposium on Recent Advances in Intrusion Detection.Google Scholar
- Chiueh, T. and Hsu, F. 2001. RAD: A compile-time solution to buffer overflow attacks. In Proceedings of the 21st International Conference on Distributed Computing Systems. Google Scholar
Digital Library
- Chow, J., Pfaff, B., Garfinkel, T., Christopher, K., and Rosenblum, M. 2004. Understanding data lifetime via whole system simulation. In Proceedings of 13th USENIX Security Symposium. Google Scholar
Digital Library
- Cohen, F. 1987. Computer viruses, theory and experiments. Comput. Secur. 6, 22--35. Google Scholar
Digital Library
- Cormen, T. H., Leiserson, C. E., and Rivest, R. L. 1990. Introduction to Algorithms. MIT Electrical Engineering and Computer Science Series. MIT Press. Google Scholar
Digital Library
- Costa, M., Castro, M., Zhou, L., Zhang, L., and Peinado, M. 2007. Bouncer: Securing software by blocking bad input. In Proceedings of the 21st ACM Symposium on Operating Systems Principles (SOSP). Google Scholar
Digital Library
- Costa, M., Crowcroft, J., Castro, M., and Rowstron, A. 2004. Can we contain Internet worms? In Proceedings of the 3rd Workshop on Hot Topics in Networks.Google Scholar
- Costa, M., Crowcroft, J., Castro, M., Rowstron, A., Zhou, L., Zhang, L., and Barham, P. 2005. Vigilante: End-to-End containment of Internet worms. In Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP). Google Scholar
Digital Library
- Cowan, C., Barringer, M., Beattie, S., Kroah-Hartman, G., Frantzen, M., and Lokier, J. 2001. Formatguard: Automatic protection from printf format string vulnerabilities. In Proceedings of the 10th USENIX Security Symposium. Google Scholar
Digital Library
- Cowan, C., Beattie, S., Johansen, J., and Wagle, P. 2003. Pointguard: Protecting pointers from buffer overflow vulnerabilities. In Proceedings of the 12th USENIX Security Symposium. Google Scholar
Digital Library
- Cowan, C., Pu, C., Maier, D., Hinton, H., Wadpole, J., Bakke, P., Beattie, S., Grier, A., Wagle, P., and Zhang, Q. 1998. Stackguard: Automatic detection and prevention of buffer-overrun attacks. In Proceedings of the 7th USENIX Security Symposium. Google Scholar
Digital Library
- Crandall, J. R. and Chong, F. T. 2004. Minos: Control data attack prevention orthogonal to memory model. In Proceedings of the 37th Annual IEEE/ACM International Symposium on Microarchitecture. Google Scholar
Digital Library
- Crandall, J. R., Su, Z., Wu, S. F., and Chong, F. T. 2005. On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits. In Proceedings of the 12th ACM Conference on Computer and Communications Security. Google Scholar
Digital Library
- Dark Spyrit. 1999. Win32 buffer overflows. Phrack 9, 55.Google Scholar
- Denning, D. 1976. A lattice model of secure information flow. ACM Trans. Commun. 19, 5, 236--243. Google Scholar
Digital Library
- Dijkstra, E. W. 1975. Guarded commands, nondeterminacy and formal derivation of programs. Commun. ACM 18, 8 (Aug.), 453--457. Google Scholar
Digital Library
- Douceur, J. R. 2002. The Sybil attack. In Proceedings of the 1st International Workshop on Peer-to-Peer Systems. Google Scholar
Digital Library
- Dunlap, G. W., King, S. T., Cinar, S., Basrai, M. A., and Chen, P. M. 2002. Revirt: Enabling intrusion analysis through virtual-machine logging and replay. In Proceedings of the 5th USENIX Symposium on Operating Systems Design and Implementation. Google Scholar
Digital Library
- Durden, T. 2002. Bypassing pax aslr protection. Phrack 59 (Jul.).Google Scholar
- Eichin, M. W. and Rochlis, J. A. 1989. With microscope and tweezers: An analysis of the Internet virus of November 1988. In Proceedings of the IEEE Symposium on Security and Privacy.Google Scholar
- Elnozahy, E. N., Alvisi, L., Wang, Y.-M., and Johnson, D. B. 2002. A survey of rollback-recovery protocols in message-passing systems. ACM Comput. Surv. 34, 3 (Sept.), 375--408. Google Scholar
Digital Library
- Engler, D., Chen, D. Y., Hallem, S., Chou, A., and Chelf, B. 2001. Bugs as deviant behaviour: A general approach to inferring errors in systems code. In Proceedings of the 18th ACM Symposium on Operating Systems Principles (SOSP). Google Scholar
Digital Library
- Evans, D. and Larochelle, D. 2002. Improving security using extensible lightweight static analysis. IEEE Softw. Google Scholar
Digital Library
- Feng, H., Kolesnikov, O., Fogla, P., Lee, W., and Gong, W. 2003. Anomaly detection using system call information. In Proceedings of the IEEE Symposium on Security and Privacy. Google Scholar
Digital Library
- Fenton, J. 1973. Information protection systems. Ph.D. thesis, University of Cambridge.Google Scholar
- Fenton, J. 1974a. An abstract computer model demonstrating directional information flow. University of Cambridge, Cambridge, UK.Google Scholar
- Fenton, J. S. 1974b. Memoryless subsystems. Comput. J. 17, 2, 143--147.Google Scholar
Cross Ref
- Fogla, P., Sharif, M., Perdisci, R., Kolesnikov, O., and Lee, W. 2006. Polymorphic blending attacks. In Proceedings of 15th USENIX Security Symposium. Google Scholar
Digital Library
- Forescout. 2006. Wormscout. http://www.forescout.com/wormscout.html.Google Scholar
- Forrest, S., Hofmeyr, S. A., Somayaji, A., and Longstaff, T. A. 1996. A sense of self for Unix processes. In Proceedings of the IEEE Symposium on Security and Privacy. Google Scholar
Digital Library
- Forrest, S., Somayaji, A., and Ackley, D. 1997. Building diverse computer systems. In Proceedings of the 6th Workshop on Hot Topics in Operating Systems. Google Scholar
Digital Library
- Fraser, K. and Chang, F. 2003. Operating System I/O Speculation: How two invocations are faster than one. In Proceedings of the USENIX Annual Technical Conference.Google Scholar
- Ganesh, A., Gunawardena, D., Key, P., Massoulie, L., and Scott, J. 2006. Efficient quarantining of scanning worms: Optimal detection and coordination. In Proceedings of the 25th IEEE Conference on Computer Communications.Google Scholar
- Ganger, G., Economu, G., and Bielski, S. 2002. Self-Securing network interfaces: What, why and how. Tech. Rep. CS-02-144, Carnegie Mellon University. May.Google Scholar
- Georgatos, F., Gruber, F., Karrenberg, D., Santcroos, M., Uijterwaal, H., and Wilhelm, R. 2001. Providing Active Measurements as a Regular Service for ISPs. http://www.ripe.net/ttm.Google Scholar
- gera and riq. 2002. Advances in format string exploitation. Phrack 59 (Jul.).Google Scholar
- Giffin, J., Jha, S., and Miller, B. P. 2004. Efficient context-sensitive intrusion detection. In Proceedings of the 11th Annual Network and Distributed System Security Symposium.Google Scholar
- Goldenberg, J., Shavitt, Y., Shir, E., and Solomon, S. 2005. Distributive immunization of networks against viruses using the ‘honey pot’ architecture. Nature Phys. 1, 184--188.Google Scholar
Cross Ref
- Heberlein, L. T., Dias, G., K, L., Wood, B. M. J., and Wolber, D. 1990. A network security monitor. In Proceedings of the IEEE Symposium on Security and Privacy.Google Scholar
- Hethcote, H. W. 2000. The mathematics of infectious deseases. SIAM Rev. 42, 4, 599--653. Google Scholar
Digital Library
- Ho, A., Fetterman, M., Clark, C., Warfield, A., and Hand, S. 2006. Practical taint-based protection using demand emulation. In Proceedings of the SiGOPS European Conference on Computer Systems (EuroSys). Google Scholar
Digital Library
- Hofmeyr, S. A. and Forrest, S. 2000. Architecture for an artificial immune system. Evolutionary Comput. 8, 4(Dec.), 443--473. Google Scholar
Digital Library
- Holz, T. and Raynal, F. 2005. Detecting honeypots and other suspicious environments. In Workshop on Information Assurance and Security.Google Scholar
- Hsu, F. and Chiueh, T. 2004. CTCP: A centralized TCP architecture for networking security. In Proceedings of the Annual Computer Society Applications Conference (ACSAC). Google Scholar
Digital Library
- Hua, W., Ohlund, J., and Butterklee, B. 1999. Unraveling the mysteries of writing a winsock 2 layered service provider. Microsoft Syst. J.Google Scholar
- Hunt, G. and Brubacher, D. 1999. Detours: Binary interception of Win32 functions. In USENIX Windows NT Symposium. Google Scholar
Digital Library
- Intel. 1999. Intel architecture software developer's manual, vol. 2: Instruction set reference.Google Scholar
- Jim, T., Morrisett, G., Grossman, D., Hicks, M., Cheney, J., and Wang, Y. 2002. Cyclone: A safe dialect of C. In Proceedings of the USENIX Annual Technical Conference. Google Scholar
Digital Library
- Johnson, R. and Wagner, D. 2004. Finding user/kernel pointer bugs with type inference. In Proceedings of 13th USENIX Security Symposium. Google Scholar
Digital Library
- Johnson, S. C. 1984. Lint, a C program checker. In Unix Programmer's Manual, 4.2. Berkeley Software Distribution Supplementary Documents.Google Scholar
- Jones, R. and Kelly, P. 1997. Backwards-Compatible bounds checking for arrays and pointers in C programs. In Proceedings of the International Workshop on Automatic Debugging.Google Scholar
- Joshi, A., King, S., Dunlap, G., and Chen, P. 2005. Detecting past and present intrusions through vulnerability-specific predicates. In Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP). Google Scholar
Digital Library
- jp. 2003. Advanced doug lea's malloc exploits. Phrack 61 (Sept.).Google Scholar
- Jung, J. 2006. Real-Time detection of malicious network activity using stochastic models. Ph.D. thesis, Massachusetts Institute of Technology. Google Scholar
Digital Library
- Jung, J., Paxson, V., Berger, A. W., and Balakrishnan, H. 2004. Fast portscan detection using sequential hypothesis testing. In Proceedings of the IEEE Symposium on Security and Privacy.Google Scholar
- Kc, G. S., Keromytis, A. D., and Prevelakis, V. 2003. Countering code-injection attacks with instruction-set randomization. In Proceedings of the 10th ACM Conference on Computer and Communications Security. Google Scholar
Digital Library
- Kephart, J. O. and Arnold, W. C. 1994. Automatic extraction of computer virus signatures. In International Virus Bulletin Conference.Google Scholar
- Kephart, J. O., Sorkin, G. B., Swimmer, M., and White, S. R. 1997. Blueprint for a computer immune system. In International Virus Bulletin Conference.Google Scholar
- Kephart, J. O. and White, S. R. 1991. Directed-Graph epidemiological models of computer viruses. In Proceedings of the IEEE Symposium on Security and Privacy.Google Scholar
- Kim, H. and Karp, B. 2004. Autograph: Toward automated, distributed worm signature detection. In Proceedings of the 13th USENIX Security Symposium. Google Scholar
Digital Library
- King, J. C. 1976. Symbolic execution and program testing. Commun. ACM 19, 7 (Jul.), 385--394. Google Scholar
Digital Library
- Kiriansky, V., Bruening, D., and Amarasinghe, S. P. 2002. Secure execution via program shepherding. In Proceedings of the 11th USENIX Security Symposium. Google Scholar
Digital Library
- Kreibich, C. and Crowcroft, J. 2003. Honeycomb Creating intrusion detection signatures using honeypots. In Proceedings of the 2nd Workshop on Hot Topics in Networks.Google Scholar
- Kruegel, C., Kirda, E., Mutz, D., Robertson, W., and Vigna, G. 2005. Polymorphic worm detection using structural information of executables. In Proceedings of the 8th International Symposium on Recent Advances in Intrusion Detection.Google Scholar
- Kruegel, C., Kirda, E., Mutz, D., Robertsonand, W., and Vigna, G. 2005. Automating mimicry attacks using static binary analysis. In Proceedings of the 14th USENIX Security Symposium. Google Scholar
Digital Library
- Larochelle, D. and Evans, D. 2001. Statically detecting likely buffer overflow vulnerabilities. In Proceedings of the 10th USENIX Security Symposium. Google Scholar
Digital Library
- Liang, Z. and Sekar, R. 2005a. Automatic generation of buffer overflow signatures: An approach based on program behavior models. In Proceedings of the Annual Computer Security Applications Conference (ACSAC). Google Scholar
Digital Library
- Liang, Z. and Sekar, R. 2005b. Fast and automated generation of attack signatures: A basis for building self-protecting servers. In Proceedings of the 12th ACM Conference on Computer and Communications Security. Google Scholar
Digital Library
- Livshits, V. B. and Lam, M. S. 2005. Finding security vulnerabilities in java applications using static analysis. In Proceedings of the 14th USENIX Security Symposium. Google Scholar
Digital Library
- Locasto, M., Sidiroglou, S., and Keromytis, A. 2006. Software self-healling using collaborative application communities. In Proceedings of the 13th Annual Network and Distributed System Security Symposium.Google Scholar
- Madhavapeddy, A. 2006. Creating high-performance statically type-safe network applications. Ph.D. thesis, University of Cambridge.Google Scholar
- Mirage. 2006. Mirage networks. http://www.miragenetworks.com.Google Scholar
- Mockapetris, P. 1987. Domain names: Concepts and facilities. Tech. Rep. RFC-1034, Internet Engineering Task Force. November. Google Scholar
Digital Library
- Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., and Weaver, N. 2003. Inside the Slammer worm. IEEE Secur. Privacy 1, 4 (Jul.). Google Scholar
Digital Library
- Moore, D., Shannon, C., and Brown, J. 2002. Code-Red: A case study on the spread and victims of an Internet worm. In ACM Internet Measurement Workshop. Google Scholar
Digital Library
- Moore, D., Shannon, C., Voelker, G., and Savage, S. 2003. Internet quarantine: Requirements for containing self-propagating code. In Proceedings of the 22th IEEE Conference on Computer Communications.Google Scholar
- Moore, D., Shannon, C., Voelker, G. M., and Savage, S. 2004. Network telescopes: Tech. Rep. CS2004-0795, University of California at San Diego. July.Google Scholar
- Moore, D., Voelker, G. M., and Savage, S. 2001. Inferring Internet denial of service activity. In Proceedings of the 10th USENIX Security Symposium. Google Scholar
Digital Library
- Myers, A. C. 1999. Jflow: Practical mostly-static information flow control. In Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. Google Scholar
Digital Library
- Necula, G. C. and Lee, P. 1996. Safe kernel extensions without run-time checking. In Proceedings of the ACM USENIX Symposium on Operating Systems Design and Implementation (OSDI). Google Scholar
Digital Library
- Necula, G. C., McPeak, S., and Weimer, W. 2002. CCured: Type-Safe retrofitting of legacy code. In 29th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. Google Scholar
Digital Library
- nergal. 2001. The advanced return-into-lib(c) exploits: Pax case study. Phrack 58.Google Scholar
- Nethercote, N. and Seward, J. 2003. Valgrind: A program supervision framework. In Proceedings of the 3rd Workshop on Runtime Verification (RV).Google Scholar
- Newsome, J., Karp, B., and Song, D. 2005. Polygraph: Automatically generating signatures for polymorphic worms. In Proceedings of the IEEE Symposium on Security and Privacy. Google Scholar
Digital Library
- Newsome, J. and Song, D. 2005. Dynamic taint analysis for automatic detection, analysis and signature generation of exploits on commodity software. In Proceedings of the 12th Annual Network and Distributed System Security Symposium.Google Scholar
- One, A. 1996. Smashing the stack for fun and profit. Phrack 7, 49 (Nov.).Google Scholar
- Pasupulati, A., Coit, J., Levitt, K., Wu, S. F., Li, S. H., Kuo, J. C., and Fan, K. P. 2004. Buttercup: On network-based detection of polymorphic buffer overflow vulnerabilities. In Proceedings of the IEEE IFIP Network Operations and Management Symposium (NOMS).Google Scholar
- PAX. 2001. PaX system. http://pax.grsecurity.net/.Google Scholar
- Paxson, V. 1999. Bro. A system for detecting network intruders in real time. Comput. Netw. 31, 23--24 (Dec.), 2435--2463. Google Scholar
Digital Library
- Perdisci, R., Dagon, D., Lee, W., Fogla, P., and Sharif, M. 2006. Misleading worm signature generators using deliberate noise injection. In Proceedings of the IEEE Symposium on Security and Privacy. Google Scholar
Digital Library
- PERL. 2006. Perl security manual page. http://www.perldoc.com.Google Scholar
- Portokalidis, G., Slowinska, A., and Bos, H. 2006. Argos: An emulator for fingerprinting zero-day attacks. In Proceedings of the SIGOPS European Conference on Computer Systems (EuroSys). Google Scholar
Digital Library
- Provos, N. 2004. A virtual honeypot framework. In Proceedings of the 13th USENIX Security Symposium. Google Scholar
Digital Library
- Ptacek, T. H. and Newsham, T. N. 1998. Insertion, evasion, and denial of service: Eluding network intrusion detection. Tech. Rep., Secure Networks, Inc. January.Google Scholar
- QEMU. 2006. Qemu open source processor emulator. http://fabrice.bellard.free.fr/qemu/.Google Scholar
- Qin, F., Tucek, J., Sundaresan, J., and Zhou, Y. 2005. Rx: Treating bugs as allergies: A safe method to survive software failures. In Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP). Google Scholar
Digital Library
- Raiciu, C., Handley, M., and Rosenblum, D. S. 2006. Exploit hijacking: Side effects of smart defenses. In Proceedings of the SIGCOMM Workshops. Google Scholar
Digital Library
- Rinard, M., Cadar, C., Dumitran, D., Roy, D. M., Leu, T., and Jr., W. S. B. 2004. Enhancing server availability and security through failure-oblivious computing. In Proceedings of the 6th USENIX Symposium on Operating Systems Design and Implementation. Google Scholar
Digital Library
- rix@hert.org. 2001. Writing ia32 alphanumeric shellcodes. Phrack 11, 57 (Aug.).Google Scholar
- Roesch, M. 1999. Snort: Lightweight intrusion detection for networks. In Conference on Systems Administration. Google Scholar
Digital Library
- Ruwase, O. and Lam, M. 2004. A practical dynamic buffer overflow detector. In Proceedings of the 11th Annual Network and Distributed System Security Symposium.Google Scholar
- Schechter, S., Jung, J., and Berger, A. 2004. Fast detection of scanning worm infections. In Proceedings of the 7th International Symposium on Recent Advances in Intrusion Detection.Google Scholar
- SecurityFocus. 2002. Microsoft jvm class loader buffer overrun vulnerability. http://www.securityfocus.com/bid/6134.Google Scholar
- Sekar, R., Bendre, M., Dhurjati, D., and Bollineni, P. 2001. A fast automaton-based method for detecting anomalous program behaviors. In Proceedings of the IEEE Symposium on Security and Privacy. Google Scholar
Digital Library
- Shacham, H., Page, M., Pfaff, B., Goh, E.-J., Modadugu, N., and Boneh, D. 2004. On the effectiveness of address space randomization. In Proceedings of the 11th ACM Conference on Computer and Communications Security. Google Scholar
Digital Library
- Shankar, U., Talwar, K., Foster, J. S., and Wagner, D. 2001. Detecting format string vulnerabilities with type qualifiers. In Proceedings of the 10th USENIX Security Symposium. Google Scholar
Digital Library
- Shannon, C. and Moore, D. 2004. The spread of the Witty worm. IEEE Secur. Privacy 2, 4 (Jul.). Google Scholar
Digital Library
- Shinoda, Y., Ikai, K., and Itoh, M. 2005. Vulnerabilities of passive Internet threat monitors. In Proceedings of the 14th USENIX Security Symposium. Google Scholar
Digital Library
- Shoch, J. F. and Hupp, J. A. 1982. The worm programs: Early experience with a distributed computation. Commun. ACM 25, 3 (Mar.), 172--180. Google Scholar
Digital Library
- Sidiroglou, S., Locasto, M. E., Boyd, S. W., and Keromytis, A. D. 2005. Building a reactive immune system for software services. In Proceedings of the USENIX Annual Technical Conference. Google Scholar
Digital Library
- Singh, S., Estan, C., Varghese, G., and Savage, S. 2004. Automated worm fingerprinting. In Proceedings of the 6th USENIX Symposium on Operating Systems Design and Implementation. Google Scholar
Digital Library
- Smirnov, A. and Chiueh, T. 2005. DIRA: Automatic detection, identification, and repair of control-hijacking attacks. In Proceedings of the 12th Annual Network and Distributed System Security Symposium.Google Scholar
- Somayaji, A. and Forrest, S. 2000. Automated response using system-call delays. In Proceedings of the 9th USENIX Security Symposium. Google Scholar
Digital Library
- Sovarel, N., Evans, D., and Paul, N. 2005. Where's the FEEB? The effectiveness of instruction set randomization. In Proceedings of the 14th USENIX Security Symposium. Google Scholar
Digital Library
- Spafford, E. H. 1989. The Internet worm: Crisis and aftermath. Commun. ACM 32, 6 (Jun.), 678--687. Google Scholar
Digital Library
- SPEC. Specweb99 benchmark. http://www.spec.org/osg/web99.Google Scholar
- Staniford, S. 2004. Containment of scanning worms in enterprise networks. J. Comput. Secur.Google Scholar
- Staniford, S., Hoagland, J., and McAlerney, J. 2002. Practical automated detection of stealthy portscans. J. Comput. Secur. 10, 105--136. Google Scholar
Digital Library
- Staniford, S., Moore, D., Paxson, V., and Weaver, N. 2004. The top speed of flash worms. In Proceedings of the 2nd Workshop on Rapid Malcode. Google Scholar
Digital Library
- Staniford, S., Paxson, V., and Weaver, N. 2002. How to 0wn the Internet in your spare time. In Proceedings of the 11th USENIX Security Symposium. Google Scholar
Digital Library
- Staniford-Chen, S., Crawford, R., Dilger, M., Frank, J., Hoagland, J., Levitt, K., and Zerkle, D. 1996. GrIDS: A graph-based intrusion detection system for large networks. In Proceedings of the 19th National Information Systems Security Conference.Google Scholar
- Suh, G. E., Lee, J., and Devadas, S. 2004. Secure program execution via dynamic information flow tracking. In Proceedings of the International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS XI). Google Scholar
Digital Library
- Szor, P. and Ferrie, P. 2001. Hunting for metamorphic. In the International Virus Bulletin Conference.Google Scholar
- Tang, Y. and Chen, S. 2005. Defending against Internet worms: A signature-based approach. In Proceedings of the 24th IEEE Conference on Computer Communications.Google Scholar
- Toth, T. and Kruegel, C. 2002a. Accurate buffer overflow detection via abstract payload execution. In Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection.Google Scholar
- Toth, T. and Kruegel, C. 2002b. Connection-History based anomaly detection. In the IEEE Information Assurance Workshop.Google Scholar
- TPC. 1999. TPC-C online transaction processing benchmark. http://www.tpc.org/tpcc/default.asp.Google Scholar
- Vendicator. 2001. Stack shield technical info. http://www.angelfire.com/sk/stackshield.Google Scholar
- Vojnović, M. and Ganesh, A. 2005. On the race of worms, alerts and patches. In Proceedings of the 3rd Workshop on Rapid Malcode.Google Scholar
- Vrable, M., Ma, J., Chen, J., Moore, D., Vandekieft, E., Snoeren, A. C., Voelker, G. M., and Savage, S. 2005. Scalability, fidelity and containment in the potemkin virtual honeyfarm. In Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP). Google Scholar
Digital Library
- Wagner, D., Foster, J. S., Brewer, E. A., and Aiken, A. 2000. A first step towards automated detection of buffer overrun vulnerabilities. In Proceedings of the 7th Annual Network and Distributed System Security Symposium.Google Scholar
- Wagner, D. and Soto, P. 2002. Mimicry attacks on host-based intrusion detection systems. In Proceedings of the 9th ACM Conference on Computer and Communications Security. Google Scholar
Digital Library
- Wang, C., Knight, J., and Elder, M. 2000. On computer viral infection and the effect of immunization. In Proceedings of the Annual Computer Security Applications Conference (ACSAC). Google Scholar
Digital Library
- Wang, H. J., Guo, C., Simon, D. R., and Zugenmaier, A. 2004. Shield: Vulnerability-Driven network filters for preventing known vulnerability exploits. In Proceedings of the ACM SIGCOMM Data Communications Festival. Google Scholar
Digital Library
- Wang, K., Cretu, G., and Stolfo, S. J. 2005. Anomalous payload-based worm detection and signature generation. In Proceedings of the 8th International Symposium on Recent Advances in Intrusion Detection.Google Scholar
- Wang, X., Pan, C.-C., Liu, P., and Zhu, S. 2006. Sigfree: A signature-free buffer overflow attack blocker. In Proceedings of the 15th USENIX Security Symposium. Google Scholar
Digital Library
- Weaver, N., Ellis, D., Staniford, S., and Paxson, V. 2004. Worms vs. perimeters: The case for hard-LANs. In Hot Interconnects 2. Google Scholar
Digital Library
- Weaver, N., Staniford, S., and Paxson, V. 2004. Very fast containment of scanning worms. In Proceedings of the 13th USENIX Security Symposium. Google Scholar
Digital Library
- Weiser, M. 1984. Program slicing. IEEE Trans. Softw. Eng. 10, 4, 352--357.Google Scholar
Digital Library
- Whyte, D., Kranakis, E., and Oorschot, P. C. V. 2005. Dns-Based detection of scanning worms in an enterprise network. In Proceedings of the 12th Annual Network and Distributed System Security Symposium.Google Scholar
- Wilander, J. and Kamkar, M. 2003. A comparison of publicly available tools for dynamic buffer overflow prevention. In Proceedings of the 10th Annual Network and Distributed System Security Symposium.Google Scholar
- Williamnson, M. M. 2002. Throttling viruses: Restricting propagation to defeat mobile malicious code. In Proceedings of the Annual Computer Security Applications Conference (ACSAC). Google Scholar
Digital Library
- Winskel, G. 1993. The Formal Semantics of Programming Languages. MIT Press. Google Scholar
Digital Library
- Xie, Y. and Aiken, A. 2005. Scalable error detection using Boolean satisfiability. In Proceedings of the 32nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. Google Scholar
Digital Library
- Xu, J., Kalbarczyk, Z., and Iyer, R. K. 2003. Transparent runtime randomization for security. In Proceedings of the IEEE Symposium on Reliability in Distributed Software (SRDS).Google Scholar
- Yang, J., Twohey, P., Engler, D., and Musuvathi, M. 2004. Using model checking to find serious file system errors. In Proceedings of the 6th USENIX Symposium on Operating Systems Design and Implementation. Google Scholar
Digital Library
- Yegneswaran, V., Giffin, J. T., Barford, P., and Jha, S. 2005. An architecture for generating semantics aware signatures. In Proceedings of the 14th USENIX Security Symposium. Google Scholar
Digital Library
- Zegura, E., Calvert, K., and Bhattacharjee, S. 1996. How to model an internetwork. In Proceedings of the Annual Joint Conference of the IEEE Computer Communications Societies (IEEE INFOCOM).Google Scholar
- Zheng, L., Chong, S., Myers, A. C., and Zdancewic, S. 2003. Using replication and partitioning to build secure distributed systems. In Proceedings of the IEEE Symposium on Security and Privacy. Google Scholar
Digital Library
- Zou, C. C., Gao, L., Gong, W., and Towsley, D. 2003. Monitoring and early warning for Internet worms. In Proceedings of the 10th ACM Conference on Computer and Communications Security. Google Scholar
Digital Library
Index Terms
Vigilante: End-to-end containment of Internet worm epidemics
Recommendations
Vigilante: end-to-end containment of internet worms
SOSP '05: Proceedings of the twentieth ACM symposium on Operating systems principlesWorm containment must be automatic because worms can spread too fast for humans to respond. Recent work has proposed network-level techniques to automate worm containment; these techniques have limitations because there is no information about the ...
Vigilante: end-to-end containment of internet worms
SOSP '05Worm containment must be automatic because worms can spread too fast for humans to respond. Recent work has proposed network-level techniques to automate worm containment; these techniques have limitations because there is no information about the ...
WormTerminator: an effective containment of unknown and polymorphic fast spreading worms
ANCS '06: Proceedings of the 2006 ACM/IEEE symposium on Architecture for networking and communications systemsThe fast spreading worm is becoming one of the most serious threats to today's networked information systems. A fast spreading worm could infect hundreds of thousands of hosts within a few minutes. In order to stop a fast spreading worm, we need the ...






Comments