Internet quarantine: requirements for containing self-propagating code
Frequently Asked Questions
Q2. What are the future works in "Internet quarantine: requirements for containing self-propagating code" ?
To support this capability, the authors encourage network equipment vendors to provide flexible high-speed packet classification and filtering services – extending into the application layer. As a result, cooperation and coordination among ISPs will need to be extensive. From these results, the authors conclude that it will be very challenging to build Internet containment systems that prevent widespread infection from worm epidemics. And the inevitable emergence of significantly more aggressive worms further complicates the problem.
Q3. What are the main technologies used to prevent a worm outbreak?
Containment technologies, as exemplified by firewalls, content filters, and automated routing blacklists, can be used to block infectious communication between infected and uninfected hosts.
Q4. What is the way to prevent a worm from spreading to 1% of the hosts?
At high probe rates, the worm infects enough vulnerable hosts before it is detected and blocked that it continues to exploit the 0.3% of unblocked paths and spread further.
Q5. How long does it take to install a security update?
The time required to design, develop and test a security update is limited by human time scales – usually measured in days – far too slow to have significant impact on an actively spreading Internet worm.
Q6. How many pairs of ASes were connected by equal-cost paths?
The authors found that many pairs of ASes were connected by multiple equal-cost shortest paths (with an average of 6.3 equal-cost paths for every AS pair).
Q7. What is the way to analyze the spread of a worm?
Using a susceptible host population inferred from the Code-Red epidemic, and an empirical Internet topology data set, the authors use simulation to analyze how such a worm would spread under various defenses, ranging from the existing Internet to an Internet using idealized defense technology.
Q8. How long does the worm take to reach the 1% of the host?
The authors select a reaction time of 2 hours, which contains the worm to less than 1% of vulnerable hosts in the idealized deployment scenario described earlier.
Q9. How can containment systems be effective against worms?
In particular, the authors find that for such systems to be successful against realistic worms they must react automatically in a matter of minutes and must interdict nearly all Internet paths.
Q10. Why does the deployment scenario not cover all of the paths among all of the vulnerable hosts?
Containment cannot achieve low infection rates for aggressive worms because the deployment scenarios do not cover all of the paths among all of the vulnerable hosts.
Q11. What is the effect of a larger reaction time on the worm?
With larger reaction times, however, the system crosses a threshold where the expected time to locate a new susceptible host is smaller than the reaction time, allowing the worm to continue spreading.
Q12. How long does content filtering prevent a worm from spreading?
In terms of effectiveness, content filtering prevents the worm from spreading with a reaction time of less than 2 hours, a factor of six difference compared to blacklisting.
Q13. How many hosts can be contained to a worm?
From these results, the authors see that a worm can be contained to a minority of hosts if the top 20 ISPs cooperate, and including the top 40 ISPs is sufficient to limit the worm to less than 5% of all hosts.
Q14. How many probes/second can contain an aggressive worm?
With the ideal model in Section IV-C, the authors found that using content filtering could contain an aggressive worm spreading at 100 probes/second to 1% of vulnerable hosts with a reaction time of 18 minutes.
Q15. How long does it take to infect all vulnerable hosts?
With a large enough reaction time, though, the worm will infect all vulnerable hosts within the 24-hour period; although not shown, this happens with a reaction time of 2 hours or longer.
Q16. What is the definition of the reaction time of a containment system?
The authors define the reaction time of a containment system to include the time necessary for detection of malicious activity, propagation of the information to all hosts participating in the system, and the time required to activate any containment strategy once this information has been received.
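The answers to Q4, Q11, Q14 and Q16 all rest on one quantitative picture: a random-scanning worm grows as a susceptible-infected (SI) epidemic, a containment system with reaction time T can only stop what the worm has not yet reached by T, and any paths the system leaves unblocked let the epidemic continue at a reduced rate. The following is an added worked example of that model; it is not the paper's simulator (which replays the worm over an empirical AS-level topology) and none of its numbers are the paper's. The address-space size, the vulnerable population N, the single initial infection, the probe rates and the 0.3% leak are all assumptions constructed for the illustration.

```python
"""Added worked example: the deterministic susceptible-infected (SI) epidemic
model for a random-scanning worm, with an idealized containment system that
activates after a fixed reaction time.  Illustration code, not the paper's
simulator; every parameter below is an assumption chosen for the example."""
import math

ADDRESS_SPACE = 2 ** 32   # IPv4 addresses probed uniformly at random (assumption)
N = 360_000               # vulnerable hosts, order of the Code-Red population (assumption)
I0 = 1                    # hosts infected at t = 0 (assumption)
DAY = 24 * 3600           # observation horizon in seconds


def contact_rate(probe_rate, n=N, space=ADDRESS_SPACE):
    """SI-model beta: successful contacts per infected host per second, scaled
    to the whole susceptible population.  A random probe hits a vulnerable
    address with probability n/space."""
    return probe_rate * n / space


def expected_time_to_next_victim(probe_rate):
    """Seconds a single infected host needs, on average, to find one more
    vulnerable host while almost all N hosts are still susceptible (1/beta).
    Q11's threshold compares this figure with the reaction time."""
    return 1.0 / contact_rate(probe_rate)


def logistic(infected, beta, t, n=N):
    """Closed-form SI solution: infected count after t seconds, starting from
    `infected` hosts with contact rate beta in a population of n."""
    if beta == 0.0:
        return infected
    return n / (1.0 + (n / infected - 1.0) * math.exp(-beta * t))


def max_reaction_time(probe_rate, target_fraction=0.01):
    """Largest reaction time (seconds) for which a containment system that
    blocks every path still holds the worm to `target_fraction` of N.
    Solves logistic(I0, beta, T) == target_fraction * N for T."""
    beta = contact_rate(probe_rate)
    return math.log((N / I0 - 1.0) / (1.0 / target_fraction - 1.0)) / beta


def final_infected_fraction(probe_rate, reaction_time, coverage, horizon=DAY):
    """Fraction of N infected after `horizon` seconds when containment that
    blocks `coverage` of all paths (1.0 = every path) activates after
    `reaction_time` seconds.  Before activation the worm spreads at full rate;
    afterwards only the leaked share (1 - coverage) of probes gets through."""
    beta = contact_rate(probe_rate)
    t_open = min(reaction_time, horizon)
    infected = logistic(I0, beta, t_open)
    remaining = horizon - t_open
    if remaining > 0:
        infected = logistic(infected, beta * (1.0 - coverage), remaining)
    return infected / N


if __name__ == "__main__":
    for rate in (10, 100):
        print(f"{rate:4d} probes/s: a lone infected host finds its next victim in "
              f"~{expected_time_to_next_victim(rate) / 60:.1f} min; full-coverage "
              f"containment must react within {max_reaction_time(rate) / 60:.1f} min "
              f"to stay under 1% infected")
    # Q4's situation: a fast worm, an 18-minute reaction, and 0.3% of paths unblocked
    for coverage in (1.0, 0.997):
        frac = final_infected_fraction(100, 18 * 60, coverage)
        print(f"100 probes/s, 18 min reaction, coverage {coverage:.3f}: "
              f"{frac:.1%} of vulnerable hosts infected after 24 h")
```

Two things fall out of the model that the answers above state in words. First, `max_reaction_time` scales as 1/beta, so a tenfold faster scanner cuts the tolerable reaction time tenfold; the paper's empirical figures (2 hours versus 18 minutes) are the same order of magnitude as this model gives under the assumed parameters, but are not reproduced by it. Second, with `coverage` below 1.0 the second `logistic` phase keeps growing for the rest of the day, which is why Q4's 0.3% of unblocked paths is enough for an aggressive worm to keep spreading after containment activates.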