A Network Worm Vaccine Architecture

Short Description
Worm vaccination architecture: sensors deployed at various locations in the network detect a … ing potential worm probes and, more importantly, infection …

Website: www.cs.columbia.edu | Filesize: 70kb

Content
A NetworkWorm Vaccine Architecture
Stelios Sidiroglou
Columbia University
stelios@cs.columbia.edu
Angelos D. Keromytis
Columbia University
angelos@cs.columbia.edu
Abstract
The ability of worms to spread at rates that effectively
preclude human-directed reaction has elevated them to a
first-class security threat to distributed systems. We present
the first reaction mechanism that seeks to automatically
patch vulnerable software. Our system employs a collection
of sensors that detect and capture potential worm infection
vectors. We automatically test the effects of these vectors
on appropriately-instrumented sandboxed instances of the
targeted application, trying to identify the exploited software
weakness. Our heuristics allow us to automatically
generate patches that can protect against certain classes of
attack, and test the resistance of the patched application
against the infection vector. We describe our system architecture,
discuss the various components, and propose directions
for future research.
1 Introduction
Recent incidents [4, 5] have demonstrated the ability of
self-propagating code, also known as “network worms” [31,
9], to infect large numbers of hosts, exploiting vulnerabilities
in the largely homogeneous deployed software
base [6, 41]. Even when the worm carries no malicious payload,
the direct cost of recovering from the…