Automatically deducing propagation sequences that circumvent a collaborative worm defense

We present an approach to the question of evaluating worm defenses against future, yet unseen, and possibly defense-aware worm behavior. Our scheme employs model checking to produce worm propagation sequences that defeat a worm defense of interest. We demonstrate this approach using an exemplar collaborative worm defense, in which LANs share alerts about encountered infections. Through model checking experiments, we then generate propagation sequences that are able to infect the whole population in the modeled network. We discuss these experimental results and also identify open problems in applying formal methods more generally in the context of worm quarantine research.
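As an added illustration (not the paper's own model, tool or results), the search below is a toy explicit-state model checker for a network of LANs that share infection alerts. The assumed defense is that detection lags one step and a LAN closes its perimeter to inbound traffic from other LANs once alerts from at least `alert_threshold` peer LANs have arrived, while intra-LAN traffic still flows; the breadth-first search asks whether any propagation sequence reaches the "every host infected" state and returns that sequence as the counterexample trace, or `None` when the modeled defense holds. All names and parameters are assumptions made for this example.

```python
from collections import deque


def find_infection_sequence(num_lans, hosts_per_lan, alert_threshold, seed=(0, 0)):
    """Explicit-state reachability search (the simplest form of model checking)
    for a propagation sequence that infects every host despite the collaborative
    defense. Returns a list of (source, target) infections, or None if no such
    sequence exists in this toy model. Hosts are (lan, index) pairs."""
    hosts = [(lan, h) for lan in range(num_lans) for h in range(hosts_per_lan)]
    everyone = frozenset(hosts)
    # A state is (infected hosts, LANs that have raised an alert, LANs whose
    # perimeter is closed to inbound traffic from other LANs).
    start = (frozenset([seed]), frozenset(), frozenset())
    parent = {start: None}  # state -> (previous state, move) for trace rebuild
    queue = deque([start])
    while queue:
        state = queue.popleft()
        infected, alerted, closed = state
        if infected == everyone:
            # Goal reached: rebuild the counterexample trace from the parents.
            trace = []
            while parent[state] is not None:
                state, move = parent[state]
                trace.append(move)
            return trace[::-1]
        # Worm move: one infected host infects one uninfected host per step.
        # A closed LAN drops inbound from other LANs; intra-LAN spread is unaffected.
        for src in infected:
            for tgt in hosts:
                if tgt in infected or (tgt[0] != src[0] and tgt[0] in closed):
                    continue
                # Defense step, evaluated on the infections visible *before*
                # this move (detection lags by one step). A LAN closes once it
                # has received alerts from at least alert_threshold peer LANs.
                new_alerted = alerted | {h[0] for h in infected}
                new_closed = closed | {lan for lan in range(num_lans)
                                       if len(new_alerted - {lan}) >= alert_threshold}
                nxt = (infected | {tgt}, new_alerted, new_closed)
                if nxt not in parent:
                    parent[nxt] = (state, (src, tgt))
                    queue.append(nxt)
    return None  # the property "not every host can be infected" holds


if __name__ == "__main__":
    # Constructed scenario: 3 LANs of 2 hosts; a threshold of 2 peer alerts
    # leaves a window in which every LAN can be seeded before the perimeters close.
    print(find_infection_sequence(3, 2, 2))
    print(find_infection_sequence(3, 2, 1))
```

Lowering the threshold to a single peer alert closes the window in this model, so the search reports no sequence; the found traces show the structural weakness (seed every LAN before the alerts propagate, then spread internally) that such an evaluation exposes.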
