Feedback Email Worm Defense System for Enterprise Networks

As email becomes one of the most convenient and indispensable communication mediums in our life, it is very important to protect email users from increasing email worm attacks. In this paper, we present the architecture and system design of a “feedback email worm defense system” to protect email users in enterprise networks. The defense system is flexible and able to integrate many existing detection techniques to provide effective and efficient email worm defense. First, in response to a “detection score” of a detected worm email and information on the possible appearance of a malicious email worm in the global Internet, the defense system adaptively chooses a cost-effective defense action that can range from simply labelling this email to aggressively deleting it from an email server. Second, the system uses “honeypot” [13] to thoroughly detect worm emails received by email servers and also to early detect the presence of an email worm in the global Internet. Third, the defense system implements a “multi-sifting detection” technique and “differential email service” to achieve accurate detection without causing much delay on most emails. Furthermore, the defense system separates email attachments from email texts and saves attachments in separate “attachment caching servers”, which facilitate both email worm detection and email service efficiency.

[1]  Patrick Lincoln,et al.  Epidemic profiles and defense of scale-free networks , 2003, WORM '03.

[2]  Stefan Savage,et al.  Inside the Slammer Worm , 2003, IEEE Secur. Priv..

[3]  Eleazar Eskin,et al.  MET: an experimental system for Malicious Email Tracking , 2002, NSPW '02.

[4]  R. Balzer Assuring the safety of opening email attachments , 2001, Proceedings DARPA Information Survivability Conference and Exposition II. DISCEX'01.

[5]  Henry L. Owen,et al.  The use of Honeynets to detect exploited systems across large enterprise networks , 2003, IEEE Systems, Man and Cybernetics SocietyInformation Assurance Workshop, 2003..

[6]  Weibo Gong,et al.  Email Virus Propagation Modeling and Analysis , 2003 .

[7]  Donald F. Towsley,et al.  Worm propagation modeling and analysis under dynamic quarantine defense , 2003, WORM '03.

[8]  Donald F. Towsley,et al.  Modeling malware spreading dynamics , 2003, IEEE INFOCOM 2003. Twenty-second Annual Joint Conference of the IEEE Computer and Communications Societies (IEEE Cat. No.03CH37428).

[9]  R. Sekar,et al.  An Approach for Detecting Self-propagating Email Using Anomaly Detection , 2003, RAID.

[10]  Stephanie Forrest,et al.  Email networks and the spread of computer viruses. , 2002, Physical review. E, Statistical, nonlinear, and soft matter physics.

[11]  Salvatore J. Stolfo,et al.  Data mining methods for detection of new malicious executables , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[12]  M. Newman,et al.  Random graphs with arbitrary degree distributions and their applications. , 2000, Physical review. E, Statistical, nonlinear, and soft matter physics.

[13]  Guofei Gu,et al.  Worm Detection Using Local Networks , 2004 .