Boundary Detection and Containment of Local Worm Infections
نویسندگان
چکیده
We propose a system for detecting scanning-worm infected machines in a local network. Infected machines are detected after a few unsuccesful connection attempts, and in cooperation with the border router, their traffic is redirected to a honeypot for worm identification and capture. We discuss the architecture of the system and present a sample implementation based on a Linux router. We discuss future improvements for increasing the detection abilities and coverage of the sensor. While the system was developed based on the Billy Goat worm-detection system, it can easily be used with other honeypot systems.
منابع مشابه
Worm virulence estimation for the containment of local worm outbreak
A worm-infected host scanning globally may not cause any new infection in its underlying local network before it is detected and quarantined by a worm detector. To defend this type of scanning hosts, a number of worm scanner detection methods such as failed scan detection, honeypot, and dark port detection are proposed. However, for a stealthier worm limiting its scan inside an enterprise netwo...
متن کاملEvaluation of collaborative worm containment on the DETER testbed
The advantage of collaborative containment over independent block or address blacklisting on worm defense has been advocated in previous worm studies. In this work, we will evaluate two collaborative worm containment proposals and present some of the results of our DETER emulation experiments. In the first one, proactive worm containment (PWC), security agents block all suspicious hosts on the ...
متن کاملDNS-based Detection of Scanning Worms in an Enterprise Network
Worms are arguably the most serious security threat facing the Internet. Seeking a detection technique that is both sufficiently efficient and accurate to enable automatic containment of worm propagation at the network egress points, we propose a new technique for the rapid detection of worm propagation from an enterprise network. It relies on the correlation of Domain Name System (DNS) queries...
متن کاملA Survey of Worm Detection and Containment
The self-duplicating, self-propagating malicious codes, known as computer worms, spread themselves without any human interaction and launch the most destructive attacks against computer networks. At the same time, being fully automated makes their behavior repetitious and predictable. This paper presents a survey an d comparison of Internet worm detection and containment schemes. We first ident...
متن کاملOnline Accumulation: Reconstruction of Worm Propagation Path
Knowledge of the worm origin is necessary to forensic analysis, and knowledge of the initial causal flows supports diagnosis of how network defenses were breached. Fast and accurate online tracing network worm during its propagation, help to detect worm origin and the earliest infected nodes, and is essential for large-scale worm containment. This paper introduces the Accumulation Algorithm whi...
متن کامل