An OS Independent Heuristics-based Worm-containment System

We present an operating system independent and tamper-resistant worm-containment end-system. This system continuously observes outgoing network traffic over a finite-duration traffic window, and using heuristic rules executing in a secondary environment, detects infections. It automatically quarantines the infected host to stop further spread of the worm. We present four heuristic rules, and using network traffic traces collected from an enterprise network demonstrate that a port/protocol-tuned version of the heuristic provides lowest false-positives rate for different settings. Using simulations, we further evaluate the effectiveness of this heuristic in containing the spread of a worm in a medium-sized network. We then demonstrate that different window sizes are required for containing worms with different spread rates. Consequently, to be effective across a broad range of worms, we show it is advisable to use a heuristic that uses multiple window sizes. We also demonstrate that by effectively tuning the heuristic parameters and Dynamic Host Configuration Protocol (DHCP) server settings, one can contain worms with spread rates from 2 scans per second to upwards of 100,000 scans per second.