An Automated Defense System to Counter Internet Worms

Our society is highly dependent on network services such as the Web, email, and collaborative P2P enterprise applications. But what if such infrastructures were suddenly torn down? Both past incidents and research studies show that a well-engineered Internet worm can accomplish such a task in a fairly simple way and, most notably, in a matter of a few minutes. This clearly rules out the possibility of manually countering worm outbreaks. We present a testbed that operates on a cluster of computers and emulates very large networks for purposes of experimentation. A wide variety of worm properties can be studied and network topologies of interest constructed. A reactive control system, based on the Willow architecture, operates on top of the testbed and provides a monitor/analyze/respond approach to deal with infections automatically. The logic driving the control system is synthesized from a formal specification, which is based on control rules that correlate sensor events. Details of our highly configurable testbed, the theory of operation of the Willow architecture, the features of the specification language, and various experimental performance results are presented. Index Terms Internet worm, emulation platform, defense system, Willow architecture, reactive control, policy rules Submission category Regular paper Approximate word count 10510 The material included in this paper has been cleared through the authors’ affiliations