Can we contain Internet worms?

MSR-TR-2004-83 |

Worm containment must be automatic because worms can spread too fast for humans to respond. Recent work has proposed a network centric approach to automate worm containment: network traffic is analyzed to derive a packet classifier that blocks (or rate-limits) worm propagation. This approach has fundamental limitations because the analysis has no information about the application vulnerabilities exploited by worms. This paper proposes Vigilante, a new host centric approach for automatic worm containment that addresses these limitations. Vigilante relies on collaborative worm detection at end hosts in the Internet but does not require hosts to trust each other. Hosts detect worms by analysing attempts to infect applications and broadcast self-certifying alerts (SCAs) when they detect a worm. SCAs are automatically generated machine-verifiable proofs of vulnerability; they can be independently and inexpensively verified by any host. Hosts can use SCAs to generate filters or patches that prevent infection. We present preliminary results showing that Vigilante can effectively contain fast spreading worms that exploit unknown vulnerabilities.