Conference Paper Details
6th Symposium on Operating Systems Design & Implementation
Automated Worm Fingerprinting
Sumeet Singh ; Cristian Estan ; George Varghese ; Stefan Savage
PID  :  75316
Source: CEUR
【 Abstract 】

Network worms are a clear and growing threat to the security of today’s Internet-connected hosts and networks. The combination of the Internet’s unrestricted connectivity and widespread software homogeneity allows network pathogens to exploit tremendous parallelism in their propagation. In fact, modern worms can spread so quickly, and so widely, that no human-mediated reaction can hope to contain an outbreak. In this paper, we propose an automated approach for quickly detecting previously unknown worms and viruses based on two key behavioral characteristics: a common exploit sequence together with a range of unique sources generating infections and destinations being targeted. More importantly, our approach, called “content sifting”, automatically generates precise signatures that can then be used to filter or moderate the spread of the worm elsewhere in the network. Using a combination of existing and novel algorithms we have developed a scalable content sifting implementation with low memory and CPU requirements. Over months of active use at UCSD, our Earlybird prototype system has automatically detected and generated signatures for all pathogens known to be active on our network as well as for several new worms and viruses which were unknown at the time our system identified them. Our initial experience suggests that, for a wide range of network pathogens, it may be practical to construct fully automated defenses, even against so-called “zero-day”
