Presentation is loading. Please wait.

Presentation is loading. Please wait.

Author: Matthew M. Williamson, HP Labs Bristol

Published bySybil Hart Modified over 6 years ago

Similar presentations

Presentation on theme: "Author: Matthew M. Williamson, HP Labs Bristol"— Presentation transcript:

1 Throttling Viruses: Restricting propagation to defeat malicious mobile code
Author: Matthew M. Williamson, HP Labs Bristol Published at the 18th Annual Computer Security Applications Conference (ACSAC), 2002 Presenter: Walter Mundt

2 Slowing Down Worms Limit outgoing connections to unique machines
Normal traffic tends to made repeat connections to a small set of servers Worm traffic connects to many different servers Benign filter design exploits this difference to slow worm traffic selectively.

3 Why Bother? Why only slow worm traffic?
Primary threat of worms is their speed Human response is too slow Automated responses can cause damage due to false positives Need a “benign” automated response that does not interfere with normal traffic.

4 How to tell the difference?
HTTP Traffic Worm Traffic

5 What Not to Do Drop connections classified as “worm traffic”
Slow down normal traffic unnecessarily Fail to slow down worm traffic

6 How? Set a limit on the rate of outgoing connections to “new” machines to r “New” machines are those not connected to recently A buffer of 4-5 remote hosts is sufficient Queue connections that are too fast Constantly de-queue and send connection attempts, at a rate of r

7 Algorithm Flow On connection attempt Delay queue loop

8 Behavior for normal traffic
Normal traffic has bursts of new connections followed by repeated connections to the same hosts New connections get queued briefly, but delay is minimal Reconnections are allowed as normal

9 Behavior for worm traffic
Worm traffic connections attempts are much faster than allowed rate A few connections go through, but most will be stuck in delay queue When the queue fills, the user can be notified and take action against the offending process

10 Contribution of the paper
This paper provides an effective way to slow down worm traffic from an infected machine. The effects of false positive results are minimal. If widely implemented, could effectively limit worm spread rate enough to allow human intervention. Implementation would be fairly simple on most platforms

11 Weaknesses in Paper Tests few types of “normal” traffic
Too much focus on HTTP Would need to be implemented very widely to significantly effect worm spread Does not stop worm spread, ineffective against slow-spread or “stealth” worms No future work discussed

12 Possible Improvements
Experiment with more types of data Discuss future work Consider limitations, possible issues Test an implementation on an actual network environment Combine with other methods of identifying worm traffic and limiting worm effectiveness.

Download ppt "Author: Matthew M. Williamson, HP Labs Bristol"

Similar presentations

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
1 Computer Networks: A Systems Approach, 5e Larry L. Peterson and Bruce S. Davie Chapter 8 Network Security Copyright © 2010, Elsevier Inc. All rights.

1 Computer Networks: A Systems Approach, 5e Larry L. Peterson and Bruce S. Davie Chapter 8 Network Security Copyright © 2010, Elsevier Inc. All rights.
Lecture: Malicious Code CIS 3360 Ratan K. Guha. Malicious Code2 Overview and Reading Assignments Defining malicious logic Types Action by Viruses Reading.

Lecture: Malicious Code CIS 3360 Ratan K. Guha. Malicious Code2 Overview and Reading Assignments Defining malicious logic Types Action by Viruses Reading.
1.  Congestion Control Congestion Control  Factors that Cause Congestion Factors that Cause Congestion  Congestion Control vs Flow Control Congestion.

1.  Congestion Control Congestion Control  Factors that Cause Congestion Factors that Cause Congestion  Congestion Control vs Flow Control Congestion.
Software Security Threats Threats have been an issue since computers began to be used widely by the general public.

Software Security Threats Threats have been an issue since computers began to be used widely by the general public.
 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.

 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.
 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.

 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.
Paul Solomine Security of P2P Systems. P2P Systems Used to download copyrighted files illegally. The RIAA is watching you… Spyware! General users become.

Paul Solomine Security of P2P Systems. P2P Systems Used to download copyrighted files illegally. The RIAA is watching you… Spyware! General users become.
Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.

Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Low-Rate TCP-Targeted Denial of Service Attacks Presenter: Juncao Li Authors: Aleksandar Kuzmanovic Edward W. Knightly.

Low-Rate TCP-Targeted Denial of Service Attacks Presenter: Juncao Li Authors: Aleksandar Kuzmanovic Edward W. Knightly.
1 Collaborative Online Passive Monitoring for Internet Quarantine Weidong Cui SAHARA Winter Retreat, 2004.

1 Collaborative Online Passive Monitoring for Internet Quarantine Weidong Cui SAHARA Winter Retreat, 2004.
How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Lesson 10 – SECURING YOUR NETWORK Security devices Internal security External security Viruses and other malicious software OVERVIEW.

Lesson 10 – SECURING YOUR NETWORK Security devices Internal security External security Viruses and other malicious software OVERVIEW.
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.

Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)

Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)
Tracking Port Scanners on the IP Backbone Tao Ye Sprint Burlingame, CA Avinash Sridharan University of Southern California.

Tracking Port Scanners on the IP Backbone Tao Ye Sprint Burlingame, CA Avinash Sridharan University of Southern California.
Alisha Horsfield INTERNET SAFETY. firewall Firewall- a system made to stop unauthorised access to or from a private network Firewalls also protects your.

Alisha Horsfield INTERNET SAFETY. firewall Firewall- a system made to stop unauthorised access to or from a private network Firewalls also protects your.

Similar presentations

Ads by Google