Share on Facebook Tweet on Twitter Share on LinkedIn Share by email
Can we contain Internet worms?

Manuel Costa, Jon Crowcroft, Miguel castro, and Antony Rowstron


Worm containment must be automatic because worms can spread too fast for humans to respond. Recent work has proposed a network centric approach to automate worm containment: network traffic is analyzed to derive a packet classifier that blocks (or rate-limits) wormpropagation. This approach has fundamental limitations because the analysis has no information about the application vulnerabilities exploited by worms. This paper proposesVigilante, a new host centric approach for automatic worm containment that addresses these limitations. Vigilante relies on collaborative worm detection at end hosts in the Internet but does not require hosts to trust each other. Hosts detect worms by analysing attempts to infect applications and broadcast self-certifying alerts (SCAs) when they detect a worm. SCAs are automatically generated machine-verifiable proofs of vulnerability; they can be independently and inexpensively verified by any host. Hosts can use SCAs to generate filters or patches that prevent infection. We present preliminary results showing that Vigilante can effectively contain fast spreading worms that exploit unknown vulnerabilities.


Publication typeInproceedings
Published inProceedings of the Third Workshop on Hot Topics in Networks (HotNets III)
PublisherAssociation for Computing Machinery, Inc.
> Publications > Can we contain Internet worms?