Worm detection at the Spectator proxy works by looking for long propagation chains. Our detection algorithm is designed to scale to propagation graphs consisting of thousands of nodes with minimal overhead on every request. Whenever a long propagation chain is detected, Spectator disallows further uploads that are caused by that chain, thereby containing further worm propagation. The Spectator detection algorithm is designed to detect propagation activity that affects multiple users.
With every HTML upload, we also record the IP address of the user issuing the request. Worm detection relies on sufficiently many users adopting Spectator. However, since Spectator relies on no additional client-side support, it can be deployed almost instantaneously to a multitude of users.
To make the discussion above more concrete, a diagram of Spectator’s architecture is shown above. Whenever a user attempts to download a page containing tags previously injected by Spectator, the following steps are taken, as shown in the figure:
- The tagged page is retrieved from the server.
- The Spectator proxy examines the page. If the page contains tags, a new session ID is created and associated with the list of tags in the page. The tags are stripped from the page and are never seen by the browser or any malicious content executing therein.
- The modified page augmented with the session ID stored in a cookie (referred to below as “Spectator cookie”) is passed to the browser.
Whenever an upload containing HTML is observed, the following steps are taken:
- A user issues an HTTP request containing HTML and a new tag is created for that upload. If a Spectator cookie is found on the client, it is automatically sent to Spectator by the browser.
- If the request has a valid session ID contained in a Spectator cookie attached to the request, the list of tags it corresponds to is looked up and, for every tag, causality links are added to the propagation graph. The request is not propagated further if the Spectator detection algorithm decides that the request is part of worm propagation.
- Finally, the request augmented with the newly created tag is uploaded and stored at the server.
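The two procedures above (tag stripping and session creation on download, tag creation and causality-link insertion on upload) can be modelled end to end in a few dozen lines. The following is an added example, not code from the Spectator paper or its implementation: it simulates the proxy in memory with three users who each download the previous user's page and re-upload its content, and blocks the upload once the causal chain reaches a configurable length. The tag marker format (`<!-- spectator:tN -->`), the session and tag naming, the chain threshold, and the rule that a chain must span more than one uploader IP are all assumptions made for the example; the paper's own detection algorithm is more elaborate than this longest-path check.

```python
import re
import itertools
from collections import defaultdict

# Assumed marker format: the paper does not specify how tags are encoded in stored HTML.
TAG_RE = re.compile(r"<!-- spectator:(?P<tag>[A-Za-z0-9]+) -->")


class SpectatorProxy:
    """Toy model of the Spectator proxy: tags uploads, strips tags on download,
    maintains the causality (propagation) graph and refuses long chains."""

    def __init__(self, chain_threshold=3):
        # Assumed policy: a chain of this many uploads spanning more than one
        # uploader IP is treated as worm propagation.
        self.chain_threshold = chain_threshold
        self.sessions = {}               # session ID -> tags found in the downloaded page
        self.parents = defaultdict(set)  # tag -> tags that causally precede it
        self.uploader_ip = {}            # tag -> IP address of the uploading client
        self.blocked = []                # tags whose upload was refused
        self._tag_ids = itertools.count(1)
        self._session_ids = itertools.count(1)

    # Download path: retrieve page, strip tags, create a session, hand the page to the browser.
    def on_download(self, page_html):
        tags = TAG_RE.findall(page_html)
        clean = TAG_RE.sub("", page_html)  # the browser never sees the tags
        if not tags:
            return clean, None
        session_id = f"s{next(self._session_ids)}"
        self.sessions[session_id] = tags
        return clean, session_id  # session_id is what the Spectator cookie carries

    # Upload path: create a tag, add causality links, decide, and store the tagged content.
    def on_upload(self, html, client_ip, spectator_cookie=None):
        tag = f"t{next(self._tag_ids)}"
        self.uploader_ip[tag] = client_ip
        for parent in self.sessions.get(spectator_cookie, []):
            self.parents[tag].add(parent)
        if self.is_worm_propagation(tag):
            self.blocked.append(tag)
            return None  # request is not propagated to the server
        return f"{html}<!-- spectator:{tag} -->"

    def chain_length(self, tag):
        """Number of uploads on the longest causal chain ending at `tag`."""
        memo = {}

        def longest(t):
            if t not in memo:
                memo[t] = 1 + max((longest(p) for p in self.parents.get(t, ())), default=0)
            return memo[t]

        return longest(tag)

    def ancestors(self, tag):
        """`tag` plus every tag reachable backwards over causality links."""
        seen, stack = set(), [tag]
        while stack:
            t = stack.pop()
            if t in seen:
                continue
            seen.add(t)
            stack.extend(self.parents.get(t, ()))
        return seen

    def is_worm_propagation(self, tag):
        ips = {self.uploader_ip[t] for t in self.ancestors(tag)}
        return self.chain_length(tag) >= self.chain_threshold and len(ips) > 1


def simulate_worm(threshold=3):
    """Constructed scenario: Alice posts content; Bob and Carol in turn download the
    previous user's page and re-upload what they received, as a worm would."""
    proxy = SpectatorProxy(chain_threshold=threshold)
    server = {"alice": proxy.on_upload("<p>hi</p>", "10.0.0.1")}  # in-memory "server"
    results = {"alice": server["alice"]}
    prev = "alice"
    for user, ip in [("bob", "10.0.0.2"), ("carol", "10.0.0.3")]:
        clean, cookie = proxy.on_download(server[prev])
        stored = proxy.on_upload(clean, ip, spectator_cookie=cookie)
        results[user] = stored
        if stored is None:
            break  # upload refused: chain contained
        server[user] = stored
        prev = user
    return proxy, results


if __name__ == "__main__":
    proxy, results = simulate_worm()
    for user, stored in results.items():
        print(user, "->", "BLOCKED" if stored is None else stored)
```

With the default threshold of 3, Alice's and Bob's uploads go through (chain lengths 1 and 2) and Carol's is refused once the chain reaches three uploads from three distinct IPs. The same three re-uploads performed by a single client are not blocked, which is the "affects multiple users" condition from the text.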