Title: End-to-end containment of internet worm epidemics
Author: Costa, M.
Awarding Body: University of Cambridge
Current Institution: University of Cambridge
Date of Award: 2007
Availability of Full Text:
Full text unavailable from EThOS.
Please contact the current institution’s library for further details.
Worms – programs that self-replicate automatically over computer networks – are a serious threat to hosts connected to the Internet. They infect hosts by exploiting software vulnerabilities, and they can use their victims for many malicious activities. Past outbreaks show that worms can spread too fast for humans to respond, hence worm containment must be automatic. We propose Vigilante: a new end-to-end architecture to contain worms automatically. In Vigilante, hosts detect worms by instrumenting vulnerable programs to analyze infection attempts. We introduce dynamic data-flow analysis: a broad-coverage host-based algorithm that can detect unknown worms, by tracking the flow of data from network messages, and disallowing unsafe uses of that data. We also show how to integrate other host-based detection mechanisms into the Vigilante architecture. Upon detection, hosts generate self-certifying alerts (SCAs), a new type of security alert that can be inexpensively verified by any vulnerable host. Using SCAs, hosts can cooperate to contain an outbreak, without having to trust each other. Vigilante broadcasts SCAs over an overlay network that propagates alerts rapidly and resiliently. Hosts receiving an SCA protect themselves by generating filters with vulnerability condition slicing: an algorithm that performs dynamic analysis of the vulnerable program to identify control-flow conditions that lead to successful attacks. These filters block the worm attack, including all mutations that follow the execution path identified by the SCA, while introducing a negligible performance overhead. Our results show that Vigilante can contain fast spreading worms that exploit unknown vulnerabilities without false positives. Vigilante does not require any changes to hardware, compilers, operating systems or the source code of vulnerable programs; therefore, it can be used to protect software as it exists today in binary form.
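The abstract above describes three mechanisms at a high level: dynamic data-flow analysis (taint tracking from network messages to control-flow decisions), self-certifying alerts that a receiving host can check for itself, and filters derived from the attack path. The block below is an added illustration of how those pieces fit together; it is not code from the thesis or from the Vigilante prototype, which instrumented real x86 binaries. A two-operation toy machine (`recv`, `ret`) with a constructed memory layout stands in for the vulnerable program, the program id `toy_service` and the sample messages are made up, and `make_filter` reduces vulnerability condition slicing to the single path condition this toy program has.

```python
"""Toy dynamic data-flow analysis, self-certifying alert and filter.

Added illustration, not code from the thesis or the Vigilante prototype:
the thesis instruments real x86 binaries; here a two-operation machine
(recv, ret) with a constructed memory layout stands in for the vulnerable
program. Every byte of memory carries a taint tag recording which message
offset it came from (None = not from the network).
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

MEM_SIZE = 64
BUF_ADDR = 0x10   # 8-byte receive buffer (constructed layout)
BUF_SIZE = 8
RET_ADDR = 0x18   # saved return address sits directly after the buffer
SAFE_RET = 0x40   # legitimate return target


class WormDetected(Exception):
    """Network-derived data reached the program counter."""


@dataclass
class Machine:
    mem: list = field(default_factory=lambda: [0] * MEM_SIZE)
    # taint[a] is the message offset whose byte now sits at address a, or None
    taint: list = field(default_factory=lambda: [None] * MEM_SIZE)
    pc: int = 0

    def recv(self, msg: bytes) -> None:
        """The vulnerability: copies msg into the buffer with no length check,
        so bytes beyond BUF_SIZE overwrite the saved return address."""
        for off, b in enumerate(msg):
            self.mem[BUF_ADDR + off] = b
            self.taint[BUF_ADDR + off] = off   # propagate taint with the data

    def ret(self) -> None:
        """Unsafe use: loading a tainted value into the program counter."""
        if self.taint[RET_ADDR] is not None:
            raise WormDetected(self.taint[RET_ADDR])
        self.pc = self.mem[RET_ADDR]


def run(msg: bytes) -> int:
    """Run the instrumented program on one message; returns the final pc."""
    m = Machine()
    m.mem[RET_ADDR] = SAFE_RET
    m.recv(msg)
    m.ret()
    return m.pc


def detect(msg: bytes) -> Optional[dict]:
    """Detector: returns a self-certifying alert (SCA) if msg drives the
    program counter from network data, otherwise None."""
    try:
        run(msg)
    except WormDetected as e:
        return {"program": "toy_service",      # hypothetical program id
                "message": msg,
                "tainted_offset": e.args[0]}   # which msg byte reached the pc
    return None


def verify_sca(sca: dict) -> bool:
    """Any host running the same binary can check an SCA by replaying the
    message under instrumentation; the alert's sender need not be trusted."""
    try:
        run(sca["message"])
    except WormDetected as e:
        return e.args[0] == sca["tainted_offset"]
    return False


def make_filter(sca: dict) -> Callable[[bytes], bool]:
    """Stand-in for vulnerability condition slicing. The thesis derives the
    control-flow conditions along the attack path; this toy program has a
    single path condition, 'msg reaches the return address', so the filter
    blocks every message long enough to do so, whatever its byte values."""
    cutoff = sca["tainted_offset"]
    return lambda msg: len(msg) > cutoff


# Constructed sample traffic
BENIGN = b"HELLO"
WORM = b"A" * BUF_SIZE + bytes([0x30])    # byte 8 lands on the return address
MUTANT = b"B" * BUF_SIZE + bytes([0x41])  # same path, different payload

if __name__ == "__main__":
    sca = detect(WORM)
    block = make_filter(sca)
    print("benign pc:", hex(run(BENIGN)))
    print("SCA verified:", verify_sca(sca))
    print("filter blocks worm/mutant/benign:",
          block(WORM), block(MUTANT), block(BENIGN))
```

Two points the toy makes concrete. First, the detector fires on the unsafe use, not on the overflow itself: a message of exactly `BUF_SIZE` bytes fills the buffer without touching the return address and runs to completion, so there is no false positive from mere oversized input. Second, verification replays the message rather than trusting the alert's contents, so an SCA whose message does not actually reproduce the tainted control transfer is rejected, and the resulting filter blocks the mutant payload because it follows the same path as the original attack.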
Supervisor: Not available
Sponsor: Not available
Qualification Name: Thesis (Ph.D.)
Qualification Level: Doctoral
EThOS ID:
DOI: Not available