A hybrid quarantine defense
10 pages
French
Description

A Hybrid Quarantine Defense

Phillip Porras, Linda Briesemeister, Keith Skinner (SRI International, 333 Ravenswood Avenue, Menlo Park, CA 94025; {phillip.porras, linda.briesemeister, keith.skinner}@sri.com)
Karl Levitt, Jeff Rowe, Yu-Cheng Allen Ting (Department of Computer Science, University of California, Davis, One Shields Avenue, Davis, CA 95616; {levitt, rowe, yting}@cs.ucdavis.edu)

ABSTRACT: We study the strengths, weaknesses, and potential synergies of two complementary worm quarantine defense strategies under various worm attack profiles. We observe their abilities to delay or suppress infection growth rates under two propagation techniques and three scan rates, and explore the potential synergies in combining these two complementary quarantine strategies.

We report on an ongoing study, in which we assess the comparative strengths of complementary quarantine philosophies, and explore the potential benefits of merging them to offer protection that is significantly more effective than either approach alone. Our current study examines two complementary worm quarantine strategies: one relying on autonomous gateway protection devices, and the other relying on peer-based coordinated sharing. Several variations of the algorithms discussed here

Extract

A Hybrid Quarantine Defense
Phillip Porras, Linda Briesemeister,
Keith Skinner
SRI International
333 Ravenswood Avenue
Menlo Park, CA 94025
{phillip.porras, linda.briesemeister,
keith.skinner}@sri.com
Karl Levitt, Jeff Rowe, Yu-Cheng Allen Ting
Department of Computer Science
University of California, Davis
One Shields Avenue
Davis, CA 95616
{levitt, rowe, yting}@cs.ucdavis.edu
ABSTRACT

We study the strengths, weaknesses, and potential synergies of two complementary worm quarantine defense strategies under various worm attack profiles. We observe their abilities to delay or suppress infection growth rates under two propagation techniques and three scan rates, and explore the potential synergies in combining these two complementary quarantine strategies. We compare the performance of the individual strategies against a hybrid combination strategy, and conclude that the hybrid strategy yields substantial performance improvements, beyond what either technique provides independently. This result offers potential new directions in hybrid quarantine defenses.
Categories and Subject Descriptors

C.2 [Computer and Communication Networks]: Security and Protection – Worms; C.2.3 [Network Operations]: Network monitoring – Worm Detection; C.2.5 [Local and Wide-Area Networks]: Internet; C.4 [Performance of Systems]: Modeling Techniques, Simulation

General Terms

Algorithms, Experimentation, Security, Performance

Keywords

Network Security, Network Modeling and Simulation, Worms, Worm Detection Systems
1. INTRODUCTION

In recent years we have witnessed the disturbingly high frequency with which outbreaks of self-propagating malicious code have plagued public networks, and have observed these epidemics penetrate into even well-protected enterprises, particularly as computing assets become more mobile. To combat this problem, there has been a surge of research in developing techniques to recognize and defend networks from emerging malicious code epidemics.

We report on an ongoing study, in which we assess the comparative strengths of complementary quarantine philosophies, and explore the potential benefits of merging them to offer protection that is significantly more effective than either approach alone. Our current study examines two complementary worm quarantine strategies: one relying on autonomous gateway protection devices, and the other relying on peer-based coordinated sharing. Several variations of the algorithms discussed here have been published elsewhere; however, here we focus on comparing the effectiveness of these quarantine strategies across a range of worm infection algorithms.

We also propose a novel hybrid defense, which combines the two complementary quarantine strategies. Our assessment reveals that this hybrid approach offers substantial infection growth rate reductions, greater than either technique can achieve alone. Our results suggest the potential value in developing hybrid quarantine solutions that operate both autonomously at network domains, but can also coordinate to provide group-wide protection.
2. Ongoing Research in Malicious Code Defense

Over the last decade large-scale malicious code epidemics have evolved from rare nuisance applications and research curiosities into the most well recognized information-based global security threat known today. The field of worm countermeasure development is active, with several new and derivative strategies being proposed yearly. Moore et al. [8] propose various requirements for consideration in developing containment strategies (e.g., network filtering), discussing issues such as reaction time, infection countermeasures, and deployment strategies, and explore how these factors impact worm propagation dynamics.

Substantial effort has been devoted to techniques that we classify as Resource Limiting (RL) Solutions. RL solutions explore ways in which local systems and domains may delay worm propagation through the limiting of resources that aggressive worms are known to consume at high rates. Williamson [16] suggests that throttling the volume of outbound connections that a host is allowed to initiate to new machines can produce a significant reduction in the infection rate, without significantly hindering normal communications. Staniford [12] refines the outbound connection-throttling concept and provides extensive assessment of its behavior, while moving the throttling mechanism from the individual host to the domain gateway. Gualtieri and Mosse [6] propose to dynamically calculate outbound connection rate limits on a per process basis, through the observa-
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
WORM'04, October 29, 2004, Washington, DC, USA.
Copyright 2004 ACM 1-58113-970-5/04/0010...$5.00.