Skip navigation

Towards automated distributed containment of zero-day network worms

Towards automated distributed containment of zero-day network worms

Shahzad, Khurram and Woodhead, Steve (2014) Towards automated distributed containment of zero-day network worms. In: Fifth International Conference on Computing, Communications and Networking Technologies (ICCCNT). IEEE, pp. 1-7. ISBN 978-1-4799-2695-4 (doi:https://doi.org/10.1109/ICCCNT.2014.6963119)

[img]
Preview
PDF (Author Accepted Manuscript)
12803_WOODHEAD_Towards_automated_distributed_(conf.)_(2014).pdf - Accepted Version
Available under License Creative Commons Attribution.

Download (642kB)

Abstract

Worms are a serious potential threat to computer network security. The high potential speed of propagation of worms and their ability to self-replicate make them highly infectious. Zero-day worms represent a particularly challenging class of such malware, with the cost of a single worm outbreak estimated to be as high as US$2.6 Billion. In this paper, we present a distributed automated worm detection and containment scheme that is based on the correlation of Domain Name System (DNS) queries and the destination IP address of outgoing TCP SYN and UDP datagrams leaving the network boundary. The proposed countermeasure scheme also utilizes cooperation between different communicating scheme members using a custom protocol, which we term Friends. The absence of a DNS lookup action prior to an outgoing TCP SYN or UDP datagram to a new destination IP addresses is used as a behavioral signature for a rate limiting mechanism while the Friends protocol spreads reports of the event to potentially vulnerable uninfected peer networks within the scheme. To our knowledge, this is the first implementation of such a scheme. We conducted empirical experiments across six class C networks by using a Slammer-like pseudo-worm to evaluate the performance of the proposed scheme. The results show a significant reduction in the worm infection, when the countermeasure scheme is invoked.

Item Type: Conference Proceedings
Title of Proceedings: Fifth International Conference on Computing, Communications and Networking Technologies (ICCCNT)
Additional Information: © 2014 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. International Conference on Computing, Communication and Networking Technologies (ICCCNT), 11-13 July 2014, Hefei, China.
Uncontrolled Keywords: malware, countermeasure, network worm, rate limiting
Faculty / School / Research Centre / Research Group: Faculty of Engineering & Science
Last Modified: 08 Nov 2019 13:07
URI: http://gala.gre.ac.uk/id/eprint/12803

Actions (login required)

View Item View Item

Downloads

Downloads per month over past year

View more statistics