Throttling Viruses: Restricting propagation to defeat malicious mobile code (2002)
Cited by 170 (6 self)
Modern computer viruses spread incredibly quickly, far faster than human-mediated responses. This greatly increases the damage that they cause. This paper presents an approach to restricting this high speed propagation automatically. The approach is based on the observation that during virus propagation, an infected machine will connect to as many different machines as fast as possible. An uninfected machine has a different behaviour: connections are made at a lower rate, and are locally correlated (repeat connections to recently accessed machines are likely).

Architecture Support for Defending Against Buffer Overflow Attacks (2002)
Cited by 46 (1 self)
Buffer overflow attacks are the predominant threat to the secure operation of network and, in particular, Internet-based applications. Stack smashing is a common mode of buffer overflow attack for hijacking system control. This paper evaluates two architecture-based techniques to defend systems against such attacks: (1) the split control and data stack, and (2) the secure return address stack (SRAS). The split stack approach separates control and data stacks to prevent the function return address from being overwritten. This approach can be implemented with compiler support or with architectural support by modifying the semantics of call and return instructions. The compiler implementation shows slight performance overhead (e.g., 2% for an ftp server), and the architectural support eliminates the overhead of the software solution. The SRAS is a hardware-based solution for detecting attacks. It uses the redundant copy of the return address maintained by the processor to validate return addresses and thereby detect malicious attacks. SRAS has been implemented in the SimpleScalar processor simulator. Simulation results show that the maximum overhead is 0.02% with a SRAS size of 64 entries for SPECINT 2000 benchmarks.

Netbait: a Distributed Worm Detection Service (2002)
Cited by 27 (2 self)
This paper presents Netbait, a planetary-scale service for distributed detection of Internet worms. Netbait allows users to pose queries that identify which machines on a given network have been compromised based on the collective view of a geographically distributed set of machines. It is based on a distributed query processing architecture that evaluates queries expressed using a subset of SQL against a single logical database table. This single logical table is realized using a distributed set of relational databases, each populated by local intrusion detection systems running on Netbait server nodes. For speed, queries in Netbait are processed in parallel by distributing them over dynamically constructed query processing trees built over Tapestry, a distributed object and location routing (DOLR) layer. For efficiency, query results are compressed using application-specific aggregation and compact encodings.

Anagnostakis. Puppetnets: Misusing web browsers as a distributed attack infrastructure (extended version) (2006)
Cited by 22 (2 self)
Most of the recent work on Web security focuses on preventing attacks that directly harm the browser's host machine and user. In this paper we attempt to quantify the threat of browsers being indirectly misused for attacking third parties. Specifically, we look at how the existing Web infrastructure (e.g., the languages, protocols, and security policies) can be exploited by malicious Web sites to remotely instruct browsers to orchestrate actions including denial of service attacks, worm propagation and reconnaissance scans. We show that, depending mostly on the popularity of a malicious Web site and user browsing patterns, attackers are able to create powerful botnet-like infrastructures that can cause significant damage. We explore the effectiveness of countermeasures including anomaly detection and more fine-grained browser security policies.

Self-Securing Network Interfaces: What, Why and How (2002)
Cited by 19 (6 self)
Self-securing network interfaces (NIs) examine the packets that they move between network links and host software, looking for and potentially blocking malicious network activity. This paper describes self-securing network interfaces, their features, and examples of how these features allow administrators to more effectively spot and contain malicious network activity. We present a software architecture for self-securing NIs that separates scanning software into applications (called scanners) running on an NI kernel. The resulting scanner API simplifies the construction of scanning software and allows its powers to be contained even if it is subverted. We illustrate the potential via a prototype self-securing NI and two example scanners: one that identifies and blocks known e-mail viruses and one that identifies and inhibits rapidly-propagating worms like Code-Red.

An Epidemiological Model of Virus Spread and Cleanup (2003)
Cited by 8 (0 self)
Signature based anti-virus technologies are widely used to fight computer viruses. It is difficult to evaluate such systems because they work in the wild and few companies would be willing to turn them off to be part of a control group! This paper presents a new model of these technologies that can be used to predict and evaluate their effectiveness.

Multiscale modeling and simulation of worm effects on the internet routing infrastructure (2003)
In Proceedings of the 13th International Conference on Modeling Techniques and Tools for Computer Performance Evaluation (Performance TOOLS 2003)
Cited by 8 (2 self)
An unexpected consequence of recent worm attacks on the Internet was that the routing infrastructure showed evidence of increased BGP announcement churn. As worm propagation dynamics are a function of the topology of a very large-scale network, a faithful simulation model must capture salient features at a variety of resolution scales. This paper describes our efforts to model worm propagation and its effect on routers and application traffic. Using our implementations of the Scalable Simulation Framework (SSF) API, we model worm propagation, its effect on the routing infrastructure and its effect on application traffic using multiscale traffic models.

Finding and Containing Enemies Within the Walls With Self-Securing Network Interfaces (2003)
Cited by 7 (2 self)
Self-securing network interfaces (NIs) examine the packets that they move between network links and host software, looking for and potentially blocking malicious network activity. This paper describes how self-securing network interfaces can help administrators to identify and contain compromised machines within their intranet. By shadowing host state, self-securing NIs can better identify suspicious traffic originating from that host, including many explicitly designed to defeat network intrusion detection systems. With normalization and detection-triggered throttling, self-securing NIs can reduce the ability of compromised hosts to launch attacks on other systems inside (or outside) the intranet. We describe a prototype self-securing NI and example scanners for detecting such things as TTL abuse, fragmentation abuse, "SYN bomb" attacks, and random-propagation worms like Code-Red.

The HoneyTank: a scalable approach to collect malicious Internet traffic (2004)
In Proc. of IISW04
Cited by 4 (0 self)
During the last few years, the amount of malicious traffic on the Internet has increased due to the spreading of worms, various port scanning activities, intrusion attempts or spammers. Collecting and analyzing this malicious traffic is an important issue. It can teach us what the latest trends in computer misuse are, it can help us discover new kinds of attacks, or it can be used to automatically generate signatures for network-based intrusion detection systems. In this paper, we propose an efficient method for collecting large amounts of malicious traffic running over TCP. The key advantage of our method is that it does not need to maintain any state to emulate TCP services running on a large number of emulated end-systems. We implemented a prototype on the ASAX IDS and provide in this paper several examples of the malicious activities which were collected on a campus network attached to the Internet. We explain how we implemented various protocols in a stateless way and we discuss limitations of our approach. We also discuss how our method can be improved to make an accurate but still stateless emulation of stateful protocols.

Defending against Internet Worm-like Infestations
The easy access and wide usage of the Internet make it more convenient for technical research and information exchange. However, malicious codes, such as Code Red, Nimda, SQL Slammer and W32/Blaster, also occur more frequently and severely than ever. These self-propagating malicious codes can invade networks and paralyze normal network operation. These Internet worms could, in a very short time, cause great damage to network and information infrastructure. Therefore, Internet worms have become vital threats to network and security management. In this paper, we present a pro-active responding scheme to deal with Internet worms. Based on this scheme, we designed and implemented a pro-active defending system against Internet worms. This pro-active defending system will monitor network traffic, detect hosts with abnormal network behavior and isolate these hosts from the managed network. The results show that it can efficiently mitigate the impact caused by Internet worms and stop the wide spreading of Internet worms.