To detect and defend against Internet worms, researchers have long hoped to have a safe convenient environment to unleash and run real-world worms for close observation of their infection, damage, and propagation. However, major challenges exist in realizing such “worm playgrounds”, including the playgrounds ’ fidelity, confinement, scalability, as well as convenience in worm experiments. In this paper, we present a virtualizationbased platform to create virtual worm playgrounds, called vGrounds, on top of a physical infrastructure. A vGround is an all-software virtual environment dynamically created for a worm attack. It has realistic end-hosts and network entities, all realized as virtual machines (VMs) and confined in a virtual network (VN). The salient features of vGround include: (1) high fidelity supporting real worm codes exploiting real vulnerable services, (2) strict confinement making the real Internet totally invisible and unreachable from inside a vGround, (3) high resource efficiency achieving sufficiently large scale of worm experiments, and (4) flexible and efficient worm experiment control enabling fast (tens of seconds) and automatic generation, re-installation, and final teardown of vGrounds. Our experiments with real-world worms (including multi-vector worms and polymorphic worms) have successfully exhibited their probing and propagation patterns, exploitation steps, and malicious payloads, demonstrating the value of vGrounds for worm detection and defense research.

Millions of Internet users are using large-scale peerto-peer (P2P) networks to share content files today. Many other mission-critical applications, such as Internet telephony and Domain Name System (DNS), have also found P2P networks appealing due to their scalability and reliability properties. These P2P networks, however, could be leveraged by automatic-propagating Internet worms to quickly infect a large vulnerable population and inflict tremendous damages to information infrastructure and end systems. While much work has been done to study randomscanning worms, such as CodeRed and Slammer, we have less understanding of non-scanning worms that are potentially stealthy. In this paper, we identify three strategies a non-scanning worm could use to propagate through P2P systems. To understand their behaviors, we provide a workload-driven simulation framework to characterize these worms and identify the parameters influencing their propagations. The non-scanning nature allows P2P worms to evade many of today’s detection methods aimed at random-scanning worms. We propose and evaluate an online detection algorithm against these P2P worms using statistical detection of change-points in streaming sensor data. 1

host infection Once a host is infected by an Internet worm, prompt action must be taken before that host does more harm to its local network and the rest of the Internet. It is therefore critical to quickly detect that a worm has infected a host. In this paper, we enhance our SWORD system to allow for the detection of infected hosts and evaluate its performance. This enhanced version of SWORD inherits the advantages of the original SWORD—it does not rely on inspecting traffic payloads to search for worm byte patterns or setting up a honeypot to lure worm traffic. Furthermore, while acting as a host-level detection system, it runs at a network’s gateway and stays transparent to individual hosts. We show that our enhanced SWORD system is able to quickly and accurately detect if a host is infected by a zero-day worm. Furthermore, the detection is shown to be effective against worms of different types and speeds, including polymorphic worms. 1

To detect and defend against Internet worms, researchers have long hoped to have a safe convenient environment to unleash and run real-world worms for close observation of their infection, damage, and propagation. However, major challenges exist in realizing such “worm playgrounds”, including the playgrounds ’ fidelity, confinement, scalability, as well as convenience in worm experiments. In this paper, we present a virtualizationbased platform to create virtual worm playgrounds, called vGrounds, on top of a physical infrastructure. A vGround is an all-software virtual environment dynamically created for a worm attack. It has realistic end-hosts and network entities, all realized as virtual machines (VMs) and confined in a virtual network (VN). The salient features of vGround include: (1) high fidelity supporting real worm codes exploiting real vulnerable services, (2) strict confinement making the real Internet totally invisible and unreachable from inside a vGround, (3) high resource efficiency achieving sufficiently large scale of worm experiments, and (4) flexible and efficient worm experiment control enabling fast (tens of seconds) and automatic generation, re-installation, and final teardown of vGrounds. Our experiments with real-world worms (including multi-vector worms and polymorphic worms) have successfully exhibited their probing and propagation patterns, exploitation steps, and malicious payloads, demonstrating the value of vGrounds for worm detection and defense research.