Can we contain Internet worms?
Worm containment must be automatic because worms can spread too fast for
humans to respond. Recent work has proposed a network centric approach
to automate worm containment: network traffic is analyzed to derive a
packet classifier that blocks (or rate-limits) worm propagation. This
approach has fundamental limitations because the analysis has no
information about the application vulnerabilities exploited by worms.
This paper proposes Vigilante, a new host centric approach for automatic
worm containment that addresses these limitations. Vigilante relies on
collaborative worm detection at end hosts in the Internet but does not
require hosts to trust each other. Hosts detect worms by analysing
attempts to infect applications and broadcast self-certifying alerts
(SCAs) when they detect a worm. SCAs are automatically generated
machine-verifiable proofs of vulnerability; they can be independently
and inexpensively verified by any host. Hosts can use SCAs to generate
filters or patches that prevent infection. We present preliminary
results showing that Vigilante can effectively contain fast spreading
worms that exploit unknown vulnerabilities.