Defending against hitlist worms using network address space randomization

WORM'05 - Proceedings of the 2005 ACM Workshop on Rapid Malcode

Volumn , Issue , 2005, Pages 30-40

  Antonatos, S ^a   Akritidis, R ^a   Markatos, E P ^a   Anagnostakis, K G ^b  

^a INSTITUTE OF COMPUTER SCIENCE   (Greece)

^b INSTITUTE FOR INFOCOMM RESEARCH   (Singapore)

Author keywords

Internet Worms; Network Security; Randomization; Traffic Analysis

Indexed keywords

COMPUTER NETWORKS; INTERNET; RANDOM PROCESSES; SECURITY OF DATA; TELECOMMUNICATION TRAFFIC;

INTERNET WORMS; NETWORK SECURITY; RANDOMIZATION; TRAFFIC ANALYSIS;

COMPUTER VIRUSES;

EID: 31844445856     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1103626.1103633     Document Type: Conference Paper

References (53)

1. DShield: Distributed Intrusion Detection System. http://www.dshield.org.
2. CERT Advisory CA-2001-19: 'Code Red' Worm Exploiting Buffer Overflow in US Indexing Service DLL. http://www.cert.org/advisories/CA-2001-19.html, July 2001.
3. NLANR-PMA Traffic Archive: Bell Labs-I trace. http://pma.nlanr.net/ Traces/Traces/long/bell/1, 2002.
4. NLANR-PMA Traffic Archive: Leipzig-I trace. http.//pma.nlanr.net/Traces/ Traces/long/leip/1, 2002.
5. DISCO: The Passive IP Discovery Tool. http://www.altmode.com/disco/, 2004.
6. Fingerprinting: The complete documentation. http://www.10t3k.org/ security/docs/fingerprinting/, 2004.
7. Fingerprinting: The complete toolsbox. http://www.10t3k.org/security/ tools/fingerprinting/, 2004.
8. Net Worm Uses Google to Spread. http://it.slashdot.org/it/04/12/21/ 2135235.shtml, Dec. 2004.
9. THC-Amap. http://thc.org/releases.php, 2004.
10. K. G. Anagnostakis, M. B. Greenwald, S. Ioannidis, A. D. Keromytis, and D. Li. A Cooperative Immunization System for an Untrusting Internet. In Proceedings of the 11th IEEE International Conference on Networking (ICON), pages 403-408, Sept./Oct. 2003.
11. M. Arlitt and C. Williamson. An Analysis of TCP Reset Behaviour on the Internet. ACM SIGCOMM Computer Communication Review, 35(1):37-44, 2005.
12. M. Atighetchi, P. Pal, F. Webber, R. Schantz, and C. Jones. Adaptive use of network-centric mechanisms in cyber-defense. In Proceedings of the 6th IEEE International Symposium on Object-oriented Real-time Distributed Computing, May 2003.
13. R. A. Baratto, S. Potter, G. Su, and J. Nieh. Mobidesk: mobile virtual desktop computing. In Proceedings of the 10th Annual International Conference on Mobile Computing and Networking (MOBICOM), pages 1-15. ACM Press, 2004.
14. E. G. Barrantes, D. H. Ackley, T. S. Palmer, D. Stefanovic, and D. D. Zovi. Randomized instruction set emulation to disrupt binary code injection attacks. In Proceedings of the 10th ACM Conference on Computer and Communications Security, Oct. 2003.
15. S. Bhatkar, D. DuVarney, and R. Sekar. Address obfuscation: An efficient approach to combat a broad range of memory error exploits. In In Proceedings of the 12th USENIX Security Symposium, pages 105-120, Aug. 2003.
16. J. S. Chase, H. M. Levy, M. J. Feeley, and E. D. Lazowska. Sharing and protection in a single-address-space operating system. ACM Transactions on Computer Systems, 12(4):271-307, 1994.
17. W. Chen, Y. Huang, B. F. Ribeiro, K. Suh, H. Zhang, E. de Souza e Silva, J. Kurose, and D. Towsley. Exploiting the IPID field to infer network path and end-system characteristics. In Proceedings of the 6th Passive and Active Measurement Workshop (PAM 2005), Mar. 2005.
18. B. Croft and J. Gilmore. Bootstrap Protocol (BOOTP). RFC 951, http://www.rfc-editor.org/, Sept. 1985.
19. R. Droms. Dynamic Host Configuration Protocol. RFC 2131, http://www.rfc-editor.org/, Mar. 1997.
20. Internet Systems Consortium Inc. Dynamic host configuration protocol (DHCP) reference implementation, http://www.isc.org/sw/dhcp/.
21. J. Ioannidis and G. Q. Maguire Jr. The design and implementation of a mobile internetworking architecture. In USENIX Winter, pages 489-502, 1993.
22. J. Jung, V. Paxson, A. W. Berger, and H. Balakrishnan. Fast Portscan Detection Using Sequential Hypothesis Testing. In Proceedings of the IEEE Symposium on Security and Privacy, May 2004.
23. J. Jung, E. Sit, H. Balakrishnan, and R. Morris. DNS performance and the effectiveness of caching. In Proceedings of the 1st ACM SIGCOMM Internet Measurement Workshop (IMW), Nov. 2001.
24. M. Kaminsky, E. Peterson, D. B. Giffin, K. Fu, D. Mazires, and M. F. Kaashoek. REX: Secure, extensible remote execution. In In Proceedings of the 2004 USENIX Technical Conference, pages 199-212, June-July 2004.
25. T. Karagiannis, A. Broido, M. Faloutsos, and K. claffy. Transport layer identification of P2P traffic. In IMC '04: Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, pages 121-134, New York, NY, USA, 2004. ACM Press.
26. G. S. Kc, A. D. Keromytis, and V. Prevelakis. Countering Code-Injection Attacks With Instruction-Set Randomization. In Proceedings of the ACM Computer and Communications Security Conference (CCS), pages 272-280, Oct. 2003.
27. D. Kewley, J. Lowry, R. Fink, and M. Dean. Dynamic approaches to thwart adversary intelligence gathering. In Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX), 2001.
28. T. Kohno, A. Broido, and kc Claffy. Remote physical device fingerprinting. In IEEE Symposium on Security and Privacy, May 2005.
29. J. Michalski, C. Price, E. Stanton, E. L. Chua, K. Seah, W. Y. Heng, and T. C. Pheng. Final Report for the Network Security Mechanisms Utilizing Network Address Translation LDRD Project. Technical Report SAND2002-3613, Sandia National Laboratories, November 2002.
30. D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver. Inside the slammer worm. IEEE Security & Privacy, pages 33-39, July/Aug. 2003.
31. D. Moore, C. Shannon, and J. Brown. Code-Red: a case study on the spread and victims of an Internet worm. In Proceedings of the 2nd Internet Measurement Workshop (IMW), pages 273-284, Nov. 2002.
32. D. Nojiri, J. Rowe, and K. Levitt. Cooperative response strategies for large scale attack mitigation. In Proceedings of the 3rd DARPA Information Survivability Conference and Exposition (DISCEX), Apr. 2003.
33. A. Pasupulati, J. Coit, K. Levitt, S. F. Wu, S. H. Li, J. C. Kuo, and K. P. Fan. Buttercup: On Network-based Detection of Polymorphic Buffer Overflow Vulnerabilities. In Proceedings of the Network Operations and Management Symposium (NOMS), pages 235-248, vol. 1, Apr. 2004.
34. th International Symposium on Recent Advances in Intrusion Detection (RAID), pages 59-81, Oct. 2004.
35. S. Sen, O. Spatscheck, and D. Wang. Accurate, scalable in-network identification of P2P traffic using application signatures. In WWW '04: Proceedings of the 13th international conference on World Wide Web, pages 512-521, New York, NY, USA, 2004. ACM Press.
36. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh. On the effectiveness of address-space randomization. In CCS '04: Proceedings of the 11th ACM Conference on Computer and Communications Security, pages 298-307, New York, NY, USA, 2004. ACM Press.
37. S. Sidiroglou and A. D. Keromytis. A network worm vaccine architecture. In Proceedings of the IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE), Workshop on Enterprise Security, June 2003.
38. th Symposium on Operating Systems Design & Implementation (OSDI), Dec. 2004.
39. A. C. Snoeren and H. Balakrishnan. An end-to-end approach to host mobility. In MobiCom '00: Proceedings of the 6th annual international conference on Mobile computing and networking, pages 155-166, New York, NY, USA, 2000. ACM Press.
40. S. Staniford. Containment of Scanning Worms in Enterprise Networks. Journal of Computer Security, 2004.
41. S. Staniford, D. Moore, V. Paxson, and N. Weaver. The top speed of flash worms. In Proc. ACM CCS WORM, Oct. 2004
42. S. Staniford, V. Paxson, and N. Weaver. How to Own the Internet in Your Spare Time. In Proceedings of the 11th USENIX Security Symposium, pages 149-167, Aug. 2002.
43. T. Toth and C, Krügel. Accurate buffer overflow detection via abstract payload execution. In Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID), Oct. 2002.
44. H. J. Wang, C. Guo, D. R. Simon, and A. Zugenmaier. Shield: vulnerability-driven network filters for preventing known vulnerability exploits. In Proceedings of ACM SIGCOMM'04, pages 193-204, 2004.
45. th International Symposium on Recent Advanced in Intrusion Detection (RAID), pages 201-222, Sept. 2004.
46. N. Weaver and V. Paxson. A worst-case worm. In Proc. Third Annual Workshop on Economics and Information Security (WEIS'04), May 2004.
47. th USENIX Security Symposium, pages 29-44, Aug. 2004.
48. M. Williamson. Throttling Viruses: Restricting Propagation to Defeat Malicious Mobile Code. Technical Report HPL-2002-172, HP Laboratories Bristol, 2002.
49. J. Wu, S. Vangala, L. Gao, and K. Kwiat. An Effective Architecture and Algorithm for Detecting Worms with Various Scan Techniques. In Proceedings of the Network and Distributed System Security Symposium (NDSS), pages 143-156, Feb. 2004.
50. J. Xu, Z. Kalbarczyk, and R. Iyer. Transparent runtime randomization for security. In A. Fantechi, editor, Proc. 22nd Symp. on Reliable Distributed Systems -SRDS 2003, pages 260-269, Oct. 2003.
51. C. Yarvin, R. Bukowski, and T. Anderson. Anonymous RPC: Low-latency protection in a 64-bit address space. In In Proc. USENIX Summer 1993 Technical Conference, pages 175-186, June 1993.
52. V. Yegneswaran, P. Barford, and S. Jha. Global Intrusion Detection in the DOMINO Overlay System. In Proceedings of the Network and Distributed System Security Symposium (NDSS), Feb. 2004.
53. th ACM International Conference on Computer and Communications Security (CCS), pages 190-199, Oct. 2003.