[show abstract][hide abstract] ABSTRACT: The advantage of collaborative containment over independent block or address blacklisting on worm defense has been advocated in previous worm studies. In this work, we will evaluate two collaborative worm containment proposals and present some of the results of our DETER emulation experiments. In the first one, proactive worm containment (PWC), security agents block all suspicious hosts on the network on receiving alerts of a worm and run "relaxation analysis" on those blocked hosts afterwards. Emulation experiments will evaluate PWC's ability to stop the propagation of fast local worms and to reduce scan traffic of fast global scanning worms. The second proposal, which detects and contains a scanning worm based on the concept of dark port, focuses on stealthy worms that target only specific local networks or enterprise networks. Emulation experiments run on the DETER testbed demonstrate the efficiency of local scanning worms and their elevated threat to enterprise networks. The effectiveness of a collaborative containment strategy based on dark port detection is evaluated using DETER emulation and compared with that of individual address blacklisting.
[show abstract][hide abstract] ABSTRACT: Internet worm security threats have increased with their more advanced scanning strategies and malicious payloads. In this article, we extend our existing KMSim worm model to account for the self-destructive or removal/death behavior of worms. The modified model is then used to simulate the Witty and Blaster worms. Also in this paper we describe our experi-ence of running worm emulation experiments on a clustered network testbed (DETER) and introduce the associated exper-iment specification and visualization tool (ESVT). The virtual node approach of network scaling-down and the design of In-ternet scan injection problem are presented with the exam-ple of the Blaster worm. Preliminary experimental results of Blaster enterprise network emulation are reported as well.