Automated Worm Fingerprinting
Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage
Network worms are a clear and growing threat to the security of today's Internet-connected hosts and networks. The combination of the Internet's unrestricted connectivity and widespread software homogeneity allows network pathogens to exploit tremendous parallelism in their propagation. In fact, modern worms can spread so quickly, and so widely, that no human-mediated reaction can hope to contain an outbreak.
In this paper, we propose an automated approach for quickly detecting previously unknown worms and viruses based on two key behavioral characteristics—a common exploit sequence together with a range of unique sources generating infections and destinations being targeted. More importantly, our approach—called "content sifting"—automatically generates precise signatures that can then be used to filter or moderate the spread of the worm elsewhere in the network.
Using a combination of existing and novel algorithms we have developed a scalable content sifting implementation with low memory and CPU requirements. Over months of active use at UCSD, our Earlybird prototype system has automatically detected and generated signatures for all pathogens known to be active on our network as well as for several new worms and viruses which were unknown at the time our system identified them. Our initial experience suggests that, for a wide range of network pathogens, it may be practical to construct fully automated defenses—even against so-called "zero-day" epidemics.