Thwarting Network Stealth Worms in Computer Networks through Biological Epidemiology
Hall, Kristopher Joseph
MetadataShow full item record
This research developed a system, Rx, to provide early identification and effective control of network stealth worms in digital networks through techniques based on biological epidemiology. Network stealth worms comprise a class of surreptitious, self-propagating code that spread over network connections by exploiting security vulnerabilities in hosts. Past outbreaks due to traditional worms subverted hundreds of thousands of machines. Network stealth worms exacerbate that threat by using clandestine methods to maintain a persistent presence in the network. Biological epidemiology was shown to support the real-time detection, characterization, forecasting, and containment of network stealth worms. Epidemiology describes a scientific methodology in biology that seeks to understand, explain, and control disease. Bio-mathematical modeling led to the development of a mechanism for digital networks to identify worm infection behavior buried in anomaly data, to characterize a worm, and to forecast the temporal spread of a worm. Demographic analysis of the infected hosts revealed the subset of vulnerable machines within the population. The automated response of advanced quarantine used this information to control the spread of an identified worm by isolating both infected and vulnerable machines. The novel contributions of this research included the identification of a network stealth worm at the network-level based on end-host reports while simultaneously characterizing and forecasting the spread of the worm. Additionally, this task offered the technique of advanced quarantine through demographic analysis of the population. This work resulted in a scalable, fault-tolerant strategy that dramatically enhanced the survival rate of network hosts under attack by a stealth worm. Moreover, this approach did not require new hardware, changes to existing protocols, or participation outside the implementing organization. This research showed application to a wider range of challenges. The bio-mathematical models are extensible, allowing Rx to respond to variations on the self-propagating code presented here. The approach is applicable to other forms of malware beyond self-propagating code by interchanging the epidemic model with one more appropriate. Lastly, the strategy allowed anomaly detectors to be sensitive to lower reporting thresholds and a variety of often benign yet potentially useful events.
- Doctoral Dissertations