"Very Fast Scanning-Worm Containment"
Worms are a substantial threat to our computing infrastructure. Due to their speed, they require automatic defenses. One such defense, scanning-worm containment, attempts to detect scanning and then limit the detected infection to a small portion of the protected network. We offer three substantial enhancements to scanning-worm containment: a highly accurate, online scan-detection algorithm, the use of cooperation to enhance containment, and new attacks on containment systems.
Our approximate scan-detection algorithm is fast, requiring at most 4 memory accesses per packet, and works effectively with just 5 MB of memory when tested on a large access-link trace. It is also sensitive, able to detect scanning after fewer than 10 attempts, and it is suitable for both hardware and software implementation. Adding cooperation makes containment more effective, because a second sensor, knowledge of the spread of an infection, can then be used to enhance detection and response. Developing and evaluating attacks on containment systems makes it possible to design counter-countermeasures against the countermeasures that future malcode authors could employ.
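As an added illustration, not the paper's code (the abstract does not give the algorithm), here is a simplified bounded-memory online scan detector in the spirit described: fixed-size tables, a constant number of table accesses per connection attempt, and a per-source threshold of 10 distinct destinations. The table size, hash function and sample trace are assumptions.

```python
import hashlib

def slot_of(key: str, size: int) -> int:
    # Map a key to a table slot; the hash function is a constructed choice.
    digest = hashlib.blake2b(key.encode(), digest_size=8).digest()
    return int.from_bytes(digest, "big") % size

class ApproxScanDetector:
    """Bounded-memory online scan detector (assumed design, not the paper's code).

    Two fixed-size tables are touched a constant number of times per attempt:
    an approximate connection cache that suppresses repeat contacts, and a
    per-source counter of distinct destinations. A source is flagged once it
    has contacted `threshold` distinct destinations. Slot collisions make the
    counts approximate: an evicted pair is counted again if it recurs, and two
    sources hashing to one counter slot share a count."""

    def __init__(self, table_size: int = 1 << 20, threshold: int = 10):
        self.size = table_size
        self.threshold = threshold
        self.conn = [None] * table_size  # slot -> last (src,dst) pair stored there
        self.count = [0] * table_size    # slot -> new-destination count for a source

    def observe(self, src: str, dst: str) -> bool:
        """Process one connection attempt; True if src has reached the threshold."""
        pair = f"{src}->{dst}"
        cslot = slot_of(src, self.size)
        pslot = slot_of(pair, self.size)
        if self.conn[pslot] != pair:      # access 1: pair not in the cache
            self.conn[pslot] = pair       # access 2: record it (may evict an older pair)
            self.count[cslot] += 1        # accesses 3-4: read and write the counter
        return self.count[cslot] >= self.threshold

def detect_scanners(trace, threshold: int = 10):
    """Replay (src, dst) records and return the sorted list of flagged sources."""
    det = ApproxScanDetector(threshold=threshold)
    return sorted({src for src, dst in trace if det.observe(src, dst)})

# Constructed trace: a normal host that repeatedly talks to three servers, and a
# host that probes fifteen consecutive addresses once each.
SAMPLE_TRACE = [("10.0.0.5", f"10.0.1.{i % 3 + 1}") for i in range(30)] + \
               [("10.0.0.99", f"10.0.2.{i}") for i in range(1, 16)]

if __name__ == "__main__":
    print(detect_scanners(SAMPLE_TRACE))   # ['10.0.0.99']
```

The repeat contacts of the normal host never raise its counter, while the probing host crosses the threshold on its tenth distinct destination.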