Very Fast Containment of Scanning Worms
ICSI & LBNL
Computer worms — malicious, self-propagating programs — represent a significant threat to large networks. One possible defense, containment, seeks to limit a worm's spread by isolating it in a small subsection of the network. In this work we develop containment algorithms suitable for deployment in high-speed, low-cost network hardware. We show that these techniques can stop a scanning host after fewer than 10 scans with a very low false-positive rate. We also augment this approach by devising mechanisms for cooperation that enable multiple containment devices to more effectively detect and respond to an emerging infection. Finally, we discuss ways that a worm can attempt to bypass containment techniques in general, and ours in
Computer worms — malicious, self-propagating programs — represent a substantial threat to large networks. Since these threats can propagate more rapidly than humans can respond [24, 12], automated defenses are critical for detecting and responding to infections. One of the key defenses against scanning worms that spread throughout an enterprise is containment [28, 23, 21, 7, 14]. Worm containment, also known as virus throttling, works by detecting that a worm is operating in the network and then blocking the infected machines from contacting further hosts. Currently, such containment mechanisms only work against scanning worms, because they rely on the anomaly of a local host attempting to connect to many other hosts as the means of detecting an infectee.
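The detection rule described above, contacting many distinct hosts, is simple enough to show as a small simulation. The following is an added example written for this page, not code from the paper or its authors, and it does not implement the paper's own algorithm (the excerpt does not describe it). It assumes a hypothetical containment device that sees flows as (source, destination) host pairs, treats each /24 as a cell, never inspects intra-cell traffic, and blocks a source once it has attempted connections to a threshold number of distinct hosts outside its own cell. The sample flows (one benign client, one scanning host) are constructed for the example.

```python
"""Toy containment device: count distinct cross-cell destinations per source.

Added example for this page; not the paper's algorithm. Hypothetical
assumptions: cells are /24 prefixes, flows are (src, dst) host pairs, and a
source is cut off once it has tried to reach THRESHOLD distinct hosts in
other cells. Connection success is ignored here, which a real detector
would not do (see the usage note).
"""
from collections import defaultdict
import ipaddress

THRESHOLD = 10  # distinct cross-cell destinations before a source is blocked


def cell_of(host: str, prefix_len: int = 24) -> str:
    """Map a host to its cell; assumption: one cell per /24 prefix."""
    return str(ipaddress.ip_network(f"{host}/{prefix_len}", strict=False))


class ContainmentDevice:
    def __init__(self, threshold: int = THRESHOLD, prefix_len: int = 24):
        self.threshold = threshold
        self.prefix_len = prefix_len
        self.contacted = defaultdict(set)  # src -> distinct cross-cell dsts
        self.blocked = set()
        self.log = []

    def handle(self, src: str, dst: str) -> bool:
        """Process one connection attempt; True = forwarded, False = dropped."""
        # Within a cell the worm spreads unimpeded: no counting, no blocking.
        if cell_of(src, self.prefix_len) == cell_of(dst, self.prefix_len):
            return True
        if src in self.blocked:
            self.log.append(f"DROP  {src} -> {dst} (source already blocked)")
            return False
        seen = self.contacted[src]
        seen.add(dst)
        if len(seen) >= self.threshold:
            # The scan that reaches the threshold is the first one dropped.
            self.blocked.add(src)
            self.log.append(f"BLOCK {src} after {len(seen)} distinct destinations")
            return False
        return True


# Constructed sample traffic (not captured data).
BENIGN = "10.0.1.5"     # talks to a couple of servers, repeatedly
SCANNER = "10.0.1.7"    # probes its own cell, then 20 hosts in another cell
SAMPLE_FLOWS = (
    [(BENIGN, "10.0.2.10")] * 3
    + [(BENIGN, "10.0.3.20"), (BENIGN, "10.0.1.9")]
    + [(SCANNER, f"10.0.1.{i}") for i in range(1, 6)]     # intra-cell, uncounted
    + [(SCANNER, f"10.0.2.{i}") for i in range(1, 21)]    # cross-cell scan
)


def run_sample(threshold: int = THRESHOLD) -> dict:
    """Replay SAMPLE_FLOWS through one device and summarise the outcome."""
    dev = ContainmentDevice(threshold)
    forwarded = sum(1 for src, dst in SAMPLE_FLOWS if dev.handle(src, dst))
    return {
        "blocked": set(dev.blocked),
        "forwarded": forwarded,
        "total": len(SAMPLE_FLOWS),
        "scanner_distinct_at_block": len(dev.contacted[SCANNER]) if SCANNER in dev.blocked else None,
        "log": list(dev.log),
    }


if __name__ == "__main__":
    result = run_sample()
    for line in result["log"][:3]:
        print(line)
    print(f"forwarded {result['forwarded']} of {result['total']} flows; blocked {sorted(result['blocked'])}")
```

With the sample traffic the scanner is blocked on its tenth distinct cross-cell destination, its five intra-cell probes pass untouched (that is the cell model: containment only acts between cells), and the benign client, which reaches only two outside hosts, is never affected. The toy counts every distinct destination regardless of whether the connection succeeds; a rule that crude would flag legitimate busy hosts (mail relays, monitoring systems) and is exactly where the false-positive rate the abstract emphasises comes from, so a deployable detector must weigh the evidence far more carefully than this.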
Within an enterprise, containment operates by breaking the network into many small pieces, or cells. Within each cell (which might encompass just a single machine), a worm can spread unimpeded. But between cells, containment attempts to limit further infections by blocking outgoing connections fr