Proactive Worm Containment

 

Group 5

 

Ciera Brown, Jacob Hall, Tyeshia McDaniel, and Stacy Thompson

 

Key Words: Worms, Anti-Malware Technology, Proactive Worm Containment

 

Proactive Worm Containment (PWC) is a new software technology developed by researchers at Penn State University. It can detect and quarantine worms in milliseconds rather than minutes, which greatly limits how far they spread and how much damage they cause. PWC analyzes packet rates, the frequency of connections, and the diversity of connections to other networks. It can also release anything it has quarantined if the suspicion turns out to be unfounded.

 

 

A worm is a computer program that can copy itself from machine to machine. A worm can use up computer time and network bandwidth. A worm does not need an existing program to attach to. It uses a network to send copies of itself to other computer terminals on that network, and then on to other networks connected to that network.

 

 

Currently, the systems used to detect worms focus mainly on signature or pattern identification to determine whether or not to block traffic. The drawback of this method is that it is a very slow process. Several minutes can pass between when a signature-based system first recognizes a new worm and when it creates a new signature to stop it. Because a worm needs to spread quickly in order to do the most damage, this can be a big problem. “Our software looks for anomalies in the rate of diversity of connection requests going out of hosts,” says Peng Liu, lead researcher on PWC. In other words, the Proactive Worm Containment software looks for many different kinds of files, such as emails, coming out of computer terminals. When a host (computer terminal) with an abnormally high rate of connections is identified, the PWC software contains that host so that no packets with the worm code can be sent out.

 

 

To avoid dangerous false positives, the PWC system uses algorithmic techniques to double-check the initial diagnosis. After all, not all traffic showing these patterns is illegitimate. Any host identified as spreading a worm is disconnected from the host to which it is attempting to connect and spread.

 

 

Another great aspect of the Proactive Worm Containment system is that the software can be seamlessly integrated with existing signature-based worm filtering systems. This can save businesses money and trouble by eliminating the need for IT specialists to remove the old method of worm security. In addition, PWC researchers are currently beta testing the system. This will accommodate more businesses.

 

 

Although the PWC software can identify worms with fast-moving connection rates, it may miss slow-spreading worms, so it is not a 100% efficient technology. Peng Liu said that current technologies already pick up the slow-moving worms, so he and his team were more focused on the worms that spread extremely quickly and cause the most damage.
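The detect, contain, then double-check loop described in the preceding paragraphs, as an added sketch that is not PWC's own code. The thresholds, window sizes, function names and sample traffic are all assumptions constructed for illustration; the third sample host shows the slow-spreading case that never trips the alarm.

```python
from collections import defaultdict, deque

# Illustrative thresholds: assumptions for this sketch, not PWC's real parameters.
BURST_WINDOW = 0.05   # seconds examined for the initial alarm
BURST_DISTINCT = 5    # distinct destinations in that window that trigger containment
CHECK_WINDOW = 1.0    # seconds of held traffic used to double-check the alarm
SUSTAINED_RATE = 20   # distinct destinations per second that confirm a worm


def analyse_host(attempts):
    """attempts: time-sorted (timestamp, dst_ip) outbound connection attempts.
    Returns (verdict, number of attempts sent before containment)."""
    window = deque()
    for i, (ts, dst) in enumerate(attempts):
        window.append((ts, dst))
        while ts - window[0][0] > BURST_WINDOW:
            window.popleft()
        if len({d for _, d in window}) >= BURST_DISTINCT:
            # Contain immediately: this attempt and later ones are held, not sent.
            held = {d for t, d in attempts[i:] if t - ts <= CHECK_WINDOW}
            sustained = len(held) / CHECK_WINDOW >= SUSTAINED_RATE
            return ("confirmed" if sustained else "released"), i
    return "clean", len(attempts)


def classify(events):
    """events: (timestamp, src_host, dst_ip) tuples in any order."""
    per_host = defaultdict(list)
    for ts, host, dst in sorted(events):
        per_host[host].append((ts, dst))
    return {host: analyse_host(a) for host, a in per_host.items()}


# Constructed sample traffic (documentation address ranges, not real hosts).
EVENTS = (
    # fast scanner: a new destination every 5 ms for one second
    [(i * 0.005, "hostA", f"198.51.100.{i}") for i in range(200)]
    # page load: six destinations in 30 ms, then two repeat connections
    + [(10 + k * 0.005, "hostB", f"203.0.113.{k}") for k in range(6)]
    + [(10.4, "hostB", "203.0.113.0"), (10.9, "hostB", "203.0.113.1")]
    # slow scanner: a new destination every 2 s never trips the burst alarm
    + [(i * 2.0, "hostC", f"192.0.2.{i}") for i in range(20)]
)

if __name__ == "__main__":
    for host, (verdict, sent) in sorted(classify(EVENTS).items()):
        print(host, verdict, "attempts sent before containment:", sent)
```

With this sample, the fast scanner is confirmed after four attempts have left the host, the bursty but legitimate host is contained and then released, and the slow scanner is never flagged.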

 

 

In the last two years, the threat of Internet worms has receded. Criminals are now focused on more profitable types of malware, such as spam and spyware. Instead, the bad guys are using worms to infiltrate specific Internet channels. Yamanner is a worm that spread last year and only affected people with e-mail addresses at Yahoo.com or other Yahoo! Groups. The Storm worm affected people using AOL Messenger, Google Talk, and Yahoo Messenger.

 

 

The last computer worm to cause extreme monetary damage was called Mydoom. This worm hit in January of 2004 and impacted Windows operating systems. It targeted hundreds of thousands of e-mails worldwide. Computer security technicians estimated that Mydoom replicated itself over 250,000 times over a nine-hour period. In February 2004, analysts figured the Mydoom worm cost billions of dollars' worth of damage worldwide.

 

 

Proactive Worm Containment software will impact businesses by giving them the security they need with their computer networks. With employee abuses of the Internet on the rise, businesses are more vulnerable to all kinds of threats, including worms. With software designed to detect worm activity within milliseconds, IT people within a company can save valuable information.

 

 

The Proactive Worm Containment software promises to stop computer worms from spreading so quickly and causing so much damage. Penn State researcher Peng Liu estimates that if a computer network is infected with a worm, installing the PWC system could save its owners a lot of time and money by stopping the worm before it can replicate itself over and over. Instead of affecting 600,000 computer terminals and/or networks, perhaps only a few dozen infected packets may be sent out to other networks. This not only saves IT specialists a big headache, it can also save businesses tons of money.

Questions about Proactive Worm Containment (Group 5)

1. What does PWC stand for?

A. Packed Worm Constraint                 B. Parallel Worm Corridor

C. Proactive Worm Containment          D. Packet Worm Control

2. How does Proactive Worm Containment identify worms?

A. Packet Rate Analyses                       B. Frequency of connections

C. Diversity of connections                  D. ALL OF THE ABOVE

3. What university developed Proactive Worm Containment?

A. Penn State University                       B. UCA

C. Harvard                                             D. MIT

4. How does a computer worm cause the most damage?

A. Spreading quickly                            B. Email

C. Only affecting one terminal             D. Instant messaging

5. What’s one drawback to Proactive Worm Containment?

A. Cost                                                   B. It doesn’t detect slow-spreading worms

C. Isn’t compatible with other systems D. It’s too slow

6. Proactive Worm Containment can detect worms within:

A. Hours                                                 B. Days

C. Seconds                                             D. Milliseconds

7. Which worm affected Windows operating systems in January 2004 and caused billions of dollars worth of damage?

A. Kama Sutra                                        B. LoveBug

C. Mydoom                                             D. Slammer