We propose PWC, a proactive worm containment solution for enterprises. PWC can stop - instead of slowing down - an infected host from releasing worm scans as early as after merely 4 scans. Motivated by the observation that a worm uses a sustained outgoing packet rate, PWC gains infection awareness seconds before a signature or filter can be generated. To overcome denial-of-service possibly caused by such smoking signs of infection, PWC develops two new white detection (detecting who are uninfected) techniques: (a) the vulnerability time window lemma, and (b) the relaxation analysis. PWC is signature-free thus it is immunized from polymorphic worms and timely in containing. PWC is also resilient to containment evading. PWC is not sensitive to worm scan rate, and not protocol specific. Due to white detection, PWC causes minimal denial-of-service. Evaluation based on real traces and worm simulations demonstrates that PWC significantly outperforms Virus Throttle [1] in terms of number of released worm scans, number of hosts infected by local scans, and availability.
展开▼
