DocumentCode :
1957956
Title :
Security and Performance Aspects of an Agent-Based Link-Layer Vulnerability Discovery Mechanism
Author :
Al-Salloum, Ziyad S. ; Wolthusen, Stephen D.
Author_Institution :
Inf. Security Group, Univ. of London Egham, Egham, UK
fYear :
2010
fDate :
15-18 Feb. 2010
Firstpage :
549
Lastpage :
554
Abstract :
The identification of vulnerable hosts and subsequent deployment of mitigation mechanisms such as service disabling or installation of patches is both time-critical and error-prone. This is in part owing to the fact that malicious worms can rapidly scan networks for vulnerable hosts, but is further exacerbated by the fact that network topologies are becoming more fluid and vulnerable hosts may only be visible intermittently for environments such as virtual machines or wireless edge networks. In this paper we therefore describe and evaluate an agent-based mechanism which uses the spanning tree protocol (STP) to gain knowledge of the underlying network topology to allow both rapid and resource-efficient traversal of the network by agents as well as residual scanning and mitigation techniques on edge nodes. We report performance results, comparing the mechanism against a random scanning worm and demonstrating that network immunity can be largely achieved despite a very limited warning interval. We also discuss mechanisms to protect the agent mechanism against subversion, noting that similar approaches are also increasingly deployed in case of malicious code.
Keywords :
invasive software; software agents; agent-based link-layer vulnerability discovery mechanism; agent-based mechanism; malicious worms; mitigation mechanisms; network immunity; patches installation mechanism; residual scanning technique; service disabling mechanism; spanning tree protocol; virtual machines; wireless edge networks; Availability; Computer worms; Educational institutions; IEEE news; Information security; Laboratories; Network topology; Protection; Time factors; Virtual machining; Beneficial Computer Worms; Self-replicating code; Vulnerability Discovery;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Availability, Reliability, and Security, 2010. ARES '10 International Conference on
Conference_Location :
Krakow
Print_ISBN :
978-1-4244-5879-0
Type :
conf
DOI :
10.1109/ARES.2010.24
Filename :
5438039