On the Development of an Internetwork-Centric Defense for Scanning Worms

The speed with which Internet worms propagate, and their potential for carrying devastating payloads makes them a significant threat to the stability of the Internet. Current approaches for containing these worms are ineffective due to their completely local protection mechanisms - requiring complete deployment for global worm containment. This paper suggests an alternate approach wherein the containment mechanisms are moved within the network itself rather than at end-points. This internetwork-centric approach allows networks within the Internet to not only protect themselves, but also other networks that may not have the containment technology deployed. A novel reputation-based alerting mechanism is used to ensure fair and fast information sharing. The combination of the internetwork-centric containment and reputation-based alerting allows for the creation of an Internet-wide containment mechanism that provides greater protection against fast scanning worms than any previously proposed system, and at the same time providing unequaled resilience to false positives and malicious nodes