DAW: A Distributed Antiworm System

A worm automatically replicates itself across networks and may infect millions of servers in a short period of time. It is conceivable that the cyberterrorists may use a widespread worm to cause major disruption to the Internet economy. Much recent research concentrates on propagation models and early warning, but the defense against worms is largely an open problem. We propose a distributed antiworm architecture (DAW) that automatically slows down or even halts the worm propagation within an Internet service provider (ISP) network. New defense techniques are developed based on the behavioral difference between normal hosts and worm-infected hosts. Particularly, a worm-infected host has a much higher connection-failure rate when it randomly scans the Internet. This property allows DAW to set the worms apart from the normal hosts. We propose a temporal rate-limit algorithm and a spatial rate-limit algorithm, which makes the speed of worm propagation configurable by the parameters of the defense system. The effectiveness of the new techniques is evaluated analytically and by simulations.