CCIS Colloquium Spring 2005
"And you thought you were safe after SLAMMER, not so, Swarms not Zombies present the greatest risk to Our National Internet Infrastructure"
Speaker: Fernando C. Colon Osorio and Zachi Klopman (WPI System Security Research Laboratory)
Date: April 29, 2005
Talk: 11:00 a.m. 206 Egan Center
Abstract
In the early morning hours (05:30 GMT) of January 25, 2003, the fastest computer worm in recorded history began spreading throughout the Internet. Within 10 minutes after the first infected host (patient zero), 90 percent of all vulnerable hosts had been compromised, creating significant disruption to the global Internet infrastructure. Vern Paxson of the International Computer Science Institute and Lawrence Berkeley National Laboratory, in his analysis of SLAMMER, commented: "The Slammer worm spread so quickly that human response was ineffective."
From our perspective, the interesting part about the spread of SLAMMER is that it was a relatively unsophisticated worm with benign behavior, namely self-reproduction. Since SLAMMER, researchers across the United States and overseas have explored the behaviors of fast-spreading worms and have designed countermeasure strategies based primarily on rate detection and limiting algorithms. For example, Zhou, et al. proposed a scheme where a Kalman filter is used to detect the early propagation of a worm. Other researchers have proposed the use of detectors where rates of "Destination Unreachable" messages are monitored by firewalls, and a significant increase beyond "normal" alerts the organization to the potential presence of a worm. However, such strategies suffer from the "fighting the last WAR" syndrome. That is, systems are being designed and developed to effectively contain worms whose behaviors are similar to that of SLAMMER.
In this work, we put forth the hypothesis that next-generation worms will be radically different, and therefore such techniques will prove ineffective. Specifically, we propose to study a new generation of worms called "Swarm Worms", whose behavior is predicated on the concept of "emergent intelligence". Emergent Intelligence is the behavior of systems, very much like biological swarms such as ants or bees, where simple local interactions of autonomous swarm members, with simple primitives, give rise to complex and intelligent global behavior. In this talk we will introduce the basic principles behind the idea of "Swarm Worms", the nature of the intelligent behavior that emerges, as well as the basic structure required in order to be considered a "swarm worm", based on our definition. In addition, we will present preliminary results on the propagation speeds of one such swarm worm, called the ZachiK worm. We will show that ZachiK is capable of propagating at a rate 9,000 times faster than previously known worms.
* This work was conducted as part of a larger effort in the development of next generation Intrusion Detection & Countermeasure Systems at WSSRL. The work is conducted under the auspices of Grant ACG-2004-06 by the Acumen Consulting Group, Inc., Marlboro, Massachusetts.
Biography
Information on the speaker can be found at: http://www.cs.wpi.edu/People/faculty/fcco.html