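% Worm containment through a group defense mechanism, evaluated with an
% SSFnet-based microscopic simulation against random-scan worms (see abstract).
% month uses the predefined macro so the style can format and localise it;
% the unfilled opt* template placeholders were dropped (no style reads them).
@inproceedings{BriesemeisterPorras2005,
  author    = {Linda Briesemeister and Phillip Porras},
  title     = {Microscopic Simulation of a Group Defense Strategy},
  booktitle = {Proceedings of Principles of Advanced and Distributed Simulation (PADS)},
  month     = jun,
  year      = {2005},
  abstract  = {We introduce a novel worm containment strategy that integrates two complementary worm quarantine techniques.  The two techniques are linked, with one strategy employing the other as an indicator of worm infection.  A group defense mechanism shares such indicators among neighboring networks, and when enough corroboration occurs, the network engages in traffic filtering to halt infection attempts. \par We present an SSFnet-based microscopic simulation of the containment strategy against random scan worms, and explore various performance characteristics of the group defense mechanism. The simulation results help to characterize the conditions and degree to which the integrated quarantine strategy can both slow worm propagation and prevent the worm from reaching its full saturation potential.}
}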
% Reference for the SAL intermediate language (SRI International, 2003).
% The entry has no author, so the key field supplies the sorting/label text.
% The note carries the project URL via \url, which needs a url-aware setup.
@misc{SAL-language,
  key         = {SAL-language},
  title       = {The {SAL} intermediate language},
  institution = {SRI International},
  address     = {Computer Science Laboratory, SRI International, Menlo Park, CA},
  note        = {Computer Science Laboratory, SRI International, Menlo Park, CA. \url{http://sal.csl.sri.com/}},
  year        = {2003}
}
% SAL 2 paper from CAV 2004, published by Springer as LNCS volume 3114.
@inproceedings{SAL204:CAV,
  author    = {de Moura, L. and Owre, S. and Rue{\ss}, H. and Rushby, J. and Shankar, N. and Sorea, M. and Tiwari, A.},
  title     = {{SAL} 2},
  editor    = {Alur, R. and Peled, D.},
  booktitle = {Computer-Aided Verification, CAV},
  series    = {LNCS},
  volume    = {3114},
  pages     = {496--500},
  publisher = {Springer},
  month     = jul,
  year      = {2004}
}
% Pnueli's FOCS 1977 paper on the temporal logic of programs.
@inproceedings{Pnueli77:FOCS,
  author    = {Pnueli, A.},
  title     = {The temporal logic of programs},
  booktitle = {Proceedings of the 18th {IEEE} Symposium on Foundations of Computer Science},
  pages     = {46--67},
  year      = {1977}
}
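% Landwehr's survey of formal models for computer security (ACM Comput. Surv., 1981).
% doi holds the bare identifier rather than a hard-coded http resolver URL,
% so the style or tool builds the link with whatever resolver it is configured for.
@article{356852,
  author    = {Carl E. Landwehr},
  title     = {Formal Models for Computer Security},
  journal   = {ACM Comput. Surv.},
  volume    = {13},
  number    = {3},
  pages     = {247--278},
  year      = {1981},
  issn      = {0360-0300},
  doi       = {10.1145/356850.356852},
  publisher = {ACM Press},
  address   = {New York, NY, USA}
}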
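% Purdue technical report CSD TR 04-027 (May 2004).
% month uses the predefined macro instead of a literal month name.
% pdf and http are non-standard link fields; standard styles ignore them.
@techreport{jiang-worm,
  author      = {Xuxian Jiang and Dongyan Xu and Shan Lei and Paul Ruth and Jianzhong Sun},
  title       = {Worm Meets Beehive},
  institution = {Purdue University, Department of Computer Sciences},
  number      = {CSD TR 04-027},
  month       = may,
  year        = {2004},
  pdf         = {http://www.cs.purdue.edu/homes/dxu/pubs/Beehive-Tech-Report.pdf},
  http        = {http://citeseer.ist.psu.edu/711054.html}
}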
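% Graph-based network vulnerability analysis, ACM CCS 2002.
% doi holds the bare identifier rather than a hard-coded http resolver URL.
% NOTE(review): location is the conference venue and address the publisher city;
% biblatex treats address as an alias of location, so confirm the target toolchain.
@inproceedings{586140,
  author    = {Paul Ammann and Duminda Wijesekera and Saket Kaushik},
  title     = {Scalable, graph-based network vulnerability analysis},
  booktitle = {Proceedings of the 9th ACM conference on Computer and communications security (CCS)},
  pages     = {217--224},
  year      = {2002},
  location  = {Washington, DC, USA},
  isbn      = {1-58113-612-9},
  doi       = {10.1145/586110.586140},
  publisher = {ACM Press},
  address   = {New York, NY, USA}
}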
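% Evaluation of the worm-killing worm idea: prevention effect versus traffic cost
% (see abstract).
% The author list is separated with "and"; a semicolon is not a name separator
% and made BibTeX read the two authors as one name.
% month uses the predefined macro; doi holds the bare identifier.
% http is a non-standard link field; standard styles ignore it.
@inproceedings{KimKang2004,
  author    = {Hyogen Kim and Inhye Kang},
  title     = {On the functional validity of the worm-killing worm},
  booktitle = {Proceedings of the IEEE International Conference on Communications},
  volume    = {4},
  pages     = {1902--1906},
  month     = jun,
  year      = {2004},
  doi       = {10.1109/ICC.2004.1312851},
  http      = {http://ieeexplore.ieee.org/iel5/9179/29121/01312851.pdf?arnumber=1312851},
  abstract  = {The notion of worm-killing worm has been in the folklore for some time. However the obvious fear of the killer worm itself being compromised, or of any self-propagating code set loose (possibly over administrative boundaries), has barred serious exploration on the practical aspects of the idea. In this paper, we suspend such concerns momentarily, and investigate its functional validity. This effort is motivated by recent fast worm epidemics exemplified by that of SQL slammer, which was overwhelmingly faster than traditional human-intervened response. Specifically, this paper evaluates the killer worm in terms of the prevention effect and the incurred traffic cost. Above and beyond, we consider supplementary techniques that could boost the performance and mitigate the harmful side-effects of the worm-killing worm.}
}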
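% Epidemic-style worm propagation model with dynamic quarantine (InfoSecu 2004).
% doi holds the bare identifier rather than a hard-coded http resolver URL.
@inproceedings{1046305,
  author    = {Yun-Kai Zhang and Fang-Wei Wang and Yu-Qing Zhang and Jian-Feng Ma},
  title     = {Worm propagation modeling and analysis based on quarantine},
  booktitle = {Proceedings of the 3rd International Conference on Information Security (InfoSecu)},
  pages     = {69--75},
  year      = {2004},
  location  = {Shanghai, China},
  isbn      = {1-58113-955-1},
  doi       = {10.1145/1046290.1046305},
  abstract  = {In recent years, the worms that had a dramatic increase in the frequency and virulence of such outbreaks have become one of the major threats to the security of the Internet. In this paper, we provide a worm propagating model. It bases on the classical epidemic Kermack-Kermack model, adopts dynamic quarantine strategy, dynamic infecting rate and removing rate. The analysis shows that model can efficiently reduce a worm's propagation speed, which can give us more precious time to defend it, and reduce the negative influence of worms. The simulation results verify the effectiveness of the model.}
}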
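% Formal model of coordinated attacks and coordinated-attack graphs (FMSE 2003).
% doi holds the bare identifier rather than a hard-coded http resolver URL.
@inproceedings{1035434,
  author    = {Sviatoslav Braynov and Murtuza Jadiwala},
  title     = {Representation and analysis of coordinated attacks},
  booktitle = {Proceedings of the 2003 ACM workshop on Formal methods in security engineering (FMSE)},
  pages     = {43--51},
  year      = {2003},
  location  = {Washington, D.C.},
  isbn      = {1-58113-781-8},
  doi       = {10.1145/1035429.1035434},
  publisher = {ACM Press},
  address   = {New York, NY, USA},
  abstract  = {In this paper, we propose a formal model of coordinated attacks in which several attackers cooperate towards a common malicious goal. The model investigates both attack planning and vulnerability analysis, thereby providing a uniform approach to system and adversary modelling. In addition, the model is general enough to explain both coordinated and single attacks. \par In the paper, we define the notion of coordinated-attack graph, propose an algorithm for efficient generation of coordinated-attack graphs, demonstrate how coordinated-attack can be used for vulnerability analysis, and discuss an implementation of a coordinated-attack graph.\par Coordinated-attack graphs can facilitate a wide range of tasks, such as model checking, opponent modelling, intrusion response, sensor configuration, and so forth. In addition, they can be used in robotic warfare, where several intelligent software agents automatically produce and launch coordinated attacks.}
}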
% Survivability analysis of networked systems using injected failure and
% intrusion events and scenario graphs (ICSE 2001; see abstract).
@inproceedings{381505,
  author    = {Somesh Jha and Jeannette M. Wing},
  title     = {Survivability analysis of networked systems},
  booktitle = {Proceedings of the 23rd International Conference on Software Engineering (ICSE)},
  pages     = {307--317},
  year      = {2001},
  location  = {Toronto, Ontario, Canada},
  isbn      = {0-7695-1050-7},
  publisher = {IEEE Computer Society},
  address   = {Washington, DC, USA},
  abstract  = {Survivability is the ability of a system to continue operating despite the presence of abnormal events such as failures and intrusions. Ensuring system survivability has increased in importance as critical infrastructures have become heavily dependent on computers. In this paper we present a systematic method for performing survivability analysis of networked systems. An architect injects failure and intrusion events into a system model and then visualizes the effects of the injected events in the form of scenario graphs. Our method enables further global analyses, such as reliability, latency, and cost-benefit analyses, where mathematical techniques used in different domains are combined in a systematic manner. We illustrate our ideas on an abstract model of the United States Payment System.}
}
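% Annotated bibliography on analysing and detecting computer viruses and worms.
% doi holds the bare identifier rather than a hard-coded http resolver URL.
@article{568608,
  author    = {Prabhat K. Singh and Arun Lakhotia},
  title     = {Analysis and detection of computer viruses and worms: an annotated bibliography},
  journal   = {ACM SIGPLAN Notices},
  volume    = {37},
  number    = {2},
  pages     = {29--35},
  year      = {2002},
  issn      = {0362-1340},
  doi       = {10.1145/568600.568608},
  publisher = {ACM Press},
  address   = {New York, NY, USA},
  abstract  = {This annotated bibliography reviews research in analyzing and detecting computer viruses and worms. This document focuses on papers that give information about techniques and systems detecting malicious code.}
}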
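% Cooperative immunization system paper, IEEE ICON 2003.
% month uses the predefined macro instead of a literal month name.
@inproceedings{Anagnostakis2003,
  author    = {K. Anagnostakis and M. Greenwald and S. Ioannidis and A. Keromytis and D. Li},
  title     = {A Cooperative Immunization System for an Untrusting {Internet}},
  booktitle = {Proceedings of the 11th IEEE International Conference on Networks (ICON)},
  location  = {Sydney, Australia},
  month     = sep,
  year      = {2003}
}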
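% Cooperative response strategies for large-scale attack mitigation (DISCEX 3, 2003).
% month uses the predefined macro instead of a literal month name.
@inproceedings{Nojiri2003,
  author    = {D. Nojiri and J. Rowe and K. Levitt},
  title     = {Cooperative Response Strategies for Large Scale Attack Mitigation},
  booktitle = {Proceedings of the 3rd DARPA Information Survivability Conference and Exposition},
  location  = {Washington DC, USA},
  month     = apr,
  year      = {2003}
}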
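% Evaluation of worm containment algorithms and their effect on legitimate
% traffic (IWIA 2005).
% Initials are space-separated so BibTeX sees two given-name tokens; glued
% initials are treated as one token and the second initial is lost when abbreviated.
% month uses the predefined macro instead of a literal month name.
@inproceedings{Abdelhafez05,
  author    = {M. Abdelhafez and G. F. Riley},
  title     = {Evaluation of Worm Containment Algorithms and Their Effect on Legitimate Traffic},
  booktitle = {Third IEEE International Workshop on Information Assurance (IWIA)},
  location  = {College Park, Maryland},
  month     = mar,
  year      = {2005}
}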
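% Comparison of passive and active worm defenses (QEST 2004).
% month uses the predefined macro instead of a literal month name.
% pdf is a non-standard link field; standard styles ignore it.
@inproceedings{Liljenstam04,
  author    = {Michael Liljenstam and David M.~Nicol},
  title     = {Comparing passive and active worm defenses},
  booktitle = {Proceedings of the First International Conference on the Quantitative Evaluation of Systems (QEST)},
  pages     = {18--27},
  month     = sep,
  year      = {2004},
  pdf       = {http://www.linklings.net/MOSES/papers/qest-242.pdf}
}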
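% Directed-graph epidemiological models of computer viruses (IEEE S&P 1991).
% The trailing period was removed from the title: styles add their own
% punctuation, so a stored period produces a doubled one in the output.
@inproceedings{Kephart91,
  author    = {Jeffrey O. Kephart and Steve R. White},
  title     = {Directed-Graph Epidemiological Models of Computer Viruses},
  booktitle = {IEEE Symposium on Security and Privacy},
  location  = {Oakland, CA},
  year      = {1991}
}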
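% Worm simulation model used to generate realistic input traffic for evaluating
% a worm detection and tracking system (WORM 2003; see abstract).
% doi holds the bare identifier rather than a hard-coded http resolver URL.
@inproceedings{Liljenstam-WORM03,
  author    = {Michael Liljenstam and David M.~Nicol and Vincent H.~Berk and Robert S.~Gray},
  title     = {Simulating realistic network worm traffic for worm warning system design and testing},
  booktitle = {Proceedings of the 2003 ACM workshop on Rapid Malcode (WORM)},
  pages     = {24--33},
  year      = {2003},
  location  = {Washington, DC, USA},
  isbn      = {1-58113-785-0},
  doi       = {10.1145/948187.948193},
  publisher = {ACM Press},
  abstract  = {Reproducing the effects of large-scale worm attacks in a laboratory setup in a realistic and reproducible manner is an important issue for the development of worm detection and defense systems. In this paper, we describe a worm simulation model we are developing to accurately model the large-scale spread dynamics of a worm and many aspects of its detailed effects on the network. We can model slow or fast worms with realistic scan rates on realistic IP address spaces and selectively model local detailed network behavior. We show how it can be used to generate realistic input traffic for a working prototype worm detection and tracking system, the Dartmouth ICMP BCC: System/Tracking and Fusion Engine (DIB:S/TRAFEN), allowing performance evaluation of the system under realistic conditions. Thus, we can answer important design questions relating to necessary detector coverage and noise filtering without deploying and operating a full system. Our experiments indicate that the tracking algorithms currently implemented in the DIB:S/TRAFEN system could detect attacks such as Code Red v2 and Sapphire/Slammer very early, even when monitoring a quite limited portion of the address space, but more sophisticated algorithms are being constructed to reduce the risk of false positives in the presence of significant ``background noise'' scanning.}
}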
% Commun. ACM article on cyber defense technology networking and evaluation.
% NOTE(review): the key suffix says 03 while year is 2004, and no pages are
% recorded; confirm against the publisher record.
@article{Bajcsy03,
  author    = {R. Bajcsy and T. Benzel and M. Bishop and B. Braden and C. Brodley and S. Fahmy and S. Floyd and W. Hardaker and A. Joseph and G. Kesidis and K. Levitt and B. Lindell and P. Liu and D. Miller and R. Mundy and C. Neuman and R. Ostrenga and V. Paxson and P. Porras and C. Rosenberg and J. D. Tygar and S. Sastry and D. Sterne and S. F. Wu},
  title     = {Cyber defense technology networking and evaluation},
  journal   = {Commun. ACM},
  year      = {2004},
  volume    = {47},
  number    = {3},
  address   = {New York, NY, USA},
  publisher = {ACM Press}
}
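% Distributed anti-worm architecture (DAW) that rate-limits hosts with high
% connection-failure rates to slow worm propagation (ICDCS 2004; see abstract).
% The entry declared the http field twice; BibTeX keeps only the first and warns
% about the extra, so the second link was silently dropped. The publisher page now
% lives in the standard url field and the first http value is unchanged.
% month uses the predefined macro; Internet is brace-protected against recasing.
@inproceedings{chen04slowing,
  author    = {Shigang Chen and Yong Tang},
  title     = {Slowing Down {Internet} Worms},
  booktitle = {Proceedings of the 24th International Conference on Distributed Computing Systems (ICDCS)},
  pages     = {312--319},
  month     = mar,
  year      = {2004},
  publisher = {IEEE Computer Society},
  http      = {http://citeseer.ist.psu.edu/chen04slowing.html},
  url       = {http://csdl.computer.org/comp/proceedings/icdcs/2004/2086/00/20860312abs.htm},
  abstract  = {An Internet worm automatically replicates itself to vulnerable systems and may infect hundreds of thousands of servers across the Internet. It is conceivable that the cyber-terrorists may use a wide-spread worm to cause major disruption to our Internet economy. While much recent research concentrates on propagation models, the defense against worms is largely an open problem. We propose a distributed anti-worm architecture (DAW) that automatically slows down or even halts the worm propagation. New defense techniques are developed based on behavioral difference between normal hosts and worm-infected hosts. Particulary, a worm-infected host has a much higher connection-failure rate when it scans the Internet with randomly selected addresses. This property allows DAW to set the worms apart from the normal hosts. We propose a temporal rate-limit algorithm and a spatial rate-limit algorithm, which makes the speed of worm propagation configurable by the parameters of the defense system. DAW is designed for an Internet service provider to provide the anti-worm service to its customers. The effectiveness of the new techniques is evaluated analytically and by simulations.}
}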
