Computer Science Department
School of Computer Science, Carnegie Mellon University


Taxonomy and Effectiveness of Worm Defense Strategies

David Brumley, Li-Hao Liu*, Pongsin Poosankam, Dawn Song

June 2005

Keywords: Worms, worm propagation, defense strategy analysis, proactive protection, probabilistic protection, address space randomization, worm blacklisting, worm antibody, worm containment, automatic worm containment

While it is important to develop effective worm defense techniques, most previous work has focused on a single point in the design space. The sheer complexity and size of the design space of worm defense requires a more systematic study of the design space.

We give the first systematic investigation of the design space of worm defense system strategies. We accomplish this by providing a taxonomy of defense strategies by abstracting away implementation-dependent and approach-specific details and concentrating on the fundamental properties of each defense category. Our taxonomy and analysis reveals the key parameters for each strategy that determine its effectiveness. We provide a theoretical foundation for understanding how these parameters interact, as well as simulation-based analysis of how these strategies compare as worm defense systems. Finally, we offer recommendations based upon our taxonomy and analysis on which worm defense strategies are most likely to succeed. In particular, we show that a hybrid approach combining Proactive Protection and Reactive Antibody Defense is the most promising approach and can be effective even against the fastest worms such as hitlist worms. Thus, we are the first to demonstrate that it is possible to defend against the fastest worms such as hitlist worms.

22 pages

*Information Networking Institute, Carnegie Mellon University

Return to: SCS Technical Report Collection
School of Computer Science

This page maintained by