
Simulation and detection of self-propagating worms and viruses

Posted on: 2005-11-07 | Degree: Ph.D | Type: Dissertation
University: State University of New York at Stony Brook | Candidate: Gupta, Ajay Kumar | Full Text: PDF
GTID: 1453390008999539 | Subject: Computer Science
Abstract/Summary:
Large-scale attacks generated by fast-spreading worms and viruses have emerged as a major threat to the Internet. These worms are capable of infecting and crippling substantial portions of the Internet, as well as the enterprise networks of large public and private agencies, in a very short time. This dissertation studies the behavior of such viruses and examines the problem of their detection and containment. It develops a simulation testbed to study the propagation and threat potential of self-propagating viruses. Using the testbed, we have developed a new approach for detecting self-propagating worms/viruses based on statistical anomaly detection. Our approach assumes that a key characteristic of a worm/virus attack is an increase in application-based network traffic, which will eventually overwhelm servers and clients. We tested the effectiveness of our detection approach for email-based viruses in an intranet setting. Our results establish that the approach is effective in detecting attacks with a low rate of false alarms. In most cases, attacks were detected early enough that clean-up efforts needed to target only a fraction of the clients in the intranet. We also report results using a more accurate traffic model, in which the email traffic was generated directly from the logs stored on an email server.

Finally, we report on experiments with a novel approach for cleaning up virus infections based on the model of "predators" in an ecosystem. The predator approach harnesses the power of P2P networks to eliminate bandwidth bottlenecks on servers that distribute patches. Moreover, predators can use information available on the machines being cleaned up to track the propagation of viruses through the network, and thus significantly improve both the speed and the effectiveness of the clean-up effort.
Keywords/Search Tags: Viruses, Worms, Detection, Self-propagating