Sciweavers

TPDS
2008

Tracing Worm Break-In and Contaminations via Process Coloring: A Provenance-Preserving Approach

To detect and investigate self-propagating worm attacks against networked servers, the following capabilities are desirable: (1) raising timely alerts to trigger a worm investigation, (2) determining the break-in point of a worm, i.e. the vulnerable service from which the worm infiltrates the victim, and (3) identifying all contaminations inflicted by the worm during its residence in the victim. In this paper, we argue that the worm break-in provenance information has not been exploited in achieving these capabilities and thus propose process coloring, a new approach that preserves worm break-in provenance information and propagates it along operating system level information flows. More specifically, process coloring assigns a "color", a unique system-wide identifier, to each remotely-accessible server process. The color will be either inherited by spawned child processes or diffused transitively through process actions. Process coloring achieves three new capabilities: col...
Added 15 Dec 2010
Updated 15 Dec 2010
Type Journal
Year 2008
Where TPDS
Authors Xuxian Jiang, Florian P. Buchholz, Aaron Walters, Dongyan Xu, Yi-Min Wang, Eugene H. Spafford