[Colloq] Talk by Fernando C. Colon Osorio, hosted by NU Computer Architecture Research Laboratory

Rachel Kalweit rachelb at ccs.neu.edu
Wed Apr 27 13:32:48 EDT 2005


The Northeastern University Computer Architecture Research Laboratory
is pleased to welcome Prof. Fernando C. Colon Osorio, who will be
talking about his work in the area of Information Security and Swarm
Worms.

Date: Friday, April 29
Time: 11:00am
Place: 206 Egan Center

Title:
"And you thought you were safe after SLAMMER, not so, Swarms not Zombies
present the greatest risk to Our National Internet Infrastructure"

Presenters:
Fernando C. Colon Osorio and Zachi Klopman
WPI System Security Research Laboratory
Worcester Polytechnic Institute

Abstract:
In the early morning hours (05:30 GMT) of January 25, 2003 the
fastest computer worm in recorded history began spreading throughout the
Internet. Within 10 minutes after the first infected host (patient 
zero), 90 percent of all vulnerable hosts had been compromised, creating
significant disruption to the global Internet infrastructure.  Vern
Paxson of the International Computer Science Institute and Lawrence
Berkeley National Laboratory in his analysis of SLAMMER commented:
"The Slammer worm spread so quickly that human response was ineffective."

The interesting part from our perspective about the spread of SLAMMER is
that it was a relatively unsophisticated worm with benign behavior, 
namely self-reproduction. Since SLAMMER, researchers across the United 
States and overseas have explored the behaviors of fast spreading worms, 
and have designed countermeasure strategies based primarily on rate
detection and limiting algorithms. For example, Zhou, et al. proposed a 
scheme where a Kalman filter is used to detect the early propagation of 
a worm. Other researchers have proposed the use of detectors where rates 
of "Destination Unreachable" messages are monitored by firewalls, and a
significant increase beyond "normal" alerts the organization to the
potential presence of a worm. However, such strategies suffer from the
"fighting the last WAR" syndrome.  That is, systems are being designed 
and developed to effectively contain worms whose behaviors are similar 
to that of SLAMMER.

In this work, we put forth the hypothesis that next generation
worms will be radically different, and therefore such techniques will 
prove ineffective.  Specifically, we propose to study a new generation 
of worms called "Swarm Worms", whose behavior is predicated on the 
concept of "emergent intelligence". Emergent Intelligence is the 
behavior of systems, very much like biological swarms such as ants or 
bees, where simple local interactions of autonomous swarm members, with 
simple primitives, give rise to complex and intelligent global
behavior. In this talk we will introduce the basic principles behind the 
idea of "Swarm Worms", the nature of the intelligent behavior that 
emerges, as well as the basic structure required in order to be 
considered a "swarm worm", based on our definition. In addition, we will 
present preliminary results on the propagation speeds of one such swarm 
worm, called the ZachiK worm.  We will show that ZachiK is capable of 
propagating at a rate 9,000 times faster than previously known worms.

______________________________________

* This work was conducted as part of a larger effort in the development of
next generation Intrusion Detection & Countermeasure Systems at WSSRL.
The work is conducted under the auspices of Grant ACG-2004-06 by the
Acumen Consulting Group, Inc., Marlboro, Massachusetts.

Information on the speaker can be found at:
http://www.cs.wpi.edu/People/faculty/fcco.html



