This project is developing an automated defense system for enterprise networks against malicious code attacks such as worms, viruses and spyware. This system responds to attacks by dynamically and selectively quarantining hosts, services, and other networked devices. Traditional containment systems based on firewalls and individual host isolation are not adequate for containing the new generation of local-scanning, topological, metaserver and contagion worms that can spread very quickly through an enterprise. Further, these systems do not provide enterprise-wide protection of essential services during such quarantine. To address these shortcomings, a comprehensive enterprise defense framework, called SeQuEN (Service Quarantine in Enterprise Networks), is being developed, implemented and evaluated. SeQuEN automatically identifies hosts, routers and switches for quarantine based on their service interactions ("behaviors") instead of the physical topology of the network. Since most viruses and worms target specific services and the underlying vulnerabilities, the service-centric quarantine in SeQuEN is expected to achieve fast containment of malicious attacks. Further, SeQuEN enhances the survivability of an operational network by maintaining essential services when a network-wide quarantine is activated upon attack detection. This is achieved by partitioning the service topology into a number of quarantine zones while providing service distribution and replication. SeQuEN is also being integrated within an Attack Simulation Engine (ASE) to simulate different types of malicious code attacks, such as topological, local-scanning worms and spybots. The effectiveness of the quarantine algorithms in SeQuEN is being evaluated using network traces collected from a class-2 IP network.

Agency: National Science Foundation (NSF)
Institute: Division of Computer and Network Systems (CNS)
Type: Standard Grant (Standard)
Application #: 0523932
Program Officer: D. Helen Gill
Project Start:
Project End:
Budget Start: 2005-09-01
Budget End: 2012-08-31
Support Year:
Fiscal Year: 2005
Total Cost: $405,999
Indirect Cost:

Name: University of Michigan Ann Arbor
Department:
Type:
DUNS #:
City: Ann Arbor
State: MI
Country: United States
Zip Code: 48109