This proposal addresses the important problem of coping with the ever more intelligent worms that are beginning to be launched by attackers and that are likely to become much more prevalent in the near future.

The research will design and implement a class of deception-based schemes to deter malware infection and immunize hosts against smart worms that attempt to avoid detection; such worms are called "stealthy." The proposal identifies lightweight fingerprinting-based deception as a way to disguise regular hosts as honeypot systems, the kind of systems that worms attempt to avoid. The proposal also addresses the creation of fake fingerprints that make hosts appear to run OSes and services that are not attractive targets for malware. Deterrence is another closely related technique that will be explored, for example in the form of resource restriction and counter-characterization to make what should be attractive targets uninteresting to worms. The work will focus on polymorphic and evasive worms, the kind that are likely to appear soon.

The key idea is to trick those evasive worms into thinking they are being actively checked by the detection algorithms they want to avoid. By deliberately imitating the environments that stealthy worms want to evade, the proposed worm defense system will prevent many stealthy worms from infecting important hosts.

This is the first work aimed at exploiting the evasive nature of stealthy worms so that such worms will neutralize themselves.

Agency: National Science Foundation (NSF)
Institute: Division of Computer and Network Systems (CNS)
Type: Standard Grant (Standard)
Application #: 0650386
Program Officer: Karl Levitt
Project Start:
Project End:
Budget Start: 2006-09-15
Budget End: 2008-02-29
Support Year:
Fiscal Year: 2006
Total Cost: $99,999
Indirect Cost:

Name: University of Michigan Ann Arbor
Department:
Type:
DUNS #:
City: Ann Arbor
State: MI
Country: United States
Zip Code: 48109