Foresight: Countering Malware through Cooperative Forensics Sharing


With the Internet's rapid growth has come a proportional increase in exposure to attacks, misuse and abuse. Modern viruses and worms are causing damage much more quickly than those created in the past. The fast replication and epidemic nature of the spreads limits the time security experts have to respond and be able to protect and fortify their systems. A pathogen might infect thousands of machines and cascade across the network producing consequences that could overwhelm the internet very quickly. Such attacks have the potential of making a human response to them all but ineffective. While pathogens are becoming much more aggressive, there is also a significant delay between the identification of a new threat and the generation of a cure for it. Worms and viruses have been able to cause significant damage in this 'submission to cure generation' window of vulnerability. Having timely and credible security information is thus becoming critical to network and security management.

The main hypothesis behind our research is that sharing threat information and forensic evidence among cooperating domains yields important benefits for dealing with modern-day pathogens in a timely fashion. The idea is that each host might have incomplete, approximate or inexact information about a particular threat or attack. We can get a more comprehensive view of the extent and nature of developing threats by observing suspect behavior and combining information gathered from different vantage points. A better understanding of the pathogen allows for effective and timely immunization in order to thwart epidemic cascading of threats. We also propose cooperative policing mechanisms as an effective approach to trace large-scale distributed threats like DDoS attacks. Increased cooperation amongst domains helps to mitigate such attacks nearer to their sources so that their effects on the overall network are minimized.

This thesis leverages experiences and ideas from the fields of cryptography, machine learning, security and multi-agent systems to build Foresight: an internet-scale threat analysis, indication, early warning and response architecture. Foresight allows cooperating domains to share a global threat view in order to detect zero-day pathogens and isolate them using cooperative policing mechanisms.

- We describe a novel behavioral signature scheme to extract a generalized footprint for multi-modal threats. Blended or multi-modal threats combine the characteristics of viruses, worms, trojan horses and malicious code to initiate, transmit and spread attacks. By using multiple methods and techniques, blended threats can quickly spread and surpass defenses that address only a single type of malicious activity and hence are much more difficult to defend against. System performance analysis, through trace-based simulations, shows significant benefits for sharing forensics data between cooperating domains.

- We present Mail-trap, an anomaly-based system that catches zero-day email-borne pathogens and retards their growth through effective behavior monitoring of mail traffic and active forensics sharing between cooperating domains. Mail-trap relies on Foresight's cooperative policing model to identify and pre-empt email-borne threats. Our results show that behavior monitoring alone can be an effective tool for malware detection. Cooperation amongst domains greatly increases the effectiveness of our approach: domains are able to pre-empt attacks and respond to malware behavior that they have not seen before. We also analyze various immunization/prevention and containment techniques.
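The two points above, that each domain holds only a partial view of a developing threat and that pooling behavioral footprints of mail traffic lets domains act on behavior they have not seen locally, can be illustrated with a small simulation. The following Python is an added example written for this page; it is not Mail-trap or any other code from the dissertation, and its features (distinct recipients per sender and attachment), thresholds, domain names and attachment identifiers are all constructed assumptions chosen to make the effect visible.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class MailEvent:
    """One message as seen by a domain's mail gateway (constructed sample data)."""
    domain: str         # domain whose gateway observed the message
    sender: str
    recipient: str
    attachment_id: str  # stands in for an attachment hash; placeholder values below


# Constructed traffic: a fan-out of one attachment is split across two domains, so
# neither domain alone sees enough recipients to cross its local threshold.
EVENTS = [
    # Benign: one user mails a report to two colleagues
    MailEvent("a.example", "alice@corp.test", "bob@a.example", "att-report"),
    MailEvent("a.example", "alice@corp.test", "carol@a.example", "att-report"),
    # Suspicious fan-out, three recipients visible in each domain
    MailEvent("a.example", "mailer@bulk.test", "u1@a.example", "att-worm"),
    MailEvent("a.example", "mailer@bulk.test", "u2@a.example", "att-worm"),
    MailEvent("a.example", "mailer@bulk.test", "u3@a.example", "att-worm"),
    MailEvent("b.example", "mailer@bulk.test", "v1@b.example", "att-worm"),
    MailEvent("b.example", "mailer@bulk.test", "v2@b.example", "att-worm"),
    MailEvent("b.example", "mailer@bulk.test", "v3@b.example", "att-worm"),
    # Fan-out that a single domain can flag on its own
    MailEvent("b.example", "promo@shop.test", "w1@b.example", "att-promo"),
    MailEvent("b.example", "promo@shop.test", "w2@b.example", "att-promo"),
    MailEvent("b.example", "promo@shop.test", "w3@b.example", "att-promo"),
    MailEvent("b.example", "promo@shop.test", "w4@b.example", "att-promo"),
]

LOCAL_THRESHOLD = 4   # distinct recipients of one (sender, attachment) seen by one domain
GLOBAL_THRESHOLD = 6  # same measure after the domains pool their footprints (assumed)


def local_footprints(events, domain):
    """Per-domain behavioral footprint: (sender, attachment) -> recipients observed."""
    footprints = defaultdict(set)
    for e in events:
        if e.domain == domain:
            footprints[(e.sender, e.attachment_id)].add(e.recipient)
    return footprints


def local_alerts(footprints, threshold=LOCAL_THRESHOLD):
    """Signatures a domain would raise from its own vantage point."""
    return {sig for sig, rcpts in footprints.items() if len(rcpts) >= threshold}


def pooled_alerts(per_domain, threshold=GLOBAL_THRESHOLD):
    """Signatures that only cross the line once the domains' footprints are merged."""
    merged = defaultdict(set)
    for footprints in per_domain.values():
        for sig, rcpts in footprints.items():
            merged[sig] |= rcpts
    return {sig for sig, rcpts in merged.items() if len(rcpts) >= threshold}


def share_alerts(events, domains):
    """Build the shared alert set: signature -> domains that contributed evidence."""
    per_domain = {d: local_footprints(events, d) for d in domains}
    alerts = {}
    for d, footprints in per_domain.items():
        for sig in local_alerts(footprints):
            alerts.setdefault(sig, set()).add(d)
    for sig in pooled_alerts(per_domain):
        witnesses = {d for d, fp in per_domain.items() if sig in fp}
        alerts.setdefault(sig, set()).update(witnesses)
    return alerts


def should_quarantine(event, alerts):
    """A domain applies the shared signature even if it never saw the sender before."""
    return (event.sender, event.attachment_id) in alerts


if __name__ == "__main__":
    shared = share_alerts(EVENTS, ["a.example", "b.example"])
    for sig, witnesses in sorted(shared.items()):
        print(f"alert {sig} reported by {sorted(witnesses)}")
    newcomer = MailEvent("c.example", "mailer@bulk.test", "x@c.example", "att-worm")
    print("c.example quarantines first sighting:", should_quarantine(newcomer, shared))
```

Run on the constructed data, neither a.example nor b.example flags the `att-worm` fan-out on its own, the pooled footprint does, and a third domain that has never seen the sender can quarantine the first message it receives. The promo fan-out shows the ordinary single-domain path still works alongside the cooperative one.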

- We present AMP, a service architecture for countering distributed denial of service attacks using alert sharing and cooperative policing mechanisms. Our simulation architecture enables us to test the system with actual benign and worm traffic traces and realistic network topologies. AMP does not require universal deployment and is complementary to other schemes for countering DDoS attacks; with the use of collaborative policing techniques, however, the performance of the scheme can be improved greatly.

- We also present a prototype implementation for Paranoid, a novel global secure file sharing mechanism which can be used to allow secure resource access across administrative domains. We describe the design of a trust-based cooperation scheme to create a global community which is more accountable and hence less vulnerable to attacks and abuse.





Zaffar, Fareed M (2008). Foresight: Countering Malware through Cooperative Forensics Sharing. Dissertation, Duke University. Retrieved from


Duke's student scholarship is made available to the public using a Creative Commons Attribution / Non-commercial / No derivative (CC-BY-NC-ND) license.