Feedback Email Worm Defense System for Enterprise Networks

Cliff C. Zou*, Weibo Gong*, Don Towsley
*Dept. Electrical & Computer Engineering; Dept. Computer Science
University of Massachusetts, Amherst
Technical Report: TR-04-CSE-05
April 16, 2004

ABSTRACT

As email becomes one of the most convenient and indispensable communication mediums in our life, it is very important to protect email users from increasing email worm attacks. In this paper, we present the architecture and system design of a feedback email worm defense system to protect email users in enterprise networks. The defense system is flexible and able to integrate many existing detection techniques to provide effective and efficient email worm defense. First, in response to a detection score of a detected worm email and information on the possible appearance of a malicious email worm in the global Internet, the defense system adaptively chooses a cost-effective defense action that can range from simply labelling this email to aggressively deleting it from an email server. Second, the system uses honeypots to thoroughly detect worm emails received by email servers and also to detect early the presence of an email worm in the global Internet. Third, the defense system implements a multi-sifting detection technique and differential email service to achieve accurate detection without causing much delay on most emails. Furthermore, the defense system separates email attachments from email texts and saves attachments in separate attachment caching servers, which facilitates both email worm detection and email service efficiency.

1. INTRODUCTION

Email worms are malicious computer programs that propagate through email attachments: when an email user clicks and executes a worm program in an email attachment, the worm runs with the email user's privilege to compromise the user's computer; then it finds all email addresses stored on this computer and sends out worm emails to these addresses. Email is one of the most convenient and indispensable communication mediums in our life. However, email worms keep attacking us with increasing intensity and using more advanced social engineering tricks. Melissa in 1999, Love Letter in 2000 and W32/Sircam in 2001 spread throughout the Internet and caused millions or even billions of dollars in damage. In 2003, the SoBig series attacked the Internet several times with the goal of creating spam proxies on compromised computers. In January and February 2004, MyDoom infected more computers than any previous email worm by using clever social engineering techniques to lure email users to execute worm code attachments. In most cases MyDoom hid its worm code in a compressed attachment file. To prevent anti-virus software from checking email attachments, the recent Bagle series email worms began to use password-protected com-...
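The abstract describes two mechanisms that are easy to make concrete: the graduated choice of a defense action from a detection score combined with a global-Internet worm alert, and the separation of attachments from email text into a content-addressed attachment cache. The following is an added illustration written for this page, not code from the report or its authors; the score thresholds, the action names, the "one step more aggressive under a global alert" rule and the sample message are all assumptions, since the report excerpt gives no numeric values.

```python
"""Toy policy engine in the spirit of the feedback email worm defense
architecture: split attachments from the text body, cache them by
content hash, and pick a graduated defense action from a detection
score plus a global-Internet worm alert flag.

All thresholds, action names and the sample message are assumptions made
for this example; none of them are taken from the technical report.
"""
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Graduated defense actions, cheapest first (assumed names).
DELIVER, LABEL, HOLD, DELETE = "deliver", "label", "hold", "delete"

# Assumed score thresholds on a detection score in [0, 1].
LABEL_THRESHOLD = 0.3
HOLD_THRESHOLD = 0.6
DELETE_THRESHOLD = 0.9
# Assumed rule: when honeypots report the worm spreading in the global
# Internet, the same score is treated more aggressively by this shift.
GLOBAL_ALERT_SHIFT = 0.2


def choose_action(score: float, global_alert: bool) -> str:
    """Map a detection score and the global alert flag to one defense action."""
    if not 0.0 <= score <= 1.0:
        raise ValueError("detection score must be in [0, 1]")
    effective = min(1.0, score + (GLOBAL_ALERT_SHIFT if global_alert else 0.0))
    if effective >= DELETE_THRESHOLD:
        return DELETE
    if effective >= HOLD_THRESHOLD:
        return HOLD          # held back for the slower, thorough checks
    if effective >= LABEL_THRESHOLD:
        return LABEL         # delivered, but marked as suspicious
    return DELIVER


class AttachmentCache:
    """Content-addressed store standing in for the attachment caching servers.

    Identical attachment bytes (the usual case for a worm outbreak) are stored
    once, so a detection verdict on one digest applies to every copy.
    """

    def __init__(self):
        self._store = {}

    def put(self, data: bytes) -> str:
        digest = hashlib.sha256(data).hexdigest()
        self._store.setdefault(digest, data)
        return digest

    def get(self, digest: str):
        return self._store.get(digest)

    def __len__(self) -> int:
        return len(self._store)


def split_message(raw: bytes, cache: AttachmentCache):
    """Return (text body, [(filename, digest), ...]) after moving attachments to the cache."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        attachments.append((part.get_filename(), cache.put(payload)))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    return body.strip(), attachments


def build_sample_message() -> bytes:
    """Constructed sample message (not real worm traffic): a text body plus one zip attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "photos"
    msg.set_content("See attached.")
    msg.add_attachment(b"PK\x03\x04 placeholder zip bytes", maintype="application",
                       subtype="zip", filename="photos.zip")
    return msg.as_bytes()


def process(raw: bytes, score: float, global_alert: bool, cache: AttachmentCache) -> dict:
    """Split one message into the cache and decide what to do with it.

    The detection score is an input here: the report leaves the scoring to
    whichever existing detection techniques the system integrates.
    """
    body, attachments = split_message(raw, cache)
    return {"body": body, "attachments": attachments,
            "action": choose_action(score, global_alert)}


if __name__ == "__main__":
    cache = AttachmentCache()
    raw = build_sample_message()
    print(process(raw, 0.5, False, cache))   # labelled
    print(process(raw, 0.5, True, cache))    # held: same score, global alert on
    print(len(cache), "distinct attachment(s) cached")
```

The point of the cache is that the same worm attachment arriving thousands of times collapses to one digest, so a single thorough analysis (the honeypot or multi-sifting check described in the abstract) can be applied to all copies without re-scanning each message, which is what lets the system stay accurate without delaying most mail.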