• computer crime;
  • network security;
  • system security;
  • worm


In this paper, we propose an automatic defense system, called Serum System, against scanning worms. The homeland security department of a country can use Serum System to protect its Internet infrastructure. When an infecting host is infecting a Serum System host, called Serum System Server (SSS), the SSS automatically replaces the shellcode inside the infecting string with its code (called serum code) and then uses the modified string (called serum string) to counterattack the infecting host and takes control of it. The serum code transforms the infecting host into a Serum System Client (SSC) that has the same functions as the SSS and is immune to the same worm. Therefore, infecting hosts attacking SSSs or SSCs will transform themselves into SSCs. We implemented Serum System on Linux and also built a mathematical model for Serum System to analyze its effectiveness and bandwidth savings. Our analyses show that with only a small number of SSSs and through chain counterattacks, Serum System can automatically and rapidly defeat related infected hosts. Compared with white worms whose spread cannot be controlled, Serum System only spreads on infected hosts. The amount of accumulative traffic saved by Serum System at time tick 450 reached 90%. Copyright © 2014 John Wiley & Sons, Ltd.