Blockchain-based containment of computer worms




Elsayed, Mohamed Ahmed Seifeldin Mohamed

Journal Title

Journal ISSN

Volume Title



Information technology systems are essential for most businesses as they facilitate the handling and sharing of data and the execution of tasks. Due to connectivity to the internet and other internal networks, these systems are susceptible to cyberattacks. Computer worms are one of the most significant threats to computer systems because of their fast self-propagation to multiple systems and malicious payloads. Modern worms employ obfuscation techniques to avoid detection using patterns from previous attacks. Although the best defense is to eliminate (patch) the software vulnerabilities being exploited by computer worms, this requires a substantial amount of time to create, test, and deploy the patches. Worm containment techniques are used to reduce or stop the spread of worm infections to allow time for software patches to be developed and deployed. In this dissertation, a novel blockchain-based collaborative intrusion prevention system model is introduced. This model is designed to proactively contain zero-day and obfuscated computer worms. In this model, containment is achieved by creating and distributing signatures for the exploited vulnerabilities. Blockchain technology is employed to provide liveness, maintain an immutable record of vulnerability-based signatures to update peers, accomplish trust in confirming the occurrence of a malicious event and the corresponding signature, and allow a decentralized defensive environment. A consensus algorithm based on the Practical Byzantine Fault Tolerance (PBFT) algorithm is employed in the model. The TLA+ formal method is utilized to check the correctness, liveness, and safety properties of the model as well as to assert that it has no behavioral errors. A blockchain-based automatic worm containment system is implemented. A synthetic worm is created to exploit a network-deployed vulnerable program. This is used to evaluate the effectiveness of the containment system. It is shown that the system can contain the worm and has good performance. The system can contain 100 worm attacks a second by generating and distributing the corresponding vulnerability-based signatures. The system latency to contain these attacks is less than 10 ms. In addition, the system has low resource requirements with respect to memory, CPU, and network traffic.



Worm Containment, Intrusion Response, Practical Byzantine Fault Tolerance (PBFT), Distributed Host-based Intrusion Prevention, Worm Signature Generation, Blockchain-based Containment, Dynamic Taint Analysis Detection, Vulnerability-based Worm Signatures, TLA+ Formal Method