Self-propagating worms have long been one of the most lethal security threats on the Internet, because they let an attacker seize control of an enormous number of hosts. This thesis proposes a new architecture and method for automatically and precisely curing and recovering hosts infected by a worm attack: the real-time worm recovery system (Serum System). The system is built on the concept of offensive defense: an attack barrier that strikes back at the attack source. Once a host equipped with the Serum System receives an attack string from malicious code, it first modifies the payload of the attack string dynamically and in real time, then uses the same vulnerability to counterattack the source host, and finally copies the Serum System onto that host and patches the vulnerability. The source host is then not only immune to that worm but can also counterattack, in the same way, any other malicious host that attacks it. Through this legitimate, chain-style spreading counterattack, worm-infected hosts scattered across the Internet can be cleaned automatically, precisely and in a controlled manner, regardless of scale, even when the signature is imprecise. The thesis also discusses a model of worm infection and analyzes and proves the effectiveness of the system in suppressing worm propagation. The analysis not only describes the damage caused by the worm as a function of time, but also shows the effect that deploying real-time counterattack hosts has on suppressing the worm. The thesis further proposes an architecture for regional automated vulnerability patching, so that enterprises and institutions of all sizes can patch vulnerabilities promptly. This work helps security incident researchers respond quickly and recover from the damage when facing buffer-overflow worm attacks in the future.

Although ASLR and non-executable stacks reduce the risk of worms spreading via buffer-overflow exploits, there are still numerous ways to defeat or circumvent these protections. In this paper we propose a system for automatic worm curing, the Infectious Real-time Serum System (IRSS). Our approach is based on the concept of an "attack barrier" that counterattacks the attacker. Once a host running the Serum System is attacked, it dynamically modifies the payload of the attack string, counterattacks the attacking source, and installs patches that clone the entire Serum System onto that source. The original attacking host is thus not only immune to this vulnerability but also able to counterattack any host that tries to attack it. Through this infectious, chained counterattack by Serum Systems, infected hosts can be cured automatically, precisely and under control. Moreover, worms can be cleaned up across the whole Internet while only a few Serum System servers are required for the entire environment. The Serum System can deal with any buffer-overflow attack, including return-into-libc attacks, and is therefore effective against the spread of modern worms.
This paper also builds a mathematical model of worm-curing behavior to analyze the efficiency of the Serum System, and presents the concept of automatic exploit patching.
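The abstract states that the analysis relates worm damage to time and shows how deploying real-time counterattack hosts suppresses the worm, but the thesis's own equations are not reproduced on this page. As an added example that is not the thesis's model or code, the following Python script simulates an assumed mean-field model of the dynamics the abstract describes: vulnerable hosts (S), worm-infected hosts (I) and Serum hosts (R); each infected host probes random addresses every step, a probe that reaches a vulnerable host infects it, and a probe that reaches a Serum host is countered, curing the attacker and turning it into a Serum host. The host count, scan rate and initial conditions are assumptions chosen only to make the comparison visible.

```python
"""Mean-field simulation of worm spread against Serum hosts (added example).

Assumed model (not the thesis's own):
  S = vulnerable hosts, I = worm-infected hosts, R = Serum (cured/immune) hosts.
  Every step each infected host probes `scan_rate` uniformly random addresses.
  A probe that lands on a vulnerable host infects it; a probe that lands on a
  Serum host is countered, which cures the probing host and converts it into
  a Serum host (the chained counterattack the abstract describes).
"""
from dataclasses import dataclass, field


@dataclass
class Trajectory:
    vulnerable: list = field(default_factory=list)
    infected: list = field(default_factory=list)
    immune: list = field(default_factory=list)


def simulate(n_hosts: int, initial_infected: float, initial_serum: float,
             scan_rate: float = 0.5, steps: int = 400) -> Trajectory:
    """Run the deterministic discrete-time model and record every step.

    scan_rate must be <= 1 so that the per-step transition fractions stay <= 1
    and no population goes negative.
    """
    if not 0.0 < scan_rate <= 1.0:
        raise ValueError("scan_rate must be in (0, 1]")
    s = float(n_hosts - initial_infected - initial_serum)
    i = float(initial_infected)
    r = float(initial_serum)
    traj = Trajectory([s], [i], [r])
    for _ in range(steps):
        # Probes from infected hosts that land on still-vulnerable hosts.
        new_infections = scan_rate * i * s / n_hosts
        # Probes that land on Serum hosts: the attacker is cured and converted.
        cured = scan_rate * i * r / n_hosts
        s -= new_infections
        i += new_infections - cured
        r += cured
        traj.vulnerable.append(s)
        traj.infected.append(i)
        traj.immune.append(r)
    return traj


def peak_infected(traj: Trajectory) -> float:
    """Worst-case damage: the largest number of simultaneously infected hosts."""
    return max(traj.infected)


def eradication_step(traj: Trajectory, threshold: float = 1.0):
    """First step at or after the peak with fewer than `threshold` infected hosts, else None."""
    peak_at = traj.infected.index(peak_infected(traj))
    for t in range(peak_at, len(traj.infected)):
        if traj.infected[t] < threshold:
            return t
    return None


if __name__ == "__main__":
    n = 100_000  # assumed address space / host population
    for serum in (0, 10, 1_000):
        traj = simulate(n, initial_infected=1, initial_serum=serum)
        print(f"serum hosts={serum:5d}  peak infected={peak_infected(traj):9.0f}  "
              f"eradicated at step={eradication_step(traj)}  "
              f"final immune={traj.immune[-1]:9.0f}")
```

In this model the product S*R stays (almost) constant, so the worm keeps growing until R exceeds S, at roughly sqrt(R0 * S0) remaining vulnerable hosts, and only then does the chained counterattack drive the infected population to zero. That is why a handful of Serum hosts suffices to eradicate the worm eventually, while the peak damage drops only when more Serum hosts are deployed up front; with no Serum hosts at all the worm simply saturates the population.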