1. IEEE Communications Surveys & Tutorials 1st Quarter 2008

2. Outline Terminology Internet Worms Defending Against Internet Worms Containment

3. Terminology Activation Activation is when a worm starts performing its malicious activities. Activation might be triggered on a specific date or under certain conditions. False alarm A false alarm is an incorrect alert generated by a worm detection system. False positive A false positive is a false alarm where an alert is generated when there is no actual attack or threat. False negative False negative means the detection system missed an attack. It is a false negative if no alert is generated while the system is under an attack. Infection Infection is the result of the worm performing its malicious activities on the host. Target finding Target finding is the first step in a worm’s life to discover victims (vulnerable hosts).

4. Terminology Threshold Threshold is a predefined condition that, if met, indicates the existence of specious traffic or a worm attack. Transfer Transfer refers to sending a copy of the worm to the target after the victim (target) is discovered. Virus A virus is a malicious piece of code that attaches to other programs to propagate. It cannot propagate by itself, and normally depends on a certain user intervention, such as opening up an email attachment or running an executable file, to be activated. Worm A worm is a malicious piece of code that self propagates, often via network connections, exploiting security flaws in computers on the network.

5. Internet Worms Definition: a piece of malicious code that duplicates and propagates by itself. Usually, it does not require any human interaction and spreads via network connections. Life of a worm Phase 1: target finding Phase 2: worm transforming Phase 3: worm activation Phase 4: infection Can be caught by NIDS

6. Categorization of worm characteristics

7. Worm target finding scheme Blind target finding 1. Sequential 2. Random 3. Permutation High failure connection rate Many anomaly-based detection systems are designed to capture this type of worm. Hit list prescanned stealthily more accurate and may cause more damage

8. Worm target finding scheme Topological Many hosts on the Internet store information about other hosts on the network. Worms use this information to gain knowledge of topology of the network and use that as the path of infection. Spread very fast. Passive Require certain host behavior or human intervention to propagate Use search engines

9. Worm Propagation Scheme Self-carried worms Through a second channel Embedded propagation Botnet A group of compromised hosts under the control of a botmaster.

10. Worm Payload Format Monomorphic worm Worms send the payload in a straightforward unchanged fashion Polymorphic worm Worms change their payload dynamically by scrambling the program Metamorphic worm Worms change not only its appearance but also its behavior

11. Internet Worm Defense

12. Worm Detection Signature Based traditional technique used for intrusion detection systems (IDSs) take a look at the payload and indentify whether or not it contains a worm require an entry in the database Anomaly Based detect abnormal behaviors and generate alarms requires the definition of normal network behavior

13. Traffic Rate/Connection Count: TCP SYN If the number of SYN packets sent from a certain host exceeds a threshold value within a period of time, the host is considered to be scanning. Pro’s able to catch most active scanning worms Con’s easy to cause false alarms not efficient useless against UDP worms

14. Failed Connection Counts: TCP RST and ICMP Failed connection attempt to connect to a nonexisting IP address or an existing IP address with the target port closed

15. Failed Connection Counts: TCP RST and ICMP (cont’d) To detect active scanning worms depending on failed connections Pro’s more efficient and accurate useful for both TCP and UDP worms Con’s not effective for hit list, topological or passive scanning worms ICMP error messages may blocked or dropped by some border routers or gateway systems not suitable for large networks

16. Ratio of Success and Failure Connections Instead of counting the failure or successful connection attempts, some believe it is the ratio or correlation of successful and failed connections that matters. Counting the number of connections, whether successful or not, depends on the Internet usage and network size to be effective. If the network being monitored is large, this can be very resource consuming.

17. Destination-Source Correlation base on the correlation between incoming and outgoing traffic Pro’s able to detect almost all types of scans with the same port works for both TCP and UDP worms Con’s only capture scans from worms targeting the same port

18. Illustration of a destination-source correlation scheme

19. DarkNet/Unused Address Space Monitor unused address space instead of used ones scanning or connection attempts toward nonexisting addresses are abnormal behaviors of a regular network Pro’s requires significantly less resources works for both TCP and UDP worms Con’s not very useful against hit list, topological, or passive scans

20. Honeypots A honeypot is a vulnerable system on the network that does not provide any real services a security resource whose value lies in being probed, attacked, or compromised In a normal situation, no traffic is supposed to come toward the honeypot. Pro’s able to detect both TCP and UDP worms gather less but higher quality data able to detect hit list scan and topological worms Con’s not useful to passive worms

21. Honeypot used in worm detection and containment

22. Unknown Signature Detection Systems Signature-based detection systems is vulnerability against unknown attacks. To remedy this issue, some algorithms have been proposed to detect unknown attacks by generating signatures in real time. considered anomaly-based E.g.1. Honeycomb honeypot-based IDS system capable of generating signatures for unknown worms E.g.2. Autograph method Relies on unsuccessful scans Automatically generates signatures for TCP worms by analyzing the contents of the payload based on the most frequently occurring byte sequence in the suspicious flow.

23. Detecting Polymorphic Worms Most payload detection algorithms target monomorphic worm payloads only and have no defense against polymorphic worms. Karp, and Song proposed polygraph Certain payload contents are not changed Protocol framing bytes Value used for return address Pointer to overwrite a jump target Dived signatures into tokens Generate tokens automatically and detect worms based on these tokens

24. Combination usage of detection schemes Unknown signature-based detection system Take time to generate signatures, and since there are defined signatures already Known signature-based detection system Can’t detect unknown worms Merge them!

25. Anomaly detection methods vs. worms characteristic.

26. Containment Slowing Down Infection Rate limiting techniques Blocking Address Blocking when a host is identified as a scanner or victim, any traffic from that host address is dropped. Content Blocking If packet content matches a worm signature, the packet will be dropped automatically Honeypot Trap worms to infect simulated machine by Honeypot

27. Comments No perfect solution to deal with all existing and future worms. Efficiency issue