IEEE Communications Surveys & Tutorials • 1st Quarter 2008

Date post: 03-Jan-2016
Upload: gary-johnson
Outline

- Terminology
- Internet Worms
- Defending Against Internet Worms
- Containment

Terminology

Activation
Activation is when a worm starts performing its malicious activities. Activation might be triggered on a specific date or under certain conditions.

False alarm
A false alarm is an incorrect alert generated by a worm detection system.

False positive
A false positive is a false alarm where an alert is generated when there is no actual attack or threat.

False negative
A false negative means the detection system missed an attack: no alert is generated while the system is under attack.

Infection
Infection is the result of the worm performing its malicious activities on the host.

Target finding
Target finding is the first step in a worm's life: discovering victims (vulnerable hosts).

Terminology (cont'd)

Threshold
A threshold is a predefined condition that, if met, indicates the existence of suspicious traffic or a worm attack.

Transfer
Transfer refers to sending a copy of the worm to the target after the victim (target) is discovered.

Virus
A virus is a malicious piece of code that attaches to other programs to propagate. It cannot propagate by itself and normally depends on some user intervention, such as opening an email attachment or running an executable file, to be activated.

Worm
A worm is a malicious piece of code that propagates by itself, often via network connections, by exploiting security flaws in computers on the network.

Internet Worms

Definition: a piece of malicious code that duplicates and propagates by itself. Usually it does not require any human interaction and spreads via network connections.

Life of a worm
Phase 1: target finding
Phase 2: worm transfer
Phase 3: worm activation
Phase 4: infection

The network-visible phases (target finding and transfer) can be caught by a NIDS.

Categorization of worm characteristics (figure)

Worm Target Finding Scheme

Blind target finding
1. Sequential
2. Random
3. Permutation
High failed-connection rate; many anomaly-based detection systems are designed to capture this type of worm.

Hit list
Targets are pre-scanned stealthily; more accurate, and may cause more damage.

Worm Target Finding Scheme (cont'd)

Topological
Many hosts on the Internet store information about other hosts on the network. Worms use this information to learn the topology of the network and use it as the path of infection. Spreads very fast.

Passive
Requires certain host behavior or human intervention to propagate.
Uses search engines.

Worm Propagation Scheme

Self-carried worms
Through a second channel
Embedded propagation

Botnet: a group of compromised hosts under the control of a botmaster.

Worm Payload Format

Monomorphic worm
The worm sends its payload in a straightforward, unchanged form.

Polymorphic worm
The worm changes its payload dynamically by scrambling (encoding) the program.

Metamorphic worm
The worm changes not only its appearance but also its behavior.

Internet Worm Defense

Worm Detection

Signature based
- the traditional technique used in intrusion detection systems (IDSs)
- looks at the payload and identifies whether or not it contains a worm
- requires an entry in the signature database

Anomaly based
- detects abnormal behaviors and generates alarms
- requires a definition of normal network behavior

Traffic Rate / Connection Count: TCP SYN

If the number of SYN packets sent from a certain host exceeds a threshold value within a period of time, the host is considered to be scanning.

Pro's
- able to catch most active scanning worms

Con's
- easy to cause false alarms
- not efficient
- useless against UDP worms

Failed Connection Counts: TCP RST and ICMP

Failed connection: an attempt to connect to a nonexistent IP address, or to an existing IP address with the target port closed. Instead of a completed handshake, the source gets back a TCP RST or an ICMP unreachable message.

Failed Connection Counts: TCP RST and ICMP (cont'd)

Detects active scanning worms based on their failed connections.

Pro's
- more efficient and accurate
- useful for both TCP and UDP worms

Con's
- not effective against hit list, topological, or passive worms
- ICMP error messages may be blocked or dropped by some border routers or gateway systems
- not suitable for large networks

Ratio of Successful and Failed Connections

Instead of counting failed or successful connection attempts, some believe it is the ratio, or the correlation, of successful and failed connections that matters.

Counting the number of connections, whether successful or not, depends on Internet usage and network size to be effective. If the network being monitored is large, this can be very resource consuming.
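The three count-based heuristics above (SYN count, failed-connection count, and the ratio of failed to successful connections), as an added example that is not part of the survey or of these slides. It runs all three over a constructed flow log so the differences in the Pro's and Con's are visible: the record layout, the hosts, the thresholds and the window length are assumptions chosen for the illustration, and a failed attempt is modeled as one answered by a TCP RST or an ICMP unreachable.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Attempt(NamedTuple):
    """One connection attempt from a flow log (constructed layout)."""
    t: float        # seconds since the start of the capture
    src: str
    dst: str
    dport: int
    proto: str      # "tcp" or "udp"
    result: str     # "ok", "rst" (TCP reset) or "icmp" (ICMP unreachable)


FAILED = {"rst", "icmp"}


def _max_in_window(times: List[float], window: float) -> int:
    """Largest number of events that fall inside any `window`-second span."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def syn_rate_scanners(attempts: List[Attempt], threshold: int, window: float) -> Set[str]:
    """TCP SYN count: a source is a scanner if its SYNs in any window exceed
    `threshold`. Every TCP attempt counts regardless of outcome, so a busy
    legitimate client trips it too, and a UDP worm never does."""
    per_src: Dict[str, List[float]] = defaultdict(list)
    for a in attempts:
        if a.proto == "tcp":
            per_src[a.src].append(a.t)
    return {s for s, ts in per_src.items() if _max_in_window(ts, window) > threshold}


def failed_connection_scanners(attempts: List[Attempt], threshold: int, window: float) -> Set[str]:
    """Failed-connection count: only attempts answered by a TCP RST or an ICMP
    unreachable are counted. ICMP port-unreachable makes UDP scans visible."""
    per_src: Dict[str, List[float]] = defaultdict(list)
    for a in attempts:
        if a.result in FAILED:
            per_src[a.src].append(a.t)
    return {s for s, ts in per_src.items() if _max_in_window(ts, window) > threshold}


def failure_ratio_scanners(attempts: List[Attempt], min_attempts: int, max_ratio: float) -> Set[str]:
    """Ratio of failed to total attempts per source over the whole log;
    `min_attempts` keeps a host with one mistyped address from being flagged."""
    total: Dict[str, int] = defaultdict(int)
    failed: Dict[str, int] = defaultdict(int)
    for a in attempts:
        total[a.src] += 1
        if a.result in FAILED:
            failed[a.src] += 1
    return {s for s, n in total.items() if n >= min_attempts and failed[s] / n > max_ratio}


def sample_attempts() -> List[Attempt]:
    """Constructed flow log, not captured traffic: four hosts over about 10 s."""
    rows: List[Attempt] = []
    # 10.0.0.5: busy web proxy, 60 successful TCP connections
    rows += [Attempt(i * 0.16, "10.0.0.5", f"203.0.113.{i % 50 + 1}", 80, "tcp", "ok")
             for i in range(60)]
    # 10.0.0.7: TCP scanner on 445; almost every attempt hits a closed port or no host
    rows += [Attempt(i * 0.1, "10.0.0.7", f"10.1.0.{i + 1}", 445, "tcp",
                     "ok" if i % 20 == 0 else ("rst" if i % 2 else "icmp"))
             for i in range(100)]
    # 10.0.0.9: UDP scanner on 1434; every probe draws an ICMP port unreachable
    rows += [Attempt(i * 0.1, "10.0.0.9", f"192.0.2.{i % 254 + 1}", 1434, "udp", "icmp")
             for i in range(80)]
    # 10.0.0.3: ordinary desktop, a few connections and one mistyped address
    rows += [Attempt(float(i), "10.0.0.3", "198.51.100.10", 443, "tcp", "ok") for i in range(8)]
    rows.append(Attempt(8.5, "10.0.0.3", "198.51.100.99", 443, "tcp", "rst"))
    return rows


if __name__ == "__main__":
    log = sample_attempts()
    print("SYN count     :", sorted(syn_rate_scanners(log, 30, 5.0)))
    print("failed count  :", sorted(failed_connection_scanners(log, 30, 5.0)))
    print("failure ratio :", sorted(failure_ratio_scanners(log, 10, 0.5)))
```

With these inputs the SYN count flags the proxy (a false alarm) and misses the UDP scanner, while the failed-connection count and the ratio flag exactly the two scanners. If border routers drop the ICMP unreachables, the UDP scanner's attempts would carry no "icmp" result and the last two detectors would lose it as well, which is the ICMP caveat listed above.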

Destination-Source Correlation

Based on the correlation between incoming and outgoing traffic: a host that first receives traffic on a port and then starts sending traffic to the same port on other hosts is flagged as infected.

Pro's
- able to detect almost all types of scans on the same port
- works for both TCP and UDP worms

Con's
- only captures scans from worms targeting the same port

Illustration of a destination-source correlation scheme (figure)
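The correlation described above, as an added example that is not the survey's or the scheme's authors' code. It replays constructed connection records: an external host hits an internal machine on tcp/445, which then opens connections to tcp/445 on many neighbours; a proxy that is contacted on 8080 and fetches on 80, and a second host that is hit on 445 but spreads over 139, show what the scheme does and does not catch. The record layout, the 10.0.0.0/8 monitored range, the target threshold and the time window are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Set, Tuple

INTERNAL = ip_network("10.0.0.0/8")   # assumed monitored address space

Key = Tuple[str, str, int]            # (host, proto, dport)


class Packet(NamedTuple):
    """First packet of a connection (constructed layout)."""
    t: float
    src: str
    dst: str
    dport: int
    proto: str


def dsc_detect(packets: List[Packet], min_targets: int, window: float) -> Dict[Key, float]:
    """Flag an internal host that, within `window` seconds of last receiving a
    connection on (proto, port), initiates connections to that same (proto, port)
    on at least `min_targets` distinct destinations. Returns {key: alert time}."""
    last_inbound: Dict[Key, float] = {}
    targets: Dict[Key, Set[str]] = defaultdict(set)
    alerts: Dict[Key, float] = {}
    for p in sorted(packets, key=lambda p: p.t):
        if ip_address(p.dst) in INTERNAL:
            last_inbound[(p.dst, p.proto, p.dport)] = p.t
        if ip_address(p.src) in INTERNAL:
            key = (p.src, p.proto, p.dport)
            t0 = last_inbound.get(key)
            if t0 is not None and p.t - t0 <= window:
                targets[key].add(p.dst)
                if len(targets[key]) >= min_targets and key not in alerts:
                    alerts[key] = p.t
    return alerts


def sample_packets() -> List[Packet]:
    """Constructed records, not a capture."""
    pk: List[Packet] = []
    # an external host exploits 10.0.0.7 on tcp/445; it then scans 20 neighbours on tcp/445
    pk.append(Packet(0.0, "198.51.100.7", "10.0.0.7", 445, "tcp"))
    pk += [Packet(1.0 + 0.2 * i, "10.0.0.7", f"10.0.1.{i + 1}", 445, "tcp") for i in range(20)]
    # 10.0.0.3 receives SMB from a file server and talks to two servers on 445 (below threshold)
    pk.append(Packet(0.5, "10.0.0.20", "10.0.0.3", 445, "tcp"))
    pk += [Packet(2.0, "10.0.0.3", "10.0.0.20", 445, "tcp"),
           Packet(3.0, "10.0.0.3", "10.0.0.21", 445, "tcp")]
    # proxy 10.0.0.5 is contacted on 8080 and fetches from the web on 80: ports differ, no alert
    pk += [Packet(0.3 * i, f"10.0.2.{i + 1}", "10.0.0.5", 8080, "tcp") for i in range(30)]
    pk += [Packet(0.3 * i + 0.1, "10.0.0.5", f"203.0.113.{i + 1}", 80, "tcp") for i in range(30)]
    # 10.0.0.11 is hit on 445 but spreads over 139: the scheme's blind spot
    pk.append(Packet(0.0, "198.51.100.8", "10.0.0.11", 445, "tcp"))
    pk += [Packet(1.0 + 0.2 * i, "10.0.0.11", f"10.0.3.{i + 1}", 139, "tcp") for i in range(20)]
    return pk


if __name__ == "__main__":
    for key, when in dsc_detect(sample_packets(), 10, 60.0).items():
        print(f"alert at t={when:.1f}s: {key}")
```

Only 10.0.0.7 raises an alert, at the moment its tenth distinct tcp/445 target appears. The proxy never correlates because its inbound and outbound ports differ, and 10.0.0.11 is missed because it scans a different port than the one it was infected through, which is exactly the con listed above.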

DarkNet / Unused Address Space

Monitor unused address space instead of used addresses: scanning or connection attempts toward nonexistent addresses are abnormal behavior for a regular network.

Pro's
- requires significantly fewer resources
- works for both TCP and UDP worms

Con's
- not very useful against hit list, topological, or passive scans

Honeypots

A honeypot is a vulnerable system on the network that does not provide any real services: a security resource whose value lies in being probed, attacked, or compromised. In a normal situation, no traffic is supposed to come toward the honeypot.

Pro's
- able to detect both TCP and UDP worms
- gathers less but higher-quality data
- able to detect hit list and topological worms

Con's
- not useful against passive worms

Honeypot used in worm detection and containment (figure)

Unknown Signature Detection Systems

Signature-based detection systems are vulnerable to unknown attacks. To remedy this, some algorithms have been proposed to detect unknown attacks by generating signatures in real time; these are considered anomaly based.

E.g. 1: Honeycomb
- honeypot-based IDS
- capable of generating signatures for unknown worms

E.g. 2: Autograph
- relies on unsuccessful scans to select suspicious flows
- automatically generates signatures for TCP worms by analyzing the payload contents, based on the most frequently occurring byte sequences in the suspicious flows

Detecting Polymorphic Worms

Most payload detection algorithms target monomorphic worm payloads only and have no defense against polymorphic worms.

Newsome, Karp, and Song proposed Polygraph. Certain payload contents are not changed between instances of a polymorphic worm:
- protocol framing bytes
- the value used for the return address
- the pointer that overwrites a jump target
Polygraph divides signatures into tokens, generates the tokens automatically, and detects worms based on these tokens.
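Signature generation in the spirit of the two approaches above (Autograph's most-frequent byte sequence and Polygraph's token conjunction), as an added example that is not the survey's, Autograph's or Polygraph's code. A fixed-length k-gram prevalence count stands in for Autograph's content-based payload partitioning, and maximal common substrings stand in for Polygraph's token extraction. The worm instances, the benign pool, the HTTP path and the return-address bytes are all constructed for the illustration, and the suspicious pool is assumed to have been selected already (for instance by the failed-scan heuristics).

```python
from collections import Counter
from typing import List, Optional, Tuple

# Constructed polymorphic worm. Everything but these two regions changes per
# instance; they are the kind of invariant the slide lists (framing bytes and
# the value used for the return address). Path and address are made up.
FRAME = b"GET /cgi-bin/form?q="
RET = b"\xb5\x3c\x01\x78"
TRAILER = b" HTTP/1.0\r\n"


def worm_instance(seed: int) -> bytes:
    """One instance: arithmetic byte runs stand in for the encoded body and
    the filler that a real polymorphic engine would randomize."""
    body = bytes((seed * 7 + k * 13) % 256 for k in range(60))
    filler = bytes((seed * 31 + k * 17) % 256 for k in range(20))
    return FRAME + body + RET + filler + TRAILER


# Constructed normal traffic; note that a legitimate request uses the same CGI.
BENIGN_POOL = [
    b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n",
    b"GET /cgi-bin/form?q=printers HTTP/1.0\r\nHost: intranet\r\n",
    b"POST /cgi-bin/form HTTP/1.0\r\nContent-Length: 11\r\n\r\nq=meeting+1",
    b"GET /img/logo.png HTTP/1.0\r\n",
]


def kgrams(flow: bytes, k: int) -> set:
    return {flow[i:i + k] for i in range(len(flow) - k + 1)}


def most_prevalent_kgram(suspicious: List[bytes], benign: List[bytes], k: int
                         ) -> Optional[Tuple[bytes, int]]:
    """Autograph-style single signature: the k-byte sequence that appears in
    the most suspicious flows and in no benign flow. Returns (bytes, prevalence)."""
    benign_grams = set().union(*(kgrams(f, k) for f in benign))
    prevalence: Counter = Counter()
    for f in suspicious:
        prevalence.update(kgrams(f, k) - benign_grams)   # each flow counts once
    if not prevalence:
        return None
    best = max(prevalence, key=lambda g: (prevalence[g], g))  # deterministic tie-break
    return best, prevalence[best]


def common_tokens(flows: List[bytes], min_len: int) -> List[bytes]:
    """Polygraph-style tokens: maximal substrings of at least `min_len` bytes
    present in every suspicious flow, longest first."""
    base = flows[0]
    found = set()
    for i in range(len(base)):
        for j in range(i + min_len, len(base) + 1):
            s = base[i:j]
            if all(s in f for f in flows[1:]):
                found.add(s)
            else:
                break                      # no longer extension can be common
    maximal = [t for t in found if not any(t != u and t in u for u in found)]
    return sorted(maximal, key=len, reverse=True)


def conjunction_signature(suspicious: List[bytes], benign: List[bytes],
                          min_len: int, max_benign_frac: float) -> List[bytes]:
    """Every token must match. Dropping tokens that occur in most benign flows
    is an addition here; it removes generic HTTP framing that adds no selectivity."""
    return [t for t in common_tokens(suspicious, min_len)
            if sum(t in b for b in benign) / len(benign) <= max_benign_frac]


def matches(flow: bytes, signature: List[bytes]) -> bool:
    return all(t in flow for t in signature)


if __name__ == "__main__":
    pool = [worm_instance(s) for s in range(1, 6)]
    print("most prevalent 4-gram:", most_prevalent_kgram(pool, BENIGN_POOL, 4))
    sig = conjunction_signature(pool, BENIGN_POOL, 4, 0.5)
    print("conjunction signature:", sig)
    print("new instance matches :", matches(worm_instance(9), sig))
    print("benign matches       :", [matches(b, sig) for b in BENIGN_POOL])
```

On this pool the single-sequence approach can only fall back on the four return-address bytes, because every framing k-gram also occurs in a legitimate request to the same CGI. The conjunction keeps the framing as a second token and still matches no benign flow, which is the point of Polygraph's token-based signatures for polymorphic payloads.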

Combined Use of Detection Schemes

Unknown-signature detection systems take time to generate signatures, and many worms already have defined signatures.
Known-signature detection systems can't detect unknown worms.
Merge them!

Anomaly detection methods vs. worm characteristics (table)

Containment

Slowing down infection
- rate limiting techniques

Blocking
Address blocking: when a host is identified as a scanner or a victim, any traffic from that host address is dropped.
Content blocking: if packet content matches a worm signature, the packet is dropped automatically.

Honeypot
Trap worms into infecting a simulated machine (the honeypot).
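Rate limiting escalating to address blocking, as an added example that is not the survey's or the slides' code. The throttle follows the well-known scheme of Williamson's virus throttle, named here as a stand-in for the "rate limiting techniques" the slide leaves unspecified: a source may open connections to only a few new destinations per interval, repeat contacts to recent destinations pass at once, new ones wait in a delay queue, and a queue that grows past a limit marks the source as a scanner whose traffic is then dropped. The rates, queue limit, hosts and traffic are assumptions constructed for the illustration.

```python
from collections import Counter, defaultdict, deque
from typing import Dict, List, Set, Tuple


class ConnectionThrottle:
    """Per-source new-connection throttle with address blocking on overflow
    (added illustration in the style of Williamson's virus throttle)."""

    def __init__(self, rate: float = 1.0, interval: float = 1.0,
                 working_set: int = 4, max_queue: int = 8) -> None:
        self.rate, self.interval, self.max_queue = rate, interval, max_queue
        self.working: Dict[str, deque] = defaultdict(lambda: deque(maxlen=working_set))
        self.queue: Dict[str, deque] = defaultdict(deque)
        self.tokens: Dict[str, float] = defaultdict(lambda: float(rate))
        self.last_seen: Dict[str, float] = {}
        self.blocked: Set[str] = set()

    def _refill(self, src: str, t: float) -> None:
        """Accrue new-connection tokens since the last packet from `src` and
        release queued destinations while tokens are available."""
        elapsed = t - self.last_seen.get(src, t)
        self.tokens[src] = min(self.rate, self.tokens[src] + elapsed / self.interval * self.rate)
        self.last_seen[src] = t
        while self.tokens[src] >= 1 and self.queue[src]:
            self.working[src].append(self.queue[src].popleft())
            self.tokens[src] -= 1

    def request(self, t: float, src: str, dst: str) -> str:
        """Decide one connection request: 'allow', 'delay' or 'drop'."""
        if src in self.blocked:
            return "drop"
        self._refill(src, t)
        if dst in self.working[src]:            # recently contacted: not a new host
            return "allow"
        if self.tokens[src] >= 1:               # budget for a new destination
            self.tokens[src] -= 1
            self.working[src].append(dst)
            return "allow"
        if dst not in self.queue[src]:
            self.queue[src].append(dst)
        if len(self.queue[src]) > self.max_queue:
            self.blocked.add(src)               # escalate from slowing down to blocking
            return "drop"
        return "delay"


def run_scenarios() -> Tuple[Dict[str, Counter], Set[str]]:
    """Constructed traffic: a worm spraying 40 new hosts in under a second next
    to a desktop that browses six times in six seconds. Returns the per-source
    verdict counts and the set of blocked addresses."""
    events: List[Tuple[float, str, str]] = []
    events += [(0.02 * i, "10.0.0.7", f"10.0.1.{i + 1}") for i in range(40)]
    events += [(0.0, "10.0.0.3", "www"), (0.5, "10.0.0.3", "www"), (3.0, "10.0.0.3", "cdn"),
               (4.0, "10.0.0.3", "mail"), (4.2, "10.0.0.3", "img"), (6.0, "10.0.0.3", "img")]
    throttle = ConnectionThrottle()
    verdicts: Dict[str, Counter] = defaultdict(Counter)
    for t, src, dst in sorted(events):
        verdicts[src][throttle.request(t, src, dst)] += 1
    return dict(verdicts), throttle.blocked


if __name__ == "__main__":
    counts, blocked = run_scenarios()
    for src, c in counts.items():
        print(src, dict(c))
    print("blocked:", sorted(blocked))
```

The worm gets one connection out before its next eight wait in the queue and everything after that is dropped, while the desktop is only ever delayed once (its fifth new destination inside a second). Content blocking is the simpler counterpart: the same drop decision keyed on a payload signature match instead of on the source's connection behaviour.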

Comments

No perfect solution exists to deal with all existing and future worms.
Efficiency remains an issue.