DOI: 10.1145/1029618.1029625

A behavioral approach to worm detection

Published: 29 October 2004

ABSTRACT

This paper presents a new approach to the automatic detection of worms using behavioral signatures. A behavioral signature describes aspects of a worm's behavior that are common across all instances of that worm and that span the infected nodes in temporal order. Characteristic patterns of worm behavior in network traffic include 1) sending similar data from one machine to the next, 2) tree-like propagation and reconnaissance, and 3) changing a server into a client. These behavioral signatures are presented within the context of a general worm propagation model. Taken together, they have the potential to detect entire classes of worms, including those which have yet to be observed.

This paper introduces the concept of a network application architecture (NAA) as a way to distribute network applications. An analysis shows that the choice of NAA affects the sensitivity of behavioral signatures. An NAA that satisfies certain constraints significantly improves worm detection sensitivity. Mathematical models of traffic flow, NAAs, worm propagation, and worm detection provide a context for the entire discussion.
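As an added illustration (not code from the paper), the following sketch checks two of the abstract's signatures over flow records: a host that accepted connections on a port and later initiates connections to that same port on other hosts (server turned client), and the temporally ordered, tree-like spread of one payload digest from machine to machine. The flow records, addresses, ports and digests are constructed for the example.

```python
from collections import defaultdict

# Constructed flow records: (src, dst, dst_port, timestamp, payload_digest).
# Not real traffic; 10.0.0.7 is a server that starts acting as a client at t=150.
FLOWS = [
    ("10.0.0.5", "10.0.0.7", 445, 100, "d1"),
    ("10.0.0.9", "10.0.0.7", 445, 101, "web"),
    ("10.0.0.7", "10.0.0.11", 445, 150, "d1"),
    ("10.0.0.7", "10.0.0.12", 445, 151, "d1"),
    ("10.0.0.11", "10.0.0.20", 445, 200, "d1"),
    ("10.0.0.11", "10.0.0.21", 445, 201, "d1"),
    ("10.0.0.3", "10.0.0.4", 80, 120, "get"),  # ordinary client traffic
]

def server_to_client(flows, min_fanout=2):
    """Signature 3: (host, port) pairs that accepted connections on a port and
    later initiated connections to that same port on >= min_fanout other hosts."""
    first_inbound = {}
    for _, dst, port, ts, _ in sorted(flows, key=lambda f: f[3]):
        first_inbound.setdefault((dst, port), ts)
    outbound = defaultdict(set)
    for src, dst, port, ts, _ in flows:
        t_served = first_inbound.get((src, port))
        if t_served is not None and ts > t_served:
            outbound[(src, port)].add(dst)
    return {key for key, peers in outbound.items() if len(peers) >= min_fanout}

def propagation_tree(flows, port, digest):
    """Signatures 1 and 2: parent -> children map for one payload digest on one
    port, built in temporal order so a host only spreads what it already received."""
    seen_at, tree = {}, defaultdict(list)
    for src, dst, p, ts, d in sorted(flows, key=lambda f: f[3]):
        if p != port or d != digest:
            continue
        seen_at.setdefault(src, ts)  # the first sender becomes the root
        if dst not in seen_at:
            seen_at[dst] = ts
            tree[src].append(dst)
    return dict(tree)

def generations(tree, root):
    """Hops from root to the deepest node; >= 2 means a host that received the
    payload went on to send it to others (tree-like propagation)."""
    return max((1 + generations(tree, c) for c in tree.get(root, [])), default=0)

if __name__ == "__main__":
    print(server_to_client(FLOWS))
    tree = propagation_tree(FLOWS, 445, "d1")
    print(tree, generations(tree, "10.0.0.5"))
```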


    Reviews

    Wei Yen

    The detecting function is an integral part of a defense mechanism against viruses, worms, and denial of service attacks. A new paradigm for worm detection is described in this paper. Instead of looking for known patterns in packet contents, this paradigm deviates from the current method by examining the behavioral signature of worms. The paper introduces a way to express worm propagation trees, and lists three types of behavioral signatures. It also presents a qualitative discussion on network application architectures, and their impact on the detection capability of the paradigm. There are several papers and reports that apply a similar concept to host-based worm detection. It is encouraging to see this work being addressed to the enterprise network environment. It is said that the behavioral-based approach will make it harder for worms to evade detection. On the other hand, it also seems that the behavioral-based approach exhibits higher cost, and the accuracy of its performance is less clear. However, little space is devoted to these discussions in the paper. Since the authors indicate that experiments are being conducted, I look forward to seeing more studies in this promising area.

Published in

WORM '04: Proceedings of the 2004 ACM workshop on Rapid malcode
October 2004
100 pages
ISBN: 1581139705
DOI: 10.1145/1029618
Program Chair: Vern Paxson

Copyright © 2004 ACM

Publisher: Association for Computing Machinery, New York, NY, United States


