ABSTRACT
This paper presents a new approach to the automatic detection of worms using behavioral signatures. A behavioral signature describes aspects of any particular worm's behavior that are common across the manifestations of a given worm and that span its nodes in temporal order. Characteristic patterns of worm behaviors in network traffic include 1) sending similar data from one machine to the next, 2) tree-like propagation and reconnaissance, and 3) changing a server into a client. These behavioral signatures are presented within the context of a general worm propagation model. Taken together, they have the potential to detect entire classes of worms including those which have yet to be observed.
This paper introduces the concept of a network application architecture (NAA) as a way to distribute network applications. An analysis shows that the choice of NAA affects the sensitivity of behavioral signatures: an NAA that satisfies certain constraints significantly improves worm detection sensitivity. Mathematical models of traffic flow, NAAs, worm propagation, and worm detection provide a context for the entire discussion.
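The three behavioral signatures named in the abstract can be checked against ordinary flow records without any payload-content signature. The following is an added example, not code from the paper or its authors: it takes a constructed list of flow records (a timestamp, source and destination host, destination port, and a hash of the leading payload bytes, all assumed fields), then looks for (1) the same payload hash being handed off from one machine to the next, (2) a relay that fans that payload out to several distinct hosts in a tree, and (3) a host that accepted connections on a port and later initiates connections to that same port elsewhere. The fan-out threshold is an assumption chosen for the sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (constructed format, not the paper's)."""
    t: int            # seconds since start of capture
    src: str          # initiating host
    dst: str          # accepting host
    dport: int        # destination port
    payload_sig: str  # hash of the first payload bytes (stand-in values here)


# Constructed sample traffic: 10.0.0.1 sends payload "p1" to .2, which then
# fans the same payload out to .3/.4/.5; .3 relays it onward to .6.
# Two ordinary web requests to 10.0.0.10 are included as benign background.
FLOWS = [
    Flow(0, "10.0.0.1", "10.0.0.2", 445, "p1"),
    Flow(1, "10.0.0.9", "10.0.0.10", 80, "web1"),
    Flow(2, "10.0.0.11", "10.0.0.10", 80, "web2"),
    Flow(5, "10.0.0.2", "10.0.0.3", 445, "p1"),
    Flow(6, "10.0.0.2", "10.0.0.4", 445, "p1"),
    Flow(7, "10.0.0.2", "10.0.0.5", 445, "p1"),
    Flow(9, "10.0.0.3", "10.0.0.6", 445, "p1"),
]


def detect(flows, fanout_threshold=2):
    """Apply the three behavioral signatures; returns one dict of findings."""
    flows = sorted(flows, key=lambda f: f.t)

    # Signature 1: similar data sent from one machine to the next.
    # A hand-off is flow a (x -> y) followed later by flow b (y -> z)
    # carrying the same payload signature.
    hand_offs = []
    for i, a in enumerate(flows):
        for b in flows[i + 1:]:
            if b.src == a.dst and b.payload_sig == a.payload_sig:
                hand_offs.append((a.src, a.dst, b.dst, a.payload_sig))

    # Signature 2: tree-like propagation. Group hand-offs by (payload, relay)
    # and keep relays whose distinct fan-out reaches the threshold.
    children = defaultdict(set)
    for _origin, relay, child, sig in hand_offs:
        children[(sig, relay)].add(child)
    tree_roots = {k: sorted(v) for k, v in children.items()
                  if len(v) >= fanout_threshold}

    # Signature 3: a server turning into a client. Walk flows in time order
    # and flag any host that initiates a connection to a port on which it
    # previously accepted one.
    served_ports = defaultdict(set)   # host -> ports it has accepted on
    server_to_client = set()
    for f in flows:
        if f.dport in served_ports[f.src]:
            server_to_client.add((f.src, f.dport))
        served_ports[f.dst].add(f.dport)

    # A host matching both the fan-out and the role-flip signatures is the
    # strongest candidate; reporting it separately keeps single-signature
    # matches (for example a legitimate relay) out of the alert path.
    suspects = sorted(relay for (_sig, relay) in tree_roots
                      if any(host == relay for host, _p in server_to_client))

    return {
        "hand_offs": hand_offs,
        "tree_roots": tree_roots,
        "server_to_client": server_to_client,
        "suspects": suspects,
    }


if __name__ == "__main__":
    for name, value in detect(FLOWS).items():
        print(f"{name}: {value}")
```

On the constructed flows, 10.0.0.2 is the only host that both accepted port 445 traffic and later fanned the same payload out to three hosts on port 445, so it is the sole suspect; the web server 10.0.0.10 accepts on port 80 but never initiates, so it is never flagged. The pairwise hand-off scan is quadratic in the number of flows and would be indexed by (destination host, payload signature) in a production detector.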