distributed worm detection and characterization
a couple of papers crossed my desk recently that i think are impressive and worth looking at. these show part of the state of the art in worm detection. simple honeypots won't cut it any longer; you really need to dig through lots of data. a project i'm involved in (the IMS project) is seeking to do this as well, although our approach is somewhat different. hopefully we complement and don't compete too much with these other projects.
Monitoring any portion of the Internet address space reveals incessant activity. This holds even when monitoring traffic sent to unused addresses, which we term "background radiation." Background radiation reflects fundamentally nonproductive traffic, either malicious (flooding backscatter, scans for vulnerabilities, worms) or benign (misconfigurations). While the general presence of background radiation is well known to the network operator community, its nature has yet to be broadly characterized. We develop such a characterization based on data collected from four unused networks in the Internet. Two key elements of our methodology are (i) the use of filtering to reduce load on the measurement system, and (ii) the use of active responders to elicit further activity from scanners in order to differentiate different types of background radiation. We break down the components of background radiation by protocol, application, and often specific exploit; analyze temporal patterns and correlated activity; and assess variations across different networks and over time. While we find a menagerie of activity, probes from worms and autorooters heavily dominate. We conclude with considerations of how to incorporate our characterizations into monitoring and detection activities.
source: Characteristics of Internet Background Radiation, Ruoming Pang, Vinod Yegneswaran, Paul Barford, Vern Paxson, Larry Peterson.
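To make the two methodological points in that abstract concrete (filtering to shed load, and breaking traffic to unused space down by category, application and sender behaviour), here is an added example. It is my own illustration, not code from the paper or from the IMS project: the packet record, the constructed sample traffic to a dark /24 (documentation ranges only), the category rules and the sweep/filter thresholds are all assumptions made for this example, and the classification is far coarser than what the paper does (no active responders, no per-exploit breakdown).

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    sport: int = 0       # 0 where not meaningful (ICMP)
    dport: int = 0
    flags: str = ""      # TCP flag letters, e.g. "S", "SA", "R", "RA"
    icmp_type: int = -1  # ICMP type; -1 for non-ICMP


# Constructed sample: packets arriving at an unused /24. 192.0.2.0/24 is a
# documentation range, used here as the dark block; no host there ever sent
# anything, so none of this traffic is a reply to something we did.
DARK = "192.0.2.{}"
SAMPLE = (
    # one source sweeping the whole block with bare SYNs to TCP/445
    [Packet("198.51.100.7", DARK.format(i), "tcp", 40000 + i, 445, "S") for i in range(1, 41)]
    # another doing the same on TCP/135
    + [Packet("198.51.100.8", DARK.format(i), "tcp", 40000 + i, 135, "S") for i in range(1, 31)]
    # single-datagram UDP/1434 probes
    + [Packet("198.51.100.9", DARK.format(i), "udp", 1434, 1434) for i in range(1, 21)]
    # SYN-ACKs and RSTs from a web server we never contacted: backscatter of a
    # SYN flood that spoofed our dark addresses as its sources
    + [Packet("203.0.113.80", DARK.format(i), "tcp", 80, 1024 + i, "SA") for i in range(50, 62)]
    + [Packet("203.0.113.80", DARK.format(i), "tcp", 80, 1024 + i, "RA") for i in range(62, 66)]
    # ICMP echo requests: a ping sweep
    + [Packet("198.51.100.10", DARK.format(i), "icmp", icmp_type=8) for i in range(1, 11)]
    # one lone SMTP SYN: far more likely a misconfiguration than a sweep
    + [Packet("203.0.113.25", DARK.format(200), "tcp", 51000, 25, "S")]
)


def category(p: Packet) -> str:
    """Coarse class of a packet addressed to space that no host uses."""
    if p.proto == "tcp":
        if "S" in p.flags and "A" not in p.flags:
            return "scan"         # bare SYN: someone looking for a service
        if "R" in p.flags or p.flags == "SA":
            return "backscatter"  # reply to a SYN we never sent: spoofed-source flood
        return "other"
    if p.proto == "udp":
        return "scan"             # a datagram to dark space is almost always a probe
    if p.proto == "icmp":
        if p.icmp_type == 8:
            return "scan"         # echo request: ping sweep
        if p.icmp_type in (3, 11):
            return "backscatter"  # unreachable / TTL exceeded quoting a spoofed packet
    return "other"


def service_port(p: Packet) -> int:
    """Port that names the application: the destination port of a probe, but the
    *source* port of backscatter, since that is the victim's service replying."""
    return p.sport if category(p) == "backscatter" else p.dport


def characterize(packets, sweep_threshold: int = 8) -> dict:
    """Break traffic down by category and application, and separate sources that
    sweep many dark addresses from one-off senders (likely misconfigurations)."""
    by_category = Counter(category(p) for p in packets)
    by_service = Counter((category(p), p.proto, service_port(p)) for p in packets)
    targets = defaultdict(set)
    for p in packets:
        if category(p) == "scan":
            targets[p.src].add(p.dst)
    sweepers = sorted(s for s, d in targets.items() if len(d) >= sweep_threshold)
    singletons = sorted(s for s, d in targets.items() if len(d) < sweep_threshold)
    return {"by_category": dict(by_category), "by_service": by_service,
            "sweepers": sweepers, "singletons": singletons}


def per_source_filter(packets, limit: int = 5) -> list:
    """Load-shedding filter: a sweep hits every address in the block, so after the
    first few packets per (source, category, service) the rest add no new information."""
    seen = Counter()
    kept = []
    for p in packets:
        key = (p.src, category(p), service_port(p))
        if seen[key] < limit:
            kept.append(p)
        seen[key] += 1
    return kept


if __name__ == "__main__":
    summary = characterize(SAMPLE)
    print("by category:", summary["by_category"])
    for (cat, proto, port), n in summary["by_service"].most_common(5):
        print(f"  {cat:12s} {proto}/{port:<5d} {n} packets")
    print("sweeping sources:", summary["sweepers"])
    print("one-off sources:", summary["singletons"])
    print(f"filter kept {len(per_source_filter(SAMPLE))} of {len(SAMPLE)} packets")
```

The point of the per-source filter is the one the abstract makes: the interesting information in a darknet is the first few packets from each sender, so a monitor that has to respond to probes can drop the long tail of a sweep without losing the breakdown. Note that the breadth measure (how many dark addresses a source touched) has to be computed on the unfiltered stream, which is why the example keeps the two steps separate.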
Today's Internet intrusion detection systems (IDSes) monitor edge networks' DMZs to identify and/or filter malicious flows. While an IDS helps protect the hosts on its local edge network from compromise and denial of service, it cannot alone effectively intervene to halt and reverse the spreading of novel Internet worms. Generation of the worm signatures required by an IDS--the byte patterns sought in monitored traffic to identify worms--today entails non-trivial human labor, and thus significant delay: as network operators detect anomalous behavior, they communicate with one another and manually study packet traces to produce a worm signature. Yet intervention must occur early in an epidemic to halt a worm's spread. In this paper, we describe Autograph, a system that automatically generates signatures for novel Internet worms that propagate using TCP transport. Autograph generates signatures by analyzing the prevalence of portions of flow payloads, and thus uses no knowledge of protocol semantics above the TCP level. It is designed to produce signatures that exhibit high sensitivity (high true positives) and high specificity (low false positives); our evaluation of the system on real DMZ traces validates that it achieves these goals. We extend Autograph to share port scan reports among distributed monitor instances, and using trace-driven simulation, demonstrate the value of this technique in speeding the generation of signatures for novel worms. Our results elucidate the fundamental trade-off between early generation of signatures for novel worms and the specificity of these generated signatures.
source: Autograph: Toward Automated, Distributed Worm Signature Detection, Hyang-Ah Kim and Brad Karp.
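The core idea in that abstract, generating a signature purely from how prevalent pieces of payload are across suspicious flows with no knowledge of the protocol above TCP, is easy to see in a few dozen lines. The following is an added example of mine, not Autograph's code: the suspicious and benign HTTP flows are constructed, the "worm" bytes are made-up filler standing in for exploit code, a short blake2b digest stands in for the Rabin rolling fingerprint a real partitioner would use, and short blocks are filtered out as signature candidates instead of bounding block sizes during partitioning as Autograph's content-based payload partitioning does. The `min_fraction` parameter is where the trade-off the abstract closes with shows up.

```python
import hashlib
import math
from collections import Counter

# Constructed bytes standing in for the part of a worm's payload that is the
# same in every copy (exploit code, decoder, commands). Made up for this example.
WORM_INVARIANT = (
    b"q8Zt3LxV0nRb7Ky2WcJ4mPf9Hs6DgA1Ue5YiBo0TrXl3ZvNq8MwEj2GkSd7CpF4hIa9RuLy1"
    b"Vt6BnWz0Xe3KqHr8JcPm5YdLs2GfUa7ZiTo4NxEb9RkWq1MvCj6HpSl0DyFg3KtXa8ZuIr5B"
    b"m2WnQe7LkTj4HsYv9CpRb1XzGf6UdNo3MaKi8EwZq5VtBl0JxHr7PcSy2DgTf4KuLm9QnWe1"
    b"Za3XbRk6CvJp0HyNt8MqGd5EwSf2UiBo7LxKr4ZmTj9VcWe1PaHn6YsQg3DkFu0RlXi8Nv5T"
    b"Hk5RmPw2XcGv9LqZn4BsTe7YdJf0UaNi3KoWb8MxCr6QgSl1ZtHu5DyEp9VjAe2FnKw4TbXc"
    b"Gq7LsZm0PdRv3WyHk8NaJt6CxUe1BfMi5YoKg9SwQz2LrTn4DhVb7EpXj0AuCm3ZkNs8FgRy"
)

# Constructed "suspicious" flows (e.g. from sources that also port-scanned us):
# the invariant sits at a different offset in each, behind a varying request
# and ahead of varying trailing bytes.
SUSPICIOUS = [
    b"GET /index.html HTTP/1.0\r\nHost: 192.0.2.10\r\n\r\n" + WORM_INVARIANT + b"AAAA",
    b"GET /default.htm HTTP/1.0\r\nHost: 192.0.2.57\r\n\r\n" + WORM_INVARIANT + b"BBBBBBB",
    b"GET /a.html HTTP/1.0\r\nHost: 192.0.2.99\r\n\r\n" + WORM_INVARIANT + b"CC",
    b"GET /x/y.html HTTP/1.0\r\nHost: 192.0.2.3\r\n\r\n" + WORM_INVARIANT + b"D" * 12,
    b"GET / HTTP/1.0\r\nHost: 192.0.2.200\r\n\r\n" + WORM_INVARIANT + b"EEEEE",
]
# Constructed benign flows, deliberately sharing request lines with the worm
# flows so that header fragments cannot survive as signatures.
BENIGN = [
    b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: 192.0.2.10\r\nContent-Length: 33\r\n\r\nuser=alice&password=correct+horse",
    b"GET /default.htm HTTP/1.0\r\nHost: 192.0.2.57\r\n\r\n",
    b"GET /a.html HTTP/1.0\r\nHost: 192.0.2.99\r\nAccept: */*\r\n\r\n",
    b"GET / HTTP/1.0\r\nHost: 192.0.2.200\r\n\r\n",
]


def fingerprint(window: bytes) -> int:
    """Fingerprint of a small window of bytes. A real partitioner uses a Rabin
    rolling fingerprint so each step costs O(1); a short hash is used here for brevity."""
    return int.from_bytes(hashlib.blake2b(window, digest_size=4).digest(), "big")


def content_blocks(payload: bytes, window: int = 8, avg_block: int = 16) -> list:
    """Content-based payload partitioning. A block ends wherever the fingerprint of
    the trailing `window` bytes is 0 mod `avg_block`, so boundaries depend only on
    the bytes themselves: the same content yields the same blocks no matter where
    in the flow it sits or what precedes it."""
    blocks, start = [], 0
    for i in range(window - 1, len(payload)):
        if fingerprint(payload[i - window + 1:i + 1]) % avg_block == 0:
            blocks.append(payload[start:i + 1])
            start = i + 1
    if start < len(payload):
        blocks.append(payload[start:])      # trailing partial block
    return blocks


def generate_signatures(suspicious, benign, min_fraction=0.6, min_len=12):
    """Rank blocks by how many suspicious flows contain them (prevalence), keep
    those above a threshold, then discard any that also occur in benign traffic.
    `min_fraction` is the sensitivity/specificity knob: lower it and signatures
    appear earlier in an outbreak but are more likely to be coincidental."""
    prevalence = Counter()
    for flow in suspicious:
        for block in set(content_blocks(flow)):   # count a block once per flow
            if len(block) >= min_len:              # tiny blocks match everything
                prevalence[block] += 1
    needed = math.ceil(min_fraction * len(suspicious))
    candidates = [(b, n) for b, n in prevalence.items() if n >= needed]
    signatures = [(b, n) for b, n in candidates if not any(b in f for f in benign)]
    signatures.sort(key=lambda bn: (-bn[1], -len(bn[0]), bn[0]))
    return signatures


def coverage(signatures, flows) -> float:
    """Fraction of flows matched by at least one signature: sensitivity when run
    over the suspicious pool, false-positive rate when run over a benign pool."""
    if not flows:
        return 0.0
    return sum(any(sig in f for sig, _ in signatures) for f in flows) / len(flows)


if __name__ == "__main__":
    sigs = generate_signatures(SUSPICIOUS, BENIGN)
    for block, n in sigs[:3]:
        print(f"{n}/{len(SUSPICIOUS)} flows: {block!r}")
    print("sensitivity:", coverage(sigs, SUSPICIOUS), "false positives:", coverage(sigs, BENIGN))
```

Two things worth noticing when running it: header fragments such as the request line are prevalent across the worm flows too, and only the benign-pool check removes them, which is why the specificity of a prevalence-derived signature depends on how representative that benign pool is; and raising `min_fraction` towards 1.0 can only shrink the signature set, so waiting for more infected flows buys specificity at the cost of the early detection the abstract says an outbreak demands.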
in a nutshell, this is getting to be a crowded space with lots of promise.
June 2, 2004 in papers
Comments
First post!
Posted by: Anonymous Coward | Jun 4, 2004 9:37:03 AM
another project to look at http://www.cymru.com/Darknet/ , plus get to know lots of tcp/ip and flow-data tools out there.
Posted by: myhosus | Jun 7, 2004 6:19:18 AM
Hi,
I am in desperate need of help, and who better to ask than the people who talk about it the most. I have a project where I have to research 4 papers about Distributed Worm Signature Detection. I found a few articles but they were already taken.
These were already read and summarized:
1. Autograph: Toward Automated, Distributed Worm Signature Detection
2. Low level network attack recognition
3. Efficient Batch signature generation using tree structure
4. Anomalous Payload-based Worm Detection and Signature Generation
I was wondering if there are any other academic papers or white papers you guys know about regarding this topic; I need 2 academic papers and 2 white papers. Please help me; I know I am asking for too much and I am not contributing, but I don't know who else to ask for help.
I will really appreciate any feedback from you guys!!!
Thanks
:)
Manesh Saini
Posted by: Manesh Saini | Dec 17, 2005 3:22:54 PM