The Case for Using Layered Defenses to Stop Worms

The US NSA is getting into the worm space some more with a decent-sized paper on the subject.

For this paper, we studied current worm strategies and implementations and tried to determine whether the trends point to a significant worsening of the problem in the near future. Are worm technologies improving? Are worm attacks becoming more sophisticated? We were also interested in defensive technologies that can be used to combat the worm problem. Where are defensive technologies best applied? Should other technologies be developed to help defend against the worm problem? Ultimately, we would like to know whether a sophisticated attack can be prevented – could current defensive mechanisms be used to defend against future sophisticated attacks?

Source: The Case for Using Layered Defenses to Stop Worms, David J. Albanese, Michael J. Wiacek, Christopher M. Salter, Jeffrey A. Six, National Security Agency.

The paper is interesting, and in some places it's a bit wrong, but overall it's quite a useful piece, although a bit dated in places. Table 7, "Summary of Case Study Results", for example, shows that filesystem and registry integrity checking tools would have been a useful defense against SQLSlammer, yet widespread analysis of it suggests otherwise. Perhaps I need to redo my analysis. Also, while they cite J. Nazario, J. Anderson, R. Wash, C. Connelly, “The Future of Internet Worms” (2001), they didn't cite my book, in which I fix some errors from the paper and clarify a few issues. Nor did they examine significantly more bodies of research on classification and analysis that are available, nor tools. This paper seems a bit out of sync with the current reality in places.

November 8, 2004 in papers | Permalink