Worm Detection, Early Warning and Response Based on Local Victim Information
Worm detection systems have traditionally focused on global strategies and required a large network, say 2^20 nodes. The value of this approach is clear; however, worm detection techniques for smaller local networks have not been fully explored. In the absence of a global worm detection system, we examine the effectiveness of local worm detection and response strategies.
This paper makes three contributions: (1) We propose a simple two-phase local worm victim detection algorithm, DSC (Destination-Source Correlation), based on worm behavior in terms of both infection pattern and scanning pattern. DSC can detect zero-day scanning worms with a high detection rate and very low false positive rate. (2) We demonstrate the effectiveness of early worm warning based on local victim information. For example, warning occurs with 0.19% infection of all vulnerable hosts on the Internet when using a /12 monitored network. (3) Based on local victim information, we investigate and evaluate the effectiveness of an automatic real-time local response in terms of slowing down global Internet worm propagation. (2) and (3) are general results, not specific to a certain detection algorithm like DSC. We demonstrate (2) and (3) with both analytical models and packet-level network simulator experiments.
Source: Worm Detection, Early Warning and Response Based on Local Victim Information (PDF here), Guofei Gu, Monirul Sharif, Xinzhou Qin, David Dagon, Wenke Lee, and George Riley. To appear at the 20th Annual Computer Security Applications Conference.
These authors have been listed here before for their HoneyStat tool. The DSC algorithm described in this paper is worth studying and evaluating. It's much like a technique I developed, although they are not completely identical. As you may have guessed, I'm partial to things like naive detection systems (which can detect new and emerging threats) and behavioral characterization of the threat as opposed to specific attributes.
In this paper, a few potentially problematic spots creep up. The first is the percentage of the network that must be infected for the worm to be detected. The authors found that a 0.19% infection percentage was required to trigger an alert. For all worms except the least aggressive ones (which won't infect hundreds of thousands of machines), this percentage still represents a large number of systems. Secondly, the DSC algorithm requires that the worm be propagating for it to be detected: the system looks for both sources and destinations growing over time. Thirdly, the rate of spread needs to be sufficiently fast for the algorithm to trigger an alert based on the rate of change of the observations. Finally, if the worm uses multiple vectors to probe hosts and doesn't try any one of them too frequently (i.e., a round-robin infection attempt), the observations will lag behind the worm's spread. These limitations are also noted by the authors: "Clearly, DSC does not aim to detect all types of worms. It is unlikely any one algorithm could detect all manner of malware. Instead, DSC aims to detect scan-based, fast spreading worms. Further, we presume that the infection time for hosts is not very long. In other words, DSC may not effectively detect email worms, very slow scanning worms, or sleeper worms with very slow rates of infection." With these caveats in mind, the premise of DSC, and the findings published by the authors, are interesting and show promise against a major class of worms.
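To make the two phases concrete, here is an added, simplified destination-source correlation detector in Python run over constructed flow records; it is not the authors' code or the paper's exact algorithm. Phase one flags a local host that was first a destination and later a source on the same port towards several hosts; phase two alerts only when the number of such victims grows quickly between windows, which is also why a worm adding one victim per window stays below the threshold. The thresholds `min_fanout`, `window` and `growth`, and the sample hosts and ports, are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    t: int      # seconds since the start of the observation window
    src: str    # source host
    dst: str    # destination host
    dport: int  # destination port

def dsc_victims(flows, min_fanout=3):
    """Phase 1 (destination-source correlation): flag host h on port p once it
    was the *destination* of traffic to p and later becomes the *source* of
    traffic to p towards >= min_fanout distinct hosts (assumed threshold)."""
    first_hit = {}              # (host, port) -> first time contacted on that port
    fanout = defaultdict(set)   # (host, port) -> hosts it later contacted on port
    victims = {}                # (host, port) -> time it was flagged
    for f in sorted(flows, key=lambda f: f.t):
        first_hit.setdefault((f.dst, f.dport), f.t)
        key = (f.src, f.dport)
        if key in first_hit and first_hit[key] < f.t:  # hit first, now scanning
            fanout[key].add(f.dst)
            if len(fanout[key]) >= min_fanout and key not in victims:
                victims[key] = f.t
    return victims

def dsc_alert(victims, window=10, growth=2):
    """Phase 2: alert only if victims per `window` seconds grow by at least
    `growth` from one window to the next (the rate-of-change requirement);
    a slow worm adding one victim per window never trips it."""
    counts = defaultdict(int)
    for t in victims.values():
        counts[t // window] += 1
    return any(counts[b] - counts.get(b - 1, 0) >= growth for b in list(counts))

# Constructed traffic: ext1 infects h1 and h2 on 445, which scan further local
# hosts; the web server receives port-80 traffic but never scans, so it is benign.
SAMPLE_FLOWS = [Flow(*r) for r in [
    (0, "ext1", "h1", 445), (1, "ext1", "h2", 445),
    (2, "h1", "h3", 445), (3, "h1", "h4", 445), (4, "h1", "h5", 445),
    (5, "h2", "h6", 445), (6, "h2", "h7", 445), (7, "h2", "h8", 445),
    (12, "h3", "h9", 445), (13, "h3", "h10", 445), (14, "h3", "h11", 445),
    (12, "h4", "h12", 445), (13, "h4", "h13", 445), (15, "h4", "h14", 445),
    (13, "h5", "h15", 445), (14, "h5", "h16", 445), (16, "h5", "h17", 445),
    (1, "c1", "web", 80), (5, "c2", "web", 80), (9, "c3", "web", 80),
    (2, "web", "db", 3306)]]

def run_demo():
    victims = dsc_victims(SAMPLE_FLOWS)
    return victims, dsc_alert(victims)
```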
December 31, 2004 in papers