
Detecting Mass-Mailing Worm Infected Hosts by Mining DNS Traffic Data

This paper came up in the comments of a recent post. I like it quite a bit, and I'm convinced that in most mass-mailer worm cases, this is an effective solution to detecting them without any signatures.

The Domain Name System (DNS) is a critical infrastructure in the Internet; thus, monitoring its traffic, and protecting DNS from malicious activities are important for security in cyberspace. However, it is often difficult to determine whether a DNS query is caused by malicious or normal activity, because information available in DNS traffic is limited.

We focus on the activities of mass-mailing worms and propose a method to detect hosts infected by mass-mailing worms by mining DNS traffic data. Our method begins with a small amount of a priori knowledge about a signature query. By assuming that queries sent by most hosts that have sent the signature query of worms have been sent by worm behavior, we detect infected hosts using Bayesian estimation.

We apply our method to DNS traffic data captured at one of the largest commercial Internet Service Providers in Japan, and the experimental result indicates that an 89% reduction of mail exchange queries can be achieved with the method.

Source: Detecting Mass-Mailing Worm Infected Hosts by Mining DNS Traffic Data, Keisuke Ishibashi, Tsuyoshi Toyono, Katsuyasu Toyama, Masahiro Ishino, Haruhiko Ohshima, and Ichiro Mizukoshi.
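A worked illustration of the scoring the abstract sketches, added here and not code from the paper: a constructed DNS log (all clients and query names are made up), a hypothetical signature query standing in for the a priori knowledge, and a naive-Bayes posterior per host built on the assumption that the other queries of signature senders are worm-driven. The add-one smoothing and the seed share used as prior are my choices rather than the paper's; the last function measures the MX-query reduction the abstract reports as its headline number.

```python
import math
from collections import defaultdict

# Constructed DNS query log, one "client qname qtype" per line; not the paper's data.
LOG = """\
10.0.0.1 worm-signature.example A
10.0.0.1 mx.alpha.example MX
10.0.0.1 mx.beta.example MX
10.0.0.1 mx.gamma.example MX
10.0.0.2 worm-signature.example A
10.0.0.2 mx.beta.example MX
10.0.0.2 mx.gamma.example MX
10.0.0.3 mx.alpha.example MX
10.0.0.3 mx.beta.example MX
10.0.0.3 mx.gamma.example MX
10.0.0.4 www.news.example A
10.0.0.4 mx.corp.example MX""".splitlines()
SIGNATURE = ("worm-signature.example", "A")  # hypothetical signature query: the a priori knowledge

def queries_by_host(lines):
    """Distinct (qname, qtype) pairs sent by each client."""
    by_host = defaultdict(set)
    for line in lines:
        client, qname, qtype = line.split()
        by_host[client].add((qname, qtype))
    return dict(by_host)

def likelihood_ratios(by_host, signature=SIGNATURE):
    """P(q|worm)/P(q|clean) for every non-signature query q, taking signature senders as
    worm-driven and all other hosts provisionally as clean (the paper's working assumption)."""
    worm = {h for h, qs in by_host.items() if signature in qs}
    clean = set(by_host) - worm
    def smoothed(q, group):  # add-one smoothed share of the group that sent q
        return (sum(q in by_host[h] for h in group) + 1) / (len(group) + 2)
    return {q: smoothed(q, worm) / smoothed(q, clean)
            for qs in by_host.values() for q in qs if q != signature}

def infection_posterior(by_host, ratios, signature=SIGNATURE):
    """Naive-Bayes P(infected | host's queries); the prior is the share of signature senders."""
    prior = sum(signature in qs for qs in by_host.values()) / len(by_host)
    prior_logit = math.log(prior / (1 - prior))
    return {h: 1 / (1 + math.exp(-(prior_logit + sum(math.log(ratios[q]) for q in qs if q != signature))))
            for h, qs in by_host.items()}

def mx_reduction(by_host, flagged):
    """Share of MX queries that disappear if queries from flagged hosts are dropped."""
    mx = [h for h, qs in by_host.items() for q in qs if q[1] == "MX"]
    return sum(h in flagged for h in mx) / len(mx)
```

On this log, 10.0.0.3 never sends the signature query but is flagged because its MX queries match those of the two seed hosts, while 10.0.0.4 stays well below the 0.5 cut-off.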

March 16, 2006

A Topologically-Aware Worm Propagation Model for Wireless Sensor Networks

Another paper from Khayam; this one is from the year before and covers some similar ground, namely worms in a wireless network.

Internet worms have repeatedly revealed the susceptibility of network hosts to malicious intrusions. Recent studies have proposed to employ the underlying principles of worm propagation to disseminate security-critical information in a network. Wireless sensor networks can benefit from a thorough understanding of worm propagation over sensor networks to defend from worms and to efficiently disseminate security-critical information. In this paper, we develop a topologically-aware worm propagation model (TWPM) for wireless sensor networks. In addition to simultaneously capturing both time and space propagation dynamics, the TWPM also incorporates physical, MAC and network layer considerations of practical sensor networks. Simulation results show that the proposed model follows actual propagation dynamics quite closely.

Source: "A Topologically-Aware Worm Propagation Model for Wireless Sensor Networks," Syed A. Khayam and Hayder Radha, IEEE ICDCS International Workshop on Security in Distributed Computing Systems (SDCS), June 2005.

March 15, 2006 in modeling, papers

Updated Microsoft Malicious Software Removal Tool (March, 2006)

Microsoft has updated their malware removal tool. This is a tool that runs at Windows Update time and can also be downloaded and run on-demand. It is not a continual defense, unlike most AV products. Updates for March, 2006, include:

Source: Malicious Software Removal Tool, updated March 14, 2006.

March 14, 2006 in Bagle, Blaster, defense, microsoft, sasser, tools, witty, Zotob

An Inside Look at Botnets

This is one of the better and more complete overviews of the botnet problem available today. Not surprisingly, it's from a noted security researcher.

The continued growth and diversification of the Internet has been accompanied by an increasing prevalence of attacks and intrusions. It can be argued, however, that a significant change in motivation for malicious activity has taken place over the past several years: from vandalism and recognition in the hacker community, to attacks and intrusions for financial gain. This shift has been marked by a growing sophistication in the tools and methods used to conduct attacks, thereby escalating the network security arms race.

Our thesis is that the reactive methods for network security that are predominant today are ultimately insufficient and that more proactive methods are required. One such approach is to develop a foundational understanding of the mechanisms employed by malicious software (malware), which is often readily available in source form on the Internet. While it is well known that large IT security companies maintain detailed databases of this information, these are not openly available and we are not aware of any such open repository. In this paper we begin the process of codifying the capabilities of malware by dissecting four widely-used Internet Relay Chat (IRC) botnet codebases. Each codebase is classified along seven key dimensions including botnet control mechanisms, host control mechanisms, propagation mechanisms, exploits, delivery mechanisms, obfuscation and deception mechanisms. Our study reveals the complexity of botnet software, and we discuss implications for defense strategies based on our analysis.

Source: An Inside Look at Botnets, Paul Barford and Vinod Yegneswaran. To appear in Series: Advances in Information Security, Springer, 2006.

March 13, 2006 in new trends, papers

Using Signal Processing Techniques to Model Worm Propagation over Wireless Sensor Networks

Another neat paper that looks at worm propagation in a non-traditional network medium. The constraints found in such networks are offset by the opportunities they provide for long-distance travel. This is increasingly important with PDA-based malware.
In this article, we define worm propagation characteristics that are specific to sensor networks. We parameterize the effects of physical channel conditions, medium access control (MAC) layer contention, network layer routing, and transport layer protocol on worm propagation in sensor networks. These parameters are incorporated in the TWPM, which borrows its basic formulation from models of epidemic diseases. The advanced model parameters and the mathematical treatment following the formulation are then developed specifically for sensor networks. The basic model formulation results in a partial differential equation, which is solved in the frequency domain to yield a closed-form solution for the TWPM. It is shown that in the spatial domain the TWPM spread function is low-pass filtered by a two-dimensional (2-D) isotropic Gaussian filter, thereby providing an intuitive feel for the dependence of the model on its underlying (physical, MAC, and network layer) parameters. For performance evaluation, we simulate the spread of a worm over a sensor network. The simulated and TWPM-predicted worm propagation dynamics are then compared to evaluate the accuracy of the model. We show that the TWPM predicts the worm propagation dynamics very accurately.

Source: "Using Signal Processing Techniques to Model Worm Propagation over Wireless Sensor Networks," Syed A. Khayam and Hayder Radha, IEEE Signal Processing Magazine, vol. 23, no. 2, pp. 164-169, March 2006.

March 12, 2006 in modeling, papers

An Improved Worm Mitigation Model for Evaluating the Spread of Aggressive Network Worms

This is a short paper, but if you're interested in the math behind epidemiological modeling of worm outbreaks, this one should be interesting to you.

An enhancement to existing epidemiological worm models is proposed which is used to simulate the spread of aggressive worms within computer networks. The proposed model presents worm propagation dynamics in five state transitions in a finite state machine model. The results obtained from the simulation are used to compare the dependability of previous worm quarantine models.

Source: An Improved Worm Mitigation Model for Evaluating the Spread of Aggressive Network Worms, C. Onwubiko, A. P. Lenaghan and L. Hebbes.

March 4, 2006 in modeling, papers

Entropy Based Worm and Anomaly Detection in Fast IP Networks

An interesting approach to the problem of detecting worm outbreaks using scalable, wide-view network monitoring tools (like NetFlow from border routers). This approach relies on the fact that for any given sliding time window, the traffic seen in that time period will be very self-similar. Because of this, it will compress reasonably well, being highly redundant in nature and all. However, when a large change occurs, like a worm outbreak, the pattern will change, and you can detect this as a change in entropy. While this pinpoints that something happened, it has a bit to go to actually being useful. It's not sufficient to just say "the network has changed"; you need to show the operator what changed.

Detecting massive network events like worm outbreaks in fast IP networks, such as Internet backbones, is hard. One problem is that the amount of traffic data does not allow real-time analysis of details. Another problem is that the specific characteristics of these events are not known in advance. There is a need for analysis methods that are real-time capable and can handle large amounts of traffic data. We have developed an entropy-based approach that determines and reports entropy contents of traffic parameters such as IP addresses. Changes in the entropy content indicate a massive network event. We give analyses on two Internet worms as proof-of-concept. While our primary focus is detection of fast worms, our approach should also be able to detect other network events. We discuss implementation alternatives and give benchmark results. We also show that our approach scales very well.

Source: Entropy Based Worm and Anomaly Detection in Fast IP Networks, Arno Wagner, Bernhard Plattner, both from the Swiss Federal Institute of Technology Zurich.
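An added example, not the paper's code, of the window-by-window entropy check and of the post's closing point that the operator must be shown what changed. It uses constructed flow records (every address and port is made up), exact Shannon entropy per field per window rather than the compression-based estimate the post alludes to, a 0.5-bit shift threshold chosen for this data, and an alert that names either the values never seen in earlier windows (entropy rose) or the value that now dominates (entropy fell).

```python
import math
from collections import Counter

FIELDS = {"src": 1, "dst": 2, "dport": 3}  # column index in a (ts, src, dst, dport) record

def make_flows():
    """Constructed flow records, not the paper's data: three windows of routine
    traffic (four clients, three servers, ports 80/443), then a fourth window in
    which one extra host also touches eight previously unseen hosts on one port."""
    clients = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
    servers = ["192.0.2.10", "192.0.2.20", "192.0.2.30"]
    flows = [(w * 60 + i, clients[i % 4], servers[i % 3], 443 if i % 2 else 80)
             for w in range(4) for i in range(12)]
    flows += [(3 * 60 + 30 + k, "10.0.0.9", f"198.51.100.{k}", 445) for k in range(1, 9)]
    return flows

def entropy(values):
    """Shannon entropy (bits) of the empirical distribution of the listed values."""
    counts, n = Counter(values), len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def windows(flows, width=60):
    """Split records into consecutive time windows of `width` seconds."""
    by_window = {}
    for rec in flows:
        by_window.setdefault(rec[0] // width, []).append(rec)
    return [by_window[k] for k in sorted(by_window)]

def detect(flows, threshold=0.5):
    """Flag a window when a field's entropy moves more than `threshold` bits from the
    mean of earlier windows, and say what changed: the values never seen before when
    entropy rose, or the value that now dominates when it fell."""
    alerts, history, seen = [], {f: [] for f in FIELDS}, {f: set() for f in FIELDS}
    for idx, win in enumerate(windows(flows)):
        for name, col in FIELDS.items():
            values = [str(rec[col]) for rec in win]
            h = entropy(values)
            if history[name]:
                baseline = sum(history[name]) / len(history[name])
                if h - baseline > threshold:
                    alerts.append((idx, name, round(h, 2), "new values", sorted(set(values) - seen[name])))
                elif baseline - h > threshold:
                    alerts.append((idx, name, round(h, 2), "dominant value", Counter(values).most_common(1)[0][0]))
            history[name].append(h)
            seen[name].update(values)
    return alerts

if __name__ == "__main__":
    for idx, field, h, kind, detail in detect(make_flows()):
        print(f"window {idx}: {field} entropy now {h} bits; {kind}: {detail}")
```

On the constructed data the source-address entropy barely moves, so the scan surfaces through the destination and port fields, and the alert lists the eight new destinations and the new port rather than only reporting a shift.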

March 3, 2006 in detection, papers