Worms: Taxonomy and Detection

More slides ... fitting, given that I'm at VBCon.

I like this slide deck, Worms: Taxonomy and Detection by Mark Shaneck (PPT, 2004), because it's a clean, well-organized summary of the problem space. It also introduces the use of the Kalman filter and Hidden Markov Models for detecting worms, not something you see very often.


Happy Friday the 13th, by the way.

October 13, 2006 in detection, slides

Recent Internet Worms: Who are the Victims, and How Good are We at Getting the Word Out?

This slide deck covers some interesting ground from 2001, looking at Code Red and Nimda as well as vulnerable host populations. It marries up the two data sets to show that worm infections are spread disproportionately around the world. You can view the slides from that talk, Recent Internet Worms: Who are the Victims, and How Good are We at Getting the Word Out?, given by David Moore at a NANOG event in October 2001.

October 11, 2006 in slides

Early DoS and Worms

This slide deck from Ben Wilde mixes worm data from various papers, botnets, and DDoS tools in one place. A bit of a mishmash, but it's some interesting data gathered together. Early DoS and Worms, Ben Wilde, from a slide deck dated 7 February 2005 for Comp 290 – Network Intrusion Detection.

October 10, 2006 in slides

Experiences With Internet Traffic Measurement and Analysis

Most of this worm data isn't new to regular readers of Wormblog. If you've seen much of Vern Paxson's work, or that of his colleagues at CAIDA, then you're familiar with much of the data. However, this slide deck puts the worm data alongside Internet-scale measurement data of normal Internet traffic, not something you see often. A neat set of slides. From: Experiences With Internet Traffic Measurement and Analysis [PPT], a slide deck by Vern Paxson.

September 27, 2006 in modeling, slides

Collaborative Online Passive Monitoring for Internet Quarantine

Similar to yesterday's paper on collaborative host-based worm detection, here's another approach in which hosts communicate to determine whether a worm is on the loose. The idea is simple: if more than one or two trustworthy hosts begin acting oddly, they compare notes and check whether their anomalies are similar. If the anomalies start to match a wormy pattern, voilà, a worm is loose. You can read about this in Collaborative Online Passive Monitoring for Internet Quarantine, from a slide deck by Weidong Cui from 2004.
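To make the "compare notes" step concrete, here is an added example (my own sketch, not code from Cui's slides) of a coordinator that correlates per-host anomaly reports. The report format, the fan-out bucketing and the trust weights are all assumptions; the point is that a single noisy or untrusted monitor cannot trigger quarantine on its own, while several trusted monitors seeing the same pattern can.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed report format (an assumption, not the format from the slides):
# each monitor summarises an odd behaviour it saw locally as a fingerprint
# (protocol, destination port, number of distinct destinations in the window).

@dataclass(frozen=True)
class Report:
    host: str        # reporting monitor
    proto: str       # "tcp" or "udp"
    dport: int       # destination port the host is suddenly talking to
    fanout: int      # distinct destinations contacted in the window

def fingerprint(r: Report) -> tuple:
    """Coarsen a report so independently infected hosts compare equal."""
    bucket = 1 << max(r.fanout, 1).bit_length()   # bucket fan-out by power-of-two magnitude
    return (r.proto, r.dport, bucket)

def correlate(reports, trust, min_hosts=3, min_trust=2.0):
    """Group reports by fingerprint; alarm when enough distinct, trusted hosts agree.

    trust maps host -> weight in [0, 1]; untrusted hosts (weight 0) are ignored so one
    compromised or noisy monitor cannot trigger quarantine on its own.
    """
    seen = defaultdict(dict)   # fingerprint -> {host: weight}
    for r in reports:
        w = trust.get(r.host, 0.0)
        if w > 0:
            seen[fingerprint(r)][r.host] = w
    alarms = []
    for fp, hosts in seen.items():
        if len(hosts) >= min_hosts and sum(hosts.values()) >= min_trust:
            alarms.append({"fingerprint": fp, "hosts": sorted(hosts)})
    return alarms

# Constructed sample: three trusted hosts plus an untrusted one all start
# fanning out on tcp/445; a fourth trusted host is doing an unrelated backup.
TRUST = {"h1": 0.9, "h2": 0.8, "h3": 0.7, "h4": 0.9, "rogue": 0.0}
REPORTS = [
    Report("h1", "tcp", 445, 90), Report("h2", "tcp", 445, 120),
    Report("h3", "tcp", 445, 70), Report("rogue", "tcp", 445, 100),
    Report("h4", "tcp", 873, 3),                     # rsync backup, not a worm
    Report("rogue", "udp", 1434, 5000),              # only one (untrusted) voice
]

if __name__ == "__main__":
    for a in correlate(REPORTS, TRUST):
        print("quarantine candidate:", a)
```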

September 18, 2006 in detection, slides

Review and Analysis of Synthetic Diversity for Breaking Monocultures

This is a pretty large (40 slides, lots of text) slide deck given at WORM04 about software defense mechanisms. Remember, many people think that a large monoculture (i.e., a Microsoft-dominated world) is responsible for the high number of malware outbreaks we see every year. This deck goes over some of the diversity techniques and how they contribute to security. Review and Analysis of Synthetic Diversity for Breaking Monocultures, by James E. Just and Mark W. Cornwell, from a slide deck given at WORM04.

You can see their paper, too.

The increasing monoculture in operating systems and key applications and the enormous expense of N-version programming for custom applications mean that lack of diversity is a fundamental barrier to achieving survivability even for high value systems that can afford hot spares. This monoculture makes flash worms possible. Our analysis of vulnerabilities and exploits identifies key assumptions required to develop successful attacks. We review the literature on synthetic diversity techniques, focusing primarily on those that can be implemented at the executable code level, since this is where we believe there is the most potential to reduce the common mode failure problem in COTS applications. Finally we propose a functional architecture for synthetic diversity at the executable code level that reduces the common mode failure problem in COTS applications by several orders of magnitude.

Source: Review and Analysis of Synthetic Diversity for Breaking Monocultures, by James E. Just, Mark W. Cornwell.

September 11, 2006 in defense, slides

Some Anti-Worm Efforts at Microsoft

A brief slide deck from Helen Wang at Microsoft describing what were then (this is from WORM04) upcoming measures designed to put a dent in the future of worms. It's been a couple of years, and I think that what the folks at Microsoft have done - XP SP2's firewall, non-executable stack, etc - has been partly responsible for the drop in worm outbreak frequency over the past couple of years. Source: Some Anti-Worm Efforts at Microsoft, from a talk given by Helen J. Wang at WORM04.

September 9, 2006 in defense, slides

The Limits of Global Scanning Worm Detectors in the Presence of Background Noise

Finally! A slide deck that looks at the reality of the Internet and shows that many of the worm detection systems we've designed assume a perfect Internet with no background noise. From the slide deck: "As noise level in Internet continue to increase, these systems will become less and less effective." Source: The Limits of Global Scanning Worm Detectors in the Presence of Background Noise, David W. Richardson, Steven D. Gribble, Edward D. Lazowska.
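The slide's claim can be illustrated with a small model; this is an added example of my own, not the analysis from Richardson, Gribble and Lazowska's deck. It assumes a detector that counts distinct scanning sources per interval at a network telescope, Poisson-like background scanners, and a threshold set a few standard deviations above the noise mean so quiet days stay quiet; the worm population grows geometrically and only a fraction of it is visible. The larger the noise, the higher the threshold has to be, and the more hosts are already infected by the time the alarm fires.

```python
import math

def alarm_threshold(noise_mean: float, k: float = 4.0) -> float:
    """Count threshold that keeps quiet-day false alarms rare.

    Background scanners are modelled as Poisson with the given mean per interval
    (an assumption); an alarm fires when the count exceeds mean + k standard deviations.
    """
    return noise_mean + k * math.sqrt(noise_mean)

def detection_delay(noise_mean, k=4.0, i0=10, growth=0.5, visible=0.01, max_t=200):
    """Intervals until a spreading worm lifts the expected scan count over the threshold.

    i0 hosts are infected at t=0 and the population grows by `growth` per interval;
    the telescope sees a fraction `visible` of infected hosts as distinct sources.
    Returns (interval, infected_population) at detection, or (None, None) if never.
    """
    threshold = alarm_threshold(noise_mean, k)
    infected = float(i0)
    for t in range(max_t + 1):
        expected_count = noise_mean + visible * infected
        if expected_count > threshold:
            return t, infected
        infected *= 1.0 + growth
    return None, None

if __name__ == "__main__":
    # Constructed noise levels: a clean telescope, a typical one, a very noisy one.
    for noise in (0, 100, 10_000):
        t, pop = detection_delay(noise)
        print(f"noise={noise:>6} scanners/interval -> alarm after {t:>2} intervals, "
              f"{pop:,.0f} hosts already infected")
```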

September 3, 2006 in detection, modeling, slides

Botnets

I met Randy years ago at a SANS event. He had been key in several UNISOG-related events, as I recall, and always got things done. This is no different: he's put together a slide deck that gives you a great background on the bulk of today's botnets. Please download and look at Botnets by Randy Marchany (PPT slide deck).

February 17, 2006 in slides

The Creation of a Botnet Tracking Web Application

A slide deck on tracking botnets (which is what I've been up to a lot lately) and an application to help do that. While it's not complete, it does give you an idea of what people are doing to manage this scale of information and the degree of response they're giving it. In The Creation of a Botnet Tracking Web Application (a PowerPoint slide deck from the ORAC meeting) by Micah Hoffman from the US CERT, you get an idea of what kind of data goes into such a system. While it's light on the details of detecting a botnet and focuses instead on the remediation side of their involvement, it looks neat.

February 16, 2006 in slides