
82 CHAPTER 4 Evolution of Widely Spreading Worms and Countermeasures

system size increases (an increase in m or u or both), E_s(i) and M_s(i) increase. The total number of infected hosts M(i) consequently increases, resulting in rapid worm propagation.

Following a similar analysis, we can also derive the analytical results for the performance of worm propagation over the social network topology. We can recursively derive the number of newly infected computers in the social network by considering the topology degree of a computer and the probability of the computer being infected by its social neighbors. Due to space limitations, we do not show the detailed epidemic analysis here.

4.4. DEFENSE AGAINST INITIAL ATTACKS

In the above section, we addressed the strategies of the worm propagator, which exploits the knowledge of vulnerable computers in cyber space while no defensive countermeasure is present. In this section, we consider the second step in the initial interaction cycle, which concerns the design of the defensive countermeasures to counteract the worms introduced in the last section. As we mentioned in Section 4.2, the defender needs to determine its detection and reaction strategies, which are addressed below.

4.4.1. Detection Strategy

The fundamental task of worm detection is to utilize the knowledge of worm propagation to distinguish worm propagation from normal network traffic. Such identification can be done in different ways, including the traffic payload signature, target IP address occupancy, and traffic patterns. We discuss these methods in detail below.

Traffic Payload Signature-Based Strategy. The basic observation behind the traffic payload-based strategy is that all worm-infected computers generate attack traffic with a similar payload signature (i.e., the same malicious program code to conduct infection). Based on this observation, the defender analyzes the byte stream in the payload of sampled traffic and determines whether a worm is propagating in cyber space. Earlybird [40], as one representative method using the traffic payload signature-based strategy, developed a system for fast detection of both known and unknown worms and automated extraction of unique content signatures. To be specific, it is based on two key observations. The first is that a worm propagates itself through the network and some portion of the content in worms is invariant. The second is that invariant strings recurring within packets from many sources to many destinations do not happen in normal network operation. Hence, by sifting through network traffic to examine content strings that are both frequent and widely dispersed, it is possible to automatically identify new worms and extract their signatures. Nevertheless, sifting traffic content to examine invariant worm payload signatures is technically challenging because monitoring, counting, and analyzing such invariant string signatures over the network are very expensive due to the large volume of traffic over cyber space. To address this issue, Earlybird developed an efficient algorithm that scales to analyze the network traffic for prevalent and widely dispersed invariant content strings. Their deployed system demonstrated that it could automatically extract the signatures for all known worms (e.g., Code-Red, Slammer), along with other worms (e.g., Blaster, My-Doom, and Kibuv.B) even earlier than other detection systems in the world.

Target IP Address Occupancy-Based Strategy. The basic observation behind the target IP address occupancy-based strategy is that a worm has no knowledge of whether an IP address in cyber space is actually occupied by a computer or a defender. Based on this observation, the target IP address occupancy-based strategy monitors irregular scans to void IP addresses. Since void IP addresses are not used for normal network services, any scan or connection attempt to these addresses is more likely to be from malicious entities. Some examples of this strategy include honeypots and threat monitors [41, 42], both of
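As an added example, which is not code from the book or from the Earlybird project, the following Python script implements the two detection strategies described in this section, content sifting (prevalent and widely dispersed payload substrings) and target IP address occupancy (connection attempts to void addresses), over a constructed packet trace. The packet layout, the substring window, the thresholds, and every address and payload in it are assumptions made for illustration; the trace deliberately includes a benign request that is prevalent but goes to a single destination, so that the second Earlybird observation (dispersion across both sources and destinations) is what separates it from the worm body.

```python
"""Added example, not the book's or Earlybird's own code: the two detection
strategies from Section 4.4.1 run over a constructed packet trace.

1. Content sifting (the Earlybird idea): a payload substring becomes a
   candidate worm signature only if it is both prevalent (appears in many
   packets) and widely dispersed (many distinct sources AND many distinct
   destinations). Prevalence alone is not enough: a popular web server
   receives the same request bytes from many clients, but at one address.
2. Target IP address occupancy: connection attempts to addresses that no
   host occupies ("void" addresses) are attributed to scanning, since no
   legitimate service lives there.

Packets, addresses, payloads and thresholds below are all constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Packet(NamedTuple):
    src: str
    dst: str
    payload: bytes


# Constructed traffic: an invariant worm body, a benign HTTP request, and the
# set of addresses that are actually occupied on this (assumed) network.
WORM_BODY = b"CONSTRUCTED-WORM-BODY-0123456789"
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
ALLOCATED: Set[str] = (
    {f"10.0.0.{i}" for i in range(1, 6)}      # client / infected hosts
    | {f"10.0.1.{i}" for i in range(1, 6)}    # victim hosts
    | {"10.0.9.9"}                            # popular web server
)


def build_trace() -> List[Packet]:
    pkts: List[Packet] = []
    # Five clients fetch the same page from one server: prevalent content,
    # many sources, but a single destination -> must NOT be flagged.
    for i in range(1, 6):
        pkts.append(Packet(f"10.0.0.{i}", "10.0.9.9", HTTP_GET))
    # Five infected hosts each attack a different victim with the same body
    # plus a per-target trailer (constructed stand-in for variable bytes).
    for i in range(1, 6):
        pkts.append(Packet(f"10.0.0.{i}", f"10.0.1.{i}", WORM_BODY + bytes([i]) * 4))
    # One infected host also probes three addresses that nobody occupies.
    for last in (200, 201, 202):
        pkts.append(Packet("10.0.0.3", f"10.0.2.{last}", WORM_BODY))
    return pkts


def content_sift(packets: Iterable[Packet], window: int = 8,
                 min_prevalence: int = 3, min_dispersion: int = 3
                 ) -> Dict[bytes, Tuple[int, int, int]]:
    """Return {substring: (packet_count, distinct_srcs, distinct_dsts)} for
    every fixed-length payload substring that exceeds both thresholds.
    Earlybird uses Rabin fingerprints, value sampling and approximate
    counters to make this cheap at line rate; exact sets suffice here."""
    count: Dict[bytes, int] = defaultdict(int)
    srcs: Dict[bytes, Set[str]] = defaultdict(set)
    dsts: Dict[bytes, Set[str]] = defaultdict(set)
    for p in packets:
        seen: Set[bytes] = set()
        for i in range(len(p.payload) - window + 1):
            sig = p.payload[i:i + window]
            if sig in seen:          # count a substring once per packet
                continue
            seen.add(sig)
            count[sig] += 1
            srcs[sig].add(p.src)
            dsts[sig].add(p.dst)
    return {
        sig: (count[sig], len(srcs[sig]), len(dsts[sig]))
        for sig in count
        if count[sig] >= min_prevalence
        and len(srcs[sig]) >= min_dispersion
        and len(dsts[sig]) >= min_dispersion
    }


def void_address_hits(packets: Iterable[Packet], allocated: Set[str],
                      min_void_targets: int = 2) -> Dict[str, List[str]]:
    """Map each source to the sorted list of unoccupied destination addresses
    it contacted, keeping sources that touched at least min_void_targets."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for p in packets:
        if p.dst not in allocated:
            hits[p.src].add(p.dst)
    return {s: sorted(d) for s, d in hits.items() if len(d) >= min_void_targets}


if __name__ == "__main__":
    trace = build_trace()
    for sig, stats in sorted(content_sift(trace).items()):
        print("candidate signature %r: packets=%d srcs=%d dsts=%d" % ((sig,) + stats))
    for src, targets in void_address_hits(trace, ALLOCATED).items():
        print("scanner %s probed void addresses %s" % (src, ", ".join(targets)))
```

On this trace every flagged substring lies inside the constructed worm body, while the HTTP request, although it is seen as often and from as many sources, is never reported because all of its copies go to one destination; the void-address detector independently singles out the one host that probed unoccupied addresses. The two signals complement each other in the way the section describes: content sifting yields a signature that can be used for filtering, and occupancy monitoring catches scanning even before a signature is known.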