Identifier uch.csd.msc//2005akritidis
Title Detection of Zero-Day Worms (original Greek title: Ανίχνευση Πρωτοεμφανιζόμενων Worms)
Alternative Title Detection of Zero-Day Worms
Creator Akritidis, Periklis
Abstract The Internet abounds with computer security threats. Many high-visibility attacks involve network-borne, self-replicating programs called worms. Recent incidents suggest that Internet worms can spread so fast that a timely human-mediated reaction is not possible, and therefore the initial response to an outbreak has to be automated. The first step towards combating new, unknown, so-called zero-day worms is the ability to detect and identify them in the initial stages of their spread. In this work, we explore techniques for detecting zero-day worms. Our starting point is the observation that all worms to this day have exhibited substantial commonality among their instances. Based on this observation, we present a novel method for detecting new worms, called EAR, which identifies similar packet contents directed to multiple destination hosts. We evaluate our method using real traffic traces that contain real worms. Our results suggest that our approach is able to identify novel worms while the rate of generated false alarms is as low as zero percent. However, it is possible for attackers to obfuscate attacks so that no common substring can be used as a characteristic signature. To address this problem, we have designed a new buffer-overflow attack detection heuristic, called STRIDE, that offers three main improvements over previous work: it detects several types of polymorphic attacks that other techniques are blind to, has a lower rate of false positives, and is significantly more computationally efficient, and hence more suitable for use at the network level. Finally, we have integrated these detection techniques into a passive network monitoring application that identifies new worms and extracts signatures in the form of content substrings, destination port numbers, and address blacklists to block the worm at the network level.
Issue date 2005-12-01
Date available 2006-01-23
Collection School/Department -- School of Sciences and Engineering -- Department of Computer Science -- Post-graduate theses
Type of Work Post-graduate theses
