Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Researchers Propose Early Warning System for Worms



 By: Ryan Naraine
2005-04-20
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Focusing on TCP-based worms, university security researchers have invented a system that scans for the signs of an Internet attack.

Researchers at the University of Florida have designed an Internet-worm early warning system that offers a new approach to pinpointing the first sign of a malicious network attack.

Shigang Chen and Sanjay Ranka, professors in the universitys Computer and Information Science and Engineering department, outlined the plumbing for the system in a research paper (here in pdf) that promises a fix for known weaknesses in existing early warning mechanisms.

The paper focuses on TCP-based worms and identifies ways of avoiding false positives by looking at reply traffic from the targets instead of monitoring Syn (synchronization) packets to keep track of half-open connections.

"Our proposal integrates a set of techniques that can automatically detect the concerted scan activity of an ongoing worm attack," Chen explained. In an interview with Ziff Davis Internet News, he said the system monitors a "used" address space and relies on RESET packets to find the scan sources.

"This has greater accuracy and makes the system resilient to antimonitor measures," he added.

The paper does not provide details on how worm propagation warnings would be distributed or how the system would arrange detection of UDP (User Datagram Protocol)-based worms, but Chen argues that the research can be easily expanded to solve those issues.

"Once the system is in place and worm propagation is detected, you can use all kinds of distribution mechanisms to get the alarm out. You can set up subscriptions to distribute the data via e-mail, pagers, newsgroups or any other existing mechanism," he said.

Resource Library:

Chens group has also designed a distributed anti-worm system, described here in pdf, that offers perimeter-based defense against high-bandwidth distributed denial-of-service attacks. That system, Chen said, can be used by ISPs to provide security service to customers.

With the worm early warning system, dubbed WEW, Chen said he believes the "open problem" of thwarting attacks like the destructive Blaster, CodeRed, Nimda and Sasser worms could be minimized.

Read more here about the destructive Sasser worm.

"The problem has not been solved because nobody is detecting worms in time. As weve seen with the big attacks, they were already widespread before the industry could figure out it was a worm attack," Chen said.

Chen and Rankas proposal also includes an antispoof protocol that filters out the false scan sources to identify possible worm-infected hosts. It also proposes the use of a new performance metric, system sensitivity, to capture the responsiveness of an early warning system in reporting an ongoing worm.

In theory, Chen sees the early warning system deployed at the gateway of a large enterprise network to collect samples of Internet scan activities. "The system detected potential worm outbreak by analyzing the pattern of increase in external scan sources and comparing their similarity," the researcher wrote.

"It captures the common signature from those sources in order to assist human analysis or automatically reconfigure a filtering device to block them," he added.

The primary task of Chens worm early warning system is to monitor outbound TCP RESET packets which would indicate failed inbound connection attempts, Chen explained.

To work around the problem of false positives, the paper proposes to filter out false scan sources.

"The goal is to have a system to issue warnings at the very early stages of an attack and to provide information for security analysts to control the damage."

Chen said the system can be deployed locally or codeployed among a group of enterprise networks to provide comprehensive worm-detection capabilities.

Click here to read about Microsofts anti-Blaster worm tool for home users.

Chen said "honeypots" would be used to capture the attack signatures of the scanning hosts, but conceded that the issue of creating signatures was not fully addressed in the proposal.

He likened the need for an Internet-worm early warning system to similar mechanisms that deal with real-life disasters like hurricanes, floods and tornados.

"In the Internet world, the damage may not be loss of lives, but its still very significant," Chen said. "The network worm is still the number one threat in the enterprise. It costs hundreds of millions of dollars every year to fix compromised machines and clean up from a major attack."

"An early warning system gives you some time to take urgent action ahead of worm propagation. Just like with the hurricane warnings, you can learn about the nature of the attack and figure out ways to put defense systems in place before it becomes widespread," he added.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Researchers Propose Early Warning System for Worms
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}r㶲s\@♵M"b{)ْm-/K3ΤN"!1Er=NN~b:?qtMJ%3kLb["h4y$ W7-gL.]sfS;uA@ [!%w> '(+ԯ1mnf]S/ _hoL|Nშ :#:@.Pk< Z57껲54o/ne0S-ڎIQ>)VNմI>ڴ^$)qHˑh] ]( Ѽ/$pm<"Q}# QTz u-C ¿{+߀Cݸ1̷L[좖>'l"R ?q7`BaC%LjZE&> ؗCY͢`F3l˸+:4 HS(G~@?8rދWcm9/NeW4;޾KB(uu7ںsm9k%sruO}qN6nyvtx//;YHMDU%`ZJG4_::~\B^,9DFI?n/nF`)ڑVR]jGF[V@a`%pfQU>gsK߾ڤ>9?O}b9̠VPAf`WKe`=m>_svZ9ސVSCV|BCj`BәcYuZʿ! vLmrO,.iT$VM&!usB ,ߖNdo;Be}U З?7,Y`MImdʩ$|ǺzNԜY*Ư`K7BSI_3^8nZK}0[RF&\ ДQC|dMab&DJH?є=6-`i˫ TY嗋mESu= .+J!b^3E !\J!=! g|8Jn΋|? [˚&YzhNTꂮ2W|{?/1 .Cuƍv"U.۽^ S3G#洋вn 榣V$c~+e_;ڇU95zQnʼnl :2X jXR7HaQ/gtA`::)ҧ>RӚMCqRO#Gs>H2胎6mb8-ƹ" ,70}HOqI4o Q٭lE%_¤< ) zA;=H:]6(Z\?`c VC@B랂9׿ޚB"Qޒҡ4aqj =*~3=w}   @lk 6G~[>l03ţN\JQz[ dSJJd$D!-i]R@Az8 -,rrl++E쎄~ .<BI>ڹLXأXB YX/E_R23#CdɬaX91{MfT`"[/Kᙖ&JlkVNdF E=4!Г޹`|=0Xհݙ2r|=sI$П5+8dp? \y |;pG9#rUϚX 5<9.&B#5_uSҚLq畕eIYiJ~*’ptrKݼ~h";hqNNSНB#D9zQ=YUo)<4^KՕ݋$/gcP. :Rj'~d7Bj^¼ye<4@V`9H^> x# d\46L XbOF=F K~z/, i{qMٕRB|znN Yڇу=:}4̄+ud4 T,q|ݛtZF_`֚ үgJY)jB4P/#[յ /S+wڶOt]QG#X1L.-g @WQR>U\!EX+LT׃REad[s5/g;f}FkwYвJqcJrEmXo{b Sքc'MXtyEWhȈ0A  ~HLbV4> \Rbr>+j*e$T6)5*iMym"P8+%t갢zԘ}Qː 0gted-΀ӅVJjB=9GjZ9Ύ^WYP2:Ś&H_ଯ?p,zm85YoN?+zKݠ?{]+\μ+ '0E<&R$Op2HUϬa>]Ik0g8PzU05ESUG݀Νn/Џ]MtAk?X, ܠYAaiϖ_ZrO-xzVGs-! ,r޽m?Qe~ZYŢ&@u(Dkap?F]S؇Qgm/R=TڞuZu^ߜmhDA`! ѝ;#ؐCKAk1* G8՞oF*ϛ=G$1*@7Z)ɖ~oVɢ ׆gyϤMhR|=y ,>p)7hoj)[z_EnMsU_A#dߊzf![1@j=%9~ܔyeb@m "^i_&c2 s*?}l[31p TMg_;(X17(p[c?֍'~@d _?L= [L4Gzɖ0-0=sK\7a0^nȍGڽv?aIG{EY]T&#UiZe%^萫n%vdi&d9LLgl'P`Q(S&L]8TV<^ۋ953קAHLf@= P3t^iW:.W+y*1a2N$[G*knIG:a/T)wOLIZVڳ$|p`푱Eb{IT"N=yמj-/$x4Hđ ;wkʁnUR'o6*]; sK4G\0B_}Q{)ܗKrvZTKUdPe\X'߾b[D m‚'T&.n_B'7ƒ"'!Z+73,qvëJVqe^-1돻{/ZM}{ EE@Djpف#;?Jn;!)il{՗NχxDŽst'_w{~{uHDyysvޏS ﵲe珅%<4sj|HGV%nZRya}dLR(ɢ]2|ܮcoVL0lg~hy+ @4+~{)\6o:WK'݋ ?wD.:Wm)^{-z0&Լ]'d0| srnD6bW `xѤĢ8bԃcxH/ ^!mBE\7 g |}XhrslP1h4'lC%/ؿ+[Zf·ńB?jNx0(G@RPOh%[#ZEs|Z;3^t}dh!,:Ua2"穔(BS.hDO§,>49S9j6_}AFJN^vZҷoDW蘧Y/tEx[(+x,6dsJ;D{Nbp j_tz`ESrg!F,/D_{"TS8L,ӤN)fTDɖXSaoy0;Fp8ꀒ~*f0BٸEO,,mSs4S3:%Iyc Um$jZ3fj# $_: I"v+VhllAzͫ jSÚmf /.\m6Dr0@u\d( ` q4/@P)V-<(m1a}Xki-jշʫ؉OJ>lj9l0`&(!9/iT*Ա0ktH.]<;;WQ杊uSOF 95C/3re}ۨ+=hGt?wJow{ѧ}y t3VTsb;i6ӱ$BUU+j*ۻAXEVe.tՓN|*<9qg ,F} d3DӼ0hɘAhl7B_7C]`l]sT 7?~PeҰwߵ= =zs.+-R!ykEwWSUsT7&E:%:m֗Fݽ];K !bidOc@/mvc)輳2O a[C؞qaLpX#Pzp~vƔI ic$H)[ M _56DN X W+Oip$|#؈oO_O_[7u򽱢|3̕ u\wךW)&5ş!/1 %]Kh3[QOɨ(^  }"s(u‰KݴC&SˁUmYѡZV;JE+)X$\QH)I0Zh@C“Lg̽')PJ%g)ZtDƫϣg,*gg,jS qt-ճ/tgqX 1uOpdG :Gȓs5MwHIsO}C('"YAJ$Lw=* i;9ݷ<~XBtX7Ǻ#zQ?N<-j۪TӘw o8ԉ2_t޳Zkt!tg!4Cwυv4 haI]_@2,^0pUe"Z'l<9YP eYd$ |aP?!"Kf猓,z4WBBX|#=1˱c,lD ʍmjojfg];b K?#H6y: q ]lNmG+`)a>JTeTu]s{C1pJt?c%>BvX*CD; }֖g^~ z$kes Gʝ!J(l{޷PkMXdnU6ҋ႖w5I8K͡(t LFHeF 6/HdY1֍n 1h\ٟ?59H lG Ir qljv)Bzb ߐ)ʯ'tSnТW&E)t[nNhj,AQ7BY@laFm,D1Sx2X+6jůdp9jq[0|Ɋ! `C0$Gۓ#hlƆbNlH>|x)n,f <KO'>ܛW$QUG9Dk R|*D'` ].ݼw-31 n{Z.YBo>I0׳!Ah^^``5,4` pm9Ns!rQ}Q੯B[,:nO3hˉYH;!D/=5VfJ׾+5d"X˚\j [,۾mh*+ ^EUhFv0}K[,ťU p=AYWSEP>D0,ou2,~a+1;> 8c?Q"?ٟPVô10~jbdFyAx!F%1 M}1P7>4#uT[RSS,Z3njUj9DNE0H ^XB0~4. dR /)_V6TPrDmMEfIȢDD\1]Uub? @utNk-b"K]Ζ1xy[/>Lz'5aL,P;IU6'a|Q&oJ UH+4h $ŸF೚bfچX50^Vz^3vX5Į6XVں6q)y,y -JHP.%$7_wp(b @[_a̷UKphkY\-zrK 惆W&Du#i GY,Tf:9QMҢSF;1CWIе6A\Π{3EF-h>#Թ|A+1߯m9d0؞ʒ2;3GWlfmmYU)7g%Ή0,%Xj Xp,PDa8}G*_[E>^^9`V9H0oY&FxDvŴMh%%MFV(hdti SxcLW<0Մ0t#gfٝ7rY?e=a '[2u?|{yBJ/ZM}{kȚZG t J mkZ mtt MtM"7+ 8$\БߔJuOoS&Ri48>[ Pm̼DGRSz}o 2cb2zXMs׀gאU"a=X 2>nde2WGP56)# p7ڷf\o{~}C@>;C}m0E6wOA?C0,Xv\KƒsH ]\W\AxE; #xtX$l.cbH!̆\oX|J7b7|$rkIC9ҔzUO9PJ Iݹa?Ð3{9Z"UZ1ш@Q->ɹcMNVJE< ,iM YC) \_=)ÚbZŘ!ky 1SӦ{8m<{aCcн\31Faŷ^$l;b21#bH9fH"{+$(bU 7TYPk,(Ϗpk2ꥦH0^df) '.X`YtA9w/5ypoJ2}O0]:1LnԂؚzy 6t(^U=1&Ǯ)nN A1I)t#K/HxzsR^\Xщzo~&Jb+ zob @h),f,ԪRD&uMb.ʟ?0X:k2QqvJV!J`xzA dez߃{@0>6#&Dw`9{C&ǽ5QdzC֒E_en՝nIi}}ӹ31F;f6/ME`9,eiӫe)3C9տ,g2Yx9%Ew8lCwD~Rf}YQJNi21SlnڽOֆC^CVՉt.<&mzfx9n0zIc r!>/'}ҽjIJ/6//r?@_(Y]~NmwS_]9'P~sC3YN>BB㼳*4:r_'\C;9+4>r?C">v˜/sy9\2?/?/se*OP)s)˜r߫ʑ+B9.n~kx:{/>_??Cϫ?}OP)'ߧBm^9mB9_zyʛ9rּƅ)rq/ 苼 Oy射:)?}VQ<_`k9t _r̭L_:'Vz]!,.5PW[k /Y-+ Ǥjuv^_@%KH0e^#(R^>Ȧc 4rk 7[y=>w懴Ix崝#&J2o-7cENZ9.~QFxd\$h{U26#{"Գ1Q$%Y!/ܻGzʉnS>ҟ\2fA<'ԎnOArr mv#}Ra^[xCcMzL˘͛ˌMMu?/{_ۉ G2)ebb;ˈLbTlJx mqg  |L:AÆoޞٕv"n,2Nw1z6cP4ǭa&r4A|Mz4z<8JN)g,#[ P`t{^=F.u/J\șP=wX@>DBeD˪UB` j?5;n%c$Q%w/ɉؼ!gP,#V}~AӟF}q!2a "t@\LcYv1횁WR=!x9 >}r)1-X4hcЁxAIZ-cXn΀`HG/6g6"f>̆I-<6,wb33r 'O5w'S!mc>m=]wtl#ë`iW - ˒'/Հm'"Rl['ZV``5svtIuu= p7cfsH!L&d>[l,)1 {;Kh6VܠUCSr%S$)Vy`_GFb+u B:ɄdX.N`'_CShnYx $w/$VT#cE \3SzA۹&=מ ąl@ f&}#Km^F\gȌQ)x>QcС_456:\.5(L ALH\=oz^DbtΆb'O$uުRRΥJU^mm }c"1b9?"ㅰx?C J2Gd!᳤c9*?{G9>%^Πo'b/;K{K9((& ]a1W%Uh,^IG*9"% oPmJO0G`{swJ0y]8!sD: DyPީ!/[v2R*4%NF)O?5o'[nA5y`0v4M n=ձ]w O`7@I>=a7Ct_ԕe`7g#~*3VœA>p8{g!(ْ[0?s^nT <+1<&WDƸEߟ2"L)Ԧ?MSw(\*],5Ał<rvV5wg~sx:YʐL\kDI Ik-.,wvUa4,Lb1"[\'QI 8`\жX3"@a)5|dn~ӧf<˜4W6QĶqyuڵ-ˉ=lw6++Ȁ7HY{D,5Ra:(= zBk|FXK]s&&tĵa}ar8Lt4QS|J)Km)3 ߂ iW 52lt* X>!ˣŬj]+ N*t&vж?g8}fƲ"7cP!W]-B@:S .x C,$ˋ}P cyx ŧ$NSb0xDtƙW.rWŠN|]p1NꇿU_:m^v.>J{`g^vTvQKeէr09d֊&|&Z2cˤ_ l?$ٔv