Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Researchers Propose Early Warning System for Worms



 By: Ryan Naraine
2005-04-20
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Focusing on TCP-based worms, university security researchers have invented a system that scans for the signs of an Internet attack.

Researchers at the University of Florida have designed an Internet-worm early warning system that offers a new approach to pinpointing the first sign of a malicious network attack.

Shigang Chen and Sanjay Ranka, professors in the universitys Computer and Information Science and Engineering department, outlined the plumbing for the system in a research paper (here in pdf) that promises a fix for known weaknesses in existing early warning mechanisms.

The paper focuses on TCP-based worms and identifies ways of avoiding false positives by looking at reply traffic from the targets instead of monitoring Syn (synchronization) packets to keep track of half-open connections.

"Our proposal integrates a set of techniques that can automatically detect the concerted scan activity of an ongoing worm attack," Chen explained. In an interview with Ziff Davis Internet News, he said the system monitors a "used" address space and relies on RESET packets to find the scan sources.

"This has greater accuracy and makes the system resilient to antimonitor measures," he added.

The paper does not provide details on how worm propagation warnings would be distributed or how the system would arrange detection of UDP (User Datagram Protocol)-based worms, but Chen argues that the research can be easily expanded to solve those issues.

"Once the system is in place and worm propagation is detected, you can use all kinds of distribution mechanisms to get the alarm out. You can set up subscriptions to distribute the data via e-mail, pagers, newsgroups or any other existing mechanism," he said.

Resource Library:

Chens group has also designed a distributed anti-worm system, described here in pdf, that offers perimeter-based defense against high-bandwidth distributed denial-of-service attacks. That system, Chen said, can be used by ISPs to provide security service to customers.

With the worm early warning system, dubbed WEW, Chen said he believes the "open problem" of thwarting attacks like the destructive Blaster, CodeRed, Nimda and Sasser worms could be minimized.

Read more here about the destructive Sasser worm.

"The problem has not been solved because nobody is detecting worms in time. As weve seen with the big attacks, they were already widespread before the industry could figure out it was a worm attack," Chen said.

Chen and Rankas proposal also includes an antispoof protocol that filters out the false scan sources to identify possible worm-infected hosts. It also proposes the use of a new performance metric, system sensitivity, to capture the responsiveness of an early warning system in reporting an ongoing worm.

In theory, Chen sees the early warning system deployed at the gateway of a large enterprise network to collect samples of Internet scan activities. "The system detected potential worm outbreak by analyzing the pattern of increase in external scan sources and comparing their similarity," the researcher wrote.

"It captures the common signature from those sources in order to assist human analysis or automatically reconfigure a filtering device to block them," he added.

The primary task of Chens worm early warning system is to monitor outbound TCP RESET packets which would indicate failed inbound connection attempts, Chen explained.

To work around the problem of false positives, the paper proposes to filter out false scan sources.

"The goal is to have a system to issue warnings at the very early stages of an attack and to provide information for security analysts to control the damage."

Chen said the system can be deployed locally or codeployed among a group of enterprise networks to provide comprehensive worm-detection capabilities.

Click here to read about Microsofts anti-Blaster worm tool for home users.

Chen said "honeypots" would be used to capture the attack signatures of the scanning hosts, but conceded that the issue of creating signatures was not fully addressed in the proposal.

He likened the need for an Internet-worm early warning system to similar mechanisms that deal with real-life disasters like hurricanes, floods and tornados.

"In the Internet world, the damage may not be loss of lives, but its still very significant," Chen said. "The network worm is still the number one threat in the enterprise. It costs hundreds of millions of dollars every year to fix compromised machines and clean up from a major attack."

"An early warning system gives you some time to take urgent action ahead of worm propagation. Just like with the hurricane warnings, you can learn about the nature of the attack and figure out ways to put defense systems in place before it becomes widespread," he added.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Researchers Propose Early Warning System for Worms
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}ks6*Q3{L!a{lcؖҌwRJEĘ"$e|9u_zPs2mFwh4#ooD.]ݴ1r͙M55|``HRcoޅ-3 @oR^P ĠxnwݶN`P'~> \?g3U;Y|R(ޗѺ1QQy_HږyB6EGJߣ*C7 ݩx8/DeOPɼM"h4"j>vn3 w2`~|!k`Tx>?&C5CUVekFV#luy! 1#o+ݿ!Hͤ޸@d`jId:@",C63!p55\ap*)ZHZ6tG-> HPN$=+AbArxưcIHo*!)lpi+¼t'@=:tQV_սyoAסn܏}wdo&a-wQKw6j ۆ@ظz00!J&5\_-׉"˱,ftg0eʆ}VSRr8?Wcm9/NeW4F}ޥRQ5MQzם ? n0uh;\Cry]J UuSK^_w&KDeR)Ni& 0h!5&tt<_B^,9BFI?nOnF)ډVR]j'F[V@a`%pfQU>gsK߾ڤ>8ϑ}d9̠VPAf`W+e`;o=_su[ݻ9ޒVSCV|BCj`BәcYuZʿ!-v?54Y01\ \V+IjgdZݳ6)H|W:VEqѿ$} ,-)Ttܿ ,_0f k$LJsi)":u P;|sNGGGm҄& 9B:%ϙP/7>hr ^@e)#8?݇IhJq䨉kYSl؅ R揇o4@M XZEU>hi"E[ŢˊfoF">y 23yB(pHqb&μbO૦yp>jY]6'tauIUi _Cޡ:yxnMOW^ S3G#вnZKV%cWPvr/*Grkh 2ud8԰1nґ>âx_~AAӧIz'|JMk6uI=DC#ɠ:ڴG\V4!>&MЀ`Qi1[W <ۋJ!pIxZSxv&ztmP`~5$ǎ@ Ls'08Ƀ5E0ݻCi`y1&զAp{ Tgg ,zC /lmAl}h`1 >5g%G@i0x2CDȧ$D!-i]R@Az8 -,rr: $QvGBj0mlry KwrKd&,fQY,p[/)͙J2d0U Q򍜘=b`&Qea*0pLKak`FZ< k2'yv=.Q1j4<3_O#kۖsM_e jJ=WsFA|5 i!sL&Ze ?<<Gy5&++\=P9Д*T218 FL@ ('wJFJV !zh'>eg HuXKnuooI8Ұ.Z.eY mc-׾0^Ԣ(/Q|u$"!lsiŰ,B /0|:Cb&^fthQs&u|pöV/UKW3@ZYSj2ej=[`B]PeܠQ@3%X3PQ[ lxkuꟹPCߵɧ+|> w=dsqu3$0T(e!\o ZJkX"L M=t%<42.|O\V,'0sgеSҝaria;o/ uS_JXQ>om V!҇GD+ه0`,E=_GMR^-#oz0iTWJIUӤck@Lf2,rGmAu،;s4=}Zj\Y,>R>U< đOT׃REaT(j]p12q˝a&1 DR)Ö1Swhi'{T'j/%Ex15ᚉ 1ǁ$o':!#HE~H \RZr>J+"X[8:T:4ݦ6W݃:,Cd5f>O{M{c>4Ye j,E@z"RJZ5ZEUՓCZfG=>YP2~2j&8x_8]85Yo?+GzGG>s.}O>zN '-h'^+0ZN O*GJ?#2ByQihw\rRkCL˧FxhՓ u7uav9Aخ kqAmY1 pWgPV#85 '& aBg%:<!pwC):2,pw]0XAG50qH&G+E689  :+@5lr Z+::j9Ng~ˣ ,ćφSG2>L:k}]\WQ7Ӫ`,Bc$ D!#2!z q[kh0h-f;Z;pLjg %Jkfx+sJbOW2E?XizvslƵYTyE3is{*s-L-,sw&J Դ\.[C5^(;3N]-M;fr/cSX_dUM+0m3YhSYlpg#]Ӟuu}lO>=QO#MI^:ŝSݸyrȫ"w~kPgw(*Gq3`S"豥mBtH+'& iGav bȈCzf{zJ$>3?Vi(lz*eR)Yid {2 t9t=d}ԫ6Ϥ?pYOUUQS;:&DVѶU0Hz.q,wqIU1S2I*"E6[pde l&SJ_ũZkRS+'F`"U!TP>zc_7)~(zC9[m{~>RTS:U}T&#UZe%~ݳnSEZdЯdL5AKgl!/`.S(S/l`^ASV<^ےtK3קA(6E&7 u5Yx\sXҌd;{X^5ItH"J7e^Vڑ*\$T+IjYtn:0ȘُYD[^:L&rOf皿6D30| ϟݜ;s`>L7JCM;VJ=ȕe#uL!9ԾbH%~W9@` |RQ*'rF22@BZNbxlēo =$Ԅ7; +Aנn)ɡ$ |Cʍ D;}ZTa&㘘ٿՔ'P@/I6\*YUihja{i12A$K~_ϻ}yչ|g|L8@wMwDŽA\;/qAVkq 4 }E\8&o[R&Fø@o9)P K1E1>dt+]84[{閿ð]Q址҈Fvsռ}߹_>^voQrٹnK^'΃ 'w"e1KrBVëqF.Zٿuoue'3 CA}i^w7UzyZ J~l/t:D(jE[e{wC9Ȫ̅S{R؋~'g#3^q:-: `tH߶lFځ{-3(#F=߸_2{K=7Kx=*AOO42]awB%>mJˢz%nQhr;T%%e(IQ)"{"F%t`o14m*z>=-35"i 1N6;x:o :l0̠@ b@ff7g\8 9S6@Sid3h l?|nwkJljl 41Qh9o٦h ["a' zYOC,' _p$|+؊woO_O_[M򽵢|;̕-u\wךW)&5!/1 %]Kдg=.0(yS/ K[⹏^}:lQOo %~!Щ*Ͷ-C Krg#y_,[ӏJ$$r{,1 $*#Ul,Bx"ytzlk29yjy2V)?GR=OFG?_!S HvtPSmf TOxE(RG2IzDUHvrֻoy8谬nuG+~Au;HgON_nQVƼ`,ƏZ@(5FgFBwB3t\d/Os/`y4 4>#^ʫAN x W\W& K7>Ța0LXT><<,UrO:R)!|[l5kl(o3U)u^ ɡO? $Mkq&*;XT akqɋ!#M5.۲돳/3۔vIIgEuJ79rVQ-  N"艼#A'Yߖy 2"4ֶef fhn-p҅9Lז=>s{| #j4IQW^|&Eњ3+\P3b[[`0Xbt֦萐`;d܉wʒIYŵGݼҴJ@7(<4(b>aLiI b!--+_7vj/#]x vA0Sq?ZcD ""% JeCخq 1_ ŝ":sjZ_R$rz݁Y2>3  J _RL|LVy=%>B-bX"]|볶?~i3ˑrV|TTzvLϵ0ezµG{$~=ڈh"pkl倾ԸnORYj~fi ֍0 @*k4 |~A$X7%75f袷D4bTă qf "€6K9p️65]".7v%S_)+d[fQ)t?XNhj,AQ7B'f@aFm,D-0Sx[2Xkڶti9/fFN-ߎsASgND a`C!ou>ڝ%v@c7|ܹǀͤJiuTS%/4COd> -5IvTQpA{/jK>}1Q6t vĀ{}Xl}.,-6XfMp$99X~;jt[`Χ\\Tߥ}Tb7z {c=˯}O0Bn-Fu%YҍJ0Y3Ѽa)<˶2v; ƚwdUb*X?0\oʎs+PknF3`o [$z:N+K(6J=x!),Z*P޸!Wwg~_Z~%4~5Gy3˓:qhh#oR]/tQ¢7#O=F{[\jSўR%4Chl>CN1׾8?8(Fn/+D(a7߈st t[;䑥!eRefDo#oFxV6G/Ӧ%KCϙːi\+)ElN:C=m%)Ci ,[NFx-qb8~aSL:ZUj?@mpaW2Uߐ?'Xt*%.⛽IB04'\'53NOsnmmo q&Ø6kh7Z_{vxm&Zx{m_ oO6a@lj[V8GA=y=Uֿ忍}:uRy,e徯i˖Ë6#Yf-e։5IV$N)'1L4 +1Y(h7{d*Ο&rpD";k҃>?w}#{b1DKb@/_jN}L+?0kڊS]?w*͆xq?P##D"Dw u~kGs8RG5Śx_ KEA nlo>)fFllz^C `5llz^C쮃M`g.қ≡37:QS뜗=qhH Np찌71otY&T),"ĉZƒM2Ӱp-3| Y?NRUfoNYU"cWW+/h[}m]^ӔV;TSWkĻ'1XtXie`=Xy{gvXU2uߞcAx kHу%S֔2J\d9_K>HP.%$_p(b @k_awUKpjkY\-zɒM Wݥ&Du+i!GY,Tf:9QbMҢSF;1vCWIеA\Π{;eF-h>#y|A+1?m9e0؞ʒ2;ij@WlfmmYU)ַg%.0,%g\Xp,PDa8}G*_[G>f9`V9J0oY&2FxDvʹMh%%mF(hdti S3E \TЭaUewޠeЇ5T?0nG )Uh5eIj+On kj6ҁ+q,ᶭMCh%ӝ17ѽ`(8NtpAG>p<|SR*U+MݢK5fـjcE~%:td\~APߞ= ˸8O roEVIv# ,Ő?Z,D1y_Ѿk? ?4;}׻lzxX2 ٰCߑ?H>'죇BaY`=`(LNwFHs.cbH!̆\oX|J71[>B$!ibbzuO9RJIݹa?Ð3{9Z"UZ1ш@Q>~1&v+%"&Ls6@@P0H47W|w.&%hD1fuc^r {fĔy9d^_ >q@>u;7LQXj*!b3wȧX,?@@=%v Lt]\VP*@J>SiAm??­!Rfjs# x_V4`y.fYͼE+X<>Nwe~t:Tx0͆S ZzdkQ>閣zUQpV#ߛ~pSg8 Xں9P4m^+LJrY:2 ͫ6SfrYdL*rKx52 /%Lqx&0̟D~Rv}Y QJNi21Sln۽O֖C@VՉt.<'mzfx9n0zIc r!>/g}ҽnIJ/6//s?@_[(]_~NmwS__9gP~sC9?/ViC:9CL:^S?/9ak\ʃʡ*>WUWW9yyß(9_O9P~S7([N_^5u\]_O7GtAts M79O{99c}G௏9 ?~rC;(+;h.;࿻Ku3Ay3GΚ7pz~;CsS^.4Ns\}~)P9GP* ~2&ΕR+@^W~ KJ+ťfW*7yKxM}%+yᘴ[ͺrn@Kȣ_xi +{#68xE“B+gٔ0vFnmu#( Q-c#CqN8{(G.v)n7*pK|SG0nsOkz>s"[~r^<^Ȭu5VlNAm,PO:y}2oفOh]O WYZ-KbaP$П}rFsVj?f>xfOCvHy9iolZ/O>*8z:S w}Y&@Y8'Qدhع[jNN7CtF ۘs~ocus`I ʡUVjpWrDa3""C6ɪ"+5W9 8]V(G*D`I9#Tx|Demګ.91C=bGh8[閾P=^?!O^!u>j2cof2EaSOp^Wv" $` f@2b/`{z38{[Y0`FF.eа!,%sv[F8 3| vM현35,>t zCcj$dV$3x7X%05]8+t1ldA(we6LmY1_wa3۝ɕ3=y ; n Anӕc^+wfh]X_ಓJ_`P++3/BlvK7q>soN\ ``a?>N@U]Pp`HzBGa|5J(KESXnՂ[#r/KDπjUM$f@gQl)VxRDR@n뭻I+(\d~\g;6n 7&R,`'/2^;'#B+*π-sD<>K:w,lp/>&G[0rczz7Y=7- ɴ{%̅AdaܐdZ-*?҂o/ Q\F$30(y lm5G0X1+ (R9(t>0 'Ɣ ϰ" ׶9),3כGGw\6k+[Ȁ7HYD,5Ra:(= zBk|FXK]s&&tĵa}ar8Lt4QS|J)Km)3 G߂ i 52lt* X>!ˣŬj]+ N*t&ж?g82acL 1L\+R.Wv!GZq|_E>ODNű<<Sf}')VSL_X1_Q>q&g\ƕEy_Sq|l/]W,{ݗΛW<|;XEt$y']f*FRqOR|(>^vooh=/=m}xxݒ6Ҝ%!to[,!ջiZxY޿`(XE Ch_ś|G`bhPlyYWVMGv36HZ\֓#VR۽wz"f/ROa6%s|N1VKii7JlTʩY+~XXqg;f†[hx.b&;f1Բm.l