Researchers at the University of Florida have designed an Internet-worm early warning system that offers a new approach to pinpointing the first sign of a malicious network attack.
Shigang Chen and Sanjay Ranka, professors in the university's Computer and Information Science and Engineering department, outlined the plumbing for the system in a research paper (here in pdf) that promises a fix for known weaknesses in existing early warning mechanisms.
The paper focuses on TCP-based worms and identifies ways of avoiding false positives by looking at reply traffic from the targets instead of monitoring SYN (synchronization) packets to keep track of half-open connections.
“Our proposal integrates a set of techniques that can automatically detect the concerted scan activity of an ongoing worm attack,” Chen explained. In an interview with Ziff Davis Internet News, he said the system monitors a “used” address space and relies on RESET packets to find the scan sources.
“This has greater accuracy and makes the system resilient to antimonitor measures,” he added.
The paper does not provide details on how worm propagation warnings would be distributed or how the system would arrange detection of UDP (User Datagram Protocol)-based worms, but Chen argues that the research can be easily expanded to solve those issues.
“Once the system is in place and worm propagation is detected, you can use all kinds of distribution mechanisms to get the alarm out. You can set up subscriptions to distribute the data via e-mail, pagers, newsgroups or any other existing mechanism,” he said.
Chen's group has also designed a distributed anti-worm system, described here in pdf, that offers perimeter-based defense against high-bandwidth distributed denial-of-service attacks. That system, Chen said, can be used by ISPs to provide security service to customers.
With the worm early warning system, dubbed WEW, Chen said he believes the “open problem” of thwarting attacks like the destructive Blaster, CodeRed, Nimda and Sasser worms could be minimized.
“The problem has not been solved because nobody is detecting worms in time. As we've seen with the big attacks, they were already widespread before the industry could figure out it was a worm attack,” Chen said.
Chen and Ranka's proposal also includes an antispoof protocol that filters out the false scan sources to identify possible worm-infected hosts. It also proposes the use of a new performance metric, system sensitivity, to capture the responsiveness of an early warning system in reporting an ongoing worm.
In theory, Chen sees the early warning system deployed at the gateway of a large enterprise network to collect samples of Internet scan activities. “The system detects potential worm outbreaks by analyzing the pattern of increase in external scan sources and comparing their similarity,” the researcher wrote.
“It captures the common signature from those sources in order to assist human analysis or automatically reconfigure a filtering device to block them,” he added.
The primary task of Chen's worm early warning system is to monitor outbound TCP RESET packets, which would indicate failed inbound connection attempts, Chen explained.
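The RESET-based detection idea described above (reply traffic rather than half-open SYN counts, and alarming on the growth in the number of external scan sources) can be illustrated with a small monitor. The following is an added example written for this article, not code from Chen and Ranka's paper or the WEW prototype: the packet record format, the monitored `10.0.0.0/24` prefix, the thresholds and the fixed-window growth rule are all assumptions, and the paper's antispoof filtering and signature capture are not modelled. It also contrasts the RESET view with a naive inbound-SYN counter on constructed traffic, showing why a busy legitimate client trips the SYN counter but not the RESET-based one.

```python
"""Added example: RESET-based scan-source monitor in the spirit of the WEW design.

Illustrative code for this page, not the authors' implementation. The record
format, address prefix, thresholds and window size are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."   # assumed monitored ("used") address space


@dataclass(frozen=True)
class Packet:
    ts: int       # capture time in seconds (constructed)
    src: str
    dst: str
    flags: str    # "S" = SYN, "SA" = SYN-ACK, "R" = RST


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def outbound_rst_sources(packets):
    """Map each external host to the set of internal addresses that answered it with RST.

    An outbound RST from the monitored network means an inbound connection attempt
    failed (closed port or unused address). That reply is the signal watched here,
    instead of tracking half-open connections from inbound SYNs."""
    hits = defaultdict(set)
    for p in packets:
        if p.flags == "R" and is_internal(p.src) and not is_internal(p.dst):
            hits[p.dst].add(p.src)
    return hits


def scan_sources(packets, min_targets=3):
    """External hosts that drew RSTs from at least min_targets distinct internal addresses."""
    return {src for src, targets in outbound_rst_sources(packets).items()
            if len(targets) >= min_targets}


def syn_only_suspects(packets, min_syns=3):
    """Naive baseline: count inbound SYNs per external source.

    A legitimate client opening several connections also produces many SYNs, so
    this view flags it; the RST-based view does not, because its attempts succeed."""
    counts = defaultdict(int)
    for p in packets:
        if p.flags == "S" and not is_internal(p.src) and is_internal(p.dst):
            counts[p.src] += 1
    return {src for src, n in counts.items() if n >= min_syns}


def growth_alarm(packets, window=10, min_sources=5, growth=2.0):
    """Count distinct scan sources per fixed time window; alarm when a window holds at
    least min_sources and at least `growth` times the previous window's count.
    A simple stand-in for the paper's analysis of the increase in scan sources."""
    by_window = defaultdict(list)
    for p in packets:
        by_window[p.ts // window].append(p)
    counts = [len(scan_sources(by_window[w])) for w in sorted(by_window)]
    for prev, cur in zip(counts, counts[1:]):
        if cur >= min_sources and cur >= growth * max(prev, 1):
            return True, counts
    return False, counts


def build_sample():
    """Constructed traffic: one legitimate client plus a scan that widens in window 1."""
    pkts = []
    legit = "198.51.100.7"
    for i in range(5):  # five successful connections, each answered with SYN-ACK
        pkts.append(Packet(i, legit, "10.0.0.5", "S"))
        pkts.append(Packet(i, "10.0.0.5", legit, "SA"))
    # window 0: a single scanner; window 1: five scanners sweeping three unused addresses
    scanners = {0: ["203.0.113.1"], 1: [f"203.0.113.{n}" for n in range(10, 15)]}
    for w, srcs in scanners.items():
        for s in srcs:
            for k in range(3):
                t, dst = w * 10 + k, f"10.0.0.{100 + k}"
                pkts.append(Packet(t, s, dst, "S"))
                pkts.append(Packet(t, dst, s, "R"))   # unused address replies RST
    return pkts


if __name__ == "__main__":
    sample = build_sample()
    print("RST-based scan sources:", sorted(scan_sources(sample)))
    print("SYN-only suspects:     ", sorted(syn_only_suspects(sample)))
    print("growth alarm:", growth_alarm(sample))
```

The legitimate client never appears in the RESET-based set because its connections complete with SYN-ACK, while the naive SYN counter lists it alongside the scanners; the growth check fires only when the second window shows five sources after one.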
To work around the problem of false positives, the paper proposes to filter out false scan sources.
“The goal is to have a system to issue warnings at the very early stages of an attack and to provide information for security analysts to control the damage.”
Chen said the system can be deployed locally or codeployed among a group of enterprise networks to provide comprehensive worm-detection capabilities.
Chen said “honeypots” would be used to capture the attack signatures of the scanning hosts, but conceded that the issue of creating signatures was not fully addressed in the proposal.
He likened the need for an Internet-worm early warning system to similar mechanisms that deal with real-life disasters like hurricanes, floods and tornados.
“In the Internet world, the damage may not be loss of lives, but it's still very significant,” Chen said. “The network worm is still the number one threat in the enterprise. It costs hundreds of millions of dollars every year to fix compromised machines and clean up from a major attack.”
“An early warning system gives you some time to take urgent action ahead of worm propagation. Just like with the hurricane warnings, you can learn about the nature of the attack and figure out ways to put defense systems in place before it becomes widespread,” he added.