Defense and Detection Strategies Against Internet Worms
Usman [email protected]
Network Research Group, University Science Malaysia.
Agenda
The presentation has two parts:
- Understanding the worm
- Planning the strategies
Worms
A computer worm is a program that self-propagates across a network exploiting security or policy flaws in widely-used services.
A computer worm is a program that travels from one computer to another but does not attach itself to the operating system of the computer it “infects.”
Destruction by worms
In recent years worms have caused massive damage and paralysed organizations, for example:
- Code Red: $2 billion
- Love Bug: $9 billion
Types of worms
There are two types of worms:
- Host worms
- Network worms
Construction of a worm
- Target platform
- How it will attack the remote system
- Selecting the computer language
- Scanning techniques
- Payload delivery mechanism
- Installation on the target host
- Establishing the worm network
Introduction mechanisms
- Single point
- Multiple point
- Delayed trigger
Components of worms
There are five components of a worm:
- Reconnaissance components
- Attack components
- Communication components
- Command components
- Intelligence components
Infection patterns
- Random scanning
- Random scanning using lists
- Island hopping
- Directed attacking
- Hit-list scanning
Worm network topologies
- Hierarchical tree
- Centrally connected network
- Shockwave Rider-type and guerilla networks
- Hierarchical networks
- Mesh networks
Target vulnerabilities
- Prevalence of the target
- Homogeneous versus heterogeneous targets
Traffic analysis
- Growth in traffic volume
- Rise in the number of scans and sweeps
- Change in traffic patterns for some hosts
- Predicting scans by analyzing the scan engine
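As an added example (not from the slides or from Nazario's book), the "rise in the number of scans and sweeps" indicator can be checked over flow records: the script below buckets constructed sample flows into fixed time windows and flags any source that contacts many hosts on one port (a sweep) or many ports on one host (a scan). The record layout, thresholds and addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample flow records: (timestamp_s, src_ip, dst_ip, dst_port).
# 10.0.0.5 sweeps port 445 across a subnet, 10.0.0.9 scans ports on one
# host, 10.0.0.7 is ordinary web traffic.
FLOWS = [
    (0, "10.0.0.5", "10.0.1.1", 445),
    (1, "10.0.0.5", "10.0.1.2", 445),
    (2, "10.0.0.5", "10.0.1.3", 445),
    (3, "10.0.0.5", "10.0.1.4", 445),
    (4, "10.0.0.5", "10.0.1.5", 445),
    (1, "10.0.0.9", "10.0.1.1", 80),
    (2, "10.0.0.9", "10.0.1.1", 443),
    (3, "10.0.0.9", "10.0.1.1", 22),
    (4, "10.0.0.9", "10.0.1.1", 25),
    (5, "10.0.0.9", "10.0.1.1", 3306),
    (0, "10.0.0.7", "10.0.1.1", 80),
    (9, "10.0.0.7", "10.0.1.2", 80),
]


def detect_scans(flows, window=10, threshold=4):
    """Return a sorted list of (kind, src, target, fan_out) alerts.

    Flows are bucketed into fixed windows of `window` seconds. Within a
    bucket, a source touching >= threshold distinct hosts on one port is
    reported as a "sweep"; a source touching >= threshold distinct ports
    on one host is reported as a "scan". Thresholds are assumed values
    and should be tuned to the baseline of the monitored network.
    """
    hosts_by_port = defaultdict(set)  # (bucket, src, port) -> {dst hosts}
    ports_by_host = defaultdict(set)  # (bucket, src, dst)  -> {dst ports}
    for t, src, dst, port in flows:
        bucket = t // window
        hosts_by_port[(bucket, src, port)].add(dst)
        ports_by_host[(bucket, src, dst)].add(port)

    alerts = []
    for (_, src, port), hosts in hosts_by_port.items():
        if len(hosts) >= threshold:
            alerts.append(("sweep", src, port, len(hosts)))
    for (_, src, dst), ports in ports_by_host.items():
        if len(ports) >= threshold:
            alerts.append(("scan", src, dst, len(ports)))
    return sorted(alerts, key=lambda a: (a[0], a[1]))


if __name__ == "__main__":
    for alert in detect_scans(FLOWS):
        print(alert)
```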
Pattern matching
- Port matching
- IP address matching
Host-based detection
- Host firewalls
- Virus detection software
- Partitioned privileges
- Sandboxing of applications
- Disabling unneeded services and features
- Patching known holes
Firewall and network defenses
- Perimeter firewalls
- Subnet firewalls
- Reactive IDS deployments
Proxy defenses
- Configuration
- Authentication via proxy server
- Mail server proxies
- Web-based proxies
Software vulnerabilities
Most security vendors focus on adding features rather than fixing existing products, for example:
- SQL Server (Slammer worm)
- Windows (Blaster worm)
Attacking the worm network
- Shutdown messages
- Bluffing the worm
- Slowing down the spread
Expected attributes of future worms
- Intelligence
- Polymorphism techniques
- Modularity and upgradability
- Better hiding techniques
- Web crawlers as worms
- Super worms
- Political messages