Defense and Detection Strategies Against Internet Worms
Usman Sarwar, Network Research Group, University Science Malaysia
Agenda
The presentation has two parts:
- Understanding the worm
- Planning the strategies
Worms
- A computer worm is a program that self-propagates across a network, exploiting security or policy flaws in widely used services.
- A computer worm is a program that travels from one computer to another but does not attach itself to the operating system of the computer it infects.
Destruction by worms
In recent years worms have caused massive destruction that paralyzed organizations, for example:
- Code Red [$2 billion]
- Love Bug [$9 billion]
Types of worms
There are two types of worms:
- Host worms
- Network worms
Construction of worm
- Target platform?
- How it will attack the remote system
- Selecting computer language
- Scanning techniques
- Payload delivery mechanism
- Installation on target host
- Establishing the worm network
Introduction mechanisms
- Single point
- Multiple point
- Delayed trigger
Components of worms
There are five components of worms:
- Reconnaissance
- Attack components
- Communication components
- Command components
- Intelligence components
Infection patterns
- Random scanning
- Random scanning using lists
- Island hopping
- Directed attacking
- Hit-list scanning
Worm network topologies
- Hierarchical tree
- Centrally connected network
- Shockwave Rider-type and guerilla networks
- Hierarchical networks
- Mesh networks
Target vulnerabilities
- Prevalence of target
- Homogeneous versus heterogeneous targets
Traffic analysis
- Growth in traffic volume
- Rise in the number of scans and sweeps
- Change in traffic patterns for some hosts
- Predicting scans by analyzing the scan engine
Pattern matching
- Port matching
- IP address matching
Host-based detection
- Host firewalls
- Virus detection software
- Partitioned privileges
- Sandboxing of applications
- Disabling unneeded services and features
- Patching known holes
Proxy defenses
- Configuration
- Authentication via proxy server
- Mail server proxies
- Web-based proxies
Software vulnerabilities
Most security vendors focus on adding features rather than fixing existing products:
- SQL Server (Slammer worm)
- Windows (Blaster worm)
Attacking the worm network
- Shutdown messages
- Bluffing with worm
- Slowing down the spread
Expected attributes of future worms
- Intelligence
- Polymorphism techniques
- Modularity and upgradability
- Better hiding techniques
- Web crawlers as worms
- Super worms
- Political messages