Towards automated distributed containment of zero-day network worms

Worms are a serious potential threat to computer network security. The high potential speed of propagation of worms and their ability to self-replicate make them highly infectious. Zero-day worms represent a particularly challenging class of such malware, with the cost of a single worm outbreak estimated to be as high as US$2.6 Billion. In this paper, we present a distributed automated worm detection and containment scheme that is based on the correlation of Domain Name System (DNS) queries and the destination IP address of outgoing TCP SYN and UDP datagrams leaving the network boundary. The proposed countermeasure scheme also utilizes cooperation between different communicating scheme members using a custom protocol, which we term Friends. The absence of a DNS lookup action prior to an outgoing TCP SYN or UDP datagram to a new destination IP addresses is used as a behavioral signature for a rate limiting mechanism while the Friends protocol spreads reports of the event to potentially vulnerable uninfected peer networks within the scheme. To our knowledge, this is the first implementation of such a scheme. We conducted empirical experiments across six class C networks by using a Slammer-like pseudo-worm to evaluate the performance of the proposed scheme. The results show a significant reduction in the worm infection, when the countermeasure scheme is invoked

A new generation for intelligent anti-internet worm early system detection

Worm requires host computer with an address on the Internet and any of several vulnerabilities to create a big threat environment.We propose intelligent early system detection mechanism for detecting internet worm.The mechanism is combined of three techniques: Failure Connection Detection (FCD) which concerns with detecting the internet worm and stealthy worm in which computer infected by the worm by using Artificial Immune System; and the Traffic Signature Detection (TSD) which responsible for detecting traffic signature for the worm; and the DNA Filtering Detection (DNAFD) which converts traffic signature to DNA signature and sending it to all computer that connected with the router to create a firewall for new worms.Our proposed algorithm can detect difficult stealthy internet worm in addition to detecting unknown internet worm

Geometry-based Detection of Flash Worms

While it takes traditional internet worms hours to infect all the vulnerable hosts on the Internet, a flash worm takes seconds. Because of the rapid rate with which flash worms spread, the existing worm defense mechanisms cannot respond fast enough to detect and stop the flash worm infections. In this project, we propose a geometric-based detection mechanism that can detect the spread of flash worms in a short period of time. We tested the mechanism on various simulated flash worm traffics consisting of more than 10,000 nodes. In addition to testing on flash worm traffics, we also tested the mechanism on non-flash worm traffics to see if our detection mechanism produces false alarms. In order to efficiently analyze bulks of various network traffics, we implemented an application that can be used to convert the network traffic data into graphical notations. Using the application, the analysis can be done graphically as it displays the large amount of network relationships as tree structures

An Innovative Signature Detection System for Polymorphic and Monomorphic Internet Worms Detection and Containment

Most current anti-worm systems and intrusion-detection systems use signature-based technology instead of anomaly-based technology. Signature-based technology can only detect known attacks with identified signatures. Existing anti-worm systems cannot detect unknown Internet scanning worms automatically because these systems do not depend upon worm behaviour but upon the worm’s signature. Most detection algorithms used in current detection systems target only monomorphic worm payloads and offer no defence against polymorphic worms, which changes the payload dynamically. Anomaly detection systems can detect unknown worms but usually suffer from a high false alarm rate. Detecting unknown worms is challenging, and the worm defence must be automated because worms spread quickly and can flood the Internet in a short time. This research proposes an accurate, robust and fast technique to detect and contain Internet worms (monomorphic and polymorphic). The detection technique uses specific failure connection statuses on specific protocols such as UDP, TCP, ICMP, TCP slow scanning and stealth scanning as characteristics of the worms. Whereas the containment utilizes flags and labels of the segment header and the source and destination ports to generate the traffic signature of the worms. Experiments using eight different worms (monomorphic and polymorphic) in a testbed environment were conducted to verify the performance of the proposed technique. The experiment results showed that the proposed technique could detect stealth scanning up to 30 times faster than the technique proposed by another researcher and had no false-positive alarms for all scanning detection cases. The experiments showed the proposed technique was capable of containing the worm because of the traffic signature’s uniqueness

Containment of network worms via per-process rate-limiting

Network worms pose a serious threat to the Internet infrastructure as well as end-users. Various techniques have been proposed for de-tection of, and response against worms. A frequently-used and au-tomated response mechanism is to rate-limit outbound worm traffic while maintaining the operation of legitimate applications, offering a gentler alternative to the usual detect-and-block approach. How-ever, most rate-limiting schemes to date only focus on host-level network activities and impose a single threshold on the entire host, failing to (i) accommodate network-intensive applications and (ii) effectively contain network worms at the same time. To allevi-ate these limitations, we propose a per-process-based containment framework in each host that monitors the fine-grained runtime be-havior of each process and accordingly assigns the process a sus-picion level generated by a machine-learning algorithm. We have also developed a heuristic to optimally map each suspicion level to the rate-limiting threshold. The framework is shown to be effective in containing network worms and allowing the traffic of legitimate programs, achieving lower false-alarm rates

Shadow Honeypots

We present Shadow Honeypots, a novel hybrid architecture that combines the best features of honeypots and anomaly detection. At a high level, we use a variety of anomaly detectors to monitor all traffic to a protected network or service. Traffic that is considered anomalous is processed by a "shadow honeypot" to determine the accuracy of the anomaly prediction. The shadow is an instance of the protected software that shares all internal state with a regular ("production") instance of the application, and is instrumented to detect potential attacks. Attacks against the shadow are caught, and any incurred state changes are discarded. Legitimate traffic that was misclassified will be validated by the shadow and will be handled correctly by the system transparently to the end user. The outcome of processing a request by the shadow is used to filter future attack instances and could be used to update the anomaly detector. Our architecture allows system designers to fine-tune systems for performance, since false positives will be filtered by the shadow. We demonstrate the feasibility of our approach in a proof-of-concept implementation of the Shadow Honeypot architecture for the Apache web server and the Mozilla Firefox browser. We show that despite a considerable overhead in the instrumentation of the shadow honeypot (up to 20% for Apache), the overall impact on the system is diminished by the ability to minimize the rate of false-positives

Propagation, Detection and Containment of Mobile Malware.

Today's enterprise systems and networks are frequent targets of malicious attacks, such as worms, viruses, spyware and intrusions that can disrupt, or even disable critical services. Recent trends suggest that by combining spyware as a malicious payload with worms as a delivery mechanism, malicious programs can potentially be used for industrial espionage and identity theft. The problem is compounded further by the increasing convergence of wired, wireless and cellular networks, since virus writers can now write malware that can crossover from one network segment to another, exploiting services and vulnerabilities specific to each network. This dissertation makes four primary contributions. First, it builds more accurate malware propagation models for emerging hybrid malware (i.e., malware that use multiple propagation vectors such as Bluetooth, Email, Peer-to-Peer, Instant Messaging, etc.), addressing key propagation factors such as heterogeneity of nodes, services and user mobility within the network. Second, it develops a proactive containment framework based on group-behavior of hosts against such malicious agents in an enterprise setting. The majority of today's anti-virus solutions are reactive, i.e., these are activated only after a malicious activity has been detected at a node in the network. In contrast, proactive containment has the potential of closing the vulnerable services ahead of infection, and thereby halting the spread of the malware. Third, we study (1) the current-generation mobile viruses and worms that target SMS/MMS messaging and Bluetooth on handsets, and the corresponding exploits, and (2) their potential impact in a large SMS provider network using real-life SMS network data. Finally, we propose a new behavioral approach for detecting emerging malware targeting mobile handsets. Our approach is based on the concept of generalized behavioral patterns instead of traditional signature-based detection. The signature-based methods are not scalable for deployment in mobile devices due to limited resources available on today's typical handsets. Further, we demonstrate that the behavioral approach not only has a compact footprint, but also can detect new classes of malware that combine some features from existing classes of malware.Ph.D.Computer Science & EngineeringUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttp://deepblue.lib.umich.edu/bitstream/2027.42/60849/1/abose_1.pd

Cybersecurity Games: Mathematical Approaches for Cyber Attack and Defense Modeling

Cyber-attacks targeting individuals and enterprises have become a predominant part of the computer/information age. Such attacks are becoming more sophisticated and prevalent on a day-to-day basis. The exponential growth of cyber plays and cyber players necessitate the inauguration of new methods and research for better understanding the cyber kill chain, particularly with the rise of advanced and novel malware and the extraordinary growth in the population of Internet residents, especially connected Internet of Things (IoT) devices. Mathematical modeling could be used to represent real-world cyber-attack situations. Such models play a beneficial role when it comes to the secure design and evaluation of systems/infrastructures by providing a better understanding of the threat itself and the attacker\u27s conduct during the lifetime of a cyber attack. Therefore, the main goal of this dissertation is to construct a proper theoretical framework to be able to model and thus evaluate the defensive strategies/technologies\u27 effectiveness from a security standpoint. To this end, we first present a Markov-based general framework to model the interactions between the two famous players of (network) security games, i.e., a system defender and an attacker taking actions to reach its attack objective(s) in the game. We mainly focus on the most significant and tangible aspects of sophisticated cyber attacks: (1) the amount of time it takes for the adversary to accomplish its mission and (2) the success probabilities of fulfilling the attack objective(s) by translating attacker-defender interactions into well-defined games and providing rigorous cryptographic security guarantees for a system given both players\u27 tactics and strategies. We study various attack-defense scenarios, including Moving Target Defense (MTD) strategies, multi-stage attacks, and Advanced Persistent Threats (APT). We provide general theorems about how the probability of a successful adversary defeating a defender’s strategy is related to the amount of time (or any measure of cost) spent by the adversary in such scenarios. We also introduce the notion of learning in cybersecurity games and describe a general game of consequences meaning that each player\u27s chances of making a progressive move in the game depend on its previous actions. Finally, we walk through a malware propagation and botnet construction game in which we investigate the importance of defense systems\u27 learning rates to fight against the self-propagating class of malware such as worms and bots. We introduce a new propagation modeling and containment strategy called the learning-based model and study the containment criterion for the propagation of the malware based on theoretical and simulation analysis