Geometry-based Detection of Flash Worms

While it takes traditional internet worms hours to infect all the vulnerable hosts on the Internet, a flash worm takes seconds. Because of the rapid rate with which flash worms spread, the existing worm defense mechanisms cannot respond fast enough to detect and stop the flash worm infections. In this project, we propose a geometric-based detection mechanism that can detect the spread of flash worms in a short period of time. We tested the mechanism on various simulated flash worm traffics consisting of more than 10,000 nodes. In addition to testing on flash worm traffics, we also tested the mechanism on non-flash worm traffics to see if our detection mechanism produces false alarms. In order to efficiently analyze bulks of various network traffics, we implemented an application that can be used to convert the network traffic data into graphical notations. Using the application, the analysis can be done graphically as it displays the large amount of network relationships as tree structures

Containment of fast scanning computer network worms

This paper presents a mechanism for detecting and containing fast scanning computer network worms. The countermeasure mechanism, termed NEDAC, uses a behavioural detection technique that observes the absence of DNS resolution in newly initiated outgoing connections. Upon detection of abnormal behaviour by a host, based on the absence of DNS resolution, the detection system then invokes a data link containment system to block traffic from the host. The concept has been demonstrated using a developed prototype and tested in a virtualised network environment. An empirical analysis of network worm propagation has been conducted based on the characteristics of reported contemporary vulnerabilities to test the capabilities of the countermeasure mechanism. The results show that the developed mechanism is sensitive in detecting and blocking fast scanning worm infection at an early stage

Early containment of fast network worm malware

This paper presents a countermeasure mechanism for the propagation of fast network worm malware. The mechanism uses a cross layer architecture with a detection technique at the network layer to identify worm infection and a data-link containment solution to block an identified infected host. A software prototype of the mechanism has been used to demonstrate its effective. An empirical analysis of network worm propagation has been conducted to test the mechanism. The results show that the developed mechanism is effective in containing self-propagating malware with almost no false positives

Early detection and containment of network worm

This paper presents a network security framework for containing the propagation of network worms. The framework employs a detection mechanism at the network layer to identify the presence of a network worm and a data-link containment solution to block the infected host. A prototype of the mechanism has been used to demonstrate the effectiveness of the developed framework. An empirical analysis of network worm propagation has been conducted to test the framework. The results show that the developed framework is effective in containing network worms with almost no false positives

Towards automated distributed containment of zero-day network worms

Worms are a serious potential threat to computer network security. The high potential speed of propagation of worms and their ability to self-replicate make them highly infectious. Zero-day worms represent a particularly challenging class of such malware, with the cost of a single worm outbreak estimated to be as high as US$2.6 Billion. In this paper, we present a distributed automated worm detection and containment scheme that is based on the correlation of Domain Name System (DNS) queries and the destination IP address of outgoing TCP SYN and UDP datagrams leaving the network boundary. The proposed countermeasure scheme also utilizes cooperation between different communicating scheme members using a custom protocol, which we term Friends. The absence of a DNS lookup action prior to an outgoing TCP SYN or UDP datagram to a new destination IP addresses is used as a behavioral signature for a rate limiting mechanism while the Friends protocol spreads reports of the event to potentially vulnerable uninfected peer networks within the scheme. To our knowledge, this is the first implementation of such a scheme. We conducted empirical experiments across six class C networks by using a Slammer-like pseudo-worm to evaluate the performance of the proposed scheme. The results show a significant reduction in the worm infection, when the countermeasure scheme is invoked

Centralized prevention of denial of service attacks

The world has come to depend on the Internet at an increasing rate for communication, e-commerce, and many other essential services. As such, the Internet has become an integral part of the workings of society at large. This has lead to an increased vulnerability to remotely controlled disruption of vital commercial and government operations---with obvious implications. This disruption can be caused by an attack on one or more specific networks which will deny service to legitimate users or an attack on the Internet itself by creating large amounts of spurious traffic (which will deny services to many or all networks). Individual organizations can take steps to protect themselves but this does not solve the problem of an Internet wide attack. This thesis focuses on an analysis of the different types of Denial of Service attacks and suggests an approach to prevent both categories by centralized detection and limitation of excessive packet flows

An assessment of the contemporary threat posed by network worm malware

The cost of a zero-day network worm outbreak has been estimated to be up to US$2.6 billion. Additionally zeroday network worm outbreaks have been observed that spread at a significant pace across the global Internet, with an observed infection level of more than 90 percent of vulnerable hosts within 10 minutes. The threat posed by such fast-spreading malware is therefore significant, particularly given the fact that network operator / administrator intervention is not likely to take effect within the typical epidemiological timescale of such infections. This paper presents a classification of wormable vulnerabilities, demonstrating a method to determine if a vulnerability is wormable, and presents a survey into the cause of the reduction of worm outbreaks in recent years, as well as their viability in the future. It then goes on to explore recent wormable vulnerabilities, and points out the issues with operating system security in relation to techniques used by zero-day worms