On countermeasures of worm attacks over the Internet
Worm attacks have always been considered dangerous threats to the Internet, since they can infect a large number of computers and consequently cause large-scale service disruptions and damage. Research on modeling worm attacks, and on defenses against them, has therefore become vital to the field of computer and network security. This dissertation systematically studies two classes of countermeasures against worm attacks: traffic-based countermeasures and non-traffic-based countermeasures. Traffic-based countermeasures are those whose means are limited to monitoring, collecting, and analyzing the traffic generated by worm attacks. Non-traffic-based countermeasures do not have such limitations.
For the traffic-based countermeasures, we first consider a worm attack that adopts feedback loop-control mechanisms, which make its overall propagation traffic behavior similar to background non-worm traffic and thereby circumvent detection. We develop a novel spectrum-based scheme that achieves highly effective detection performance against such attacks. We then consider worm attacks that probe in a stealthy manner to discover the location infrastructure of a defense system, and introduce an information-theoretic framework to establish the limitations of such attacks and develop corresponding countermeasures.
For the non-traffic-based countermeasures, we first consider new, unseen worm attacks and develop a countermeasure based on mining the dynamic signature of worm programs' run-time execution. We then consider a generic worm attack that dynamically changes its propagation patterns and develop integrated countermeasures based on the attacker's conflicting objectives. Lastly, we consider the real-world system setting with multiple incoming worm attacks that collaborate by sharing the history of their interactions with the defender, and develop a generic countermeasure based on establishing the defender's reputation for toughness in its repeated interactions with multiple incoming attackers, so as to optimize long-term defense performance.
This dissertation research has broad impact on Internet worm research, since the work is fundamental, practical and extensible. The developed framework can be used by researchers to understand key features of other forms of new worm attacks and to develop countermeasures against them.
DoWitcher: Effective Worm Detection and Containment in the Internet Core
Enterprise networks are increasingly offloading the responsibility for worm detection and containment to the carrier networks. However, current approaches to the zero-day worm detection problem, such as those based on content similarity of packet payloads, are not scalable to carrier link speeds (OC-48 and upwards). In this paper, we introduce a new system, DoWitcher, which in contrast to previous approaches is scalable as well as able to detect the stealthiest worms, those that employ low propagation rates or polymorphism to evade detection. DoWitcher uses an incremental approach toward worm detection: first, it examines layer-4 traffic features to discern the presence of a worm anomaly; next, it determines a flow-filter mask that can be applied to isolate the suspect worm flows; and finally, it enables full-packet capture of only those flows that match the mask, which are then processed by a longest common subsequence algorithm to extract the worm content signature. Via a proof-of-concept implementation on a commercially available network analyzer processing raw packets from an OC-48 link, we demonstrate the capability of DoWitcher to detect low-rate worms and extract signatures even for polymorphic worms.
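The three-stage pipeline the abstract describes (layer-4 anomaly, flow-filter mask, full capture plus longest-common-subsequence signature extraction) is easy to lose in prose, so here is a toy end-to-end version as an added example. This is not DoWitcher's code: the flow records, payloads, the many-to-many fan-out test used as the layer-4 feature, and the thresholds are all constructed assumptions, and the polymorphism is simulated by varying a few bytes between otherwise identical payloads.

```python
"""Added example (not DoWitcher's own code): a toy version of the three-stage
pipeline the abstract describes, run over constructed layer-4 flow records.
Thresholds, record layout and payloads are assumptions for illustration."""
from collections import defaultdict

# Constructed flow records: (src, dst, dst_port, payload). Four hosts each hit
# a different target on 445 with a payload that varies in a few bytes (a crude
# stand-in for polymorphism); two HTTP flows are benign background traffic.
FLOWS = [
    ("10.0.0.1", "10.0.5.2", 445, b"\x00\x00\x00\x85\xffSMB\x72\x00WORMXYZ\x90\x90\xeb"),
    ("10.0.0.2", "10.0.5.9", 445, b"\x00\x00\x00\x85\xffSMB\x72\x11WORMXYZ\x41\x41\xeb"),
    ("10.0.0.3", "10.0.7.4", 445, b"\x00\x00\x00\x85\xffSMB\x72\x22WORMXYZ\xcc\xcc\xeb"),
    ("10.0.0.4", "10.0.8.8", 445, b"\x00\x00\x00\x85\xffSMB\x72\x33WORMXYZ\x90\xcc\xeb"),
    ("10.0.1.5", "10.0.5.2", 80, b"GET /index.html HTTP/1.1\r\nHost: a\r\n\r\n"),
    ("10.0.1.6", "10.0.5.2", 80, b"GET /about.html HTTP/1.1\r\nHost: a\r\n\r\n"),
]


def layer4_anomalies(flows, min_sources=3, min_targets=3):
    """Stage 1: flag destination ports contacted by many distinct sources AND many
    distinct targets (many-to-many fan-out). No payload is inspected here; that is
    what keeps this stage cheap at carrier speeds. The thresholds are assumptions."""
    srcs, dsts = defaultdict(set), defaultdict(set)
    for src, dst, port, _ in flows:
        srcs[port].add(src)
        dsts[port].add(dst)
    return sorted(p for p in srcs if len(srcs[p]) >= min_sources and len(dsts[p]) >= min_targets)


def flow_filter_mask(flows, port):
    """Stage 2: build the mask that isolates suspect flows: the anomalous port plus
    the set of sources seen talking to it."""
    return {"dst_port": port, "srcs": {src for src, _, p, _ in flows if p == port}}


def matches_mask(mask, flow):
    src, _, port, _ = flow
    return port == mask["dst_port"] and src in mask["srcs"]


def lcs(a: bytes, b: bytes) -> bytes:
    """Longest common subsequence (not substring) of two byte strings: the classic
    O(len(a)*len(b)) dynamic programme with backtracking."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n):
        for j in range(m):
            dp[i + 1][j + 1] = dp[i][j] + 1 if a[i] == b[j] else max(dp[i][j + 1], dp[i + 1][j])
    out, i, j = bytearray(), n, m
    while i and j:
        if a[i - 1] == b[j - 1]:
            out.append(a[i - 1])
            i, j = i - 1, j - 1
        elif dp[i - 1][j] >= dp[i][j - 1]:
            i -= 1
        else:
            j -= 1
    return bytes(reversed(out))


def extract_signature(payloads):
    """Stage 3: fold LCS across the captured payloads. Pairwise folding is a
    heuristic: the exact multi-sequence LCS is expensive, and the folded result can
    depend on payload order, so a deployment would want to confirm the signature
    against held-out captures before pushing it to a filter."""
    sig = payloads[0]
    for p in payloads[1:]:
        sig = lcs(sig, p)
    return sig


def signature_matches(sig, payload):
    """A subsequence signature matches a payload if its bytes occur in order,
    not necessarily contiguously; that is what lets it survive byte-level
    polymorphism between the invariant parts."""
    it = iter(payload)
    return all(any(c == b for c in it) for b in sig)


def run_pipeline(flows):
    """Run the three stages and return {dst_port: signature} for each anomaly."""
    signatures = {}
    for port in layer4_anomalies(flows):
        mask = flow_filter_mask(flows, port)
        captured = [f[3] for f in flows if matches_mask(mask, f)]  # full capture only here
        signatures[port] = extract_signature(captured)
    return signatures


if __name__ == "__main__":
    for port, sig in run_pipeline(FLOWS).items():
        print(port, sig)
```

Two points worth noticing when running it: only the four port-445 flows ever reach the payload stage, which is the scalability argument in miniature, and the extracted signature skips the bytes that vary between samples, so an unseen variant with different filler bytes still matches while the HTTP background traffic does not.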
An Evolutionary Approach for Learning Attack Specifications in Network Graphs
This paper presents an evolutionary algorithm that learns attack scenarios, called attack specifications, from a network graph. This learning process aims to find attack specifications that minimise cost and maximise the value that an attacker gets from a successful attack. The attack specifications that the algorithm learns are represented using an approach based on Hoare's CSP (Communicating Sequential Processes). This new approach is able to represent several elements found in attacks, for example synchronisation. These attack specifications can be used by network administrators to find vulnerable scenarios, composed from the basic constructs Sequence, Parallel and Choice, that lead to valuable assets in the network.
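To make the cost-versus-value search concrete, the following is an added example (not the paper's code) of an evolutionary algorithm that learns attack specifications over a small network graph. Only the Sequence construct is modelled, as an ordered walk of exploit steps from an entry host; Parallel and Choice, and the paper's actual CSP encoding and operators, are not reproduced. The graph, exploit costs, asset values and GA parameters are constructed assumptions.

```python
"""Added example (not the paper's code): a small evolutionary search for attack
specifications over a network graph. Individuals are CSP-style Sequence
specifications (an ordered walk of exploit steps from an entry host); fitness is
asset value gained minus exploit cost, so the search minimises cost and maximises
attacker value at once. Graph, costs, values and GA parameters are constructed
assumptions; the paper's Parallel and Choice constructs are not modelled here."""
import random

# Constructed network graph: GRAPH[u][v] = cost of compromising v from a foothold on u.
GRAPH = {
    "internet": {"dmz-web": 2, "dmz-mail": 3, "vpn": 6},
    "dmz-web": {"app": 3, "file": 5},
    "dmz-mail": {"file": 2, "admin": 6},
    "vpn": {"app": 1, "admin": 4},
    "app": {"db": 4},
    "file": {"db": 6},
    "admin": {"db": 1, "app": 1},
    "db": {},
}
# Constructed asset values: what the attacker gains from compromising each host.
VALUE = {"dmz-web": 1, "dmz-mail": 1, "vpn": 1, "app": 2, "file": 3, "admin": 5, "db": 10}
ENTRY = "internet"
MAX_STEPS = 5  # bound on hosts in a specification, keeps the search space finite


def fitness(spec):
    """Value gained minus cost paid along a Sequence of hosts that starts at ENTRY.
    Sequences that use a non-existent edge or revisit a host are invalid."""
    if not spec or spec[0] != ENTRY:
        return float("-inf")
    total, seen = 0, {ENTRY}
    for u, v in zip(spec, spec[1:]):
        if v in seen or v not in GRAPH[u]:
            return float("-inf")
        seen.add(v)
        total += VALUE.get(v, 0) - GRAPH[u][v]
    return total


def random_walk(rng, prefix=(ENTRY,)):
    """Grow a valid prefix by random unvisited neighbours until a dead end or
    MAX_STEPS. Used both to seed the population and as the mutation operator."""
    spec = list(prefix)
    while len(spec) <= MAX_STEPS:
        options = [v for v in GRAPH[spec[-1]] if v not in spec]
        if not options:
            break
        spec.append(rng.choice(options))
    return spec


def crossover(rng, a, b):
    """Splice a's prefix with b's suffix at a host both visit; if no host is shared
    or the splice would revisit a host, return a copy of a."""
    shared = [h for h in a[1:] if h in b[1:]]
    if not shared:
        return list(a)
    h = rng.choice(shared)
    child = a[: a.index(h)] + b[b.index(h):]
    return child if fitness(child) != float("-inf") else list(a)


def mutate(rng, spec):
    """Cut the Sequence at a random point and regrow a random suffix."""
    cut = rng.randrange(1, len(spec) + 1)
    return random_walk(rng, spec[:cut])


def evolve(generations=40, population=40, seed=1):
    """Elitist GA with tournament selection; returns (best specification, fitness)."""
    rng = random.Random(seed)
    pop = [random_walk(rng) for _ in range(population)]
    for _ in range(generations):
        pop.sort(key=fitness, reverse=True)
        survivors = pop[: population // 5]
        children = []
        while len(survivors) + len(children) < population:
            a = max(rng.sample(pop, 3), key=fitness)
            b = max(rng.sample(pop, 3), key=fitness)
            child = crossover(rng, a, b)
            if rng.random() < 0.5:
                child = mutate(rng, child)
            children.append(child)
        pop = survivors + children
    best = max(pop, key=fitness)
    return best, fitness(best)


if __name__ == "__main__":
    spec, score = evolve()
    print(" -> ".join(spec), "fitness", score)
```

In this constructed graph the cheapest-looking foothold (the web server) is not the best specification: the mail-relay route through the admin host reaches the database at lower total cost relative to the value collected, which is the kind of non-obvious scenario an administrator would want the search to surface.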
Malware "Ecology" Viewed as Ecological Succession: Historical Trends and Future Prospects
The development and evolution of malware, including computer viruses, worms, and trojan horses, is shown to be closely analogous to the process of community succession long recognized in ecology. In particular, both changes in the overall environment caused by external disturbances, as well as feedback effects from malware competition and antivirus coevolution, have driven community succession and the development of different types of malware with varying modes of transmission and adaptability.
Comment: 13 pages, 3 figures