Combating against internet worms in large-scale networks: an autonomic signature-based solution

In this paper, we propose a signature-based hierarchical email worm detection (SHEWD) system to detect e-mail worms in large-scale networks. The proposed system detects novel worms and instantly generates their signatures. This feature helps to contain the spread of any kind of worm, known or unknown. We envision a two-layer hierarchical architecture comprising local security managers (LSMs), metropolitan security managers (MSMs), and a global security manager (GSM). Local managers collect suspicious flows and hand them to metropolitan managers. Metropolitan managers then use cluster analysis to separate worms from the suspicious flows. The sorted worms are used to generate the worm signature, which is relayed to the global manager and then to all the collaborating networks. A separate scheme is proposed to automatically select suitable values of the system parameters. This parameter selection procedure takes into account the current network state and the threat level of the ongoing attack. The performance of the whole system is investigated using real network traffic with traces of worms. Experimental results demonstrate that the proposed scheme is capable of accurately detecting email worms during the early phase of their propagation. Copyright © 2008 John Wiley & Sons, Ltd.
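The abstract fixes only the roles in the hierarchy (LSMs collect suspicious flows, the MSM clusters them and derives a signature, the GSM relays it to every collaborating network). As an added illustration that is not the paper's code, the following Python sketch runs that flow end to end on constructed mail traffic. Everything concrete in it is an assumption made for the example: the per-sender mail-rate rule the LSM uses to flag suspicious flows, byte n-gram Jaccard single-linkage clustering at the MSM, longest-common-substring signature extraction, the thresholds, and the sample messages.

```python
# Added illustration, not the paper's code. The suspicion rule, the n-gram/Jaccard
# clustering, the longest-common-substring signature and all thresholds are
# assumptions for this example; the abstract only fixes the LSM/MSM/GSM roles.
from collections import defaultdict
from dataclasses import dataclass

NGRAM = 4                 # assumption: byte n-gram length for payload similarity
SIM_THRESHOLD = 0.6       # assumption: Jaccard similarity needed to join a cluster
MIN_CLUSTER = 3           # assumption: flows per cluster before it counts as a worm
MAX_MAILS_PER_SENDER = 2  # assumption: outbound mails per sender per window

@dataclass(frozen=True)
class Flow:
    sender: str
    payload: bytes

def shingles(payload: bytes, n: int = NGRAM) -> frozenset:
    """Set of byte n-grams; the unit of payload similarity."""
    return frozenset(payload[i:i + n] for i in range(len(payload) - n + 1))

def jaccard(a: frozenset, b: frozenset) -> float:
    """Jaccard similarity of two n-gram sets (0.0 when either is empty)."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)

def longest_common_substring(samples: list) -> bytes:
    """Longest byte string present in every sample (brute force, toy-sized input)."""
    base = min(samples, key=len)
    for length in range(len(base), 0, -1):
        for start in range(len(base) - length + 1):
            cand = base[start:start + length]
            if all(cand in s for s in samples):
                return cand
    return b""

class LocalSecurityManager:
    """LSM: flags senders over the mail budget; enforces signatures pushed by the GSM."""
    def __init__(self, name: str):
        self.name = name
        self.signatures = set()

    def collect_suspicious(self, flows: list) -> list:
        per_sender = defaultdict(list)
        for f in flows:
            per_sender[f.sender].append(f)
        return [f for fl in per_sender.values()
                if len(fl) > MAX_MAILS_PER_SENDER for f in fl]

    def matches(self, flow: Flow) -> bool:
        return any(sig in flow.payload for sig in self.signatures)

class MetropolitanSecurityManager:
    """MSM: single-linkage clustering on payload similarity, one signature per big cluster."""
    def cluster(self, flows: list) -> list:
        clusters = []
        for f in flows:
            sh = shingles(f.payload)
            for c in clusters:
                if any(jaccard(sh, shingles(g.payload)) >= SIM_THRESHOLD for g in c):
                    c.append(f)
                    break
            else:
                clusters.append([f])  # no similar cluster: start a new one
        return clusters

    def signatures(self, suspicious: list) -> list:
        sigs = []
        for c in self.cluster(suspicious):
            if len(c) >= MIN_CLUSTER:
                sig = longest_common_substring([f.payload for f in c])
                if len(sig) >= NGRAM:  # drop degenerate signatures
                    sigs.append(sig)
        return sigs

class GlobalSecurityManager:
    """GSM: de-duplicates signatures and pushes new ones to every collaborating LSM."""
    def __init__(self, lsms: list):
        self.lsms = lsms
        self.known = set()

    def distribute(self, sigs: list) -> list:
        new = [s for s in sigs if s not in self.known]
        self.known.update(new)
        for lsm in self.lsms:
            lsm.signatures.update(new)
        return new

# Constructed sample traffic (not real captures).
WORM_BODY = b"Please see the attached document and confirm today. invoice.doc.exe"
SITE_A_FLOWS = [
    Flow("bob", b"Meeting moved to 3pm, see you there."),
    Flow("carol", b"Hi Bob:" + WORM_BODY),   # infected host: 3 mails, same body
    Flow("carol", b"Hello!" + WORM_BODY),
    Flow("carol", b"Dear Ann;" + WORM_BODY),
    Flow("eve", b"Lunch at noon?"),           # chatty but benign sender
    Flow("eve", b"Can you send the Q3 slides?"),
    Flow("eve", b"Thanks, received."),
]

def run_pipeline() -> dict:
    """LSM at site A -> MSM -> GSM -> signature enforced at site B."""
    lsm_a, lsm_b = LocalSecurityManager("site-A"), LocalSecurityManager("site-B")
    msm, gsm = MetropolitanSecurityManager(), GlobalSecurityManager([lsm_a, lsm_b])
    suspicious = lsm_a.collect_suspicious(SITE_A_FLOWS)
    new_sigs = gsm.distribute(msm.signatures(suspicious))
    return {
        "suspicious": len(suspicious),
        "signatures": new_sigs,
        "site_b_blocks_variant": lsm_b.matches(Flow("dan", b"Hey Carl," + WORM_BODY)),
        "site_b_passes_legit": lsm_b.matches(Flow("dan", b"See you at the meeting.")),
    }

if __name__ == "__main__":
    print(run_pipeline())
```

The rate rule alone is noisy: the chatty benign sender is flagged as suspicious just like the infected host. What separates them is the MSM step, since the benign messages do not resemble each other and end up as singleton clusters that never reach MIN_CLUSTER, while the three worm mails cluster and yield a signature that site B can apply to a variant it has never seen.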
