Design of a system for real-time worm detection

Recent, well-publicized attacks have made it clear that worms are a threat to Internet security. Systems that protect networks against malicious code are expected to become part of the critical Internet infrastructure. Intrusion detection and prevention systems (IDPS) are of limited use today because they can filter only worms whose signatures are already known. We present the design and implementation of a system that automatically detects new worms in real time by monitoring traffic on a network. The system uses field programmable gate arrays (FPGAs) to scan packet payloads for recurring content. When a new worm hits the network and its rate of infection is high, the system detects the outbreak automatically: strings that occur frequently in packet payloads are reported immediately as likely worm signatures.
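The detection idea in the abstract, counting fixed-length payload substrings and reporting the ones that recur, can be shown in software. The following is an added example written for this page; it is not the paper's FPGA implementation and it makes up its own names (ContentSifter, Packet, run) and constructed sample traffic. Like the hardware design, it keeps only hashed counters for prevalence (a two-row count-min sketch, so a string's count is never underestimated) and only starts remembering the string itself once its estimated count crosses a threshold. It adds one refinement the abstract does not mention but which the content-sifting literature the paper builds on (EarlyBird) uses: a prevalent substring is reported only once it has also been seen from several sources to several destinations, which keeps shared protocol headers such as HTTP request lines from being reported as worm signatures.

```python
"""Software model of content sifting: count fingerprinted payload substrings
with hardware-sized counters and report the ones that recur across the network.
Added example for this page, not the paper's FPGA design."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass

WINDOW = 16            # bytes per fingerprinted substring
COUNT_THRESHOLD = 3    # packets carrying a substring before it counts as prevalent
SRC_THRESHOLD = 2      # distinct sources required before reporting
DST_THRESHOLD = 2      # distinct destinations required before reporting
ROWS, COLS = 2, 4096   # count-min sketch dimensions (stand-in for on-chip counters)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


def windows(payload: bytes) -> set:
    """All WINDOW-byte substrings of a payload, deduplicated so one packet
    contributes at most one count per distinct substring."""
    return {payload[i:i + WINDOW] for i in range(len(payload) - WINDOW + 1)}


def bucket(row: int, sub: bytes) -> int:
    """Independent hash per sketch row; keyed BLAKE2 stands in for the
    hardware hash functions (assumed choice for this example)."""
    h = hashlib.blake2b(sub, digest_size=4, key=bytes([row])).digest()
    return int.from_bytes(h, "big") % COLS


class ContentSifter:
    def __init__(self):
        self.sketch = [[0] * COLS for _ in range(ROWS)]
        self.srcs = defaultdict(set)   # stage 2 state, kept only for prevalent substrings
        self.dsts = defaultdict(set)
        self.reported = set()

    def prevalence(self, sub: bytes) -> int:
        # count-min estimate: the minimum over rows never undercounts
        return min(self.sketch[r][bucket(r, sub)] for r in range(ROWS))

    def observe(self, pkt: Packet) -> list:
        """Update the counters with one packet; return substrings newly reported."""
        new = []
        for sub in windows(pkt.payload):
            for r in range(ROWS):
                self.sketch[r][bucket(r, sub)] += 1
            if self.prevalence(sub) < COUNT_THRESHOLD:
                continue                       # not frequent enough to remember yet
            self.srcs[sub].add(pkt.src)
            self.dsts[sub].add(pkt.dst)
            if (sub not in self.reported
                    and len(self.srcs[sub]) >= SRC_THRESHOLD
                    and len(self.dsts[sub]) >= DST_THRESHOLD):
                self.reported.add(sub)         # likely worm signature
                new.append(sub)
        return new


# Constructed sample traffic (not real captures): four ordinary requests from
# different clients to one web server, and one made-up worm payload that
# five infected hosts send to five different victims.
NORMAL = [Packet(f"10.1.0.{i}", "10.0.0.5",
                 b"GET /page%d.html HTTP/1.1\r\nHost: srv.example\r\n\r\n" % i)
          for i in range(1, 5)]
WORM_PAYLOAD = b"GET /cgi-bin/vuln.cgi?q=" + b"A" * 40 + b"\x0f\x0f\x0f\x0f\r\n"
WORM = [Packet(f"192.168.{i}.7", f"10.0.{i}.9", WORM_PAYLOAD) for i in range(1, 6)]
TRAFFIC = NORMAL[:2] + WORM[:3] + NORMAL[2:] + WORM[3:]


def run(traffic=TRAFFIC) -> set:
    """Feed a packet stream through the sifter and return every reported substring."""
    sifter = ContentSifter()
    for pkt in traffic:
        sifter.observe(pkt)
    return sifter.reported


if __name__ == "__main__":
    for sub in sorted(run()):
        print(sub)
```

On the sample stream every 16-byte window of the worm payload is reported and nothing from the ordinary requests is, even though the windows spanning ` HTTP/1.1\r\nHost:` occur in all four requests and pass the prevalence threshold: they come from four clients but go to a single server, so they fail the destination-dispersion check. The cost of that check is latency, since source and destination sets are only collected after a substring becomes prevalent, which is why the worm here is reported on its fourth copy rather than its third.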
