Collaborative Internet worm containment

Large-scale worm outbreaks that lead to distributed denial-of-service attacks pose a major threat to Internet infrastructure security. Fast worm containment is crucial for minimizing damage and preventing flooding attacks against network hosts.     

Modeling and Automated Containment of Worms

Self-propagating codes, called worms, such as Code Red, Nimda, and Slammer, have drawn significant attention due to their enormously adverse impact on the Internet. Thus, there is great interest in the research community in modeling the spread of worms and in providing adequate defense mechanisms against them. In this paper, we present a (stochastic) branching process model for characterizing the propagation of Internet worms. The model is developed for uniform scanning worms and then extended to preference scanning worms. This model leads to the development of an automatic worm containment strategy that prevents the spread of a worm beyond its early stage. Specifically, for uniform scanning worms, we are able to 1) provide a precise condition that determines whether the worm spread will eventually stop and 2) obtain the distribution of the total number of hosts that the worm infects. We then extend our results to contain preference scanning worms. Our strategy is based on limiting the number of scans to dark-address space. The limiting value is determined by our analysis. Our automatic worm containment schemes effectively contain both uniform scanning worms and local preference scanning worms, and it is validated through simulations and real trace data to be nonintrusive. We also show that our worm strategy, when used with traditional firewalls, can be deployed incrementally to provide worm containment for the local network and benefit the Internet.     

WormShield: Fast Worm Signature Generation with Distributed Fingerprint Aggregation

Fast and accurate generation of worm signatures is essential to contain zero-day worms at the Internet scale. Recent work has shown that signature generation can be automated by analyzing the repetition of worm substrings (that is, fingerprints) and their address dispersion. However, at the early stage of a worm outbreak, individual edge networks are often short of enough worm exploits for generating accurate signatures. This paper presents both theoretical and experimental results on a collaborative worm signature generation system (WormShield) that employs distributed fingerprint filtering and aggregation over multiple edge networks. By analyzing real-life Internet traces, we discovered that fingerprints in background traffic exhibit a Zipf-like distribution. Due to this property, a distributed fingerprint filtering reduces the amount of aggregation traffic significantly. WormShield monitors utilize a new distributed aggregation tree (DAT) to compute global fingerprint statistics in a scalable and load-balanced fashion. We simulated a spectrum of scanning worms including CodeRed and Slammer by using realistic Internet configurations of about 100,000 edge networks. On average, 256 collaborative monitors generate the signature of CodeRedl-v2 135 times faster than using the same number of isolated monitors. In addition to speed gains, we observed less than 100 false signatures out of 18.7-Gbyte Internet traces, yielding a very low false-positive rate. Each monitor only generates about 0.6 kilobit per second of aggregation traffic, which is 0.003 percent of the 18 megabits per second link traffic sniffed. These results demonstrate that the WormShield system offers distinct advantages in speed gains, signature accuracy, and scalability for large-scale worm containment.     

基于阴性选择的网络蠕虫抑制模型

基于免疫系统的阴性选择机制,提出一种网络蠕虫抑制模型。通过主机的程序行为异常,检测蠕虫攻击并及时响应,允许主机进行大部分的正常网络通信,防止蠕虫通过主机继续传播。主机发出基于阴性选择过滤的网络服务请求,依据蠕虫的传播特征,网络主机之间相互协同,推断蠕虫所攻击的服务并进行限制。实验结果表明,该模型能有效检测并抑制传统蠕虫及拓扑蠕虫等传播隐秘的新型蠕虫。     

Dual-task performance consequences of imperfect alerting associated with a cockpit display of traffic information

OBJECTIVE: Performance consequences related to integrating an imperfect alert within a complex task domain were examined in two experiments. BACKGROUND: Cockpit displays of traffic information (CDTIs) are being designed for use in airplane cockpits as responsibility for safe separation becomes shared between pilots and controllers. Of interest in this work is how characteristics of the alarm system such as threshold, modality, and number of alert levels impact concurrent task (flight control) performance and response to potential conflicts. METHODS: Student pilots performed a tracking task analogous to flight control while simultaneously monitoring for air traffic conflicts with the aid of a CDTI alert as the threshold, modality, and level of alert was varied. RESULTS: As the alerting system became more prone to false alerts, pilot compliance decreased and concurrent performance improved. There was some evidence of auditory preemption with auditory alerts as the false alarm rate increased. Finally, there was no benefit to a three-level system over a two-level system. CONCLUSION: There is justification for increased false alarm rates, as miss-prone systems appear to be costly. The 4:1 false alarm to miss ratio employed here improved accuracy and concurrent task performance. More research needs to address the potential benefits of likelihood alerting. APPLICATION: The issues addressed in this research can be applied to any imperfect alerting system such as in aviation, driving, or air traffic control. It is crucial to understand the performance consequences of new technology and the efficacy of potential mitigating design features within the specific context desired.     

SweetBait: Zero-hour worm detection and containment using low- and high-interaction honeypots

As next-generation computer worms may spread within minutes to millions of hosts, protection via human intervention is no longer an option. We discuss the implementation of SweetBait, an automated protection system that employs low- and high-interaction honeypots to recognise and capture suspicious traffic. After discarding whitelisted patterns, it automatically generates worm signatures. To provide a low response time, the signatures may be immediately distributed to network intrusion detection and prevention systems. At the same time the signatures are continuously refined for increased accuracy and lower false identification rates. By monitoring signature activity and predicting ascending or descending trends in worm virulence, we are able to sort signatures in order of urgency. As a result, the set of signatures to be monitored or filtered is managed in such a way that new and very active worms are always included in the set, while the size of the set is bounded. SweetBait is deployed on medium sized academic networks across the world and is able to react to zero-day worms within minutes. Furthermore, we demonstrate how globally sharing signatures can help immunise parts of the Internet.     

利用主机软件信息消除NIDS虚警

由于缺乏对网络主机上下文的了解,多数基于特征的NIDS(网络入侵检测系统)产生的虚警数量太多,使得管理员无法尽快将注意力集中到真正有威胁的报警上.通过改进已有的MDS使其能够有效利用网络主机上的软件信息消除MDS虚警的有效方法,改进后的MDS根据已知的受监控网段内的主机软件信息,在与入侵规则做匹配之前进行预先判断,过滤掉不需要匹配的入侵规则,从而减少很多没有实际意义的报警记录.改进后的NIDS原型系统在企业内部网实施的实测结果显示,该方法确实可以达到减少虚警数量提高报警质量的目的.     

Resilience analysis of service-oriented collaboration process management systems

Collaborative business process management allows for the automated coordination of processes involving human and computer actors. In modern economies, it is increasingly needed for this coordination to be not only within organizations but also to cross organizational boundaries. The dependence on the performance of other organizations should, however, be limited, and the control over the own processes is required from a competitiveness perspective. The main objective of this work is to propose an evaluation model for measuring a resilience of a service-oriented architecture (SOA) collaborative process management system. In this paper, we have proposed resilience analysis perspectives of SOA collaborative process systems, i.e., overall system perspective, individual process model perspective, individual process instance perspective, service perspective, and resource perspective. A collaborative incident and maintenance notification process system is reviewed for illustrating our resilience analysis. This research contributes to extend SOA collaborative business process management systems with resilience support, not only looking at quantification and identification of resilience factors, but also considering ways of improving the resilience of SOA collaborative process systems through measures at design and runtime.     

On the adaptive real-time detection of fast-propagating network worms

We present two light-weight worm detection algorithms that offer significant advantages over fixed-threshold methods. The first algorithm, rate-based sequential hypothesis testing (RBS), aims at the large class of worms that attempts to quickly propagate, thus exhibiting abnormal levels of the rate at which hosts initiate connections to new destinations. The foundation of RBS derives from the theory of sequential hypothesis testing, the use of which for detecting randomly scanning hosts was first introduced by our previous work developing TRW (Jung et al. in Proceedings of the IEEE Symposium on Security and Privacy, 9–12 May 2004). The sequential hypothesis testing methodology enables us to engineer detectors to meet specific targets for false-positive and false-negative rates, rather than triggering when fixed thresholds are crossed. In this sense, the detectors that we introduce are truly adaptive. We then introduce RBS+TRW, an algorithm that combines fan-out rate (RBS) and probability of failure (TRW) of connections to new destinations. RBS+TRW provides a unified framework that at one end acts as pure RBS and at the other end as pure TRW. Selecting an operating point that includes both mechanisms extends RBS’s power in detecting worms that scan randomly selected IP addresses. Using four traces from three qualitatively different sites, we evaluate RBS and RBS+TRW in terms of false positives, false negatives, and detection speed, finding that RBS+TRW provides good detection of actual Code Red worm outbreaks that we caught in our trace as well as internal Web crawlers that we use as proxies for targeting worms. In doing so, RBS+TRW generates fewer than one false alarm per hour for wide range of parameter choices.     

Alert correlation in collaborative intelligent intrusion detection systems—A survey

As complete prevention of computer attacks is not possible, intrusion detection systems (IDSs) play a very important role in minimizing the damage caused by different computer attacks. There are two intrusion detection methods: namely misuse- and anomaly-based. A collaborative, intelligent intrusion detection system (CIIDS) is proposed to include both methods, since it is concluded from recent research that the performance of an individual detection engine is rarely satisfactory. In particular, two main challenges in current collaborative intrusion detection systems (CIDSs) research are highlighted and reviewed: CIDSs system architectures and alert correlation algorithms. Different CIDSs system, architectures are explained and compared. The use of CIDSs together with other multiple security systems raise certain issues and challenges in, alert correlation. Several different techniques for alert correlation are discussed. The focus will be on correlation of CIIDS alerts. Computational, Intelligence approaches, together with their applications on IDSs, are reviewed. Methods in soft computing collectively provide understandable, and autonomous solutions to IDS problems. At the end of the review, the paper suggests fuzzy logic, soft computing and other AI techniques, to be exploited to reduce the rate of false alarms while keeping the detection rate high. In conclusion, the paper highlights opportunities for an integrated solution to large-scale CIIDS.