KNAW

Research

The Worm: tracing the most rapid worms (flash-worms)

Title: The Worm: tracing the most rapid worms (flash-worms)
Period: 01/2005 - unknown
Status: Current
Research number: OND1304891
Data supplier: Website Vrije Universiteit

Abstract

Computer networks have become vital infrastructure for virtually all organizations. Unfortunately, they have also become both the source and the victim of increasingly sophisticated attacks. 'Worms' especially are hard to fight, as they are autonomous, self-replicating programs that may spread across the world in minutes ('flash worms'), leaving no time for human administrators to respond. Instead, an Intrusion Detection System (IDS) is needed that is able to cope with current and future worms. Signatures of new worms are regularly published by various organizations, or may even be generated automatically in specialized nodes on the Internet (such as 'honeypots'). However, even when its signature is known, it is increasingly difficult to stop a worm at high link rates. At the same time, applying some form of IDS in the backbone (where link rates are high) is more effective than at the edge of the network, as any attack that is stopped inside the network protects a large number of clients from (rather costly) problems.

There are two main approaches to high-speed intrusion detection. First, one may take a 'flow-based' approach whereby fluctuations in the traffic are analyzed for unusual behavior. For example, if an IDS discovers a sudden increase in the volume of traffic sent to a specific port, this may indicate that a flash worm is active. However, manual inspection of the flows is still needed to confirm that this is really the case. Second, one may instead opt to scan all network packets for signatures of known worms. This approach will be termed 'deep scan'. While a deep scan finds all known worms (as long as they do not mutate), it is not a practical solution for the backbone, where link rates are too high. Also, sophisticated worms that modify themselves in order to escape detection ('polymorphic worms') are not found.

In this proposal, we plan to investigate a new approach called DeWorm, which combines the deep-scan and flow-based approaches to stop flash worms even if they are self-modifying. A flow-based approach is used to detect unusual behavior (first tier). Packets belonging to flows that exhibit unusual behavior are subjected to a deep scan (second tier). Self-modifying worms are detected by comparing suspect packets to other suspect packets and finding 'similarities'. Packets that are similar to known worms, and packets that are reported by multiple sites, are also classified as suspect packets.
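The two-tier scheme described above, as an added example that is not part of the original proposal or the DeWorm project's code: the first tier flags destination ports whose packet volume jumps far above a per-port baseline, and the second tier deep-scans only the packets of those flows, both against known signatures and against each other, so that mutated copies sharing most of their byte n-grams are still clustered together. All traffic, baselines, signature bytes and thresholds are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

BASELINE = {80: 100, 1434: 2}       # constructed: expected packets per port per window
KNOWN_SIGNATURES = [b"WORM-SIG-A"]   # constructed placeholder signature bytes

def build_window():
    """Constructed observation window: (dst_port, payload) tuples, not real captures."""
    pkts = [(80, b"GET /index.html HTTP/1.0\r\n"), (80, b"GET /about.html HTTP/1.0\r\n"),
            (80, b"POST /login HTTP/1.0\r\n")]
    body = b"\x04\x01\x01" + b"\x90" * 16 + b"CONSTRUCTED-BODY!" + b"\x90" * 8
    for i in range(10):              # ten copies that "mutate" only a 2-byte prefix
        pkts.append((1434, bytes([i, 0xFF - i]) + body))
    pkts.append((1434, b"\x01\x02WORM-SIG-A\x03\x04"))  # one copy hits a known signature
    return pkts

def tier1_flag_ports(window, baseline, factor=5):
    """Flow-based tier: ports whose volume exceeds factor x baseline in this window."""
    counts = Counter(port for port, _ in window)
    return {p for p, c in counts.items() if c > factor * baseline.get(p, 1)}

def ngrams(payload, n=8):
    return {payload[i:i + n] for i in range(len(payload) - n + 1)}

def similarity(a, b, n=8):
    """Jaccard overlap of byte n-grams; small mutations leave most n-grams shared."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    return len(ga & gb) / len(ga | gb) if (ga or gb) else 0.0

def tier2_deep_scan(suspects, signatures, threshold=0.6):
    """Deep-scan tier: known signatures, then pairwise similarity among suspects."""
    verdicts = {}
    for idx, (_, payload) in enumerate(suspects):
        if any(sig in payload for sig in signatures):
            verdicts[idx] = "known-signature"
    for i, j in combinations(range(len(suspects)), 2):
        if similarity(suspects[i][1], suspects[j][1]) >= threshold:
            verdicts.setdefault(i, "similar-cluster")
            verdicts.setdefault(j, "similar-cluster")
    return verdicts

def deworm(window, baseline, signatures):
    """Run both tiers; only packets of flagged flows ever reach the deep scan."""
    flagged = tier1_flag_ports(window, baseline)
    suspects = [pkt for pkt in window if pkt[0] in flagged]
    verdicts = tier2_deep_scan(suspects, signatures)
    return flagged, [(suspects[i][0], why) for i, why in sorted(verdicts.items())]
```

In the constructed window only port 1434 exceeds its baseline, so the three HTTP packets are never deep-scanned; the ten mutated copies cluster at a Jaccard similarity of 0.875 and the eleventh matches the signature directly.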

Abstract (NL, translated)

The DeWorm project focuses on detecting the very fastest worms (flash worms). Such worms have proven capable of spreading to every vulnerable computer on the Internet within a few minutes. To combat them, the network traffic is first examined for deviating high-level patterns (for example: far more traffic than usual is destined for a particular program). Once such a deviating stream of data packets has been found, it is then subjected to a byte-by-byte data inspection.

Related organisations

Related people

Project leader: Dr.ir. H.J. Bos

Related research (upper level)

Classification

A50000 Economics
D16100 Computer systems, architectures, networks
