
Defense and Detection Strategies against Internet Worms

Book Description

This is the first book focused exclusively on Internet worms, offering you solid worm detection and mitigation strategies for your work in the field. This ground-breaking volume enables you to put rising worm trends into perspective with practical information in detection and defense techniques utilizing data from live networks, real IP addresses, and commercial tools. The book helps you understand the classifications and groupings of worms, and offers a deeper understanding of how they threaten network and system security.

After examining how a worm is constructed and how its major life cycle steps are implemented, the book scrutinizes targets that worms have attacked over the years, and the likely targets of the immediate future. Moreover, this unique reference explains how to detect worms using a variety of mechanisms, and evaluates the strengths and weaknesses of three approaches - traffic analysis, honeypots and dark network monitors, and signature analysis. The book concludes with a discussion of four effective defenses against network worms, including host-based defenses, network firewalls and filters, application layer proxies, and a direct attack on the worm network itself.

Contents:

Introduction.

Background and Taxonomy - Worms defined. Differentiation From Viruses. Their Six Components. Worm Traffic Patterns. Exponential Growth. Scans, Attacks, Fetch. Worm History. Theory, Implementations, Use, and Ubiquity. Worm Taxonomy. History. ADMworm, Ramen, 110n, Code Red, CR2, NIMDA, etc. Construction of a Worm. Basic Components and Implementation.

Worm Trends - Infection Patterns. Random: Ramen, Code Red 1. Directed. Local Heavy: Code Red 2, NIMDA. Targets. Servers. Desktops. Broadband vs. Commodity Connections. Possible futures. Updates. Different Behaviors. Warhol and Flash Worms.

Detection - Reliance on Knowledge of Set of Behaviors. Traffic Analysis. Traffic Trends (Exponential Growth). Many Connections Outward. Numerous Random Scans In and Out. Less Complete Behavior Set Needed (Generic Behavior). Honeypot and Blackhole Detection. Honeypots: Sit and Wait to be Attacked. Get Hit, Analyze Infection. Back Scatter Analysis from Scans. Blackhole Captures of Payloads. Signature Based Analysis. Virus Applications. NIDS Engines. Application Behavior (Zone Alarm, etc.).

Defenses - Host Level Defenses. Patching. Virus Detection. Host Based IDS. Firewalling Strategies. General Policies. Specific Policies. Traffic Limits on Hosts. Ingress vs. Egress Filtering. Proxy Filters. Web. Mail. File. Difficulties: Compressed, Locked Archives. Unicode. Attacking the Worm Network. Shutdown Messages. Forged "Already Infected" Replies. Routing Style Attacks. NULL or Poison Updates.

Conclusions - General Summary and Closing Thoughts.

Jose Nazario is a senior software engineer at Arbor Networks, an internet security company. He is also a consultant and researcher at Crimelabs Research, a think tank and consulting firm. He holds a Ph.D. in biochemistry from Case Western Reserve University. He has published extensively.
