ABSTRACT
With new worms appearing at fast pace off late, conventional classification and defense techniques are not adequate to cover wide spectrum of recent worm attacks like stuxnet (2010), morto (June 2011), and DuQu (Oct 2011). Honeypots have been found to be effective for zero day threats, and recent trend for defending against worms leverages the advantages of honeypot alone, or honeypots combined with either signature or anomaly based detection. Although such honeypot based techniques are effective, they become resource intensive when multiple honeypot sensors are used. Moreover, the techniques suffer from one or more limitations of high false positives, false negatives, reduced sensitivity and specificity.
In this paper we discuss a classification of worms which is more exhaustive compared to the earlier classifications. It includes recent worm attacks as well as gives a better and quicker understanding of the recent worm behavior aiding in the design of accurate defense mechanisms. Further a novel hybrid scheme is proposed that integrates anomaly and signature detection with honeypots. At first level we used Signature based detection, for known worm attacks, that makes the system operate in real time. Any deviation from the normal behavior can be easily detected by anomaly detector in second level. Last level is honeypots which helps in detecting zero day attacks. We leverage the advantage of honeyfarm by deploying honeypots and both the detectors in a resource efficient advantage. Controller redirects the traffic to the respective honeypots. To ensure the security of controller, the role of controller is alternated among the honeypots periodically. We validate the proposed scheme by deploying a realistic setup in local environment. Metasploit has been used to generate attack traffic. We compare our proposed scheme against various existing honeypot based defense mechanisms and observe an increase of 32.78% in the detection rate as well as a reduction of 33.3% in the false alarm rate.
Our proposed model combines detection scheme (i.e. signature based and anomaly based) with containment scheme, taking the advantages of both and hence developing an effective defense against Internet worms.
- Li, P., Salour, M. and Su, X. A survey of internet worm detection and containment, Communications Surveys & Tutorials, IEEE, vol. 10, pp. 20--35, 2008. Google ScholarDigital Library
- Nicholas, W., Vern, P., Stuart, S. and Robert, C. A taxonomy of computer worms, presented at the Proceedings of the 2003 ACM workshop on Rapid malcode, Washington, DC, USA, 2003. Google ScholarDigital Library
- Qing, S. and Wen, W. A survey and trends on Internet worms, Computers & Security, vol. 24, pp. 334--346, 2005.Google ScholarDigital Library
- Jai.n, P. and Sardana, A. A hybrid honeyfarm based technique for defense against worm attacks, in Information and Communication Technologies (WICT), 2011 World Congress on, 2011, pp. 1084--1089.Google Scholar
- Oudot, L. Fighting internet worms with honeypots, WWW-Seite, http://www.securityfocus.com/infocus/1740, 2003.Google Scholar
- Stafford, S. and Li, J. Behavior-Based Worm Detectors Compared Recent Advances in Intrusion Detection. vol. 6307, S. Jha, R. Sommer, and C. Kreibich, Eds., ed: Springer Berlin/Heidelberg, 2010, pp. 38--57. Google ScholarDigital Library
- Garuba, M., Chunmei, L. and Washington, N. A Comparative Analysis of Anti-Malware Software, Patch Management, and Host-Based Firewalls in Preventing Malware Infections on Client Computers, in Information Technology: New Generations, 2008. ITNG 2008. Fifth International Conference on, 2008, pp. 628--632. Google ScholarDigital Library
- Kreibich, C. and Crowcroft, J. Honeycomb: creating intrusion detection signatures using honeypots, ACM SIGCOMM Computer Communication Review, vol. 34, pp. 51--56, 2004. Google ScholarDigital Library
- Thakar, U., Varma, S. and Ramani, A. HoneyAnalyzer--analysis and extraction of intrusion detection patterns & signatures using honeypot, The Second International Conference on Innovations in Information Technology (IIT'05), 2005.Google Scholar
- Dagon, D., Qin, X., Gu, G., Lee, W., Grizzard, J., Levine, J. and Owen, H Honeystat: Local worm detection using honeypots, Recent Advances in Intrusion Detection, vol. 3224, ed: Springer Berlin, 2004, pp. 39--58.Google ScholarCross Ref
- Mohammed, M. M. Z. E., Chan, H. A. and Ventura, N. Honeycyber: Automated signature generation for zero-day polymorphic worms, in Military Communications Conference, 2008. MILCOM 2008. IEEE, 2008, pp. 1--6.Google ScholarCross Ref
- Portokalidis, G. and Bos, H. SweetBait: Zero-hour worm detection and containment using low- and high-interaction honeypots, Computer Networks, vol. 51, pp. 1256--1274, 2007. Google ScholarDigital Library
- Portokalidis, G., Slowinska, A. and Bos, H. Argos: an emulator for fingerprinting zero-day attacks for advertised honeypots with automatic signature generation, ACM SIGOPS Operating Systems Review, vol. 40, pp. 15--27, 2006. Google ScholarDigital Library
- Yu, Y., Jun-wei, L., Fu-xiang, G., Ge, Y. and Qing-xu, D. Detecting and Defending against Worm Attacks Using Bot-honeynet, in Electronic Commerce and Security, 2009. ISECS '09. Second International Symposium on, 2009, pp. 260--264. Google ScholarDigital Library
- Anagnostakis, K. G., Sidiroglou, S., Akritidis, P., Xinidis, K., Markatos, E. and Keromytis, A. D. Detecting targeted attacks using shadow honeypots, presented at the Proceedings of the 14th conference on USENIX Security Symposium - Volume 14, Baltimore, MD, 2005. Google ScholarDigital Library
- Kreibich, C., Weaver, N., Kanich, C., Cui, W. and Paxson, V. GQ: Practical Containment for Measuring Modern Malware Systems, Technical Report TR-11-002, International Computer Science Institute2011.Google ScholarDigital Library
- Shamsuddin, S. and Woodward, M. Modeling protocol based packet header anomaly detector for network and host intrusion detection systems, Cryptology and Network Security, pp. 209--227, 2007. Google ScholarDigital Library
Index Terms
- Defending against internet worms using honeyfarm
Recommendations
Scalability, fidelity, and containment in the potemkin virtual honeyfarm
SOSP '05: Proceedings of the twentieth ACM symposium on Operating systems principlesThe rapid evolution of large-scale worms, viruses and bot-nets have made Internet malware a pressing concern. Such infections are at the root of modern scourges including DDoS extortion, on-line identity theft, SPAM, phishing, and piracy. However, the ...
Defending against hitlist worms using network address space randomization
Worms are self-replicating malicious programs that represent a major security threat for the Internet, as they can infect and damage a large number of vulnerable hosts at timescales where human responses are unlikely to be effective. Sophisticated worms ...
Comments