[ISN] Researchers Propose Early Warning System for Worms

InfoSec News isn at c4i.org
Thu Apr 21 01:26:49 EDT 2005


By Ryan Naraine 
April 20, 2005 

Researchers at the University of Florida have designed an
Internet-worm early warning system that offers a new approach to
pinpointing the first sign of a malicious network attack.

Shigang Chen and Sanjay Ranka, professors in the university's Computer
and Information Science and Engineering department, outlined the
plumbing for the system in a research paper (here in pdf [1]) that
promises a fix for known weaknesses in existing early warning

The paper focuses on TCP-based worms and identifies ways of avoiding
false positives by looking at reply traffic from the targets instead
of monitoring Syn (synchronization) packets to keep track of half-open

"Our proposal integrates a set of techniques that can automatically
detect the concerted scan activity of an ongoing worm attack," Chen
explained. In an interview with Ziff Davis Internet News, he said the
system monitors a "used" address space and relies on RESET packets to
find the scan sources.

"This has greater accuracy and makes the system resilient to
antimonitor measures," he added.

The paper does not provide details on how worm propagation warnings
would be distributed or how the system would arrange detection of UDP
(User Datagram Protocol)-based worms, but Chen argues that the
research can be easily expanded to solve those issues.

"Once the system is in place and worm propagation is detected, you can
use all kinds of distribution mechanisms to get the alarm out. You can
set up subscriptions to distribute the data via e-mail, pagers,
newsgroups or any other existing mechanism," he said.

Chen's group has also designed a distributed anti-worm system,
described in a separate paper (pdf), that offers perimeter-based
defense against high-bandwidth distributed denial-of-service attacks.
That system,
Chen said, can be used by ISPs to provide security service to

With the worm early warning system, dubbed WEW, Chen said he believes
the "open problem" of thwarting attacks like the destructive Blaster,
CodeRed, Nimda and Sasser worms could be minimized.

"The problem has not been solved because nobody is detecting worms in
time. As we've seen with the big attacks, they were already widespread
before the industry could figure out it was a worm attack," Chen said.

Chen and Ranka's proposal also includes an antispoof protocol that
filters out the false scan sources to identify possible worm-infected
hosts. It also proposes the use of a new performance metric, system
sensitivity, to capture the responsiveness of an early warning system
in reporting an ongoing worm.

In theory, Chen sees the early warning system deployed at the gateway
of a large enterprise network to collect samples of Internet scan
activities. "The system detected potential worm outbreak by analyzing
the pattern of increase in external scan sources and comparing their
similarity," the researcher wrote.

"It captures the common signature from those sources in order to
assist human analysis or automatically reconfigure a filtering device
to block them," he added.

The primary task of Chen's worm early warning system is to monitor
outbound TCP RESET packets which would indicate failed inbound
connection attempts, Chen explained.

To work around the problem of false positives, the paper proposes to
filter out false scan sources.
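
The following sketch is an added example, not code from the paper or the article: it shows the monitoring idea described above, counting outbound TCP RESETs at a gateway to find external scan sources and warning when the number of sources probing one port grows. The address range, window length, thresholds and sample records are assumptions constructed for illustration, and the paper's antispoof filtering is not modelled.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed monitored ("used") address space
WINDOW = 60        # seconds per observation window (assumed)
MIN_TARGETS = 3    # internal hosts resetting one source => scan source (assumed)
MIN_SOURCES = 3    # scan sources sharing a port before a warning (assumed)


def scan_sources_by_window(packets):
    """Map window -> {probed_port: set of external scan sources}.
    packets: (ts, src_ip, src_port, dst_ip, flags) leaving the gateway.
    An outbound RST means dst_ip failed to connect to src_ip:src_port."""
    targets = defaultdict(set)  # (window, external, port) -> internal hosts
    for ts, src, sport, dst, flags in packets:
        if "R" not in flags:
            continue
        if ip_address(src) not in INTERNAL or ip_address(dst) in INTERNAL:
            continue  # keep only internal -> external resets
        targets[(int(ts // WINDOW), dst, sport)].add(src)
    result = defaultdict(lambda: defaultdict(set))
    for (win, ext, port), hosts in targets.items():
        if len(hosts) >= MIN_TARGETS:  # one stray RST is not a scan
            result[win][port].add(ext)
    return result


def warnings(packets):
    """Return [(window, port, n_sources)] where the scan sources on one
    port reach MIN_SOURCES and increased over the previous window."""
    by_win = scan_sources_by_window(packets)
    out = []
    for win in sorted(by_win):
        for port, sources in sorted(by_win[win].items()):
            prev = len(by_win.get(win - 1, {}).get(port, ()))
            if len(sources) >= MIN_SOURCES and len(sources) > prev:
                out.append((win, port, len(sources)))
    return out


def sample_packets():
    """Constructed outbound-RST records, not real traffic."""
    pkts = [(5, "10.0.0.9", 80, "203.0.113.9", "RA")]  # single failed connect
    pkts += [(10 + i, f"10.0.1.{i + 1}", 445, "198.51.100.7", "RA")
             for i in range(3)]  # window 0: one scan source
    for s in range(4):  # window 1: four sources probing the same port
        pkts += [(70 + i, f"10.0.2.{i + 1}", 445, f"198.51.100.{20 + s}", "RA")
                 for i in range(3)]
    return pkts
```
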

"The goal is to have a system to issue warnings at the very early
stages of an attack and to provide information for security analysts
to control the damage."

Chen said the system can be deployed locally or codeployed among a
group of enterprise networks to provide comprehensive worm-detection

Chen said "honeypots" would be used to capture the attack signatures
of the scanning hosts, but conceded that the issue of creating
signatures was not fully addressed in the proposal.

He likened the need for an Internet-worm early warning system to
similar mechanisms that deal with real-life disasters like hurricanes,
floods and tornados.

"In the Internet world, the damage may not be loss of lives, but it's
still very significant," Chen said. "The network worm is still the
number one threat in the enterprise. It costs hundreds of millions of
dollars every year to fix compromised machines and clean up from a
major attack."

"An early warning system gives you some time to take urgent action
ahead of worm propagation. Just like with the hurricane warnings, you
can learn about the nature of the attack and figure out ways to put
defense systems in place before it becomes widespread," he added.

[1] http://www.cise.ufl.edu/~sgchen/papers/JSAC2005.pdf
