Automatic Defense Against Zero-day Polymorphic Worms in Communication Networks

Purchasing Options

Hardback
$89.95
ISBN 9781466557277
Cat# K15460
eBook
ISBN 9781466557284
Cat# KE20365

Features

  • Supplies unprecedented coverage on how to generate automated signatures for unknown polymorphic worms
  • Describes attack detection approaches and automated signature generation systems
  • Discusses experimental implementation of signature-generation algorithms and double-honeynet systems
  • Details the design of double-honeynet systems

Summary

Able to propagate quickly and change their payload with each infection, polymorphic worms have been able to evade even the most advanced intrusion detection systems (IDS). And, because zero-day worms require only seconds to launch flooding attacks on your servers, using traditional methods such as manually creating and storing signatures to defend against these threats is just too slow.

Bringing together critical knowledge and research on the subject, Automatic Defense Against Zero-day Polymorphic Worms in Communication Networks details a new approach for generating automated signatures for unknown polymorphic worms. It presents experimental results on a new method for polymorphic worm detection and examines the experimental implementation of signature-generation algorithms and double-honeynet systems.

If you need some background, the book includes an overview of the fundamental terms and concepts in network security, including the various security models. Clearing up the misconceptions about the value of honeypots, it explains how they can be useful in securing your networks, and identifies open-source tools you can use to create your own honeypot. There’s also a chapter with references to helpful reading resources on automated signature generation systems.

The authors describe cutting-edge attack detection approaches and detail new algorithms to help you generate your own automated signatures for polymorphic worms. Explaining how to test the quality of your generated signatures, the text will help you develop the understanding required to effectively protect your communication networks. Coverage includes intrusion detection and prevention systems (IDPS), zero-day polymorphic worm collection methods, double-honeynet system configurations, and the implementation of double-honeynet architectures.

Table of Contents

The Fundamental Concepts
Introduction
     Network Security Concepts 
     Automated Signature Generation for Zero-Day Polymorphic Worms
Our Experience and This Book’s Objective
References

Computer Networking
Computer Technologies
Network Topology 
     Point-to-Point Topology 
     Daisy-Chain Topology 
     Bus (Point-to-Multipoint) Topology 
     Distributed Bus Topology 
     Ring Topology
     Dual-Ring Topology 
     Star Topology 
     Star-Wired Bus Topology 
     Star-Wired Ring Topology
     Mesh Topology 
     Hierarchical or Tree Topology 
     Dual-Homing Topology
Internet Protocol
Transmission Control Protocol
IP Routers
Ethernet Switch
IP Routing and Routing Table
Discussion on Router 
     Access Mechanisms for Administrators
     Security Policy for a Router 
     Router Security Policy Checklist
Network Traffic Filtering 
     Packet Filtering 
     Source Routing
Tools Used for Traffic Filtering or Network Monitoring 
     Packet Capture
Concluding Remarks
References

Intrusion Detection and Prevention Systems (IDPSs)
Introduction
IDPS Detection Methods 
     Signature-Based Detection 
     Anomaly-Based Detection 
     Stateful Protocol Analysis
IDPS Components
IDPS Security Capabilities
Types of IDPS Technologies 
     Network-Based IDPSs 
     Wireless IDPSs 
     NBA Systems 
     Host-Based IDPS
Integration of Multiple IDPSs 
     Multiple IDPS Technologies 
     Integration of Different IDPS Products
IDPS Products
     Common Enterprise Network-Based IDPSs 
     Common Enterprise Wireless IDPSs 
     Common Enterprise NBA Systems
     Common Enterprise Host-Based IDPSs
Concluding Remarks
References

Honeypots
Definition and History of Honeypots 
     Honeypot and Its Working Principle 
     History of Honeypots 
     Types of Honeypots
Types of Threats 
     Script Kiddies and Advanced Blackhat Attacks 
     Attackers’ Motivations
The Value of Honeypots 
     Advantages of Honeypots 
     Disadvantages of Honeypots 
     Roles of Honeypots in Network Security
Honeypot Types Based on Interaction Level 
     Low-Interaction Honeypots
     High-Interaction Honeypots
     Medium-Interaction Honeypots
An Overview of Five Honeypots 
     BackOfficer Friendly 
     Specter 
     Honeyd 
     ManTrap 
     Honeynets
Conclusion
References

Internet Worms
Introduction
Infection 
     Code Injection 
     Edge Injection 
     Data Injection
Spreading
Hiding 
     Traffic Shaping 
     Polymorphism 
     Fingerprinting
Worm Components 
     Reconnaissance 
     Attack Components 
     Communication Components 
     Command Components 
     Intelligence Capabilities
Worm Life 
     Random Scanning 
     Random Scanning Using Lists 
     Island Hopping 
     Directed Attacking 
     Hit-List Scanning
Polymorphic Worms: Definition and Anatomy 
     Polymorphic Worm Definition
     Polymorphic Worm Structure 
     Invariant Bytes
     Polymorphic Worm Techniques 
     Signature Classes for Polymorphic Worms
Internet Worm Prevention Methods 
     Prevention of Vulnerabilities 
     Prevention of Exploits
Conclusion
References

Reading Resources on Automated Signature Generation Systems
Introduction
     Hybrid System (Network Based and Host Based) 
     Network-Based Mechanisms 
     Host-Based Mechanisms
References

Signature Generation Algorithms for Polymorphic Worms
String Matching 
     Exact String-Matching Algorithms
     Approximate String-Matching Algorithms
Machine Learning 
     Supervised Learning
     Algorithm Selection 
     Logic-Based Algorithms 
     Learning Set of Rules 
     Statistical Learning Algorithms
     Support Vector Machines
Unsupervised Learning
     A Brief Introduction to Unsupervised Learning 
     Dimensionality Reduction and Clustering Models
     Expectation–Maximization Algorithm 
     Modeling Time Series and Other Structured Data
     Nonlinear, Factorial, and Hierarchical Models 
     Intractability 
     Graphical Models 
     Exact Inference in Graphs 
     Learning in Graphical Models
     Bayesian Model Comparison and Occam’s Razor
Concluding Remark
References

Zero-Day Polymorphic Worm Collection Method
Introduction
Motivation for the Double-Honeynet System
Double-Honeynet Architecture
Software 
     Honeywall Roo CD-ROM 
     Sebek 
     Snort_inline
Double-Honeynet System Configurations 
     Implementation of Double-Honeynet Architecture
     Double-Honeynet Configurations
Chapter Summary
References

Developed Signature Generation Algorithms
Introduction
An Overview and Motivation for Using String Matching
The Knuth–Morris–Pratt Algorithm 
     Proposed Substring Extraction Algorithm 
     A Modified Knuth–Morris–Pratt Algorithm 
     Testing the Quality of the Generated Signature for Polymorphic Worm A
Modified Principal Component Analysis 
     An Overview of and Motivation for Using PCA in Our Work 
     Our Contributions in the PCA 
     Determination of Frequency Counts 
     Using PCA to Determine the Most Significant Data for Polymorphic Worm Instances
     Testing the Quality of the Generated Signature for Polymorphic Worm A
Clustering Method for Different Types of Polymorphic Worms
Signature Generation Algorithm Pseudocodes 
     Signature Generation Process 
     Testing the Quality of the Generated Signature for Polymorphic Worm A
Chapter Summary
Conclusion and Recommendations for Future Work
References

Author Bio(s)

Mohssen Mohammed received his B.Sc. (Honors) degree in Computer Science from Computer Man College for Computer Studies (Future University), Khartoum, Sudan in 2003. In 2006, he received the M.Sc. degree in Computer Science from the Faculty of Mathematical Sciences, University of Khartoum, Sudan. In 2012 he received the Ph.D. degree in Electrical Engineering from the University of Cape Town, South Africa. He has published several papers at top international conferences such as GLOBECOM and MILCOM, and has served as a Technical Program Committee member in numerous international conferences, including ICSEA 2010 and ICNS 2011. He received the University of Cape Town prize for International Scholarship for Academic Merit (2007, 2008, and 2009). From 2005 to 2012 he worked as permanent academic staff at the University of Juba, South Sudan. He is now an Assistant Professor in the College of Computer Science & Information Technology, Bahri University, Khartoum, Sudan. His research interests include network security, especially intrusion detection and prevention systems, honeypots, firewalls, and malware detection methods.

Al-Sakib Khan Pathan received his Ph.D. degree in Computer Engineering in 2009 from Kyung Hee University, South Korea. He received his B.Sc. degree in Computer Science and Information Technology from the Islamic University of Technology (IUT), Bangladesh in 2003. He is currently an Assistant Professor in the Computer Science Department at the International Islamic University Malaysia (IIUM), Malaysia. Until June 2010, he served as an Assistant Professor in the Computer Science and Engineering Department at BRAC University, Bangladesh. Prior to holding this position, he worked as a Researcher at the Networking Lab, Kyung Hee University, South Korea until August 2009. His research interests include wireless sensor networks, network security, and e-services technologies. He is a recipient of several awards and best paper awards and has several publications in these areas. He has served as a Chair, Organizing Committee Member, and Technical Program Committee member in numerous international conferences and workshops, including HPCS, ICA3PP, IWCMC, VTC, HPCC, and IDCS. He is currently serving as the Editor-in-Chief of IJIDCS, an Area Editor of IJCNIS, Editor of IJCSE (Inderscience), Associate Editor of IASTED/ACTA Press IJCA and CCS, Guest Editor of several special issues of top-ranked journals, and Editor/Author of five published books. He also serves as a referee for several renowned journals. He is a member of the Institute of Electrical and Electronics Engineers (IEEE), USA; the IEEE Communications Society (IEEE ComSoc), USA; the IEEE ComSoc Bangladesh Chapter; and several other international organizations.

© 2013 Taylor & Francis Group, LLC. All Rights Reserved.