ASIA & SKM ’12

Abstract—Computer worms pose a great threat to business enterprises, large and small organizations, government agencies and the internet at large, because of the sensitivity of the information that flows over their networks. Computer worms possess characteristics that let them evade traditional network security methods unnoticed. Detecting such network attacks is therefore difficult, and even after detecting them, timely and effective trace back is a further challenge. This paper reviews the characteristics of computer worms and the technique of using an intrusion detection system (IDS) behind firewalls to detect worms, explaining the two basic schemes it employs in attack detection. It also surveys and analyzes various reactive attack trace back approaches, suggesting the most effective approach for tracing back worm attacks.
Index Terms— Computer Worm, Intrusion Detection System, IP Trace Back, Network Security
I. INTRODUCTION
We live in the information age, and it is very useful for us to share and store information conveniently for the purposes of education, research, increased productivity and quality of service, electronic storage and easy retrieval; one efficient and cost-effective way of achieving this is through the use of computer networks.
A network is a connected collection of devices and end systems such as computers, servers and printers which can communicate with each other and share resources [6]. Networks are implemented and in use in homes, small offices, large enterprises and governmental organizations. Their components include personal computers, interconnections, switches, routers, firewalls, etc. [6]. Each of these devices performs a distinct function to enable information to be stored or accessed in a faster, more reliable, secure, cost-effective and convenient manner.
The internet, which is a ‘network of networks,’ has been growing rapidly because it directly affects business, education, governmental activities and social interaction [18]. Because of the benefits of using the internet, a lot of valuable and sensitive information travels through the network, and these data transfers attract attackers who steal, intercept or destroy valuable information and disrupt normal network connections for fun, fame or money [18]. One way of carrying out such attacks is through the deployment of computer worms.
A computer worm is malicious software (malware) designed to attack a network with the aim of stealing information on the network, destroying network resources or denying legitimate network users the resources they need; this type of denial attack is called denial of service (DoS). It is a self-replicating special type of virus program that propagates via network connections, taking advantage of security flaws in computers on the network [14]. Worms do not need human intervention to propagate. Worms pose a big threat to networks because they evade network security measures stealthily, that is, unnoticed.
A computer worm, after it is released, goes through the following phases: target finding, worm transferring, worm activation and worm infection. During the first two phases the worm is active over the internet, which makes it possible for network-based intrusion detection systems (NIDS) to detect it. The other two phases are hard for a NIDS to detect [14]. The first step of a worm’s life is to find targets. A worm may find its target or next victim using many different strategies. The first is blind scanning, which includes sequential, random and permutation scanning; these are probabilistic and suffer a high connection failure rate because the worm has no prior knowledge about the targets [21].
The second target finding strategy is the use of a hit-list. The hit-list is a list of pre-scanned vulnerable addresses, so the worm knows exactly where its targets are. The larger the hit-list, the more accurate the worm is and the more damage it can cause.
Thirdly, the use of network topology can enable a worm to find its target because many hosts on the internet store information about other hosts on the network revealing their vulnerabilities [20].
Fourthly, a passive strategy is another approach worms employ in finding targets: the worm patiently waits for victims to communicate with the host on which it is resident.
Lastly, web searching is another strategy used by worms to find their targets because web searches avoid being detected by traditional detection techniques [12].
The second phase of a worm’s life cycle is its transferring or propagation. It does this by one of three schemes. Self-carried: the worm code is transferred in a packet by itself. Second channel: after finding its target, the worm enters the target and downloads the worm code through a ‘backdoor’ that has been installed by some application. Embedded: the worm attaches its code to legitimate traffic, for example an e-mail, in order to hide itself [20]. This last method is very deceptive and often goes unnoticed.
Computer Worm Attack Using IDS and Trace Back Approaches
Sanjay Misra and Akuboh Victor Uneojo

The third phase of a worm’s life cycle is worm activation, that is, how the worm is transmitted over the network. There are two basic ways in which worms are transmitted over the network: transmission control protocol (TCP) and user datagram protocol (UDP). The main difference is that TCP worms are connection oriented, because they require a connection to be established before infection can begin, unlike UDP worms, which are connectionless and require no connection to infect targets; this makes them spread very rapidly [9].
The last phase of a worm’s life cycle is worm infection. This phase is associated with the actual worm code format. Worms usually send their code in a direct manner, which lets detection systems identify them quickly. Worms can be monomorphic in format, padding the code with irrelevant data but maintaining a single signature. They can also be polymorphic in format; that is, their code changes dynamically by being scrambled so that the worm takes different forms from different views while maintaining the same function. This type of worm format is very hard to detect with signature-based detection. Another worm format is the metamorphic worm, which changes not just its appearance but also its behavior [7].
Worm structures may have features that enable them to locate targets and propagate infections, a remote control that enables the author to control the worm remotely, and an update interface that enables the author to update the worm’s code. Some examples of worms are Stuxnet, Morris Worm, Code Red, Nimda, Slammer, Sasser, Witty, etc.
Detecting worm attacks has become a matter of concern because of the havoc they can cause on networks. This research focuses on analyzing how intrusion detection systems (IDS) detect worm attacks. An intrusion detection system is hardware or software installed on the network or on host computers that monitors data traffic on the network in order to discover illegitimate or malicious traffic that violates the security policy of a particular network [19]. IDS can be network-based or host-based. Network-based intrusion detection systems (NIDS) analyze network traffic at all layers of the open systems interconnection (OSI) model and check for anomalous packet behavior or unwanted packet signatures; when these are detected, the NIDS raises an alarm, calling for the attention of a security administrator. They are easy to deploy and can monitor traffic from many systems at once.
Host-based intrusion detection systems (HIDS) are usually software installed on host systems, and they generally analyze network traffic and system-specific settings such as local security policy, local audit logs, and so on [19]. Although both NIDS and HIDS have their strengths and limitations, using both at different points in the same network improves the effectiveness of threat detection.
IDSs use two schemes to detect illegitimate traffic: signature-based and anomaly-based detection.
It is not enough just to detect worms. The next thing that should be done is to contain them and trace them back to their source. This research will only analyze the approaches to tracing back attacks. Attack trace back, just as the name implies, is the tracing of attacks back to their origin.
This can be seen as a form of network forensics, which is the capture, recording and analysis of network events in order to discover the source of security attacks or other problem incidents. It is a reactive measure of attack trace back. There are many reactive approaches to attack trace back; they include link testing, logging, ICMP (internet control message protocol) trace back and packet marking.
II. MOTIVATION, OBJECTIVES, AND LIMITATIONS
A. Motivation
A lot of hacking activities have been taking place on the internet, and one method employed is the use of computer worms. These attacks disrupt a lot of business activities, destroying resources and causing huge financial damage. Data recovery procedures are more expensive than the cost of implementing a network. Our motive is to make sure that networks are secured using appropriate measures and that attack trace back is effective in bringing these attackers to book.
B. Objectives
The main aim of this research is to survey and analyze the different worm detection schemes used by intrusion detection systems (IDS) in order to come up with reasonable justification for the use of any of the schemes. The second aim is to survey and analyze the various approaches in reactive attack trace back in order to see the most effective approaches or a combination of approaches that will aid in improving the effectiveness of attack trace back.
C. Limitations
Attack trace back is largely dependent on detecting these attacks. A major challenge in attack detection is the use of steganography, which is the principle of hiding information inside objects, images, sound and even ordinary text files. The second limitation is the technique of IP spoofing. This technique allows an attacker to impersonate an IP address and pretend to be the sender of packets while actually being somewhere else. This makes attack trace back fruitless because the wrong host will be traced.
III. LITERATURE SURVEY
A lot of businesses and organizations depend on computer networks for efficient and effective operations. One of the biggest threats to such businesses and organizations is computer worms. Computer worms are malicious pieces of code that propagate themselves via network connections, exploiting the security lapses in computers on the network. They propagate without human intervention [14].
In 1988, Robert Tappan Morris launched the first computer worm from Cornell University. The worm was later called the “Morris Worm.” It caused expensive and widespread damage on all kinds of computers. It took advantage of a buffer overflow vulnerability [16]. Its original intention was to discover the number of hosts on the internet, but flaws in the program caused the code to copy itself multiple times to already infected hosts, slowing them down until they became unusable.
Another known computer worm is Code Red I; it was first discovered running on Microsoft’s internet information server (IIS) web service in 2001. It uses a blind scan of port 80 on random IP addresses to find vulnerable hosts and then launches a denial-of-service (DoS) attack. Later, Code Red II was discovered, which, unlike Code Red I, installs a ‘backdoor’ on infected systems.
Because of the havoc caused by computer worms on businesses and organizations, a need arises for detecting computer worms on networks. Security threats mainly come from intruders, who are classified as either external intruders, who are unauthorized users of the machines they attack, or internal intruders, who have restricted permissions on the machines. Usually, traditional techniques such as authentication, encryption and firewalls are used as a first line of security, but because of weak passwords and vulnerabilities in firewalls these methods are unable to protect against malicious code.
In 1987, Dorothy Denning proposed the concept of intrusion detection as a solution to the problem of providing a sense of security in computer systems. The concept involves detecting abnormal usage of the system. Many other techniques were later used, including statistical approaches, predictive pattern generation, expert systems, keystroke monitoring, state transition analysis, pattern matching and data mining techniques [10].
An ideal intrusion detection system should function in the following manner:
• It should be able to detect known and unknown worms
• Minimal processing overhead during detection
• Very low level of administrator involvement
• Correctly detect worms that change signature
• Design should not be complex
• Require minimum memory
In recent times, the modern scheme employed in detecting worm attacks is the use of intrusion detection systems. They are pieces of hardware or software, usually placed behind firewalls, that detect illegitimate traffic; they can be network-based (NIDS) or host-based (HIDS). There are many proposed algorithms for these detection methods, but the two most common schemes are signature-based detection and anomaly-based detection [14].
Signature-based detection is the regular method IDSs use to detect known attacks: the IDS analyzes incoming packets and matches their signatures against the signatures of known malicious attacks held in its database; if a signature matches, it raises an alert. It does not need any knowledge of normal traffic; it just needs a signature database. It does not care how a worm finds its target, how it propagates, or what transmission scheme it uses.
One major challenge of signature-based IDSs is that, because they need to register a large number of known attacks, they consume resources and take time to search for known worm signatures. Another challenge is that new worms are developed every day, so keeping the signature database up to date is laborious, and worms with unknown signatures can pass through the IDS.
The second scheme is anomaly-based detection. Unlike signature-based detection, it does not care about the worms’ code or content; rather, it is interested in the packet headers in order to identify the type of connection the packet used [4]. Anomaly-based systems monitor and analyze network traffic, check for behavior that departs from normal or legitimate network activity, and trigger an alarm. These schemes require a definition of legitimate or normal network behavior, on which the anomaly-based IDS is trained using a “firing rule,” as in some artificial neural networks. This training lets it generate a pattern for legitimate traffic and trigger an alarm when the pattern generated from observed traffic does not correspond to the pattern it deems legitimate. The training can be supervised or unsupervised.
The greatest challenge of anomaly-based detection is that its whole activity depends on what was defined to it as normal network behavior; in other words, its training determines its performance [14].
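To make the difference between the two schemes concrete, the following is an added example written for this page (not code from the paper or from any IDS product): a toy signature matcher and a toy anomaly detector run over the same constructed packet trace. The signature database, the hosts, the addresses and the payload strings are all constructed placeholders, and the anomaly “model” is just per-source connection statistics learned from a sample of normal traffic, standing in for the trained model the text describes. The known worm is caught by the signature matcher; a variant with a changed payload that blind-scans port 80 slips past the signatures but is flagged by the anomaly detector from its connection behaviour alone.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes
    answered: bool = True   # False models a connection attempt the target never answered


# Constructed signature database: placeholder byte patterns standing in for
# known worm payloads. They are not real worm signatures.
SIGNATURES = {
    b"WORM-A-EXPLOIT-V1": "worm-a",
    b"WORM-B-EXPLOIT-V1": "worm-b",
}


def signature_detect(packets):
    """Signature-based scheme: compare every payload against the known database.
    Needs no notion of normal traffic, but only fires on patterns it already holds."""
    alerts = []
    for idx, pkt in enumerate(packets):
        for pattern, name in SIGNATURES.items():
            if pattern in pkt.payload:
                alerts.append((idx, pkt.src, name))
                break
    return alerts


def _per_source_stats(packets):
    """Per source: number of distinct destinations and share of unanswered attempts."""
    dsts, attempts, failed = defaultdict(set), defaultdict(int), defaultdict(int)
    for pkt in packets:
        dsts[pkt.src].add(pkt.dst)
        attempts[pkt.src] += 1
        if not pkt.answered:
            failed[pkt.src] += 1
    return {src: (len(dsts[src]), failed[src] / attempts[src]) for src in attempts}


def train_baseline(normal_packets):
    """Anomaly-based scheme, training phase: learn what legitimate traffic looks like.
    The 'model' here is the worst case seen per source during training, plus headroom."""
    stats = _per_source_stats(normal_packets)
    max_dsts = max(n for n, _ in stats.values())
    max_fail = max(f for _, f in stats.values())
    return {"max_distinct_dsts": 2 * max_dsts, "max_fail_ratio": max_fail + 0.5}


def anomaly_detect(packets, baseline):
    """Anomaly-based scheme, detection phase: flag sources whose connection behaviour
    leaves the trained envelope. Payload content is never inspected."""
    alerts = []
    for src, (n_dsts, fail_ratio) in _per_source_stats(packets).items():
        reasons = []
        if n_dsts > baseline["max_distinct_dsts"]:
            reasons.append(f"{n_dsts} distinct destinations")
        if fail_ratio > baseline["max_fail_ratio"]:
            reasons.append(f"{fail_ratio:.0%} unanswered connections")
        if reasons:
            alerts.append((src, "; ".join(reasons)))
    return alerts


def normal_traffic():
    """Constructed legitimate traffic: five workstations each talking to three servers."""
    return [Packet(f"10.0.1.{i}", srv, 443, b"GET /index.html")
            for i in range(1, 6)
            for srv in ("10.0.0.10", "10.0.0.11", "10.0.0.12")]


def build_trace():
    """Constructed trace: normal traffic, one known worm hit, and a mutated variant
    blind-scanning port 80 on 40 addresses, most of which never answer."""
    known = [Packet("10.0.1.7", "10.0.0.10", 80, b"..WORM-A-EXPLOIT-V1..")]
    scanner = [Packet("10.0.1.9", f"198.51.100.{n}", 80, b"W0RM-A-EXPL0IT-V2",
                      answered=(n % 10 == 0)) for n in range(1, 41)]
    return normal_traffic() + known + scanner


if __name__ == "__main__":
    trace = build_trace()
    print("signature alerts:", signature_detect(trace))
    print("anomaly alerts:  ", anomaly_detect(trace, train_baseline(normal_traffic())))
```

The flip side is visible in the same code: any legitimate host whose behaviour never appeared in the training sample (a vulnerability scanner run by the administrators, a busy mail relay) would be flagged just the same, which is the dependence on training data that the text warns about.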
Attack trace back is very important, as it enables networks under attack, especially those of businesses and organizations, to hold attackers accountable for their malicious acts. Trace back methods can be either preventive or reactive [11]. Preventive methods are proactive in nature, as they try to stop worm attacks before they even occur. Reactive measures focus on tracing attacks back to their source after they have occurred. A major challenge of reactive trace back is that it requires a large degree of cooperation from internet service providers (ISPs), which leads to legal and policy issues. A reactive trace back method is more effective when it needs less ISP cooperation, and it can be very effective in controlled networks such as an enterprise network [1]. The characteristics of an ideal trace back system are:
• Should be able to trace an attack with a single packet
• Minimal processing during trace back
• Very low level of ISP involvement
• Should not require additional memory for routers and other network devices
• High level of protection should be offered during trace back
• Correctly trace back attacks consisting of packets that undergo any number of transformations of any type [8]
The earliest reactive attack trace back approach is link testing. As the name implies, it traces packets from link to link, that is, hop by hop, in order to determine the source of the attack traffic. Starting from the router closest to the victim, it uses two testing schemes, namely input debugging and controlled flooding [8]. Input debugging is a feature included in most routers. It involves generating attack signatures that match the regular signatures contained in attack packets. It requires significant ISP cooperation in terms of time, personnel and finance, which some ISPs may not provide.
In 2000, Burch and Cheswick developed a link-testing trace back technique that does not require much ISP cooperation [5]. The technique is called controlled flooding because it tests links by flooding them with large bursts of traffic and observing the effect on the traffic arriving from the attacker.
Sager and Stone, in 1998 and 2000 respectively, suggested logging packets at key routers and then using data mining techniques to determine the path the packets traversed. The major challenge was that logging packets consumes router memory, which in turn could affect the speed of transmission [15] [17].
Tatsuya Baba and Shigeyuki Matsuda, in 2002, proposed an alternative and innovative logging approach [2]. It involves logging packets only when malicious traffic is detected by sensors built into the network; this allows tracers to log packets upon request. Moreover, only certain important characteristics of each packet are logged, not the entire packet. This requires less storage and thus increases speed compared to traditional logging methods [1].
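The on-demand logging approach lends itself to a small simulation, added here as an example for this page (it is not the authors’ code nor Baba and Matsuda’s). Each tracer router records a short digest of hop-invariant header fields plus a payload prefix, and only while a sensor has asked it to; the victim then queries every tracer for a given packet, and the set of routers that answer “seen” is the path. Router names, addresses, the digest length and the payloads are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    payload: bytes
    ttl: int


def packet_digest(pkt):
    """Log a short digest of hop-invariant fields and a payload prefix instead of the
    whole packet. TTL (and in real IP the header checksum) changes at every hop, so it
    is left out; otherwise the same packet would hash differently on each router."""
    h = hashlib.sha256()
    h.update(f"{pkt.src}|{pkt.dst}|{pkt.proto}|".encode())
    h.update(pkt.payload[:32])
    return h.digest()[:8]          # 8 bytes per logged packet (constructed choice)


class TracerRouter:
    """Router with an on-demand logging hook: digests are recorded only while a sensor
    has requested it, so idle routers spend no memory on the log."""

    def __init__(self, name):
        self.name = name
        self.logging = False
        self.log = set()

    def set_logging(self, on):
        self.logging = on

    def forward(self, pkt):
        if self.logging:
            self.log.add(packet_digest(pkt))
        return replace(pkt, ttl=pkt.ttl - 1)

    def has_seen(self, pkt):
        return packet_digest(pkt) in self.log


def deliver(path, pkt):
    """Push a packet through every router on path, returning what the victim receives."""
    for router in path:
        pkt = router.forward(pkt)
    return pkt


def query_tracers(routers, pkt):
    """Victim-side trace back: ask every tracer whether it logged this packet's digest."""
    return sorted(r.name for r in routers if r.has_seen(pkt))


def scenario():
    """Constructed scenario: RA-RB-RC carry the attack, RD is elsewhere in the network."""
    ra, rb, rc, rd = (TracerRouter(n) for n in ("RA", "RB", "RC", "RD"))
    all_routers = [ra, rb, rc, rd]
    attack_path = [ra, rb, rc]
    # Constructed packets; the source address is spoofed, so it is useless for tracing.
    first = Packet("203.0.113.7", "10.0.0.10", "tcp/80", b"WORM-PAYLOAD-PLACEHOLDER 1", ttl=64)
    second = Packet("203.0.113.7", "10.0.0.10", "tcp/80", b"WORM-PAYLOAD-PLACEHOLDER 2", ttl=64)

    received_first = deliver(attack_path, first)      # nobody is logging yet
    for r in all_routers:                             # sensor at the victim raises the
        r.set_logging(True)                           # alarm and requests logging
    received_second = deliver(attack_path, second)

    return {
        "before_alert": query_tracers(all_routers, received_first),
        "after_alert": query_tracers(all_routers, received_second),
        "log_entries": sum(len(r.log) for r in all_routers),
        "bytes_per_entry": len(packet_digest(second)),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Because each router digests what it actually forwarded, the result does not depend on the (possibly spoofed) source address, which addresses the IP spoofing limitation raised earlier; the cost is that packets sent before the sensor fired leave no trace, and each entry is 8 bytes instead of a full packet.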
Another approach is ICMP (internet control message protocol) trace back. This approach was introduced by Bellovin in 2000. The concept is to let every router generate an ICMP trace back message, or iTrace, directed to the same destination as a selected packet. The iTrace message contains the next-hop and previous-hop information and a time stamp [3].
Another proposed trace back approach is the packet marking method. This approach allows a router to add a mark to packets before forwarding them to the next router. The mark is unique, so the packet can be traced through all the intermediate hops by monitoring each mark added to it. This technique has two schemes, namely deterministic packet marking (DPM) and probabilistic packet marking (PPM) [13].
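As an added illustration of the two in-band marking schemes and of the out-of-band iTrace messages (example code written for this page, not taken from the cited proposals), the simulation below pushes packets through a constructed five-router path. DPM is modelled as the ingress router writing its id into every packet; PPM as node sampling, a textbook variant in which each router overwrites the mark field with its own id with probability p; iTrace as each router emitting a (router, previous hop, next hop) message with a small probability, here set far higher than a real deployment would use so the demo needs few packets. The router names, the victim label and the probabilities are assumptions.

```python
import random
from collections import Counter

VICTIM = "victim"
# Constructed attack path, attacker side first: R1 is the ingress router, R5 the last hop.
PATH = ["R1", "R2", "R3", "R4", "R5"]


def forward(path, n_packets, ppm_prob, itrace_prob, seed=1):
    """Push n_packets along path; return (packets, itrace_messages) as seen by the victim.
    At each router:
      DPM    - the ingress router (first hop) always writes its id into the dpm field;
      PPM    - node sampling: the router overwrites the ppm field with probability ppm_prob;
      iTrace - with probability itrace_prob the router emits an out-of-band message naming
               itself, its previous hop and its next hop."""
    rng = random.Random(seed)
    packets, messages = [], []
    for seq in range(n_packets):
        dpm_mark, ppm_mark = path[0], None
        for i, router in enumerate(path):
            if rng.random() < ppm_prob:
                ppm_mark = router
            if rng.random() < itrace_prob:
                prev_hop = "attacker-network" if i == 0 else path[i - 1]
                next_hop = VICTIM if i == len(path) - 1 else path[i + 1]
                messages.append({"router": router, "prev": prev_hop, "next": next_hop, "seq": seq})
        packets.append({"seq": seq, "dpm": dpm_mark, "ppm": ppm_mark})
    return packets, messages


def dpm_trace(packets):
    """DPM: every packet carries the ingress router, so a single packet is enough."""
    return packets[0]["dpm"]


def ppm_trace(packets):
    """PPM node sampling: a router d hops from the victim survives in the field with
    probability p(1-p)^(d-1), so sorting routers by mark frequency (nearest to the victim
    first) and reversing recovers the path. Needs many packets; one packet says little."""
    counts = Counter(p["ppm"] for p in packets if p["ppm"] is not None)
    nearest_first = [router for router, _ in counts.most_common()]
    return list(reversed(nearest_first))


def itrace_trace(messages):
    """iTrace: chain messages backwards from the victim. The router whose next hop is the
    victim is the last hop; the router whose next hop is that router precedes it, and so on."""
    by_next = {m["next"]: m["router"] for m in messages}
    path, hop = [], VICTIM
    while hop in by_next:
        hop = by_next[hop]
        path.append(hop)
    return list(reversed(path))


if __name__ == "__main__":
    pkts, msgs = forward(PATH, 20_000, ppm_prob=0.5, itrace_prob=1 / 200)
    print("DPM (1 packet):   ", dpm_trace(pkts[:1]))
    print("PPM (20k packets):", ppm_trace(pkts))
    print("PPM (1 packet):   ", ppm_trace(pkts[:1]))
    print("iTrace:           ", itrace_trace(msgs), f"from {len(msgs)} messages")
```

Run against the ideal-system list above, the simulation shows the trade-offs the tables summarize: DPM satisfies the single-packet criterion but only names the ingress router, PPM needs thousands of packets before the frequencies separate, and iTrace recovers the whole path without touching the packets but adds traffic of its own.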
IV. ANALYSIS
After a survey of worm detection schemes of an intrusion detection system (IDS), Table I shows a clear comparison between signature-based and anomaly-based detection schemes.
Careful observation of Table I makes the distinction between signature-based and anomaly-based detection schemes clear. In terms of design, signature-based detection schemes are easier because only the worm signatures need to be understood, generated and stored in their respective databases, after which an efficient look-up procedure is run. In the case of anomaly-based detection schemes, an effort has to be made first to understand normal network behavior, to know how a worm propagates and what transmission scheme it uses; all this knowledge is incorporated into them by training, as in an artificial neural network, which allows them to understand and decide when network traffic is abnormal. This training phase is very difficult, expensive and time consuming. It is more like developing a “brain”, which makes the design task difficult.
In terms of implementation, signature-based detection schemes are difficult because, during the course of their normal operation, new worms will have been discovered and their corresponding signatures generated; updating signature databases can make the implementation clumsy, since ideally less administrator involvement is preferred, which makes IDSs more efficient. In the case of anomaly-based detection schemes, administrator involvement is almost 0% because they are more intelligent and need no database or database update to function; this feature makes their implementation easier and more reliable.
Detection speed with a signature-based detection scheme largely depends on the size of the database; it can be fast for small worm signature databases, but when the database grows, searching becomes a factor that affects speed. Detection speed is very high with anomaly-based detection schemes because they are intelligent enough to discover packets that disobey normal network traffic. This intelligence is analogous to a traffic police officer or a traffic light that regulates the movement of cars on the road.
Memory requirements in a signature-based detection scheme are largely dependent on the number of signatures to be stored, whereas anomaly-based detection schemes require comparatively little memory, only enough to store and recognize abnormal network traffic behavior.
Signature-based detection schemes are usually effective only when the worm is known, which is a constraint because new worms are developed every day. Anomaly-based detection schemes are intelligent and can be used to detect unknown worms, which is an advantage considering the increasing rate of development of new worms.
Although signature-based and anomaly-based detection schemes have their differences, strengths, and limitations, they can both be used to detect worm attacks as well as other sorts of attack.
Considering a survey of reactive attack trace back approaches, Table II illustrates the comparison of the different reactive attack trace backs.
TABLE I
COMPARISON BETWEEN SIGNATURE-BASED AND ANOMALY-BASED DETECTION SCHEMES

Categories       | Signature-based   | Anomaly-based
Design           | Easy              | Difficult
Implementation   | Difficult         | Easy
Application      | Worms and others  | Worms and others
Detection speed  | Depends           | High
Memory           | Depends           | Low

TABLE II
QUALITATIVE COMPARISON OF DIFFERENT REACTIVE TRACE BACK APPROACHES

Categories             | Input debugging | Controlled flooding | Logging  | ICMP trace back | Packet marking
Compatibility          | High            | Low                 | High     | Low             | Low
Implementation         | Easy            | Fair                | Fair     | Easy            | Easy
Post mortem capability | N/A             | N/A                 | N/A      | Excellent       | Excellent
Classification         | Reactive        | Reactive            | Reactive | Reactive        | Reactive
Application            | DDoS            | DDoS                | DDoS     | DDoS and others | DDoS and others
In Table II, the compatibility category shows the attack trace back approaches’ compatibility with existing protocols, routers and switches. The implementation category explains their support for incremental deployment; post mortem capability explains the ability of a trace back approach to support analysis after the attack; classification records that these approaches are basically reactive and not preventive; application explains how they can be used in tracing back distributed denial of service (DDoS) attacks, which are basically caused by computer worms, and other attacks.
Looking at these attack trace back approaches from the perspective of an ideal trace back method, input debugging and controlled flooding require a lot of ISP support, which brings about legal and policy concerns, even though they are highly compatible with existing protocols and routers.
Logging is a lot better than the link testing approaches mentioned above because it can be used for post-attack analysis, but it also requires ISP involvement, which has already been described as a concern; it also requires a lot of memory to store logs, and these excessively large memory requirements can lead to slow processing speeds in routers.
ICMP trace back and packet marking can both be used for post-attack analysis and do not require ISP cooperation, but they generate additional traffic, require modification of the protocol and, in some cases, are not efficient against DDoS attacks.
V. CONCLUSION
It can be concluded that computer worms, as described in this research, possess characteristics that enable them to evade traditional network security methods. When deploying intrusion detection systems (IDS), a careful analysis of the two basic detection schemes in terms of design, implementation, application, detection speed, memory requirement and classification shows that anomaly-based detection schemes have more advantages. It can also be concluded that for worm attack trace back, considering the reactive approaches in terms of compatibility, implementation, post-mortem capability, classification and application, and taking into account their corresponding advantages and disadvantages, ICMP trace back and packet marking are the most ideal approaches.
Computer worms can be stealthy in attack, propagate quickly, change their form and infect computers on networks, causing great financial and operational losses to businesses and organizations. We recommend the use of distributed intrusion detection systems (DIDS), installing NIDS behind the network firewall and HIDS on the hosts at the major points of packet entry into the network, that is, the servers. IDSs that use anomaly-based detection schemes should be given preference. An IDS incorporating both signature-based and anomaly-based detection schemes is entirely possible.
In the case of attack trace back, either ICMP trace back or packet marking will be ideal. Sometimes logging approaches are better because they can store detailed attack information for a long time. For real-time trace back, however, an approach that incorporates both logging and either ICMP trace back or packet marking can be very effective.
REFERENCES
[1] Aljifri H (2003): “IP trace back: A new denial-of-service deterrent”. Published by the IEEE Computer Society.
[2] Baba T and Matsuda S (2002): “Tracing Network Attacks to Their Sources,” IEEE Internet Computing, vol. 6, no. 3, pp. 20–26.
[3] Bellovin S (2000): “ICMP trace back messages,” Internet Draft: draft-bellovin-itrace-00.txt.
[4] Bolzoni S and Hartel P (2006): “POSEIDON: A 2-Tier Anomaly-Based Network Intrusion Detection System,” Proceedings 4th IEEE International Workshop on Information Assurance.
[5] Burch H and Cheswick B (2000): “Tracing Anonymous Packets to Their Approximate Source,” Proceedings 14th Conference on Systems Administration, Usenix Association, pp. 313–322.
[6] Cisco learning product (2009): “Interconnecting Cisco networking devices”. Part 1, Volume 1, Version 1.0.
[7] Glazer D (2005): “Computer Worms,” http://www.research.umbc.edu/~dgorin1/is432/worms.htm
[8] John A and Sivakumar T (2009): “DDoS: Survey of trace back methods”.
[9] Moore V et al. (2003): “Inside the Slammer Worm,” IEEE Security & Privacy, vol. 1, pp. 33–39.
[10] Mukkamala S, Sung A and Abraham A (2005): “Intrusion Detection Using Ensemble of Soft Computing and Hard Computing Paradigms”. Journal of Network and Computer Applications, Elsevier Science, vol. 28, issue 2, pp. 167–182.
[11] Murali B, Natarajan A and Sivanandam N (2007): “New promising IP trace back approach and its comparison with existing approaches,” Information Technology Journal 6 (2): 182–188.
[12] Niels Provos J and Wang K (2006): “Search Worms,” Proceedings ACM WORM ’06.
[13] Park K and Lee H (2001): “On the effectiveness of probabilistic packet marking for IP trace back under a denial of service attack,” Proceedings of the 20th Annual Joint Conference of the IEEE Computer and Communications Societies.
[14] Pele L, Mehdi S and Xiao S (2008): “A survey of internet worm detection and containment”. IEEE Communications Surveys, first quarter, vol. 10, no. 1, pp. 22–27.
[15] Sager G (1998): “Security Fun with OCxmon and cflowd,” presented at the Internet 2 Working Group.
[16] Spafford E (1989): “The Internet Worm Program: An Analysis,” Computer Communication Review.
[17] Stone R (2000): “CenterTrack: An IP Overlay Network for Tracking DoS Floods,” Proceedings 9th Usenix Security Symposium, Usenix Association, pp. 199–212.
[18] Tachibana T (2010): “Understanding the behaviour of worms through a parallel worm simulator”. Research work at California State University, Monterey Bay, USA.
[19] Tzeyoung W (2009): Information Assurance Technology Analysis Center (IATAC), Information Assurance Tools Report – Intrusion Detection System. Sixth edition.
[20] Weaver V, Staniford S and Cunningham R (2003): “A Taxonomy of Computer Worms,” Proceedings ACM WORM ’03.
[21] Zou T, Gong W and Cai S (2005): “Routing Worm: A Fast, Selective Attack Worm Based on IP Address Information,” Proceedings 19th ACM/IEEE/SCS Workshop on Principles of Advanced and Distributed Simulation.