The reliability and security of an IP network are essential in a world where computer networks are a key element in intra-entity and inter-entity communications and transactions. While the current network security systems have been around for years, to date none have been able to deliver on the final goal of providing full protection against all malicious attacks with little associated cost and annoyance.
Providing a security solution requires an understanding of possible threat scenarios and their related requirements. There are many types of security concerns that must be considered in a network, among which network worms are regarded as a growing threat. Lately, large-scale worms have spread all over the Web, causing serious damage both to network/service providers and to users. Attacks on network security increased tenfold between 1993 and 2003, from 1,334 to 137,529 (CERT Coordination Center). Furthermore, 20-40 new or variant virus threats were reported daily to TrendMicro in 2003. The number of attacks between January and June 2003 exceeded 70,000, double that of the previous year (Reuters). Viruses cost businesses around the world $55 billion in 2003, up from $13 billion in 2001 (TrendMicro).
A worm is a self-propagating program that resides in the memory of the attacked system and duplicates itself, without altering the resident applications and files, but using parts of the operating system. It is common for worms to be noticed only when their uncontrolled replication consumes system resources, slowing or halting other applications. By hijacking trusted applications such as web servers, mail transfer agents and log-in servers, which typically run with elevated privileges, worms can gain full access to system resources and cause a complete system compromise. Even though the impact of a single worm on any given piece of network equipment can be benign, the cumulative effect of tens of thousands of infected network devices spreading the malware to other devices connected to the network can be disastrous.
Network security is one of the biggest challenges of the Internet, due to the Internet's unrestricted connectivity, openness, and widespread software homogeneity. Infected hosts with high-bandwidth network connections can initiate thousands of connection requests per second, each of which has the potential to spread the infection. Worm detection must therefore be performed quickly in order to recognize and identify the attacker. Also, antivirus systems are of little use if they fail to be triggered quickly after a host is infected.
Furthermore, many security experts believe that the newer communications channels, such as instant messaging (IM) and VoIP, pose a very serious threat to networks. According to Gartner Group research, 58% of network security managers stated that instant messaging poses the most dangerous security risk to their enterprise. Symantec Security Response predicts that the next major worm exploit will be IM-based. It is assumed that an IM exploit could spread to half a million computers in just 30 seconds. One implication is that “signature based” techniques cannot prevent the initial outbreak; a “behavior based” approach is needed.
Stealth worms, or slow-spreading worms, are worms that make infection attempts at a rate significantly below the rate of the normal traffic. Worms that escape notice without being specifically designed to do so are sometimes also described as stealth viruses/worms. A stealth worm has various mechanisms designed to avoid detection by antivirus software. Typically, when antivirus software runs, the stealth worm hides itself in memory and uses various tricks to also hide the changes it has made to any host software and data. For example, a stealth worm may maintain a copy of the original, uninfected data in a certain area of the host memory and monitor the host activity. When the antivirus software attempts to find out whether data has been altered, the worm redirects it to the storage area that holds the original, uninfected data, so that the antivirus software is tricked into believing that the host is healthy.
While the techniques used by stealth worms limit the infection rate, these worms merely require a little more time to achieve the same growth as fast worms, while being significantly harder to catch because they blend in with the normal traffic. The purpose of worms is also changing: with the new emphasis on crime and monetary profit, stealth worms are being used to target particular companies or customers to steal passwords, credit card information and so on. This means that many stealth worms are designed to stay under the radar by purposely not infecting many machines, so as to remain undetected. The implication is that stealth worms have a very different behavior from flash worms and require different detection techniques.
Ideally, a network operator strives to identify an infected machine quickly and quarantine it as soon as possible; otherwise, the infection could well spread before any alarm is raised. However, the price to pay for detecting and preventing security attacks is overwhelming. Today, enterprises deploy a layered defense model, which includes firewalls, anti-virus systems, access management and intrusion detection systems (IDS). Besides being expensive, the responsiveness of these defense systems is impacted by the fact that the current solutions are based on multiple components, which may have difficulty communicating and coordinating the required counter-measures.
A methodology for detection of Internet worms is presented in the article “The Monitoring and Early Detection of Internet Worms” (Zou et al.), August 2004. The system proposed in this article uses a Kalman filter to estimate traffic parameters in a known epidemic model. The problem with this approach is twofold: first, the Kalman filters are difficult to implement, and second, assuming that a worm spreads according to a specific class of epidemic models is dangerous, as the malware could be coded in a way so as to avoid this type of behavior.
Most research on worm detection has focused so far on catching fast-spreading worms. For example, the co-pending patent application Ser. No. 11/450,348 entitled “Method for Estimating the Fan-In and/or Fan-Out of a Node” (Rabinovitch), filed on 12 Jun. 2006 and assigned to Alcatel, describes a method for detecting anomalies in traffic patterns and a traffic anomaly detector. The method and the detector are based on estimating the fan-in of a node, i.e. the number of distinct sources sending traffic to the node, from infrequent, periodic sampling. Destinations with an abnormally large fan-in are likely to be the target of an attack, or to be downloading large amounts of material with a P2P application. The method and the anomaly detector are extremely simple to implement and exhibit excellent performance on real network traces.
Co-pending patent application Ser. No. 11/656,434 (Chow et al.), fully identified above, describes a malware detection and response system based on traffic pattern anomaly detection, whereby packets on each port of a network element (NE) are counted separately over a selected period of time, according to their transmission protocol and traffic direction. An attack is declared when an individual count, or a combination of counts, exceeds a threshold. The system can be incorporated into the fast path, that is, the data plane, enabling communications systems such as switches, routers, and DSLAMs to have built-in security at a very low cost.
However, as discussed above, detecting a worm that scans fast has its own set of techniques, which cannot be applied to slow worms. Little work (if any) has been done on detecting worms that spread at a rate so slow that they cannot be detected by the above-mentioned types of methods. The malware detection method described above will not notice anything unusual in the case of worms that only attempt a single probe in each time window, or even a single probe across many time windows.
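To make the limitation concrete, the following added example (not code from either co-pending application) models the per-port, per-protocol, per-direction windowed counting described above with a simple per-count threshold, and runs it over constructed traffic: a fast scanner tripping the threshold in every window, and a stealth worm sending one probe per window that the same rule never flags. Port numbers, rates, window size and threshold are assumed values chosen for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float        # arrival time in seconds
    port: int       # NE port the packet was observed on
    proto: str      # "tcp", "udp" or "icmp"
    direction: str  # "in" (towards the host) or "out" (from the host)


def count_per_window(packets, window):
    """Group packets into fixed windows of `window` seconds and count them
    per (port, proto, direction) inside each window."""
    windows = defaultdict(Counter)
    for p in packets:
        windows[int(p.t // window)][(p.port, p.proto, p.direction)] += 1
    return windows


def flagged_windows(packets, window, threshold):
    """Indices of windows in which at least one individual count exceeds
    `threshold`; this is the per-count rule of the counting detector."""
    return sorted(w for w, counts in count_per_window(packets, window).items()
                  if max(counts.values()) > threshold)


def scanner_traffic(port, probes_per_sec, duration):
    """Constructed fast-worm traffic: outbound TCP probes at a steady rate."""
    n = int(probes_per_sec * duration)
    return [Packet(i / probes_per_sec, port, "tcp", "out") for i in range(n)]


def stealth_traffic(port, interval, duration):
    """Constructed slow-worm traffic: a single outbound TCP probe every
    `interval` seconds, i.e. one probe per window when interval == window."""
    n = int(duration // interval)
    return [Packet(i * interval + 0.5, port, "tcp", "out") for i in range(n)]


if __name__ == "__main__":
    WINDOW, THRESHOLD = 5.0, 100          # assumed detector settings
    fast = scanner_traffic(7, 50, 10)      # 50 probes/s for 10 s
    slow = stealth_traffic(7, WINDOW, 600)  # one probe per window for 10 min
    print("fast worm flagged in windows:", flagged_windows(fast, WINDOW, THRESHOLD))
    print("stealth worm flagged in windows:", flagged_windows(slow, WINDOW, THRESHOLD))
    print("stealth probes sent unnoticed:", len(slow))
```

Lowering the threshold does not help: the stealth worm's count of one per window equals that of any host opening a single connection, so the per-window rule has nothing to separate them on.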