1. Field of Invention
This invention relates to a method of detecting computer viruses (hereinafter "viruses") and, in particular, to a method of detecting network worms (hereinafter "worms").
2. Related Art
A worm is a malicious program that propagates itself by exploiting vulnerabilities in popular network services. Viruses and worms are both kinds of malicious program, but a virus propagates by infecting and parasitizing a host (such as a program, file, or storage medium), so its spread depends mainly on the negligence of computer users or on opportunities for file sharing. Viruses therefore do not spread as fast or as widely as worms. A further characteristic of worms is that their propagation usually causes serious congestion of network traffic: an infected computer propagates the worm it hosts aggressively, scanning other computers continuously with all the resources available to it, so a large number of continual scans originating from a single infected computer becomes a distinctive behavioral feature. According to surveys by several popular anti-virus (AV) companies, about four hundred worms (including their variants) are found per year. Because worms propagate over the Internet, most of them also perform some form of network attack. Aside from AV software, a few intrusion detection systems (IDS) can also detect specific worms; for example, the well-known open source IDS Snort can detect the CodeRed and Nimda worms. Most worm detection, however, is done by AV software. For known malicious programs or worms, AV software can usually determine effectively whether a program residing on a computer or in transit is malicious, and it can detect known worms quickly by matching them against their code signatures. For an unknown (new) worm or a worm variant, however, these detection methods may be ineffective.
For example, the appearance of the MS-IIS CodeRed worm and the Nimda worm caused a huge number of Web and email servers to stop serving normally and resulted in serious network congestion. The subsequent Blaster and Sasser worms also propagated widely and did great damage to networks in a very short time. For such unknown types or variants of worms, AV or IDS software can only ask users to download new detection methods. While the software is unable to detect a new type or variant, there is a zero-day period in AV protection or IDS detection for all users, companies, and institutions. Normally, once a new type or variant of virus or worm has been discovered, the AV company is able to release an update to defend against it within a few hours to a few days. However, public users or servers may need a few weeks to a month to update their AV software with the defense against the new type or variant. The IDS detection method may take even longer; in other words, the zero-day period of IDS detection is longer than that of AV protection. During the zero-day period, the IDS and AV software are unable to detect the propagation of a new type or variant of worm; only the flooding or scanning events are observable. In the AV protection safety period, the AV software becomes able to detect it and produce detection reports. Finally, in the IDS detection safety period, the IDS can also detect it and produce worm events (see Table 1).
TABLE 1. Worm prevention and detection zero day

  Information          AV protection      AV protection safety period     IDS detection
  security event       zero-day period    (IDS detection zero-day period)  safety period
  -------------------  -----------------  -------------------------------  ---------------
  Flooding event       x                  x                                x
  Scanning event       x                  x                                x
  Detection report                        x                                x
  Worm event                                                               x
The observations above recur consistently and agree with the conclusion drawn from Table 1. When a new type or variant of worm appears, a zero-day period in AV protection or IDS detection is formed, during which the existing detection and protection software all fail to defend against it. Because of this disadvantage, the prior art in worm prevention and detection cannot prevent such damage, and this is why worms can propagate widely and cause great damage. The essential reason the prior art is ineffective at detecting unknown types or variants of worms is that current worm detection is based either on fixed signatures or on activities left behind by malicious programs. The former method is essentially the same as typical virus detection, whereas the latter checks whether the system parameters or registry have been written with specific mutexes or values, or whether certain files have been left behind. Such methods are effective for detecting known malicious programs but obviously ineffective for unknown ones. This argument is also supported by the fact that AV and security companies keep asking users to download the latest updates or detection codes for worm variants, and by the great damage and financial loss caused by new worms.
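As an added illustration, not part of the patent text, of the two detection approaches contrasted above, the following Python script runs a signature match and a scan fan-out heuristic over a constructed set of flow records. The record layout (timestamp, source, destination, port, payload, completed), the host addresses, the payload strings and the thresholds are all assumptions made for this example. The known worm is caught by its signature; a variant with a changed payload is not, yet both are flagged by the behavioral check because each contacts many distinct hosts on the same port in a short window with mostly failed connections, the "many continual scans originating from one infected computer" feature described above.

```python
"""Signature matching versus scan fan-out detection on constructed flow records.

Illustrative example only: the flow records, signature table and thresholds
are invented for this demonstration, not taken from any real product.
"""
from collections import defaultdict


def _scan(src, prefix, payload, start, n, success_every):
    """Build n constructed flows from `src` to prefix.1 .. prefix.n on port 445,
    one per second; only every `success_every`-th connection completes."""
    return [(start + i, src, f"{prefix}.{i + 1}", 445, payload, i % success_every == 0)
            for i in range(n)]


# Constructed sample traffic (timestamp_s, src, dst, dport, payload, completed).
FLOWS = (
    _scan("10.0.0.5", "10.0.1", "WORM-A exploit blob", 0, 20, 7)        # known worm
    + _scan("10.0.0.9", "10.0.2", "W0RM-A2 exploit blob", 5, 20, 7)     # unknown variant
    + [(t, "10.0.0.7", "10.0.3.1", 445, "SMB2 normal", True) for t in range(0, 60, 3)]
    + [(t, "10.0.0.7", "10.0.3.2", 445, "SMB2 normal", True) for t in range(1, 60, 3)]
)

# Hypothetical signature table: payload substring -> worm name. Only the
# original worm is known; the variant's payload differs and will not match.
KNOWN_SIGNATURES = {"WORM-A": "worm-a"}


def signature_hits(flows, signatures=KNOWN_SIGNATURES):
    """Signature-based detection: report sources whose payload contains a known
    worm signature. Returns {src: [worm names]}."""
    hits = defaultdict(set)
    for _ts, src, _dst, _dport, payload, _ok in flows:
        for needle, name in signatures.items():
            if needle in payload:
                hits[src].add(name)
    return {src: sorted(names) for src, names in hits.items()}


def scan_fanout(flows, window=60, min_targets=8, min_fail_ratio=0.5):
    """Behavioral detection: per (source, port, time bucket of `window` seconds),
    count distinct destinations and the fraction of incomplete connections.
    A source that fans out to at least `min_targets` hosts with a failure
    ratio of at least `min_fail_ratio` is flagged as scanning. Returns
    {src: {"dport", "targets", "fail_ratio"}} for the widest bucket per source."""
    buckets = defaultdict(lambda: {"targets": set(), "total": 0, "failed": 0})
    for ts, src, dst, dport, _payload, ok in flows:
        b = buckets[(src, dport, ts // window)]
        b["targets"].add(dst)
        b["total"] += 1
        if not ok:
            b["failed"] += 1

    flagged = {}
    for (src, dport, _bucket), b in buckets.items():
        fail_ratio = b["failed"] / b["total"]
        if len(b["targets"]) >= min_targets and fail_ratio >= min_fail_ratio:
            prev = flagged.get(src)
            if prev is None or len(b["targets"]) > prev["targets"]:
                flagged[src] = {"dport": dport,
                                "targets": len(b["targets"]),
                                "fail_ratio": round(fail_ratio, 2)}
    return flagged


if __name__ == "__main__":
    print("signature hits :", signature_hits(FLOWS))   # only 10.0.0.5
    print("scan fan-out   :", scan_fanout(FLOWS))      # 10.0.0.5 and 10.0.0.9
```

The normal client 10.0.0.7 makes as many connections as either worm host but to only two destinations, all completed, so it stays below the fan-out and failure thresholds; in practice those thresholds would be tuned against a baseline of the monitored network's own traffic.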
The prior art is also inconvenient to use. Because it can only detect known malicious programs, its clients (including personal users, companies, and institutions) have to download new virus codes or update their protection programs regularly. This is a burden, and any missed update or download re-creates the protection or detection zero-day period shown in Table 1.
In view of the foregoing, it is imperative to design a new detection method for detecting new types or variants of worms.