Malicious computer worms (or Internet worms) are a danger to any computer that is accessible via a computer network, such as the Internet. A computer worm is a self-replicating program, similar to a computer virus. However, unlike a virus, which attaches itself to and infects an executable file on a computer, a worm is self-contained and does not need to be part of another program to propagate itself.
Worms are often designed to exploit the file transmission capabilities of many computers. A worm uses a network to send copies of itself to other systems and it does so without any necessary human intervention, such as forwarding by email, which is a common method of spreading a virus. Scan-based worms use a form of scanning (transmission of packets) from an infected host to a potential new host as a propagation technique. Based on the potential host's response to this scan (i.e., does the potential host respond positively, or does the response indicate that the potential host will not accept additional packets from the infected host), the infected host determines whether to spread the worm to the potential host. It is also possible that a worm can be carried in a single packet. In this situation, the infected host transmits the packet to another address without the need for a response from the potential new host.
Typical approaches to preventing a worm outbreak involve worm detection, dissection and signature development. Signature development occurs once the worm has been identified, and a common pattern is found which can be used to identify the worm. This signature must then be propagated throughout the network, either to a firewall running security software or to each individually connected computer running a certain security program. Once the security program receives the signature, the database of signatures the security program recognizes as malicious is updated, and the computer running the security program is protected against the identified worm. But this approach does not address the case of previously unidentified worms for which no signature has been identified.
Previously unidentified, fast spreading worms are a reality, as amply demonstrated by worms such as the Stammer worm. The release and propagation of the Slammer worm in 2003 was a revolutionary event in the study of computer worm propagation. It not only demonstrated in an unprecedented way the scale and disruption that is possible in the real world with a relatively compact worm, it also showed the ineffectiveness of current techniques in detecting and countering these new fast spreading worms. More specifically, in the early phase of Slammer propagation, it doubled in size every 8.5 seconds. It reached a maximum scan rate of 55 million addresses per second and was able to infect more than 90 percent of vulnerable hosts within 10 minutes. In the end, even though Slammer carried no malicious payload and its main damage was in network resource (bandwidth and CPU) consumption, it served as a wake-up call to network administrators and the computer security industry.
With these kinds of fast spreading worms, the traditional approach of signature-based detection is no longer sufficient. Worms can infect all vulnerable hosts well before a signature can be identified. Several approaches have been proposed utilizing non-signature based detection means. One such approach detects a worm by monitoring the correlation between the incoming and outgoing packets at a network connection. More specifically, this approach studies the correlation of the payloads and packet headers of the incoming and outgoing packets. However, this correlation is not always reliable. Specifically, the technique was most effective against earlier worms that used a fixed destination port, or a portion of the network address specifying the port where the packet is received on the network connection, which made correlation studies easier as a single destination port could be monitored across the network. However, recent worm attacks randomize the destination port on the network connection. This renders monitoring of destination port incoming and outgoing packets and studying the correlation between the two packet types less reliable for worm detection.
Another non-signature based approach involves detecting a worm by identifying the exponential growth trend of scanning rates on a particular network connection. However, this process requires studying the growth trend over a given interval of time. Different worms have different propagation times. For example, a worm may inhabit a host computer for an hour before propagating to a new host. If the wrong interval of time is chosen to study the growth trend, then relevant information relating to the growth trend is missed and a worm cannot be effectively detected.
What is needed is a fast method to detect worms lacking known signatures. This method should be accurate and robust (i.e., it must quickly and accurately identify different propagation characteristics of different worms), and work quickly enough so that a worm can be detected at the inception of the worm spread, before its propagation hits its exponential growth rate.