Publications and other reference materials referred to herein, including the references cited therein, are incorporated herein by reference in their entirety. They are numerically referenced in the following text and are grouped in the appended Bibliography, which immediately precedes the claims.
The variety of electronic threats (eThreats) to computerized devices can be classified into three main categories: worm-related, non-worm-related (e.g., viruses and Trojans) and probes (e.g., adware, spyware, spam and phishing). The scientific community focuses on the detection of new worms, since they propagate at an alarming speed. Other types of eThreats receive significantly less attention in the literature.
eThreat detection systems can be classified into host-based systems and network-based systems according to the source of the audit data they use. Typically, in both cases, new eThreats are detected by a security expert using an anomaly-detection-based system. Then, after analyzing an instance of the eThreat, experts manually derive the signature that anti-virus software and intrusion detection/prevention systems will use for online detection of that eThreat. This manual signature extraction is an expensive and slow process.
Different techniques for automatic eThreat detection and containment have been proposed. They can be divided into four main categories: scan detection, honeypots, behavioral analysis, and static analysis of executables. The first two techniques are more generic and can be applied to the detection of various eThreat types, while the other two are applicable only to the detection of worms. Each of these categories is discussed briefly later in this description. The main drawback of scan detection methods and honeypot-based methods is that they are able to detect only specific types of worms. Behavior analysis methods require expensive training and are typically capable of detecting the existence of an eThreat in predefined applications only. Static analysis techniques have difficulty handling obfuscated and/or encrypted eThreats. One drawback common to all of these techniques is their high false alarm rate.
Therefore, automatic, real-time detection of unknown eThreats of various types is still an open challenge.
Static Analysis of Executables
Systems belonging to this category take an executable as input and classify it as belonging to the “normal” or the “malicious” class without running it. Several approaches for performing this classification have been proposed. Typically, they are based on machine learning and data mining techniques that produce classifiers, for example in the form of decision trees or rules. One common way of producing a classifier is to collect data components labeled either “malicious” or “normal” and then apply a learning algorithm to the labeled data components, thereby constructing a classifier that is capable of determining whether a new, previously unseen data component belongs to the “normal” class or to the “malicious” class.
The major disadvantage of the static-analysis-based techniques is their inability to deal with obfuscated and encrypted eThreats.
Behavior-Based Detection Approach
Typically, the systems belonging to this category build models of normal program behavior and then attempt to detect deviations of the observed behavior from the normal model. A variety of anomaly detection techniques utilizing this approach have been proposed.
A main drawback of the anomaly-detection-based techniques is the requirement for complex and frequent training of the system in order to separate “noise” and natural changes from real eThreats. Updates of legitimate programs may result in false alarms, while eThreat actions that appear normal may cause missed detections. Further, most applications that are based on anomaly detection identify attacks only on specific processes.
The Scan Detection Approach
One of the first approaches for detecting randomly propagating worms is the use of network “telescopes”. Network “telescopes” are network devices that monitor unused IP addresses [1]. Such devices are able to detect randomly propagating worms in real time. An interesting extension of this technique has been proposed in [2], whose authors propose a system for Monitoring and Early Detection of Internet Worms. The system consists of monitoring devices (placed on sub-net routers) and a centralized Malware Warning Center (MWC). The monitoring devices log incoming traffic to unused local IP addresses and outgoing traffic to the same ports, and continuously send observation data to the MWC. The MWC collects and aggregates the reports in every monitoring interval in real time. For each TCP or UDP port, the MWC has a predefined alarm threshold. If the monitored scan traffic is found to be above the alarm threshold, the MWC activates an estimation logic module that verifies whether the number of reports increases exponentially over time. If the answer is positive, the system triggers an alarm.
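The two-stage decision described above (a per-port alarm threshold, followed by an estimation step that checks for exponential growth of the aggregated reports) can be written down as follows. This is an added illustration, not code from the cited system [2]; the thresholds, the log-linear growth test and the sample interval counts are assumptions constructed here.

```python
"""MWC-style scan detection: per-port threshold, then an exponential-growth
check on the per-interval report counts. Added example; thresholds, the
growth test (slope and R^2 of a log-linear fit) and all sample data are
constructed assumptions, not taken from the cited system."""
import math
from typing import Dict, List

# Constructed per-port alarm thresholds (aggregated reports per interval).
ALARM_THRESHOLDS: Dict[int, int] = {445: 50, 1434: 20, 80: 200}
DEFAULT_THRESHOLD = 100


def growth_is_exponential(counts: List[int], min_ratio: float = 1.5,
                          min_r2: float = 0.9) -> bool:
    """Estimation logic: fit a line to log(count + 1) over the intervals.
    Exponential growth = steep slope (per-interval ratio >= min_ratio) AND a
    good fit (R^2 >= min_r2). A flat plateau fails the slope test; a single
    burst after quiet intervals fails the fit test."""
    if len(counts) < 3:
        return False
    ys = [math.log(c + 1) for c in counts]       # +1 keeps zero intervals
    n = len(ys)
    xs = range(n)
    mx, my = (n - 1) / 2, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    ss_tot = sum((y - my) ** 2 for y in ys)
    ss_res = sum((y - (my + slope * (x - mx))) ** 2 for x, y in zip(xs, ys))
    r2 = 1 - ss_res / ss_tot if ss_tot else 0.0
    return math.exp(slope) >= min_ratio and r2 >= min_r2


def evaluate_port(port: int, history: List[int]) -> str:
    """history = aggregated scan reports for this port, oldest first.
    'normal'  : latest interval below the port's alarm threshold
    'watch'   : threshold crossed, but growth is not exponential
    'alarm'   : threshold crossed and reports grow exponentially"""
    threshold = ALARM_THRESHOLDS.get(port, DEFAULT_THRESHOLD)
    if not history or history[-1] < threshold:
        return "normal"
    return "alarm" if growth_is_exponential(history) else "watch"


if __name__ == "__main__":
    print(evaluate_port(445, [3, 6, 13, 25, 52, 110]))   # alarm
    print(evaluate_port(445, [55, 60, 58, 61, 57, 59]))  # watch (plateau)
    print(evaluate_port(445, [0, 0, 0, 0, 0, 300]))      # watch (one burst)
    print(evaluate_port(80, [1, 2, 4, 8]))               # normal
```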
There are two significant drawbacks associated with the pure scan detection approach: (a) it can detect only randomly propagating worms; and (b) it can only provide the IP addresses of infected sites, and cannot provide any other characteristics to further serve the containment and clearance process. Systems such as those presented in [3, 4] try to overcome these drawbacks. In [3], for example, the authors point out that network worms must generate significant traffic that contains common substrings, where this traffic is directed between a variety of different sources and destinations. The system proposed in [3] detects such traffic and automatically generates signatures by extracting common byte patterns from suspicious flows. This approach works under the assumption that there is a single payload substring that remains invariant in all worm instances, an assumption that does not hold for polymorphic worms, for example. In [4], the authors present a system that automatically generates signatures consisting of multiple disjoint content substrings, such as protocol framing, return addresses, and poorly obfuscated code. According to the presented results, this system detects polymorphic worms with low false negative and false positive rates.
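The content-prevalence idea attributed to [3] above, together with the caveat that it fails for polymorphic worms, is illustrated below. This is an added example and not the cited system's code; the window size, the prevalence and address-dispersion thresholds, and all traffic flows are constructed here.

```python
"""Common-substring signature extraction in the spirit of [3]: a byte substring
becomes a candidate signature only when it recurs in many flows AND those flows
span many distinct sources and destinations. Added example; window size,
thresholds and all flows are constructed, not taken from the cited system."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, bytes]   # (src_ip, dst_ip, payload)


def extract_signatures(flows: List[Flow], window: int = 8, min_flows: int = 4,
                       min_srcs: int = 3, min_dsts: int = 3) -> List[bytes]:
    """Slide a fixed window over each payload; per substring, record how many
    flows carried it and the distinct sources/destinations. A substring that is
    merely common (one crawler hitting many servers) fails address dispersion;
    a polymorphic body that re-encodes each instance yields no common substring."""
    flow_count: Dict[bytes, int] = defaultdict(int)
    srcs: Dict[bytes, Set[str]] = defaultdict(set)
    dsts: Dict[bytes, Set[str]] = defaultdict(set)
    for src, dst, payload in flows:
        subs = {payload[i:i + window] for i in range(len(payload) - window + 1)}
        for sub in subs:                    # count each substring once per flow
            flow_count[sub] += 1
            srcs[sub].add(src)
            dsts[sub].add(dst)
    return sorted(sub for sub, n in flow_count.items()
                  if n >= min_flows and len(srcs[sub]) >= min_srcs
                  and len(dsts[sub]) >= min_dsts)


# Constructed traffic. The "worm" keeps one invariant region between a sled and
# a per-instance tail; the polymorphic variant re-encodes every byte per instance.
INVARIANT = b"\xeb\x0eINVARIANT-BODY\x7f"
WORM_FLOWS: List[Flow] = [
    (f"10.0.0.{i}", f"192.0.2.{i}", b"\x90" * 4 + INVARIANT + bytes([i]) * 6)
    for i in range(1, 5)]
CRAWLER_FLOWS: List[Flow] = [           # one client, many servers: benign
    ("10.0.9.9", f"198.51.100.{i}", b"GET /index.html HTTP/1.1\r\n")
    for i in range(1, 7)]
POLYMORPHIC_FLOWS: List[Flow] = [
    (f"10.0.0.{i}", f"192.0.2.{i}", bytes(b ^ i for b in INVARIANT * 2))
    for i in range(1, 5)]

if __name__ == "__main__":
    print(extract_signatures(WORM_FLOWS + CRAWLER_FLOWS))   # invariant windows only
    print(extract_signatures(POLYMORPHIC_FLOWS))            # [] : no shared substring
```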
The Honeypots Approach
Still another approach to the detection of worms is the use of honeypots. A honeypot is a vulnerable network decoy that is used for distracting attackers, for early warning about new attack techniques, and for thorough analysis of the attackers' strategies [5]. By definition, a honeypot does not run legitimate services, and therefore it should not receive or generate any network traffic. This fact eliminates the false positives and false negatives that are a major problem for other types of detection systems. Further, the body of the attack can be manually captured and then analyzed to extract a signature. The slow, manual review of the log, and its dependency on how quickly the honeypot is compromised by an eThreat, make honeypots unsuitable for real-time detection.
Argos [6] tries to overcome these problems. In [6] the authors note that in order to compromise a program, an attacker must change the execution flow of the program with his own input by overwriting code that is normally derived from a trusted source. The proposed system is an x86 emulator that tracks network data throughout execution and identifies their invalid use as jump targets, function addresses, instructions, etc. When an attack is detected, the system automatically creates a signature and supplies it to a cooperating IDS/IPS. The Argos approach is designed as a honeypot that runs real services, and its IP address is published in the hope of making it visible to attackers employing hit lists rather than random IP scanning. This technique gives a comprehensive solution for the detection, characterization, and containment of self-propagating worms, but other eThreat types remain unhandled.
A large body of research on worm propagation techniques has been published. Most of it addresses the spread of worms in the context of the global Internet. Vogt [7], for example, builds a simulation network to test the impact of various strategies on the overall rate of propagation. According to Vogt's report, the factors with the largest impact on propagation are:
1. Address selection techniques: fully random, local-preference random, and sequential scanning.
2. Threading: a single thread of scanning produces a slower rate of propagation than multiple threads.
3. Pre-scanning: performing pre-scanning to determine whether a host is listening on a given port.
4. Method of scanning or infection: the use of efficient techniques to minimize the wait time for infection or for obtaining the scan results.
None of the abovementioned approaches, techniques, and systems so far provides a complete and fully reliable solution to the problem of the spread of eThreats, particularly malware, within networks of many computers. Each solution has its advantages and drawbacks. Therefore, many systems apply several protection approaches that work in parallel. Of course, the more approaches and techniques that operate in parallel, the more reliable the network becomes. However, a complete solution has not yet been found, and additional solutions are still necessary.