
UDP port 1434 at random addresses. Blaster increases the number of TCP packets directed to port 135 and
the number of TFTP requests on UDP port 69.
These signs of worms are much more obvious in hindsight, after a worm has been thoroughly studied. The
problem is that a new worm might exploit any one of a large number of known vulnerabilities; a more serious
possibility is that a new worm takes advantage of a previously unknown vulnerability. Signature-based detection
obviously fails for new attacks that match no known signature. Anomaly detection, which looks for worm-like
behavior, is more promising for detecting new, unknown attacks. However, anomaly detection is difficult because
worms do not share a single typical behavior. Worms may exhibit certain signs, such as: a dramatic increase in the
volume of network traffic, possibly to the point of congestion; a steady increase in scans and probes (especially a
multiplication of one specific type of scan); and a sudden change in the traffic behavior of individual hosts
(symptomatic of an infected host). However, these signs are not completely reliable indicators of a worm attack.
Port scans, for example, are always present in the background traffic of the Internet, and sudden congestion can
have many ordinary causes. It is difficult to identify a worm attack with certainty until a sample of the worm has
been captured.
4. Open Issues
The main problem with intrusion detection is its accuracy. The goal of intrusion detection is 100 percent
detection accuracy with no false positives or false negatives, but current IDS technology is not close to achieving
that level of accuracy or reliability. It is particularly difficult to detect new attacks reliably. The majority of IDS
products depend on misuse detection, but this is limited to known signatures and depends on constant updates.
Many IDS products combine misuse detection with anomaly detection because anomaly detection is more promising
for detecting new, unknown attacks. The challenge in anomaly detection is to minimize false positives.
Performing intrusion detection in real time is an important requirement for virus/worm attacks because new
outbreaks must be contained as early as possible. Without real-time detection, viruses and worms may outrace
security defenses. However, high-speed networks carry enormous volumes of data that must be collected and
processed rapidly. The capability for real-time traffic processing is built into modern firewalls and routers/switches,
but the fraction of traffic that is actual attack traffic may be very small. That is, enormous processing power is
spent to detect rare events.
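The previous two paragraphs make a quantitative point that is worth working through: when attack events are rare, even a sensor with a tiny false-positive rate buries the operator, so precision (the fraction of alerts that are real) rather than raw detection rate is what matters. The following is an added worked example, not code or figures from the original paper; the operating point in `worked_example` (99% detection rate, 0.1% false-positive rate, one attack event per million, 10^9 events per day) is an assumed, constructed scenario chosen only for illustration.

```python
def alert_precision(detection_rate, false_positive_rate, prevalence):
    """P(attack | alert) by Bayes' rule: the fraction of raised alerts that are real attacks.
    detection_rate = P(alert | attack), false_positive_rate = P(alert | benign),
    prevalence = fraction of inspected events that are attack events."""
    true_alerts = detection_rate * prevalence
    false_alerts = false_positive_rate * (1.0 - prevalence)
    return true_alerts / (true_alerts + false_alerts)


def false_alarms_per_day(false_positive_rate, prevalence, events_per_day):
    """Expected number of false alarms an administrator must sift through per day."""
    return false_positive_rate * (1.0 - prevalence) * events_per_day


def required_false_positive_rate(target_precision, detection_rate, prevalence):
    """Largest P(alert | benign) that still achieves the target precision, obtained by
    solving precision = T / (T + F) for F, where T = detection_rate * prevalence."""
    true_alerts = detection_rate * prevalence
    false_alerts = true_alerts * (1.0 - target_precision) / target_precision
    return false_alerts / (1.0 - prevalence)


def worked_example():
    """Assumed operating point (constructed, not measured): a sensor that catches 99% of
    attack events and mis-flags 0.1% of benign ones, on a link carrying 10^9 events per
    day of which one in a million is attack traffic."""
    detection_rate, fpr, prevalence, events = 0.99, 1e-3, 1e-6, 1e9
    return {
        # About 0.1%: roughly 999 of every 1000 alerts are false.
        "precision": alert_precision(detection_rate, fpr, prevalence),
        # About one million false alarms per day for ~990 real attack events.
        "false_alarms_per_day": false_alarms_per_day(fpr, prevalence, events),
        # To make half the alerts real, the FPR must drop to about one in a million.
        "fpr_for_50pct_precision": required_false_positive_rate(0.5, detection_rate, prevalence),
    }


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name}: {value:.3g}")
```

The design point is that the required false-positive rate scales with prevalence: halving the detection rate barely changes precision, while every order of magnitude of event volume demands another order of magnitude of false-positive reduction, which is why anomaly detectors tuned on a small testbed look far better than they perform on a high-speed link.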
Finally, a recent trend is to combine intrusion detection with an active response system, such as automatic
reconfiguration of routers or firewalls to block attack traffic. Traditionally, IDSs simply raise alarms for the
network administrator to act on, and administrators must sift through voluminous alert logs to identify real
intrusions. This process is too slow and time consuming for viruses and worms, which can spread within minutes.
Automated response is important for containing a virus/worm outbreak at an early stage. Unfortunately, the
unreliability and inaccuracy of current IDSs are a problem: an automated response to a false alarm could be
completely the wrong course of action. Again, the accuracy of intrusion detection is the key issue.