Transcript Wed, 19 Sep
WormShield
A signature-based filter for worms
A review by
Geoffrey Allan Cheung
• A worm is malware that exploits
vulnerabilities in software to self-propagate
through the Internet.
• WormShield is a system that uses
signature-based filtering to identify worms
and prevent them from spreading.
Previous systems and WormShield
Comments and Criticisms
• This paper has a lot of references, which
is reassuring.
• However, the paper takes the time to
explain how several of the previous
systems worked rather than just saying
how WormShield is different:
• “In summary, our work on WormShield is complementary to Autograph [16] and Earlybird [32], since distributed fingerprint filtering and aggregation can be used to improve the two systems as well. PAYL [37] uses the “Z-string” of packet payload . . . Polygraph [27] generates the signatures of polymorphic worms with multiple disjoint string tokens . . . DOMINO [41] builds an overlay network among active-sink nodes . . . Worminator [23] summarizes portscan alerts . . . Vigilante [6], . . .”
Signature-based filtering
• Signature-based filtering in WormShield
considers both frequency and dispersion
(a rough sketch follows below).
• Dispersion – the number of distinct IP
addresses (either source or destination) seen in
the packets containing the investigated
signature.
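The idea can be pictured with a minimal sketch. This is not the paper's implementation: a plain SHA-1 hash over fixed-size payload blocks stands in for its fingerprinting scheme, and the block size and thresholds are made-up illustrative numbers.

import hashlib
from collections import defaultdict

BLOCK_SIZE = 64  # hypothetical content-block size, not the paper's value

class SignatureStats:
    def __init__(self):
        self.frequency = 0       # how often this block content repeats
        self.sources = set()     # distinct source IPs (source dispersion)
        self.destinations = set()  # distinct destination IPs (destination dispersion)

def update_stats(stats, payload, src_ip, dst_ip):
    """Update frequency and dispersion counters for every block in one packet."""
    for i in range(0, len(payload) - BLOCK_SIZE + 1, BLOCK_SIZE):
        fp = hashlib.sha1(payload[i:i + BLOCK_SIZE]).hexdigest()
        s = stats[fp]
        s.frequency += 1
        s.sources.add(src_ip)
        s.destinations.add(dst_ip)

def looks_like_worm(s, freq_thresh=100, disp_thresh=30):
    """A signature is suspicious only if it is both frequent and widely dispersed."""
    return (s.frequency >= freq_thresh
            and len(s.sources) >= disp_thresh
            and len(s.destinations) >= disp_thresh)

stats = defaultdict(SignatureStats)
update_stats(stats, b"GET /exploit " * 20, "10.0.0.1", "10.0.0.2")

Requiring high dispersion as well as high frequency is what keeps ordinary popular content (which repeats a lot but between few hosts) from triggering a signature.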
DATs
(Distributed aggregation trees)
• But the real difference in WormShield is
that it uses distributed aggregation trees to
get a global view of the worm across the
Internet.
• Why can’t we do without these? Because a
single root node would get overloaded during
a large worm outbreak.
How do they work?
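Roughly, each monitor merges its children's partial counts and passes only the sums upward, so the root never receives per-packet reports from every edge monitor. Below is a toy sketch under that assumption, with a hard-coded three-level tree; in the actual system the tree is built over an overlay and different fingerprints can aggregate at different roots.

from collections import Counter

class Monitor:
    def __init__(self, name, children=()):
        self.name = name
        self.children = list(children)
        self.local_counts = Counter()   # fingerprint -> locally observed count

    def observe(self, fingerprint, count=1):
        self.local_counts[fingerprint] += count

    def aggregate(self):
        """Return this subtree's totals: own counts plus all descendants'."""
        total = Counter(self.local_counts)
        for child in self.children:
            total += child.aggregate()  # each parent merges its children's partial sums
        return total

# Leaf monitors see local traffic; only partial sums travel up the tree.
leaves = [Monitor(f"edge-{i}") for i in range(4)]
mids = [Monitor("mid-0", leaves[:2]), Monitor("mid-1", leaves[2:])]
root = Monitor("root", mids)

leaves[0].observe("0xdeadbeef", 40)
leaves[3].observe("0xdeadbeef", 25)
print(root.aggregate()["0xdeadbeef"])   # global count: 65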
Trade-offs
• We want the local threshold to be low, so
that a worm can be detected as early
as possible.
• However, if the threshold is too low, then
too much network traffic will be created
(see the sketch below).
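The trade-off shows up even in a purely illustrative simulation of a single monitor: with a low local threshold the first upstream report happens sooner, but many more update messages are generated. The traffic trace and threshold values here are invented for illustration only.

def simulate(packet_counts, local_threshold):
    """Count the update messages one monitor sends for one fingerprint."""
    messages = 0
    local_count = 0
    first_report_at = None
    for t, n in enumerate(packet_counts):
        local_count += n
        if local_count >= local_threshold:
            messages += 1                 # push the partial count upstream
            if first_report_at is None:
                first_report_at = t       # earlier report -> earlier detection
            local_count = 0               # reset after reporting
    return messages, first_report_at

traffic = [1, 2, 4, 8, 16, 32, 64]        # a worm ramping up over time
for thresh in (5, 20, 80):
    msgs, first = simulate(traffic, thresh)
    print(f"threshold={thresh:3d}: {msgs} messages, first report at step {first}")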
More criticisms
• The paper is backed up by lots of data and details on assumptions.
• Pg 96: “essages”?
“aggregation at root monitors requires . . . essages”
• False negatives could not be checked due to the nature of the
simulation.
• False positives were checked as a constant (10, 50) rather than as a
ratio, because no known worms appeared during testing (e.g., 10 false
signatures out of 20 GB of trace data).
Still, it shows a better tradeoff.
More monitors are better
Even more criticisms
• Why is the 99th-percentile curve faster than
the average isolated-monitors curve?
Limitations
• Despite the limitation of not being able to
handle polymorphic worms, some
protection is better than none, right?