
Automatic Defense Against Zero-day Polymorphic Worms in Communication Networks

1st Edition

By Mohssen Mohammed, Al-Sakib Khan Pathan

Auerbach Publications

337 pages | 52 black-and-white illustrations

Purchasing options (prices in USD):
Hardback: ISBN 9781466557277
Published: 2013-05-21
Currently out of stock
Price: $105.00

Description

Able to propagate quickly and change their payload with each infection, polymorphic worms have been able to evade even the most advanced intrusion detection systems (IDS). And because zero-day worms need only seconds to launch flooding attacks on your servers, traditional defenses such as manually creating and storing signatures are simply too slow.

Bringing together critical knowledge and research on the subject, Automatic Defense Against Zero-day Polymorphic Worms in Communication Networks details a new approach for generating automated signatures for unknown polymorphic worms. It presents experimental results on a new method for polymorphic worm detection and examines experimental implementation of signature-generation algorithms and double-honeynet systems.

If you need some background, the book includes an overview of the fundamental terms and concepts in network security, including the various security models. Clearing up the misconceptions about the value of honeypots, it explains how they can be useful in securing your networks, and identifies open-source tools you can use to create your own honeypot. There’s also a chapter with references to helpful reading resources on automated signature generation systems.

The authors describe cutting-edge attack detection approaches and detail new algorithms to help you generate your own automated signatures for polymorphic worms. Explaining how to test the quality of your generated signatures, the text will help you develop the understanding required to effectively protect your communication networks. Coverage includes intrusion detection and prevention systems (IDPS), zero-day polymorphic worm collection methods, double-honeynet system configurations, and the implementation of double-honeynet architectures.

Table of Contents

The Fundamental Concepts

Introduction

Network Security Concepts

Automated Signature Generation for Zero-Day Polymorphic Worms

Our Experience and This Book’s Objective

References

Computer Networking

Computer Technologies

Network Topology

Point-to-Point Topology

Daisy-Chain Topology

Bus (Point-to-Multipoint) Topology

Distributed Bus Topology

Ring Topology

Dual-Ring Topology

Star Topology

Star-Wired Bus Topology

Star-Wired Ring Topology

Mesh Topology

Hierarchical or Tree Topology

Dual-Homing Topology

Internet Protocol

Transmission Control Protocol

IP Routers

Ethernet Switch

IP Routing and Routing Table

Discussion on Router

Access Mechanisms for Administrators

Security Policy for a Router

Router Security Policy Checklist

Network Traffic Filtering

Packet Filtering

Source Routing

Tools Used for Traffic Filtering or Network Monitoring

Packet Capture

Concluding Remarks

References

Intrusion Detection and Prevention Systems (IDPSs)

Introduction

IDPS Detection Methods

Signature-Based Detection

Anomaly-Based Detection

Stateful Protocol Analysis

IDPS Components

IDPS Security Capabilities

Types of IDPS Technologies

Network-Based IDPSs

Wireless IDPSs

NBA Systems

Host-Based IDPS

Integration of Multiple IDPSs

Multiple IDPS Technologies

Integration of Different IDPS Products

IDPS Products

Common Enterprise Network-Based IDPSs

Common Enterprise Wireless IDPSs

Common Enterprise NBA Systems

Common Enterprise Host-Based IDPSs

Concluding Remarks

References

Honeypots

Definition and History of Honeypots

Honeypot and Its Working Principle

History of Honeypots

Types of Honeypots

Types of Threats

Script Kiddies and Advanced Blackhat Attacks

Attackers’ Motivations

The Value of Honeypots

Advantages of Honeypots

Disadvantages of Honeypots

Roles of Honeypots in Network Security

Honeypot Types Based on Interaction Level

Low-Interaction Honeypots

High-Interaction Honeypots

Medium-Interaction Honeypots

An Overview of Five Honeypots

BackOfficer Friendly

Specter

Honeyd

ManTrap

Honeynets

Conclusion

References

Internet Worms

Introduction

Infection

Code Injection

Edge Injection

Data Injection

Spreading

Hiding

Traffic Shaping

Polymorphism

Fingerprinting

Worm Components

Reconnaissance

Attack Components

Communication Components

Command Components

Intelligence Capabilities

Worm Life

Random Scanning

Random Scanning Using Lists

Island Hopping

Directed Attacking

Hit-List Scanning

Polymorphic Worms: Definition and Anatomy

Polymorphic Worm Definition

Polymorphic Worm Structure

Invariant Bytes

Polymorphic Worm Techniques

Signature Classes for Polymorphic Worms

Internet Worm Prevention Methods

Prevention of Vulnerabilities

Prevention of Exploits

Conclusion

References

Reading Resources on Automated Signature Generation Systems

Introduction

Hybrid System (Network Based and Host Based)

Network-Based Mechanisms

Host-Based Mechanisms

References

Signature Generation Algorithms for Polymorphic Worms

String Matching

Exact String-Matching Algorithms

Approximate String-Matching Algorithms

Machine Learning

Supervised Learning

Algorithm Selection

Logic-Based Algorithms

Learning Set of Rules

Statistical Learning Algorithms

Support Vector Machines

Unsupervised Learning

A Brief Introduction to Unsupervised Learning

Dimensionality Reduction and Clustering Models

Expectation–Maximization Algorithm

Modeling Time Series and Other Structured Data

Nonlinear, Factorial, and Hierarchical Models

Intractability

Graphical Models

Exact Inference in Graphs

Learning in Graphical Models

Bayesian Model Comparison and Occam’s Razor

Concluding Remark

References

Zero-Day Polymorphic Worm Collection Method

Introduction

Motivation for the Double-Honeynet System

Double-Honeynet Architecture

Software

Honeywall Roo CD-ROM

Sebek

Snort_inline

Double-Honeynet System Configurations

Implementation of Double-Honeynet Architecture

Double-Honeynet Configurations

Chapter Summary

References

Developed Signature Generation Algorithms

Introduction

An Overview and Motivation for Using String Matching

The Knuth–Morris–Pratt Algorithm

Proposed Substring Extraction Algorithm

A Modified Knuth–Morris–Pratt Algorithm

Testing the Quality of the Generated Signature for Polymorphic Worm A

Modified Principal Component Analysis

An Overview of and Motivation for Using PCA in Our Work

Our Contributions in the PCA

Determination of Frequency Counts

Using PCA to Determine the Most Significant Data for Polymorphic Worm Instances

Testing the Quality of the Generated Signature for Polymorphic Worm A

Clustering Method for Different Types of Polymorphic Worms

Signature Generation Algorithm Pseudocodes

Signature Generation Process

Testing the Quality of the Generated Signature for Polymorphic Worm A

Chapter Summary

Conclusion and Recommendations for Future Work

References

About the Authors

Mohssen Mohammed received his B.Sc. (Honors) degree in Computer Science from Computer Man College for Computer Studies (Future University), Khartoum, Sudan, in 2003. In 2006 he received the M.Sc. degree in Computer Science from the Faculty of Mathematical Sciences, University of Khartoum, Sudan, and in 2012 he received the Ph.D. degree in Electrical Engineering from the University of Cape Town, South Africa. He has published several papers at top international conferences such as GLOBECOM and MILCOM and has served as a Technical Program Committee member at numerous international conferences, including ICSEA 2010 and ICNS 2011. He received the University of Cape Town International Scholarship for Academic Merit (2007, 2008, and 2009). From 2005 to 2012 he was a permanent member of the academic staff at the University of Juba, South Sudan. He is now an Assistant Professor in the College of Computer Science & Information Technology, Bahri University, Khartoum, Sudan. His research interests include network security, especially intrusion detection and prevention systems, honeypots, firewalls, and malware detection methods.

Al-Sakib Khan Pathan received his Ph.D. degree in Computer Engineering in 2009 from Kyung Hee University, South Korea. He received his B.Sc. degree in Computer Science and Information Technology from the Islamic University of Technology (IUT), Bangladesh, in 2003. He is currently an Assistant Professor in the Computer Science department at the International Islamic University Malaysia (IIUM), Malaysia. Until June 2010, he served as an Assistant Professor in the Computer Science and Engineering department at BRAC University, Bangladesh. Prior to holding that position, he worked as a Researcher at the Networking Lab, Kyung Hee University, South Korea, until August 2009. His research interests include wireless sensor networks, network security, and e-services technologies. He is a recipient of several awards and best paper awards and has several publications in these areas. He has served as a Chair, Organizing Committee Member, and Technical Program Committee member at numerous international conferences and workshops, including HPCS, ICA3PP, IWCMC, VTC, HPCC, and IDCS. He is currently Editor-in-Chief of IJIDCS, an Area Editor of IJCNIS, an Editor of IJCSE (Inderscience), an Associate Editor of the IASTED/ACTA Press IJCA and CCS, a Guest Editor of special issues of top-ranked journals, and Editor/Author of five published books. He also serves as a referee for several renowned journals. He is a member of the Institute of Electrical and Electronics Engineers (IEEE), USA; the IEEE Communications Society (IEEE ComSoc), USA; the IEEE ComSoc Bangladesh Chapter; and several other international organizations.

Subject Categories

BISAC Subject Codes/Headings:

COM037000: COMPUTERS / Machine Theory
COM051230: COMPUTERS / Software Development & Engineering / General
COM053000: COMPUTERS / Security / General