Defending Against Next Generation Through Network/Endpoint Collaboration and Interaction

  • Spiros Antonatos
  • Michael Locasto
  • Stelios Sidiroglou
  • Angelos D. Keromytis
  • Evangelos Markatos
Part of the Lecture Notes in Electrical Engineering book series (LNEE, volume 30)

Abstract

Over the past few years we have seen the use of Internet worms, i.e., malicious self-replicating programs, as a mechanism to rapidly invade and compromise large numbers of remote computers [33]. Although the first worms released on the Internet were large-scale, easy-to-spot massive security incidents [6, 19, 20, 26], also known as flash worms [32], it is currently envisioned (and we already see signs of it in the wild) that future worms will be increasingly difficult to detect, and will be known as stealth worms. This may be partly because the motives of early worm developers are thought to have been centered around the self-gratification brought by the achievement of compromising large numbers of remote computers, while the motives of recent worm and malware developers have progressed to more mundane (and sinister) financial and political gains.

Keywords

Intrusion Detection, Application Community, Remote Computer, Dark Space, Centralize Farm

These keywords were added by machine and not by the authors.

References

  1. P. Akritidis, K. G. Anagnostakis, and E. P. Markatos. Efficient content based worm detection. In Proceedings of the 40th IEEE International Conference on Communications (ICC), 2005.
  2. K. G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, and A. D. Keromytis. Detecting targeted attacks using shadow honeypots. In Proceedings of the 14th USENIX Security Symposium, pp. 129–144, August 2005.
  3. S. Antonatos, P. Akritidis, E. P. Markatos, and K. G. Anagnostakis. Defending against hit list worms using network address space randomization. In Proceedings of the ACM Workshop on Rapid Malcode (WORM), pp. 30–40, November 2005.
  4. S. Antonatos, K. G. Anagnostakis, and E. P. Markatos. Honey@home: A new approach to large-scale threat monitoring. To appear in the Proceedings of the 5th ACM Workshop on Recurring Malcode (WORM), November 2007.
  5. M. Bailey, E. Cooke, F. Jahanian, J. Nazario, and D. Watson. The Internet Motion Sensor: A distributed blackhole monitoring system. In Proceedings of the 12th ISOC Symposium on Network and Distributed Systems Security (SNDSS), pp. 167–179, February 2005.
  6. M. Bailey, E. Cooke, F. Jahanian, D. Watson, and J. Nazario. The Blaster worm: Then and now. IEEE Security & Privacy Magazine, 3(4):26–31, 2005.
  7. J. Bethencourt, J. Franklin, and M. Vernon. Mapping Internet sensors with probe response attacks. In Proceedings of the 14th USENIX Security Symposium, pp. 193–208, August 2005.
  8. E. Cooke, M. Bailey, Z. M. Mao, and D. McPherson. Toward understanding distributed blackhole placement. In Proceedings of the ACM Workshop on Rapid Malcode (WORM), pp. 54–64, October 2004.
  9. D. Dagon, X. Qin, G. Gu, W. Lee, J. Grizzard, J. Levine, and H. Owen. HoneyStat: Local worm detection using honeypots. In Proceedings of the 7th International Symposium on Recent Advances in Intrusion Detection (RAID), pp. 39–58, October 2004.
  10. T. Detristan, T. Ulenspiegel, Y. Malcom, and M. Underduk. Polymorphic shellcode engine using spectrum analysis. Phrack, 11(61), August 2003.
  11. R. Dingledine, N. Mathewson, and P. Syverson. Tor: The second-generation onion router. In Proceedings of the 13th USENIX Security Symposium, August 2004.
  12. G. S. Kc, A. D. Keromytis, and V. Prevelakis. Countering code-injection attacks with instruction-set randomization. In Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS), pp. 272–280, October 2003.
  13. D. M. Kienzle and M. C. Elder. Recent worms: A survey and trends. In Proceedings of the ACM Workshop on Rapid Malcode (WORM), pp. 1–10, 2003.
  14. H. Kim and B. Karp. Autograph: Toward automated, distributed worm signature detection. In Proceedings of the 13th USENIX Security Symposium, pp. 271–286, August 2004.
  15. [entry missing from the source page]
  16. M. E. Locasto, S. Sidiroglou, and A. D. Keromytis. Software self-healing using collaborative application communities. In Proceedings of the 13th ISOC Symposium on Network and Distributed Systems Security (SNDSS), pp. 95–106, February 2006.
  17. D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver. Inside the Slammer worm. IEEE Security & Privacy Magazine, 1(4):33–39, 2003.
  18. D. Moore, C. Shannon, and J. Brown. Code-Red: A case study on the spread and victims of an Internet worm. In Proceedings of the 2nd ACM SIGCOMM Workshop on Internet Measurement (IMW), pp. 273–284, 2002.
  19. G. Portokalidis, A. Slowinska, and H. Bos. Argos: An emulator for fingerprinting zero-day attacks. In Proceedings of ACM SIGOPS EuroSys, April 2006.
  20. M. A. Rajab, F. Monrose, and A. Terzis. On the effectiveness of distributed worm monitoring. In Proceedings of the 14th USENIX Security Symposium, pp. 225–237, August 2005.
  21. M. A. Rajab, F. Monrose, and A. Terzis. Fast and evasive attacks: Highlighting the challenges ahead. In Proceedings of the 9th International Symposium on Recent Advances in Intrusion Detection (RAID), pp. 206–225, September 2006.
  22. M. Roesch. Snort: Lightweight intrusion detection for networks. In Proceedings of USENIX LISA, pp. 229–238, 1999.
  23. C. Shannon and D. Moore. The spread of the Witty worm. IEEE Security & Privacy Magazine, 2(4):46–50, 2004.
  24. Y. Shinoda, K. Ikai, and M. Itoh. Vulnerabilities of passive Internet threat monitors. In Proceedings of the 14th USENIX Security Symposium, pp. 209–224, August 2005.
  25. S. Sidiroglou, G. Giovanidis, and A. D. Keromytis. A dynamic mechanism for recovering from buffer overflow attacks. In Proceedings of the 8th Information Security Conference (ISC), pp. 1–15, September 2005.
  26. S. Sidiroglou, M. E. Locasto, S. W. Boyd, and A. D. Keromytis. Building a reactive immune system for software services. In Proceedings of the USENIX Annual Technical Conference, pp. 149–161, April 2005.
  27. S. Singh, C. Estan, G. Varghese, and S. Savage. Automated worm fingerprinting. In Proceedings of OSDI, pp. 45–60, 2004.
  28. L. Spitzner. Honeypots: Tracking Hackers. Addison-Wesley, Boston, MA, 2003.
  29. S. Staniford, D. Moore, V. Paxson, and N. Weaver. The top speed of flash worms. In Proceedings of the ACM Workshop on Rapid Malcode (WORM), pp. 33–42, November 2004.
  30. S. Staniford, V. Paxson, and N. Weaver. How to own the Internet in your spare time. In Proceedings of the 11th USENIX Security Symposium, August 2002.
  31. P. Szor and P. Ferrie. Hunting for metamorphic. In Proceedings of the Virus Bulletin Conference, pp. 123–144, September 2001.
  32. K. Xinidis, I. Charitakis, S. Antonatos, K. G. Anagnostakis, and E. P. Markatos. An active splitter architecture for intrusion detection and prevention. IEEE Transactions on Dependable and Secure Computing, 3(1):31–44, 2006.
  33. V. Yegneswaran, P. Barford, and D. Plonka. On the design and use of Internet sinks for network abuse monitoring. In Proceedings of the 7th International Symposium on Recent Advances in Intrusion Detection (RAID), pp. 146–165, October 2004.

Copyright information

© Springer Science+Business Media, LLC 2009

Authors and Affiliations

  • Spiros Antonatos (1)
  • Michael Locasto (2)
  • Stelios Sidiroglou (2)
  • Angelos D. Keromytis (2)
  • Evangelos Markatos (1)

  1. Foundation for Research and Technology Hellas, Heraklion, Greece
  2. Department of Computer Science, Columbia University, New York, USA