Record:   Prev Next
Author Nazario, Jose
Title Defense and Detection Strategies against Internet Worms
Imprint Norwood : Artech House, 2003
©2004
book jacket
Descript 1 online resource (318 pages)
text txt rdacontent
computer c rdamedia
online resource cr rdacarrier
Note Defense and Detection Strategies against Internet Worms -- Contents vii -- Foreword xvii -- Preface xxi -- Acknowledgments xxvii -- 1 Introduction 1 -- 1.1 Why worm-based intrusions? 2 -- 1.2 The new threat model 3 -- 1.3 A new kind of analysis requirement 4 -- 1.4 The persistent costs of worms 5 -- 1.5 Intentions of worm creators 6 -- 1.6 Cycles of worm releases 7 -- References 8 -- Part I Background and Taxonomy 9 -- 2 Worms Defined 11 -- 2.1 A formal definition 12 -- 2.2 The five components of a worm 12 -- 2.3 Finding new victims: reconnaissance 14 -- 2.4 Taking control: attack 15 -- 2.5 Passing messages: communication 15 -- 2.6 Taking orders: command interface 16 -- 2.7 Knowing the network: intelligence 17 -- 2.8 Assembly of the pieces 18 -- 2.9 Ramen worm analysis 19 -- 2.10 Conclusions 21 -- References 21 -- 3 Worm Traffic Patterns 23 -- 3.1 Predicted traffic patterns 23 -- 3.2 Disruption in Internet backbone activities 26 -- 3.3 Observed traffic patterns 28 -- 3.4 Conclusions 34 -- References 34 -- 4 Worm History and Taxonomy 37 -- 4.1 The beginning 38 -- 4.2 UNIX targets 44 -- 4.3 Microsoft Windows and IIS targets 53 -- 4.4 Related research 63 -- 4.5 Conclusions 65 -- References 65 -- 5 Construction of a Worm 69 -- 5.1 Target selection 69 -- 5.2 Choice of languages 72 -- 5.3 Scanning techniques 74 -- 5.4 Payload delivery mechanism 75 -- 5.5 Installation on the target host 76 -- 5.6 Establishing the worm network 77 -- 5.7 Additional considerations 78 -- 5.8 Alternative designs 78 -- 5.9 Conclusions 80 -- References 80 -- Part II Worm Trends 81 -- 6 Infection Patterns 83 -- 6.1 Scanning and attack patterns 83 -- 6.2 Introduction mechanisms 89 -- 6.3 Worm network topologies 91 -- 6.4 Target vulnerabilities 97 -- 6.5 Payload propagation 99 -- 6.6 Conclusions 102 -- References 102 -- 7 Targets of Attack 103 -- 7.1 Servers 103
7.2 Desktops and workstations 105 -- 7.3 Embedded devices 108 -- 7.4 Conclusions 110 -- References 110 -- 8 Possible Futures for Worms 113 -- 8.1 Intelligent worms 113 -- 8.2 Modular and upgradable worms 1187 -- 8.3 Warhol and Flash worms 122 -- 8.4 Polymorphic traffic 126 -- 8.5 Using Web crawlers as worms 127 -- 8.6 Superworms and Curious Yellow 129 -- 8.7 Jumping executable worm 130 -- 8.8 Conclusions 131 -- References 132 -- Part III Detection 135 -- 9 Traffic Analysis 137 -- 9.1 Part overview 137 -- 9.2 Introduction to traffic analysis 138 -- 9.3 Traffic analysis setup 139 -- 9.4 Growth in traffic volume 142 -- 9.5 Rise in the number of scans and sweeps 143 -- 9.6 Change in traffic patterns for some hosts 148 -- 9.7 Predicting scans by analyzing the scan engine 150 -- 9.8 Discussion 156 -- 9.9 Conclusions 158 -- 9.10 Resources 158 -- References 159 -- 10 Honeypots and Dark (Black Hole) Network Monitors 161 -- 10.1 Honeypots 162 -- 10.2 Black hole monitoring 164 -- 10.3 Discussion 170 -- 10.4 Conclusions 172 -- 10.5 Resources 173 -- References 173 -- 11 Signature-Based Detection 175 -- 11.1 Traditional paradigms in signature analysis 176 -- 11.2 Network signatures 177 -- 11.3 Log signatures 180 -- 11.4 File system signatures 190 -- 11.5 Analyzing the Slapper worm 195 -- 11.6 Creating signatures for detection engines 198 -- 11.7 Analysis of signature-based detection 204 -- 11.8 Conclusions 206 -- 11.9 Resources 206 -- References 208 -- Part IV Defenses 209 -- 12 Host-Based Defenses 211 -- 12.2 Host defense in depth 213 -- 12.3 Host firewalls 213 -- 12.4 Virus detection software 214 -- 12.5 Partitioned privileges 216 -- 12.6 Sandboxing of applications 219 -- 12.7 Disabling unneeded services and features 221 -- 12.8 Aggressively patching known holes 223 -- 12.9 Behavior limits on hosts 225 -- 12.10 Biologically inspired host defenses 227
12.11 Discussion 229 -- 12.12 Conclusions 230 -- References 230 -- 13 Firewall and Network Defenses 233 -- 13.1 Example rules 234 -- 13.2 Perimeter firewalls 236 -- 13.3 Subnet firewalls 239 -- 13.4 Reactive IDS deployments 239 -- 13.5 Discussion 242 -- 13.6 Conclusions 242 -- References 243 -- 14 Proxy-Based Defenses 245 -- 14.1 Example configuration 246 -- 14.2 Authentication via the proxy server 249 -- 14.3 Mail server proxies 249 -- 14.4 Web-based proxies 251 -- 14.5 Discussion 253 -- 14.6 Conclusions 254 -- 14.7 Resources 254 -- References 254 -- 15 Attacking the Worm Network 257 -- 15.1 Shutdown messages 259 -- 15.2 "I am already infected" 260 -- 15.3 Poison updates 261 -- 15.4 Slowing down the spread 262 -- 15.5 Legal implications of attacking worm nodes 263 -- 15.6 A more professional and effective way to stop worms 264 -- 15.7 Discussion 266 -- 15.8 Conclusions 267 -- References 267 -- 16 Conclusions 269 -- 16.1 A current example 269 -- 16.2 Reacting to worms 270 -- 16.3 Blind spots 273 -- 16.4 The continuing threat 273 -- 16.5 Summary 275 -- 16.6 On-line resources 275 -- References 277 -- About the Author 279 -- Index 281
This is the first book focused exclusively on Internet worms, offering you solid worm detection and mitigation strategies for your work in the field. This ground-breaking volume enables you to put rising worm trends into perspective with practical information in detection and defense techniques utilizing data from live networks, real IP addresses, and commercial tools. The book helps you understand the classifications and groupings of worms, and offers a deeper understanding of how they threaten network and system security
Description based on publisher supplied metadata and other sources
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2020. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries
Link Print version: Nazario, Jose Defense and Detection Strategies against Internet Worms Norwood : Artech House,c2003 9781580535373
Subject Computer security.;Computer networks -- Security measures.;Computer viruses
Electronic books
Record:   Prev Next