WormShield: Signature-based filter for worms
A review by Geoffrey Allan Cheung
• A worm is malware that exploits vulnerabilities in software to self-propagate across the Internet.
• WormShield is a system that uses signature-based filtering to identify worms and prevent them from spreading.
Comments and Criticisms
• This paper has a lot of references, which is reassuring.
• However, the paper takes the time to explain how several of the previous systems worked rather than just saying how WormShield is different:
“In summary, our work on WormShield is complementary to Autograph [16] and Earlybird [32], since distributed fingerprint filtering and aggregation can be used to improve the two systems as well. PAYL [37] uses the “Z-string” of packet payload . . . Polygraph [27] generates the signatures of polymorphic worms with multiple disjoint string tokens . . . DOMINO [41] builds an overlay network among active-sink nodes . . . Worminator [23] summarizes portscan alerts . . . Vigilante [6], . . . “
Signature-based filtering
• Signature-based filtering in WormShield considers both how often a signature repeats (frequency) and how widely it spreads (dispersion).
• Dispersion – the number of distinct IP addresses (either source or destination) in the packets containing the investigated signature.
DATs (Distributed aggregation trees)
• The real difference in WormShield is that it uses distributed aggregation trees to get a global view of a worm across the Internet.
• Why can't we do without them? Without a tree, a single root node would have to take every monitor's report directly and would get overloaded during a large worm outbreak.
Trade-offs
• We want the local threshold to be low, so that a worm is detected as early as possible.
• However, if the threshold is too low, too much reporting traffic is generated between monitors.
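The three slides above (local frequency and dispersion counting, the aggregation tree, and the local-threshold trade-off) can be seen working together in the following toy model. This is an added example written for this review, not code from the WormShield paper or its authors: the fingerprint function (a truncated SHA-256 over fixed-length substrings), the window length, the thresholds, the monitor tree and the packets are all constructed assumptions chosen to make the effects visible.

```python
"""Toy WormShield-style detection: local fingerprint statistics, a local
reporting threshold, and a distributed aggregation tree (DAT) that merges
reports up to a root which applies the global thresholds.

Added example, not code from the WormShield paper. The fingerprint function,
window length, thresholds, monitor tree and packets are all constructed
assumptions for illustration.
"""
import hashlib
from collections import defaultdict

WINDOW = 8  # assumed substring length; not the paper's parameter


def fingerprints(payload: bytes) -> set:
    """Fingerprint every WINDOW-byte substring of a payload.
    A truncated SHA-256 stands in for whatever fingerprint the paper uses."""
    return {hashlib.sha256(payload[i:i + WINDOW]).hexdigest()[:16]
            for i in range(len(payload) - WINDOW + 1)}


class Stats:
    """Per-fingerprint counters: frequency and the set of IPs seen with it."""
    def __init__(self):
        self.freq = 0       # packets carrying the fingerprint
        self.ips = set()    # distinct source or destination addresses

    def merge(self, other):
        self.freq += other.freq
        self.ips |= other.ips

    @property
    def dispersion(self):
        return len(self.ips)


def local_stats(packets):
    """What one isolated monitor sees; packets are (src, dst, payload)."""
    table = defaultdict(Stats)
    for src, dst, payload in packets:
        for fp in fingerprints(payload):
            table[fp].freq += 1
            table[fp].ips.update((src, dst))
    return table


def aggregate(node, tree, traffic, local_thresh, msgs):
    """Merge this node's own stats with what its children report upward.
    A child only forwards fingerprints whose merged frequency reaches
    local_thresh; msgs records how many entries each child sent."""
    table = local_stats(traffic.get(node, []))
    for child in tree.get(node, []):
        child_table = aggregate(child, tree, traffic, local_thresh, msgs)
        report = {fp: s for fp, s in child_table.items() if s.freq >= local_thresh}
        msgs[child] = len(report)
        for fp, s in report.items():
            table[fp].merge(s)
    return table


def detect(tree, root, traffic, local_thresh, global_freq, global_disp):
    """Run the DAT; return (fingerprints flagged at the root, the root's
    merged table, total report entries sent over the tree)."""
    msgs = {}
    root_table = aggregate(root, tree, traffic, local_thresh, msgs)
    flagged = {fp for fp, s in root_table.items()
               if s.freq >= global_freq and s.dispersion >= global_disp}
    return flagged, root_table, sum(msgs.values())


def isolated_detect(packets, global_freq, global_disp):
    """The same global thresholds applied by one monitor alone, no tree."""
    return {fp for fp, s in local_stats(packets).items()
            if s.freq >= global_freq and s.dispersion >= global_disp}


# Constructed traffic: one fake worm payload seen between many hosts, and one
# benign request that repeats often but only between a few hosts.
WORM = b"\x90\x90\x90\x90EXPLOIT/bin/sh"
BENIGN = b"GET /index.html HTTP/1.0"
TREE = {"root": ["m1", "m2"], "m1": ["m3"], "m2": [], "m3": []}
TRAFFIC = {
    "root": [("10.0.7.1", "10.0.8.1", WORM)],
    "m1": [("10.0.1.1", "10.0.2.1", WORM), ("10.0.1.2", "10.0.2.2", WORM)]
          + [("10.0.1.5", "10.0.9.9", BENIGN)] * 3,
    "m2": [("10.0.3.1", "10.0.4.1", WORM), ("10.0.3.2", "10.0.4.2", WORM)]
          + [("10.0.3.5", "10.0.9.9", BENIGN)] * 3,
    "m3": [("10.0.5.1", "10.0.6.1", WORM), ("10.0.5.5", "10.0.9.9", BENIGN)],
}

if __name__ == "__main__":
    for local_thresh in (1, 2, 3):
        flagged, table, n = detect(TREE, "root", TRAFFIC, local_thresh, 5, 8)
        print(f"local threshold {local_thresh}: {n} report entries sent, "
              f"worm flagged at root: {fingerprints(WORM) <= flagged}")
    print("any isolated monitor flags the worm:",
          any(isolated_detect(p, 5, 8) for p in TRAFFIC.values()))
```

With global thresholds of frequency 5 and dispersion 8, no monitor flags the worm on its own (each sees at most two worm packets), which is the case for aggregation. Lowering the local threshold from 2 to 1 raises the number of entries sent up the tree from 56 to 84, while raising it to 3 means the leaf monitors never forward their two worm packets and the root misses the worm entirely; even at threshold 2, m3's single worm packet is dropped, so the root sees frequency 5 rather than 6. The benign request has a higher frequency than the worm but a dispersion of 3 or 4, so it is never flagged.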
More criticisms
• The paper is backed up by lots of data and details on its assumptions.
• Pg 96: “essages”? “aggregation at root monitors requires . . . essages” (a typo in the paper)
• False negatives could not be checked due to the nature of the simulation.
• False positives were reported as a constant count (10, 50) rather than as a ratio, because there were no known worms in the traces used for testing (e.g. 10 false signatures out of 20 GB of trace data).
Even more criticisms
• Why is the 99th-percentile curve faster than the average isolated-monitors curve?
Limitations
• Despite the limitation that it cannot handle polymorphic worms, some protection is better than none, right?