
Wormshield

Wormshield: a signature-based filter for worms. A review by Geoffrey Allan Cheung. A worm is malware that exploits vulnerabilities in software to self-propagate through the Internet. Wormshield is a system that uses signature-based filtering to identify worms and prevent them from spreading.





Presentation Transcript


  1. Wormshield: Signature-based filter for worms. A review by Geoffrey Allan Cheung

  2. A worm is malware that exploits vulnerabilities in software to self-propagate through the Internet.

  3. Wormshield is a system that uses signature-based filtering to identify worms and prevent them from spreading.

  4. Previous systems and Wormshield

  5. Comments and Criticisms • This paper has a lot of references, which is reassuring. • However, the paper takes the time to explain how several of the previous systems worked rather than just saying how Wormshield is different.

  6. “In summary, our work on WormShield is complementary to Autograph [16] and Earlybird [32], since distributed fingerprint filtering and aggregation can be used to improve the two systems as well. PAYL [37] uses the “Z-string” of packet payload . . . Polygraph [27] generates the signatures of polymorphic worms with multiple disjoint string tokens . . . DOMINO [41] builds an overlay network among active-sink nodes . . . Worminator [23] summarizes portscan alerts . . . Vigilante [6], . . . “

  7. Signature-based filtering • Signature-based filtering in Wormshield considers both frequency and dispersion. • Dispersion: the number of distinct IP addresses (either source or destination) in the packets containing the investigated signature.

  8. DATs (Distributed aggregation trees) • But the real difference in Wormshield is that it uses distributed aggregation trees to get a global view of the worm in the Internet. • Why can't we do without these? The root node would get overloaded during a large worm outbreak.

  9. How do they work?

  10. Trade-offs • We want the local threshold to be low, so that a worm can be detected as early as possible. • However, if the threshold is too low then too much network traffic will be created.
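As an added example (not code from the paper or from these slides), the following Python sketch ties slides 7, 8 and 10 together: each monitor tracks frequency and source/destination dispersion per content fingerprint, applies a low local threshold, and forwards only the survivors to an aggregation node that sums counts and unions address sets across monitors. The windowed SHA-1 fingerprinting, the threshold values and the traffic are all constructed assumptions chosen to keep the scenario small.

```python
# Added illustration, not WormShield's code. Fingerprints are SHA-1 prefixes of
# fixed-length payload windows, an assumption; the slides don't give the paper's scheme.
import hashlib
from collections import defaultdict

WINDOW = 8  # bytes per content window (constructed value)

def fingerprints(payload: bytes):
    """One fingerprint per fixed-length window of the payload."""
    return {hashlib.sha1(payload[i:i + WINDOW]).hexdigest()[:16]
            for i in range(max(len(payload) - WINDOW, 0) + 1)}

class Monitor:
    """Edge monitor keeping frequency and address dispersion per fingerprint."""
    def __init__(self):
        self.freq, self.srcs, self.dsts = defaultdict(int), defaultdict(set), defaultdict(set)
    def observe(self, src, dst, payload):
        for fp in fingerprints(payload):  # each window counted once per packet
            self.freq[fp] += 1
            self.srcs[fp].add(src)
            self.dsts[fp].add(dst)
    def report(self, min_freq, min_disp):
        """Only fingerprints over the local threshold are sent up the tree."""
        return {fp: (f, set(self.srcs[fp]), set(self.dsts[fp]))
                for fp, f in self.freq.items() if f >= min_freq
                and len(self.srcs[fp]) >= min_disp and len(self.dsts[fp]) >= min_disp}

def aggregate(reports):
    """Tree node: sum frequencies and union address sets from child reports."""
    total = defaultdict(lambda: [0, set(), set()])
    for rep in reports:
        for fp, (f, s, d) in rep.items():
            total[fp][0] += f; total[fp][1] |= s; total[fp][2] |= d
    return total

def worm_signatures(monitors, local_freq, local_disp, global_freq, global_disp):
    agg = aggregate(m.report(local_freq, local_disp) for m in monitors)  # root's global view
    return {fp for fp, (f, s, d) in agg.items()
            if f >= global_freq and len(s) >= global_disp and len(d) >= global_disp}

def demo():
    """Constructed traffic: a worm payload at two sites plus one busy web server."""
    worm, web = b"WORM-EXPLOIT-BLOB-v1", b"HTTP/1.1 200 OK index"
    m1, m2 = Monitor(), Monitor()
    for i in range(5):   # 5 infected hosts per site, each hitting a new victim
        m1.observe(f"10.0.0.{i}", f"10.1.0.{i}", worm)
        m2.observe(f"10.2.0.{i}", f"10.3.0.{i}", worm)
    for i in range(20):  # one server answering 20 clients: frequent, low source dispersion
        m1.observe("203.0.113.5", f"198.51.100.{i}", web)
    return worm_signatures([m1, m2], 3, 3, 8, 8)
```

With the thresholds above, neither monitor alone reaches the global threshold of 8 for the worm fingerprints (each sees 5), but the aggregated view does, while the popular web server is dropped locally because all its packets come from a single source.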

  11. More criticisms • The paper is backed up by lots of data and details on assumptions. • Pg 96: "essages"? "aggregation at root monitors requires . . . essages" • False negatives could not be checked due to the nature of the simulation. • False positives were checked as a constant (10, 50) rather than as a ratio, because no known worms were present when testing (e.g. 10 false signatures out of 20GB of trace data).

  12. Still, it shows a better tradeoff.

  13. More monitors is better

  14. Even more criticisms • Why is the 99th percentile curve faster than the average isolated monitors curve?

  15. Limitations • Despite the limitation of not being able to handle polymorphic worms, some protection is better than none, right?
