WO2008079103A2 - System and method for detection and mitigation of network worms - Google Patents

System and method for detection and mitigation of network worms Download PDF

Info

Publication number
WO2008079103A2
WO2008079103A2 PCT/US2006/019634 US2006019634W WO2008079103A2 WO 2008079103 A2 WO2008079103 A2 WO 2008079103A2 US 2006019634 W US2006019634 W US 2006019634W WO 2008079103 A2 WO2008079103 A2 WO 2008079103A2
Authority
WO
WIPO (PCT)
Prior art keywords
host
computer
network
behavior
protocol
Prior art date
Application number
PCT/US2006/019634
Other languages
French (fr)
Other versions
WO2008079103A3 (en
Inventor
Karthikeyan K. Sadhasivam
Shuguang Zhang
Ravi K. Varanasi
Original Assignee
Cisco Technology, Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Cisco Technology, Inc. filed Critical Cisco Technology, Inc.
Priority to PCT/US2006/019634 priority Critical patent/WO2008079103A2/en
Publication of WO2008079103A2 publication Critical patent/WO2008079103A2/en
Publication of WO2008079103A3 publication Critical patent/WO2008079103A3/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/145Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Signal Processing (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

An intrusion detection system for a computer network includes a knowledge database that contains a baseline of normal host behavior, and a correlation engine that monitors network activity with reference to the knowledge database. The correlation engine accumulating information about anomalous events occurring on the network and then periodically correlating the anomalous events. The correlation engine generates a worm outbreak alarm when a certain number of hosts exhibit a role-reversal behavior. It is emphasized that this abstract is provided to comply with the rules requiring an abstract that will allow a searcher or other reader to quickly ascertain the subject matter of the technical disclosure. It is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims. 37 CFR 1.72(b).

Description

SYSTEM AND METHOD FOR DETECTION AND MITIGATION OF NETWORK WORMS
FIELD OF THE INVENTION
[0001] The present invention relates generally to digital computer network technology; more particularly, to intrusion detection systems for network-based computer systems.
BACKGROUND OF THE INVENTION
[0002] With the rapid growth of the Internet and computer network technology in general, network security has become a major concern to companies around the world. The fact that the tools and information needed to penetrate the security of corporate networks are widely available has only increased that concern. Because of the increased focus on network security, network security administrators often spend more effort protecting their networks than on actual network setup and administration. [0003] Confidential information normally resides in two states on a computer network. It can reside on physical storage media, such as a hard disk or memory of a device such as a server, or it can reside in transit across the physical network wire in the form of packets. A packet is a block of data that carries with it the information necessary to deliver it, analogous to an ordinary postal letter that has address information written on the envelope. A data packet switching network uses the address information contained in the packets to switch the packets from one physical network connection to another in order to deliver the packet to its final destination. In modern computer network technology, network nodes such as gateway devices, routers, and switches are commonly utilized to forward data packets toward their destinations. The format of a packet is usually defined according to a certain protocol. For example, the format of a packet according to the widely-used Internet protocol (IP) is known as a datagram. [0004] Computer viruses and worms are two types of malicious programs designed to attack and compromise the security of a network. A computer virus attaches itself to a program or file so it can spread from one computer to another through the process of sharing infected files or sending e-mails with viruses as attachments in the e-mail. Most often, viruses are attached to an executable file, which means the virus may exist on a computer or network node but it cannot damage the computer's hardware, software, or files unless a user runs or opens the malicious program. [0005] A worm is similar to a virus by its design, but is much more insidious than a virus insomuch as it has the ability to propagate without direct human action (such as running an infected program). A worm takes advantage of file or information transport features on a computer system, which allows it to rapidly propagate throughout a network unaided. A big danger with a worm is its ability to replicate itself so that a single host computer can send out hundreds or thousands of copies of the worm to other computers in the network, thereby creating a huge devastating effect. For example, a worm may scan hundreds of computer nodes across a local access network (LAN) looking for a vulnerable host. When a worm finds a vulnerable hose, it tries to infect it and continue the replication process down the connectivity line.
[0006] A worm's ability to propagate itself rapidly (and often surreptitiously) is essential to its success in disrupting the integrity of a network by compromising Web servers, network servers, and individual computers. For example, the recent "MySQL" worm attack was reported to have infected approximately 4,500 computer systems per hour in the early hours following outbreak. Detection of a worm may occur when the worm starts consumes large amounts of system memory or network bandwidth, which may cause certain network nodes to stop responding. Evidence of a worm attack may also be found in a significant upsurge in scans performed on a particular port of a network device. For example, a past outbreak of the MySQL worm was evidenced by a massive number of port 3306 scans during a relatively short time period.
[0007] Current Intrusion Detection System (IDS) or Intrusion
Prevention System (IPS) technologies usually discover worm attacks via comparisons of network traffic against known attack signatures. Basically, data packets traveling across the network are inspected for the presence of a particular byte signature associated with a known worm. Knowledge of the worm's signature is typically obtained by extensive analysis of the malicious code after it has been detected on a victim network. This conventional worm detection technique is described in U.S. Patent Application No. 2005/0022018, which teaches a system for detecting and preventing the spread of malicious code in which a local analysis center provides a signature update to a network IDS. Another signature technique is described at http://www.cs.ucsd.edU/Dienst/UI/2.0/Describe/ncstrl. ucsd_cse/CS2003- 0761.
[0008] The signature update approach to detecting and stopping a worm attack is illustrated in Figure 1 , which shows a timeline of a worm's propagation in an enterprise network. The example of Figure 1 begins with an infected laptop computer connecting to a corporate network at time "TV As soon as the laptop connects to the network, the worm starts replicating itself by infecting nearby hosts. The worm continues to spread in an undetected manner until the time, T2, when network users or a system administrator first reports a problem with network operations or with particular computer nodes. At this point, the arduous and time-consuming process of manually analyzing and reverse-engineering the worm begins. Once a corresponding signature of the worm has been identified, a small piece of software (known as a "patch") designed to fix or shore up the vulnerability is then installed onto each and every node of the network. The creation of a patch is shown occurring at time T3 in Figure 1. [0009] One problem with existing signature update approaches is that it usually takes a long time (e.g., 4-5 hours) to generate a working patch after a worm has been detected. During this interval (e.g., from T2 to T3) the worm may continue to spread and infect tens of thousands of additional computers. Another drawback is that signature databases must be constantly updated, and the intrusion detection system must be able to compare and match activities against large collections of attack signatures. That is to say, a signature-based IDS only operates on known attacks. In addition, if signatures definitions are too specific the IDS may miss variations or mutations of known attacks. The signatures also need to be configured for each branch/installation of the network. For a large corporation the overhead associated with maintaining the signature database information can be very costly. [0010] Profile-based intrusion detection, sometimes called anomaly detection, is another security methodology that has been used to detect malicious network activity. Anomaly detection systems examine ongoing network traffic, activity, transactions, or behavior for anomalies on networks that deviates from a "normal" host-host communications profile. By keeping track of the services used/served by each host and the relationships between hosts, anomaly-based intrusion detection systems can observe when current network activity deviates statistically from the norm, thereby providing an indicator of attack behavior.
[0011] U.S. Patent No. 6,681 ,331 teaches a dynamic software management approach to analyzing the internal behavior of a system in order to assist in the detection of intruders. Departures from a normal system profile represent potential invidious activity on the system. U.S. Patent No. 6,711 ,615 describes a method of network surveillance that includes receiving network packets (e.g., TCP) handled by a network entity and building long-term and short-term statistical profiles. A comparison between the building long-term and short-term profiles is used to identify suspicious network activity.
[0012] One problem with conventional anomaly detection systems is that the baseline of normal behavior can easily change, causing anomaly- based IDS systems to be prone to false positives where attacks may be reported based on events that are in fact legitimate network activity, rather than representing real attacks. (A false negative occurs when the IDS fails to detect malicious network activity. Similarly, a true positive occurs when the IDS correctly identifies network activity as a malicious intrusion; a true negative occurs when the IDS does not report legitimate network activity as an intrusion.) Traditional anomaly detection systems can also impose heavy processing overheads on networks.
[0013] By way of further background, U.S. Patent No. 6,785,818 teaches a programmable control module adapted to determine when a change in mapping constitutes a malicious code attack. U.S. Patent No. 6,681 ,331 teaches a dynamic software management approach to analyzing the internal, normal behavior of a system in order to assist in the detection of intruders. U.S. Patent No. 6,711,615 describes a method of network surveillance that includes receiving network packets (e.g., TCP) handled by a network entity and building long-term and short-term statistical profiles. A comparison between the building long-term and short-term profiles is used to identify suspicious network activity. A network surveillance system that compares statistical profiles to identify suspicious network activity is disclosed in U.S. Patent No. 6,708,212.
[0014] Thus, there remains an unsatisfied need for an intrusion detection system and method capable of quickly detecting a worm attack, as distinguished from legitimate network behavior, and mitigating the effects of the attack.
BRIEF DESCRIPTION OF THE DRAWINGS
[0015] The present invention will be understood more fully from the detailed description that follows and from the accompanying drawings, which however, should not be taken to limit the invention to the specific embodiments shown, but are for explanation and understanding only.
[0016] Figure 1 is a timeline that illustrates a prior art signature- based worm detection approach.
[0017] Figure 2 is a diagram of a typical corporate network configuration in accordance with one embodiment of the present invention.
[0018] Figure 3 is a block diagram showing the basic architecture of a network intrusion detection device according to one embodiment of the present invention.
[0019] Figure 4 is a conceptual diagram of a module with knowledge database and correlation engine components according to one embodiment of the present invention.
[0020] Figure 5 is a network node diagram showing propagation across a network of a worm having a particular infection vector.
[0021] Figure 6 is a block diagram that illustrates worm alert correlation and alert alarms according to one embodiment of the present invention. [0022] Figure 7 is a flowchart showing a generalized worm detection process according to one embodiment of the present invention.
[0023] Figure 8 is a flowchart showing worm detection and mitigation processes according to one embodiment of the present invention.
DETAILED DESCRIPTION
[0024] A system and method for real-time detection of a network worm attack is described. In the following description specific details are set forth, such as devices, protocols, configurations, etc., in order to provide a thorough understanding of the present invention. However, persons having ordinary skill in the networking arts will appreciate that these specific details may not be needed to practice the present invention. [0025] Figure 2 is an exemplary network with an intrusion detection system in accordance with one embodiment of the present invention. A core corporate network 10 is shown having a plurality of nodes or devices that provide a gateway to various services, servers, applications, and subnetworks. For example, device 11 is shown connected with a set of file servers and/or application servers; device 12 connects network 10 with an outside network (e.g., the Internet); and devices 13 & 14 provide a gateway to computer nodes remotely located in corporate buildings "A" & "B", respectively. Also included in the diagram of Figure 2 is an intrusion detection (ID) device 16 that embodies intrusion detection hardware/firmware/software that includes anomaly detection (AD) functionality in accordance with one embodiment of the present invention. Alternatively, the intrusion detection function of device 16 can be distributed among one or more of network devices that act as traffic gateways. In still other embodiments, a method of intrusion detection according to the present invention may be implemented in machine-readable code stored in firmware, software, on a hard disk, etc., for execution on a general purpose processor. [0026] Figure 3 is a generalized block diagram showing an exemplary
ID device 16 that includes a processor 21 coupled with a memory unit 22, one or more hardware / software modules 20, and an input/output (I/O) interface 24 via a system bus 23. Modules 20 implement an IDS/IPS with anomaly detection (AD) using a knowledge database 31 coupled to a correlation engine 32, as depicted in Figure 4. It is appreciated that knowledge database 31 and correlation engine 32 may comprise separate hardware devices coupled to the system bus 23, or, alternatively, knowledge database 31 and correlation engine 32 may be implemented as software programs or modules that run on one or more processors. In other words, the AD engine may be implemented as separate hardware devices, memory locations (storing executable code), firmware devices, software modules, or other machine-readable devices. (In the context of the present application, therefore, the term "module" is to be understood as being synonymous with both hardware devices and computer-executable software code, programs or routines.)
[0027] As previously explained, the IDS/IPS of the present invention may also be distributed in the network, rather than residing on a single node or device 16. Another possibility is to implement the knowledge database and correlation engine functions on various gateway nodes of the network. [0028] In accordance with one embodiment of the present invention knowledge database 31 is generated by gathering information about normal network activity over a period of time (e.g., 4-6 hours) for the purpose of creating an activity baseline. That is, knowledge database 31 summarizes information about the kind and frequency of traffic generated by each and every node in the network. A baseline of normal behavior of the various network elements is then maintained in memory. In most cases, learning continues as the network is constantly monitored, new behaviors are detected, and the store of network activity and behavior is dynamically updated to track normal changes in host relations and network activity. In other words, the knowledge database of normal activity need not be static; it may evolve overtime as the network is reconfigured, expands, new users are added, etc.
[0029] When the AD engine of ID device 16 observes anomalous or abnormal behavior (i.e., activity that deviates from the baseline of normal activity) on the network, correlation engine 32 records the abnormality by an entry in an alert memory or storage unit 34 (see Figure 6). Note that an alert event may also be produced by an external device, such as an IDS associated with a sub-network or a computer system administrator (CSA). Once an alert event is produced, either by an AD module or another external device, correlation engine 32 begins tracking the abnormality to determine whether the abnormality represents legitimate or malicious network activity. [0030] There may be many valid reasons why a host deviates from its normal network activities. Examples include cases where the corporate network is reconfigured, or a new website is launched. Another example of activity that is not malicious, but outside of the bounds of daily normal activity, is where a host resets a password or other credentials. Because a given AD alert of abnormal behavior does not necessarily indicate a worm outbreak, correlation engine 32 tracks the abnormality to determine whether the particular behavior or activity is repeated or spreads in a pattern across the network.
[0031] Figure 5 is a network diagram showing propagation of a worm having a particular infection (i.e., attack) vector through a plurality of nodes A-F. Assume that the AD module of ID device 16 observes host "A" communicating with host "B" using a particular application or protocol, and that such communications have never been observed previously. This abnormal activity event is recognized by correlation engine 32 and the event information is stored in alert storage 34 (see Figure 6). The particular attack vulnerability shown in Figure 5 is on Transmission Control Protocol port 445 (TCP/445). Assume further that another AD alert event is generated when host "A" communicates with host "C" using the same application. At this point, the correlation engine not only recognizes that another abnormality occurred, but also that a pattern is emerging, i.e., host "A" communicating with another host using the same application or protocol. [0032] According to the present invention, correlation engine 32 includes a unit or module (shown by block 35 in Figure 6) for correlating alert events in order to identify patterns in abnormal behavior. When the pattern repeats itself in a certain manner, a worm alert alarm signal is generated. Periodic correlation of alerts is shown in Figure 6 by correlation unit 35 coupled with alert storage 34. Unit 35 generates a worm alert alarm output signal when a certain number of hosts exhibit behavior that exceeds a predetermined threshold. The trigger point mechanism (as represented by block 36) may also be made dependent upon activity that exceeds a particular threshold of normal behavior within a set time period. In other words, since worms tend to propagate very rapidly, infrequent AD events stretched out over long time periods may be ignored by the ID system. [0033] In the embodiment shown, the worm alert alarm signals generated by unit 35 include a list of infected hosts and protocols involved in the worm attack. Outputs may be sent to a signature event action processor (SEAP) 37, AD engine 38, as well as various external devices 39. SEAP 37 is responsible for coordinating the data flow from the signature event in the alarm channel to an event handler designed to take action mitigating spread of the worm. The output to AD engine 38 may notify the knowledge database with information about the infected hosts.
[0034] Continuing with the example of Figure 5, hosts "B" and "C" are shown exhibiting the same type of behavior as host "A". The same pattern is then repeated on hosts "D", "E", and "F". Correlation engine 32 accumulates these alert events related to the various hosts and new usages; it then periodically examines and correlates these events to determine when a new worm attack is present on the network. According to the present invention, a worm outbreak is declared when correlation engine 32 discovers a predetermined number of hosts exhibiting role-reversal behavior involving a common protocol within a given time period. In other words, when the number of hosts exhibiting role-reversal behavior exceeds a certain threshold, correlation engine 32 declares a worm outbreak using the associated protocol.
[0035] Figure 7 is a flowchart that illustrates a sequence of events in the real-time worm detection method according to one embodiment of the present invention. Assume that a compromised host Hi is trying to spread a worm across the network by communicating with hundreds of new hosts. When Hi is successful in infecting one of its victims, say, host H2, the victim then repeats the process by contacting hundreds of new hosts until it is able to successfully infect another host, e.g., host H3. Thus, the first AD event recognized by the correlation engine is host Hi as a client of a certain protocol (e.g., protocol-x) contacting host H2, which is shown by block 41. Block 42 shows host H2 as a server of protocol-x communicating with host H1. The next event in the sequence is host H2, now acting as a client of protocol-x, contacting host H3, is represented by block 43. The key event of host H2 becoming a client just after being a server, is referred to as role- reversal behavior at host H2 using protocol-x. This role-reversal behavior indicates to correlation engine 32 that host H2 is compromised in the same manner as host H2, and is exhibiting the same type of replicating behavior characteristic of a worm outbreak. According to one embodiment of the present invention, a worm outbreak is declared when a predetermined number (e.g., 40) of role-reversal events are observed occurring within a relatively short time period (say, 1 second).
[0036] As soon as a worm outbreak has been identified as described above, the particular attack vector (e.g., TCP/445) is extracted for use by SEAP 37 or other devices, nodes, administrators, etc., involved in the attack mitigation process. The attack vector is particularly useful in mitigating the attack since, for example, it enables the shutting down of vulnerable services or compromised hosts or nodes.
[0037] Figure 8 is a flowchart showing the overall worm detection and mitigation processes according to one embodiment of the present invention. The process begins with the production of an AD event (block 46), followed by accumulation of information about the event (e.g., host, application, protocol) in storage by the correlation engine (block 47). Block 48 represents the periodic examination of the AD events by the correlation engine to determine whether a pattern of abnormal behavior exceeds a predetermined threshold limit. In the context of the description provided above, the key trigger occurs when a certain number of hosts exhibit role-reversal behavior within a given time period. If the abnormal activity is below the threshold limit, the monitoring and tracking of AD events continues as before. On the other hand, if the threshold limit has been exceeded, a worm outbreak is declared (block 49), worm alarm alerts are generated by the correlation engine, and mitigation actions are commenced based on the extracted infection vector (block 50).
[0038] It is appreciated that a variety of different mitigating actions may be taken by the IDS/IPS depending upon the particular infection vector. For example, if the infection vector involves TCP/80 (which is normally used as an Internet access interface) the mitigation action may not include blocking of that particular port. Instead, the port can remain open but all traffic to new hosts may be blocked. In other words, the knowledge database may be consulted to determine which destination websites each host normally communicates with; traffic to those websites will be allowed, but all traffic to new websites will be blocked. This action has the effect of isolating the worm outbreak. Of course, in other instances, infected hosts on the network may simply be shut down to halt further spread of the worm. [0039] Still another alternative mitigating action is to re-direct all traffic associated with a particular service to an entirely different network or subnetwork, removed from the corporate production network. Yet another mitigation option is to inspect all packets passing through the IDS node or certain gateway nodes on the network for identifying characteristics of the particular infection vector. In this manner, traffic may be halted (or approved) on a per packet basis.
[0040] It should also be understood that elements of the present invention may also be provided as a computer program product which may include a machine-readable medium having stored thereon instructions which may be used to program a computer (or other electronic device) to perform a process. The machine-readable medium may include, but is not limited to, floppy diskettes, optical disks, CD-ROMs, and magneto-optical disks, ROMs, RAMs, EPROMs, EEPROMs, magnet or optical cards, propagation media or other type of media/machine-readable medium suitable for storing electronic instructions. For example, elements of the present invention may be downloaded as a computer program product, wherein the program may be transferred from a remote computer (e.g., a server) to a requesting computer (e.g., a customer or client) by way of data signals embodied in a carrier wave or other propagation medium via a communication link (e.g., a modem or network connection). [0041] Furthermore, although the present invention has been described in conjunction with specific embodiments, those of ordinary skill in the computer networking arts will appreciate that numerous modifications and alterations are well within the scope of the present invention. Accordingly, the specification and drawings are to be regarded in an illustrative rather than a restrictive sense.

Claims

CLAIMSWe claim:
1. An intrusion detection system (IDS) for a network that includes a plurality of hosts, comprising: a knowledge database containing a baseline of normal host behavior; and a correlation engine that monitors network activity with reference to the knowledge database, the correlation engine accumulating information about anomalous events occurring on the network and periodically correlating the anomalous events, the correlation engine generating a worm outbreak alarm when a number of the hosts exhibiting a role-reversal behavior exceeds a predetermined threshold.
2. The IDS of claim 1 further comprising: one or more processors; and one or more modules coupled to the processor, the one or more modules implement the knowledge database and correlation engine.
3. The IDS of claim 2 wherein the information includes an infection vector characteristic of a worm.
4. The IDS of claim 3 wherein the infection vector involves a particular protocol, and the one or more processors are operable to stop a new behavior of a host on the network that involves the particular protocol.
5. An intrusion detection system (IDS) for a network that includes a plurality of hosts, comprising: means for monitoring network activity with reference to a knowledge baseline of normal host behavior and for accumulating information about anomalous events occurring on the network and periodically correlating the anomalous events, the means generating a worm outbreak alarm when a number of infected hosts exhibiting a role-reversal behavior exceeds a predetermined threshold; and one or more processors operable to isolate the infected hosts in realtime.
6. A computer-implemented method for discovering a worm outbreak on a network comprising: detecting a number of hosts on the network exhibiting role-reversal behavior wherein:
(a) a first host acts as a client of a protocol and contacts a second host;
(b) the second host acts as a server of the protocol and replies to the first host;
(c) the second host acts as a client of the protocol and contacts a third host; and issuing a worm outbreak alarm when the number of hosts exhibiting role-reversal behavior exceeds a predetermined threshold in a given time period.
7. The computer-implemented method of claim 6 further comprising: determining that contact of the second host by the first host is an anomalous event in consultation with a knowledge database containing a baseline of normal host behavior.
8. The computer-implemented method of claim 7 further comprising: gathering information about network activity over a predetermined period of time to establish the baseline of normal host behavior.
9. The computer-implemented method of claim 8 further comprising: storing information about the anomalous event in a memory; extracting an infection vector characteristic of the worm outbreak from the stored information after issuance of the worm outbreak alarm.
10. A computer-implemented method for real-time discovery / mitigation of a worm outbreak on a network comprising: establishing a knowledge base of normal host behavior for the network; consulting the knowledge base to detect anomalous events on the network; storing information about the anomalous events in a memory; correlating the anomalous events to determine when a number of infected hosts on the network are exhibiting role-reversal behavior, wherein:
(a) a first host acts as a client of a protocol and contacts a second host; (b) the second host acts as a server of the protocol and replies to the first host;
(c) the second host acts as a client of the protocol and contacts a third host; and issuing a worm outbreak alarm when the number of hosts exhibiting role-reversal behavior exceeds a predetermined threshold in a given time period.
11. The computer-implemented method of claim 10 further comprising: stopping a behavior from a host involving the protocol.
12. The computer-implemented method of claim 10 further comprising: isolating the infected hosts in real-time.
13. The computer-implemented method of claim 10 further comprising: extracting an infection vector characteristic of the worm outbreak from the stored information.
14. The computer-implemented method of claim 10 further comprising: updating the knowledge base with the stored information.
15. A computer program product comprising a computer useable medium and computer-readable code embodied on the computer useable medium, execution of the computer readable code causing a computer network device to: detect a number of hosts on a network exhibiting role-reversal behavior wherein:
(a) a first host acts as a client of a protocol and contacts a second host;
(b) the second host acts as a server of the protocol and replies to the first host;
(c) the second host acts as a client of the protocol and contacts a third host; and issue a worm outbreak alarm when the number of hosts exhibiting role-reversal behavior exceeds a predetermined threshold in a given time period.
16. The computer program product of claim 15 wherein execution of the computer-readable code further causes the computer network device to: determine that contact of the second host by the first host is an anomalous event in consultation with a knowledge database containing a baseline of normal host behavior.
17. The computer program product of claim 16 wherein execution of the computer-readable code further causes the computer network device to: gather information about network activity over a predetermined period of time to establish the baseline of normal host behavior.
18. The computer program product of claim 16 wherein execution of the computer-readable code further causes the computer network device to: store information about the anomalous event; extract an infection vector characteristic of the worm outbreak.
19. The computer program product of claim 15 wherein execution of the computer-readable code further causes the computer network device to: isolate the hosts infected by the worm outbreak in real-time.
20. A computer program product comprising a computer useable medium and computer-readable code embodied on the computer useable medium, execution of the computer readable code causing a computer network device to: establish a knowledge base of normal host behavior for a network; detect anomalous events on the network with reference to the knowledge base; store information about the anomalous events in a memory; correlate the anomalous events to determine when a number of infected hosts on the network are exhibiting role-reversal behavior, wherein:
(a) a first host acts as a client of a protocol and contacts a second host;
(b) the second host acts as a server of the protocol and replies to the first host;
(c) the second host acts as a client of the protocol and contacts a third host; and issue a worm outbreak alarm when the number of hosts exhibiting role-reversal behavior exceeds a predetermined threshold in a given time period.
21. The computer program product of claim 15 wherein execution of the computer-readable code further causes the computer network device to: stop a behavior from a host involving the protocol.
22. The computer program product of claim 15 wherein execution of the computer-readable code further causes the computer network device to: isolate the infected hosts in real-time.
23. The computer program product of claim 15 wherein execution of the computer-readable code further causes the computer network device to: extract an infection vector characteristic of the worm outbreak from the stored information.
PCT/US2006/019634 2006-05-18 2006-05-18 System and method for detection and mitigation of network worms WO2008079103A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2006/019634 WO2008079103A2 (en) 2006-05-18 2006-05-18 System and method for detection and mitigation of network worms

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2006/019634 WO2008079103A2 (en) 2006-05-18 2006-05-18 System and method for detection and mitigation of network worms

Publications (2)

Publication Number Publication Date
WO2008079103A2 true WO2008079103A2 (en) 2008-07-03
WO2008079103A3 WO2008079103A3 (en) 2009-04-16

Family

ID=39563061

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2006/019634 WO2008079103A2 (en) 2006-05-18 2006-05-18 System and method for detection and mitigation of network worms

Country Status (1)

Country Link
WO (1) WO2008079103A2 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10447525B2 (en) 2017-06-05 2019-10-15 Microsoft Technology Licensing, Llc Validating correlation between chains of alerts using cloud view
CN112769595A (en) * 2020-12-22 2021-05-07 北京百度网讯科技有限公司 Abnormality detection method, abnormality detection device, electronic device, and readable storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020017958A1 (en) * 2000-06-06 2002-02-14 Van Zeijl Paulus Thomas Maria Phase lock circuit
US20030200464A1 (en) * 2002-04-17 2003-10-23 Computer Associates Think, Inc. Detecting and countering malicious code in enterprise networks

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020017958A1 (en) * 2000-06-06 2002-02-14 Van Zeijl Paulus Thomas Maria Phase lock circuit
US20030200464A1 (en) * 2002-04-17 2003-10-23 Computer Associates Think, Inc. Detecting and countering malicious code in enterprise networks

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10447525B2 (en) 2017-06-05 2019-10-15 Microsoft Technology Licensing, Llc Validating correlation between chains of alerts using cloud view
CN112769595A (en) * 2020-12-22 2021-05-07 北京百度网讯科技有限公司 Abnormality detection method, abnormality detection device, electronic device, and readable storage medium
CN112769595B (en) * 2020-12-22 2023-05-09 阿波罗智联(北京)科技有限公司 Abnormality detection method, abnormality detection device, electronic device, and readable storage medium

Also Published As

Publication number Publication date
WO2008079103A3 (en) 2009-04-16

Similar Documents

Publication Publication Date Title
US8161554B2 (en) System and method for detection and mitigation of network worms
US7228564B2 (en) Method for configuring a network intrusion detection system
US20190020667A1 (en) Non-rule based security risk detection
US20040117658A1 (en) Security monitoring and intrusion detection system
Stiawan et al. The trends of intrusion prevention system network
US20030188189A1 (en) Multi-level and multi-platform intrusion detection and response system
US20060037077A1 (en) Network intrusion detection system having application inspection and anomaly detection characteristics
JP2009504104A (en) System and method for realizing adaptive security by dynamically learning network environment
KR100947211B1 (en) System for active security surveillance
US20170070518A1 (en) Advanced persistent threat identification
CN114006723B (en) Network security prediction method, device and system based on threat information
CN113839935A (en) Network situation awareness method, device and system
US20090276852A1 (en) Statistical worm discovery within a security information management architecture
CN114006722B (en) Situation awareness verification method, device and system for detecting threat
US10205738B2 (en) Advanced persistent threat mitigation
KR100446816B1 (en) Network for integrated security management service
Coulibaly An overview of intrusion detection and prevention systems
CN114172881B (en) Network security verification method, device and system based on prediction
WO2008079103A2 (en) System and method for detection and mitigation of network worms
CN113904920B (en) Network security defense method, device and system based on collapse equipment
Czekster et al. Requirements for designing mobile and flexible applications for online invasion detection and remote control
Prabhu et al. Network intrusion detection system
Karthikeyan et al. Network Intrusion Detection System Based on Packet Filters
Hasegawa et al. An incident response support system based on seriousness of infection
CN114006802B (en) Situation awareness prediction method, device and system for collapse equipment

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 06760240

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase in:

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06760240

Country of ref document: EP

Kind code of ref document: A2