
Towards A Hybrid Honeyfarm Based Technique For Defense Against Worm Attacks

Pragya Jain
Department of Electronics & Computer Engineering Indian Institute of Technology Roorkee Roorkee, Uttarakhand, INDIA pjainpec@iitr.ernet.in

Anjali Sardana
Department of Electronics & Computer Engineering Indian Institute of Technology Roorkee Roorkee, Uttarakhand, INDIA anjlsfec@iitr.ernet.in

Abstract: With the increasing speed of the Internet and the proliferation of network applications, the threat of Internet worms has grown. With new worms appearing at a fast pace of late, conventional classification and defense techniques no longer cover the wide spectrum of recent worm attacks such as Stuxnet (2010), Morto (2011) and Duqu (October 2011). Honeypots have been found to be effective against zero-day threats, and the recent trend in worm defense leverages honeypots alone or honeypots combined with either signature-based or anomaly-based detection. Although such honeypot-based techniques are effective, a scattered deployment of honeypots is resource intensive and impractical because of its distributed cost. Moreover, these techniques suffer from one or more of high false positives, high false negatives, reduced sensitivity and reduced specificity. In this paper we propose a hybrid solution against Internet worms which uses honeypots in conjunction with both signature-based and anomaly-based detection. The paper discusses the emergence of Internet worms, their life cycle and various worm propagation models. It then presents a classification of worms that is more exhaustive than earlier ones: it includes recent worm attacks and gives a better and quicker understanding of recent worm behavior, aiding the design of accurate defense mechanisms. An exhaustive comparison of existing defense techniques follows, which justifies the need for the proposed solution. The proposed scheme combines detection (signature-based and anomaly-based) with containment (honeypots), taking the advantages of both and hence providing an effective defense against Internet worms.
Keywords: Internet worm, honeypot, anomaly-based detection, signature-based detection.

I. INTRODUCTION

An Internet worm is a computer program that replicates itself without user intervention. Worms generally exploit technical vulnerabilities. Since Internet worms are fully automated, their behavior is repetitive and hence predictable [1]. The Morris worm, the first major worm attack, caused a loss of $10 million in 1988. The Code Red worm caused $2.62 billion of damage in 2001. Every year since, worm attacks have grown both in the number of infected machines and in economic impact. The major attacks and their economic impact are listed in Fig. 1. Along with the growth in infected machines, each new worm used new techniques for replicating: Melissa in 1999 was the first mass-mailer worm, ILOVEYOU in 2000 was the first to use social engineering, and Nimda in 2001, Slammer in 2003 and MyDoom in 2004 are further examples of novel propagation techniques. Stuxnet, reported in June 2010, is the first worm known to attack computer-assisted industrial control systems (ICS); it targeted supervisory control and data acquisition (SCADA) systems, including those controlling nuclear facilities. Nowadays a worm's malicious payload can do much more: launch distributed denial of service (DDoS) attacks, distribute spam, spoof, commit cyber crime, or anything else the attacker chooses. Moreover, propagation techniques have advanced from simple e-mail propagation through social networks to hybrid strategies, so traditional countermeasures, namely worm detectors, anti-malware software, patch management, firewalls, IDS and, more recently, honeypot-based defenses, are not resilient against recent worm attacks; each has one or more disadvantages. Here we propose a hybrid scheme that integrates anomaly and signature detection with honeypots, taking the advantages of both and hence developing an effective defense against Internet worms.

This paper is organized as follows. Section II discusses the life cycle of a worm. Section III discusses how Internet worms emerged. Section IV discusses a classification which incorporates all worm attacks to date. Section V discusses worm propagation models. Section VI surveys the defense mechanisms against worms and their key features: traditional defenses such as anti-malware software, firewalls and IDS, then honeypot-based defenses, and finally hybrids of honeypots with signature-based and anomaly-based detection. Section VII identifies the research gaps and Section VIII proposes a hybrid approach against worms. Section IX concludes the paper.

Figure 1: Major worm attacks [2-6]

II. LIFE CYCLE OF A WORM

The life cycle of a worm consists of three phases, namely the infection phase, the payload phase and the propagation phase (see Fig. 2). Each is explained below:

a. Infection phase: This is the phase in which a worm chooses its initial victim. It does this by exploiting some vulnerability in the software. The vulnerability may be an open port, a weak password or a specific flaw in a particular piece of software.

b. Payload phase: After choosing the initial victim, the worm launches its malicious code on the victim's computer. Nowadays a worm does not just contain the replication code but a lot more than that.

c. Propagation phase: Since worms spread by propagating themselves to other machines, this phase continuously hunts for further victims. Worms can propagate by any medium, for example e-mail, file sharing sites or flash drives.

Figure 2: Life cycle of a worm

III. BRIEF HISTORY: WORM ATTACKS

Creeper, in 1971, is generally accepted as the first computer worm. It was developed as an experiment to test a mobile application; the Reaper program was later written to delete Creeper. During the 1970s the notions of computer worm and virus were not yet in use. The term "worm" was coined by John Shoch and Jon Hupp at Xerox PARC in 1979, inspired by the network-based multi-segmented "tapeworm" in John Brunner's novel The Shockwave Rider [7]. Shoch and Hupp used "worm" to refer to any multi-segmented computation spread over multiple computers. Meanwhile many self-replicating programs were written, but they fell into the virus rather than the worm category, as they could not propagate by themselves. Christmas Tree EXEC was the first widely disruptive replicating network program; it paralyzed several international computer networks in December 1987. In November 1988 the famous Morris worm disabled 6,000 machines connected to the Internet (almost 10 percent of all connected machines) and caused a loss of $10 million through lost Internet access. The Morris worm, written by Cornell student Robert Morris, was the first major worm attack [8]. It was among the first to use a combination of attacks to spread quickly: cracking password files, exploiting the debug option in the Unix "sendmail" program, and carrying out a buffer overflow attack through a vulnerability in the Unix "finger" daemon. The investigation later found that Robert Morris had not written the code as an attack; he was trying to gauge the number of hosts connected to the Internet, and the program turned into an attack. The Morris worm is considered the first major worm attack because of the massive damage it caused.

Happy99, the second major worm attack, appeared in January 1999. It was the first worm to use e-mail for its propagation [9]. It attaches itself to e-mail and displays fireworks wishing the victim a Happy New Year, while in the background it alters the host machine's wsock32.dll, the computer's doorway to the Internet. Then, each time the user initiates e-mail or newsgroup activity, whether receiving or sending e-mail or posting to a newsgroup, Happy99 spams the newsgroup or e-mail recipient with copies of itself. Any activity on port 25 (Simple Mail Transfer Protocol, SMTP) or 119 (Network News Transfer Protocol, NNTP) triggers this spam activity. It also keeps a list of the spammed e-mail addresses and newsgroups in a separate file called LISTE.SKA. Its author, Spanska, speculated that between 9,000 and 15,000 computers had been infected. Two months later the Internet was hit by the Melissa worm, which caused a $1.1 billion loss. Melissa was not the first e-mail worm, but it was the first mass mailer: for each infection it sent 50 copies of itself using the victim's address book. Several months later the Love Letter worm [10] struck the Internet, causing enormous loss. The Code Red worm appeared in 2001 and broke the records of all earlier worm attacks [11]; it attacked an indexing utility installed by default on Microsoft IIS web servers. After Code Red the major attacks were Nimda, Blaster, Sobig, MyDoom and others.

In 2005 Samy was the first cross-site scripting worm, developed to propagate across the MySpace social networking site [12]. Its author, Samy Kamkar, is known as the father of XSS social networking worms. The worm carried a payload that displayed the string "but most of all, Samy is my hero" on a victim's profile; when a user viewed that profile, the payload was planted on their page as well. Within 20 hours of its October 4, 2005 release, over one million users had run the payload, making Samy one of the fastest spreading worms of all time. Execution of the payload resulted in a "friend request" automatically being sent to the author and in messages containing the payload being left on the profiles of the victim's friends.

Conficker, in November 2008, is an example of a worm using multiple modes of propagation [13]. Conficker is a Dynamic Link Library (DLL), Microsoft's implementation of the shared library concept in Windows and OS/2, that uses a Remote Procedure Call (RPC) buffer overflow to push its code onto a Windows machine. Conficker then directs the infected computer to communicate with another address space [14]. There have been five main variants of Conficker, as named by the members of the Conficker Working Group: A, B, B++, C and E.

In 2010 Stuxnet was reported as the first malware to affect the infrastructure of a country [15]. Security researchers say that Stuxnet is the first malware to exploit vulnerabilities in a Programmable Logic Controller (PLC). Stuxnet targeted Siemens industrial software and equipment running Microsoft Windows. Its payload infected Siemens Supervisory Control and Data Acquisition (SCADA) systems that control very important industrial processes such as nuclear and hydro power plants. According to Symantec, the worm mainly affected Iran (58% of infected machines), Indonesia (18.22%) and India (8.31%). The most recent attacks are the Morto and Duqu worms of 2011. Researchers have found Stuxnet-like code in Duqu and have described it as a precursor to the next Stuxnet.

IV. INTERNET WORM: A NOVEL CLASSIFICATION

Many worm classifications have been published in the literature [1, 16, 17]. However, these classifications are superficial and do not cover the latest Internet worms. In [18] we proposed a classification of Internet worms which, unlike previous classifications, covers the magnitude of recent worm attacks. It includes cross-site scripting and botnet worm attacks, the latest techniques for spreading malicious code, and it incorporates distinct classes of propagation-based attack, namely exploit-based, embedded and botnet. The classification categorizes Internet worms on the basis of multiple factors: target discovery, payload, propagation and activation, as shown in Fig. 3.

1. Target discovery: Target discovery is done in the infection phase, when the worm chooses new victims. There are many ways in which a worm can choose new machines to exploit:
Scanning: To find new victims, the worm on the infected host scans the network. Scanning can be random, sequential or topological. A topological worm scans the local network (i.e. the IP addresses in the subnet), discovers the local topology and gathers information, then selects new victims according to that information. Blaster is an example.
Pre-generated target list: The worm on the infected host may already carry a list of new victims.
Externally generated list: When an attacker controls the infected host, as in a botnet, the master sends the list of targets. MyDoom belongs to this category.
Passive: These worms either wait for potential victims to contact the worm or rely on user behavior to discover new targets. Happy99 is of this type: every time an e-mail or news post is sent, the worm sends a second copy to one of the addresses from the user's address book.

2. Payload: On the basis of payload, worms can be classified as monomorphic, polymorphic or metamorphic.
Monomorphic: The payload is simple self-replicating code that does not change between infections.
Polymorphic: The worm changes its payload (for example by re-encrypting it) each time it replicates.
Metamorphic: The worm changes its behavior as well as its appearance, rewriting its payload on each replication rather than only re-encoding it.

3. Propagation: Worms are also classified on the basis of propagation technique. Broadly, on the basis of propagation strategy, worms fall into three categories:
Embedded: The worm attaches itself to something, e.g. e-mail or a social networking site, and provokes users to open the attachment. Melissa, the Storm worm and Happy99 are examples of e-mail worms: Happy99 replicated itself every time the user sent a mail, while Storm and Melissa were mass mailers, sending copies to many addresses from the address book. Samy is an example of a cross-site scripting worm, developed to propagate across the MySpace social networking site.
Exploit based: These worms exploit vulnerabilities present in the system, e.g. a buffer overflow. SQL Slammer, which exploited a buffer overflow bug in Microsoft's SQL Server and Desktop Engine database products, is an example. Exploit-based worms can be further sub-categorized into self-carried and second-channel; second-channel worms use some other means, such as file sharing networks, for propagation. Blaster and Koobface are second-channel worms.
Botnet: A botnet is a group of compromised hosts under the control of a botmaster. The compromised machines' actions are entirely controlled and initiated by commands sent by the botmaster. MyDoom is an example.

4. Activation: Although worms are self-replicating and self-propagating, they need to be activated; an e-mail worm, for example, cannot propagate until a user clicks on the attachment. Activation may be of any of the following types:
Human activation: The worm propagates through user activity, e.g. data transfer or forwarding e-mail. Melissa is an example.
Scheduled: The worm contains a specific time in its code and propagates at that time.
Self activation: Each time the worm propagates, it schedules itself for the next time.

Figure 3: Internet worm: novel classification

V. WORM PROPAGATION MODELS

An accurate Internet worm propagation model gives insight into worm behavior, identifies weaknesses in the worm spreading chain and provides accurate predictions for damage assessment of a new worm threat [16, 19]. Worm propagation models can be categorized as epidemic models and two-factor models.

5.1 Simple epidemic model
In the classical simple epidemic model, each host belongs to one of two groups [19] (see Fig. 4(a)):

Susceptible individuals, S(t): systems that have neither been attacked by the worm nor have any defense (vaccine) against it.
Infective individuals, I(t): systems that have been attacked by the worm.
The number of infected hosts evolves as

$\frac{dI(t)}{dt} = \beta S(t) I(t)$ (1)

where $S(t) = N - I(t)$, $N$ is the total population and $\beta$ is the infection rate. Thus

$\frac{dI(t)}{dt} = \beta I(t)[N - I(t)]$ (2)

The disadvantage of the simple epidemic model is that it can describe the propagation status in the initial stage but not later, since infected hosts never recover.

5.2 Kermack-McKendrick model
The general epidemic model is also known as the Kermack-McKendrick (KM) model. It extends the simple epidemic model so that each host belongs to one of three groups [1, 19] (see Fig. 4(b)):
Susceptible individuals, S(t)
Infective individuals, I(t)
Removed individuals, R(t): systems that have been patched against the attack and have developed immunity to it.

$\frac{dI(t)}{dt} = \beta S(t) I(t) - \frac{dR(t)}{dt}$ (3)

$\frac{dR(t)}{dt} = \gamma I(t)$ (4)

where $\gamma$ is the removal rate. The KM model improves on the simple epidemic model by considering that some infectious hosts either recover or die after some time. However, it is still not perfectly suited to modeling Internet worm propagation, as human countermeasures remove both susceptible and infectious hosts from circulation. Furthermore, the infection rate is assumed to be constant, which is not true for a fast spreading worm.

5.3 Susceptible-infectious-susceptible model
The susceptible-infectious-susceptible (SIS) model is an extended form of the KM model with the assumption that a recovered host has the same probability of being infected as a susceptible host. The equation for infected hosts is [19]:

$\frac{dI(t)}{dt} = \beta I(t)[N - I(t)] - \gamma I(t)$ (5)

5.4 Two-factor model
Traditional epidemic models do not consider two important factors [1, 19]: (1) countermeasures taken by users and ISPs, which remove both susceptible and infected hosts, and (2) the decreased infection rate caused by the large amount of scan traffic. A new model was therefore developed in which $\beta$ is a function of time, $\beta(t)$, and a new group $Q(t)$, the number of hosts removed from the susceptible population, is added (see Fig. 4(c)):

$\frac{dS(t)}{dt} = -\beta(t) S(t) I(t) - \frac{dQ(t)}{dt}$ (6)

$S(t) = N - I(t) - R(t) - Q(t)$ (7)

Figure 4: (a) Simple epidemic model (b) Kermack-McKendrick model (c) Two-factor model

To solve these equations, the dynamic properties of the worm must be known:
$\beta(t)$: determined by the impact of the worm traffic on the Internet infrastructure and the spreading efficiency of the worm code.
$R(t)$, $Q(t)$: these depend on people's awareness of the worm and on the difficulty of patching and filtering.

VI. DEFENSE MECHANISMS
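The four models of Section V, integrated numerically by forward Euler, as an added example (this code is not from the paper or from [19]). The population N = 1000, infection rate β = 0.001 and removal rate γ = 0.2 are assumed values chosen so that βN/γ = 5; for the two-factor model the page does not spell out β(t) or dQ/dt, so the common forms β(t) = β0(1 - I/N)^η and dQ/dt = μ S (I + R) are assumed, with μ = 0.0002 and η = 3.

```python
# Added example: forward-Euler integration of the propagation models of
# Section V. Not from the paper; N, beta, gamma, mu and eta are assumed values.


def simple_epidemic(N=1000, I0=1, beta=0.001, dt=0.01, t_end=20.0):
    """Eq. (2): dI/dt = beta*I*(N - I). Returns the trajectory of I(t)."""
    I, trajectory = float(I0), []
    for _ in range(int(t_end / dt)):
        I += dt * beta * I * (N - I)
        trajectory.append(I)
    return trajectory


def kermack_mckendrick(N=1000, I0=1, beta=0.001, gamma=0.2, dt=0.01, t_end=100.0):
    """Eqs. (3)-(4): hosts move S -> I -> R, R being patched/immune hosts."""
    S, I, R = float(N - I0), float(I0), 0.0
    for _ in range(int(t_end / dt)):
        new_infections = beta * S * I   # beta*S(t)*I(t)
        removals = gamma * I            # dR/dt = gamma*I(t)
        S -= dt * new_infections
        I += dt * (new_infections - removals)
        R += dt * removals
    return S, I, R


def sis(N=1000, I0=1, beta=0.001, gamma=0.2, dt=0.01, t_end=100.0):
    """Eq. (5): recovered hosts become susceptible again, so I(t) settles
    at the endemic level N - gamma/beta instead of dying out."""
    I = float(I0)
    for _ in range(int(t_end / dt)):
        I += dt * (beta * I * (N - I) - gamma * I)
    return I


def two_factor(N=1000, I0=1, beta0=0.001, gamma=0.2, mu=0.0002, eta=3,
               dt=0.01, t_end=100.0):
    """Eqs. (6)-(7) with assumed closures (not stated on the page):
    beta(t) = beta0*(1 - I/N)**eta models congestion from scan traffic, and
    dQ/dt = mu*S*(I + R) models susceptible hosts pulled out of circulation
    by patching/filtering as awareness (I + R) grows."""
    S, I, R, Q = float(N - I0), float(I0), 0.0, 0.0
    for _ in range(int(t_end / dt)):
        beta_t = beta0 * (1.0 - I / N) ** eta
        new_infections = beta_t * S * I
        removals = gamma * I
        quarantined = mu * S * (I + R)
        S -= dt * (new_infections + quarantined)   # eq. (6)
        I += dt * (new_infections - removals)
        R += dt * removals
        Q += dt * quarantined                      # S + I + R + Q = N, eq. (7)
    return S, I, R, Q


def compare_final_size():
    """Hosts ever infected (I + R) under KM versus under the two-factor model."""
    _, I_km, R_km = kermack_mckendrick()
    _, I_tf, R_tf, _ = two_factor()
    return I_km + R_km, I_tf + R_tf


if __name__ == "__main__":
    print("simple epidemic, I(20):", round(simple_epidemic()[-1], 2))
    print("KM final (S, I, R):", [round(x, 2) for x in kermack_mckendrick()])
    print("SIS endemic level:", round(sis(), 2), "expected", 1000 - 0.2 / 0.001)
    print("two-factor final (S, I, R, Q):", [round(x, 2) for x in two_factor()])
    print("ever infected, KM vs two-factor:", compare_final_size())
```

Running it shows the qualitative differences the text describes: the simple model saturates at N, the KM model burns out with I(t) near zero and almost every host in R, the SIS model settles at N - γ/β = 800 infected hosts, and the two-factor model infects strictly fewer hosts in total because β(t) falls as scan traffic grows and Q(t) drains the susceptible pool.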

Developing an effective defense is essential, as a worm can severely hamper the working of the Internet. The defense mechanisms discussed in this paper are categorized as follows. First is the traditional approach, which includes worm detectors, anti-malware software, patch management, firewalls and intrusion detection systems. Second is the honeypot-based approach. Honeypots act as deception tools for luring attackers and logging their activities [20]; the gathered information is then used to develop countermeasures. Combinations of a honeypot with either signature-based or anomaly-based detection also fall under the honeypot-based approach. Finally, the integrated approach combines honeypots with both signature-based and anomaly-based detection and hence takes the advantages of both while minimizing their disadvantages.

6.1 Traditional defense mechanisms
Worm detectors: Worm detectors scan the network and indicate the presence of worms based on factors such as the number of new connections and failed connections [21]. These factors represent very specific characteristics of worms. The TRW (Threshold Random Walk) detector works on the assumption that a worm selects targets at random and hence the number of failed connections is very high; TRW therefore works best for random-scanning worms. The Destination-Source Correlation detector detects a worm infection by correlating an incoming connection on a given port with subsequent outgoing infections on that port; if the connection rate exceeds a threshold, an alarm is raised, with a different threshold for each port. Another worm detector is the Protocol Graph Detector (PGD), which builds a graph of hosts communicating over a given protocol (the nodes are hosts); an abnormal graph size in a given window indicates the presence of a worm. Worm detectors are very easy to deploy, but no detector stands out as the best in all situations. A detector that performs outstandingly for random scanning may not work for a topological worm: TRW is best for random-scanning worms, but a topological worm with a large supply of neighbors is not detectable by TRW at all, while PGD has a high detection rate for topological worms.

Patch management: As already mentioned, worms generally exploit technical vulnerabilities, so a defense is required that patches these vulnerabilities to stop further propagation. Patch management is the process of detecting and repairing known software or operating system vulnerabilities to prevent their exploitation by malicious code [22]. The process can be automatic or manual. Vendors offering automated patch management systems include, but are not limited to, Microsoft, PatchLink, Shavlik and Symantec. Patch management can be an effective tool against worms and can reduce related damage by stopping further spread. Code Red and Blaster exploited known buffer overflow vulnerabilities in Microsoft Internet Information Services and the Windows Remote Procedure Call service respectively. In a 24-hour period, Code Red and Blaster infected 265,000 and 336,000 PCs respectively. The estimated cost of cleaning up Code Red exceeded $2 billion, and that of Blaster exceeded $500 million. Companies that had patched against the vulnerabilities exploited by Code Red and Blaster likely did not suffer the same consequences as companies that had not. Organizations must take care when practicing this defense, however, as patches have the potential to break applications and operating systems. Worm statistics show that the number of published vulnerabilities and the speed with which they are exploited are both increasing rapidly. To practice this defense, an organization must research and test software patches before general deployment, which presents a challenge: a CERT report states that the number of newly discovered vulnerabilities reported to the CERT/CC continues to more than double each year, and it is difficult for administrators to keep up to date with patches. A further challenge is to deploy a patch as soon as the vulnerability is discovered.

Anti-malware software: Anti-malware software is a generic term for anti-virus and anti-spyware products. These products use signature files and heuristic techniques to detect malware [22]. Known worms are detected by the information contained in signature files, which must be updated regularly. In heuristic detection, behavior patterns are examined to determine whether a program exhibits worm characteristics. Anti-malware vendors include, but are not limited to, Avira, BitDefender, CounterSpy, Microsoft, McAfee, Symantec, Trend Micro and Webroot. Vendors now provide automatic signature updates, but several disadvantages remain. First, no single anti-malware product is capable of detecting all kinds of worms. Installing multiple anti-malware products improves the detection rate and increases security, but also increases the computational burden on the host and, in an organization, the administration burden. Second, heuristic detection can be evaded by some worms. Third, although vendors provide automatic updates, the updates must propagate faster than the worm as soon as it is detected. Finally, anti-malware systems cannot detect unknown worms.

Wrapper programs: Wrapper programs are used to "filter" network connections, rejecting or allowing certain types of connection (or connections from a pre-determined set of systems). Overlaps in trust may still allow infection to occur (A trusts B but not C; B trusts C; C infects B, which infects A).

Firewalls: Firewalls can be deployed either on the host or at the network perimeter. Host-based firewalls are installed directly on the client computer to monitor and control inbound and outbound traffic [22]; traffic is allowed or denied on the basis of rules configured in the firewall. Host-based firewall vendors include, but are not limited to, Check Point (ZoneLabs), Microsoft and Symantec. A firewall deployed at the network perimeter lets an organization detect external threats, but network-based firewalls cannot detect insider threats. Host-based firewalls block non-standard ports by default, which stops worms that propagate over such ports, but they fail to defend against worms that use a standard port such as port 80 (HTTP) for propagation. Both host-based and network-based firewalls fail in the case of an internal threat, i.e. an attack by a node within the network.

Intrusion detection systems: An IDS overcomes some disadvantages of firewalls; for example, firewalls fail on encrypted traffic and cannot detect internal threats. An IDS quietly listens to network traffic in order to detect abnormal or suspicious activity, thereby reducing the risk of intrusion [23]. IDSes can be signature-based, detecting worms by comparison with stored signatures, or anomaly-based, raising an alarm for any anomalous activity. IDSes can be deployed on hosts as well as on the network. Examples include, but are not limited to, Snort [24], Bro and Vanguard Enforcer. Firewalls, anti-malware software, patch management systems, worm detectors and other security products all perform functions essential to system security, and IDSes are not intended to replace any of them. However, by monitoring the event logs generated by these systems, as well as monitoring system activity for signs of attack, intrusion detection systems provide an added measure of integrity to the rest of the security infrastructure. They also have disadvantages. Increasingly they must operate on encrypted packets, where analysis is complicated, and they cannot directly detect attacks inside properly encrypted traffic. A network-based IDS has a high probability of false negatives (attacks not detected as attacks), as it is difficult to monitor the whole network, while a host-based IDS does not see the network-wide impact of an attack.
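A worked version of the TRW detector described under worm detectors at the start of this subsection, added here as an example (not code from the paper or from [21]). It implements the sequential hypothesis test of Jung et al.: each remote source's first connection attempt to each distinct destination moves a log-likelihood ratio up on failure and down on success, and the source is flagged once the ratio crosses a threshold. The priors θ0 = 0.8 (benign success rate), θ1 = 0.2 (scanner success rate) and the targets α = 0.01 (false positive rate), β = 0.99 (detection probability) are the defaults from that work; the flow log is constructed for the example.

```python
import math
from collections import defaultdict

# Constructed sample flow log (not real traffic): time, src, dst, dport, outcome.
# 10.0.0.5 sweeps port 445 and never connects; 10.0.0.7 behaves like a user
# with one failed connection; 10.0.0.9 is seen only once.
SAMPLE_FLOWS = """\
1 10.0.0.5 192.168.1.10 445 fail
2 10.0.0.5 192.168.1.11 445 fail
3 10.0.0.7 192.168.1.20 80 ok
4 10.0.0.5 192.168.1.12 445 fail
5 10.0.0.7 192.168.1.21 80 ok
6 10.0.0.5 192.168.1.13 445 fail
7 10.0.0.7 192.168.1.22 80 ok
8 10.0.0.7 192.168.1.22 80 ok
9 10.0.0.7 192.168.1.23 80 fail
10 10.0.0.7 192.168.1.24 80 ok
11 10.0.0.9 192.168.1.30 22 ok
12 10.0.0.7 192.168.1.25 80 ok
"""


class TRWDetector:
    """Threshold Random Walk: a sequential hypothesis test per remote source.

    H0 = benign (connections succeed with probability theta0),
    H1 = scanner (connections succeed with probability theta1 < theta0).
    Each first contact with a new destination moves the log-likelihood ratio
    up (failure) or down (success); crossing eta1 flags a scanner, crossing
    eta0 clears the source.  alpha/beta are the target false-positive rate
    and detection probability (defaults follow Jung et al.).
    """

    def __init__(self, theta0=0.8, theta1=0.2, alpha=0.01, beta=0.99):
        self.step_success = math.log(theta1 / theta0)              # < 0
        self.step_failure = math.log((1 - theta1) / (1 - theta0))  # > 0
        self.eta1 = math.log(beta / alpha)                         # scanner
        self.eta0 = math.log((1 - beta) / (1 - alpha))             # benign
        self.walk = defaultdict(float)     # src -> running log-likelihood ratio
        self.contacted = defaultdict(set)  # src -> destinations already counted
        self.verdicts = {}                 # src -> "scanner" | "benign"

    def observe(self, src, dst, success):
        """Feed one connection attempt; returns the verdict once decided."""
        if src in self.verdicts:
            return self.verdicts[src]
        if dst in self.contacted[src]:
            return None  # repeat contact with a known host carries no evidence
        self.contacted[src].add(dst)
        self.walk[src] += self.step_success if success else self.step_failure
        if self.walk[src] >= self.eta1:
            self.verdicts[src] = "scanner"
        elif self.walk[src] <= self.eta0:
            self.verdicts[src] = "benign"
        return self.verdicts.get(src)


def run_trw(flow_log=SAMPLE_FLOWS, **params):
    """Replay a whitespace-separated flow log; returns {src: verdict}."""
    detector = TRWDetector(**params)
    for line in flow_log.splitlines():
        _ts, src, dst, _dport, outcome = line.split()
        detector.observe(src, dst, outcome == "ok")
    return dict(detector.verdicts)


def failures_to_flag(theta0=0.8, theta1=0.2, alpha=0.01, beta=0.99):
    """Consecutive first-contact failures that push a fresh source over eta1."""
    d = TRWDetector(theta0, theta1, alpha, beta)
    return math.ceil(d.eta1 / d.step_failure)
```

With the default parameters four consecutive failed first contacts are enough to flag a source, while a single failure among otherwise successful connections is absorbed by the walk. Only first contacts are scored, which is exactly why the text notes that a topological worm with a large supply of valid neighbors evades TRW: its connections mostly succeed, so the walk drifts toward the benign threshold.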

6.2 Recent defense mechanisms
A honeypot is based on the idea of exposing vulnerabilities to lure attackers: when an attacker tries to communicate with the deployed honeypot, it monitors and logs the attacker's activities, and the defenses of the real system are developed accordingly [20]. Looking only at traffic to the honeypot has the major benefit that one knows one is dealing with suspicious traffic, since the whole point of a honeypot is to capture such traffic [20]. Honeypots can be used against worms in two ways: as a standalone defense, or integrated, i.e. used in conjunction with either signature-based or anomaly-based detection. Each of these approaches is discussed briefly below.

Honeypot technology has evolved very rapidly because of its simplicity, low risk and other advantages. A honeypot develops the countermeasure by learning the attack strategy of the adversary rather than taking the purely defensive approach of traditional techniques, and thus presents an additional level of security [20]. Honeycomb [25], HoneyAnalyzer [26], HoneyStat [27] and HoneyCyber [28] are examples of honeypot-based defenses; they are compared in Table 1. Honeycomb [25] automatically generates signatures for an intrusion detection system using a longest common substring algorithm. HoneyAnalyzer [26] overcomes a disadvantage of Honeycomb by incorporating semantic awareness, but neither generates signatures for zero-day attacks, and neither has any means of detecting polymorphic worms. HoneyStat [27] focuses on local network attacks, while HoneyCyber [28] focuses only on polymorphic worms. Compared with a detection scheme used on its own, i.e. signature-based detection (e.g. Snort) or anomaly-based detection, honeypots give fewer false alarms, and this can be improved further by integrating the two approaches.

6.3 Integrated defense
Signature-based and anomaly-based detection are well known detection schemes, whereas a honeypot is considered an effective containment scheme. In an integrated defense mechanism a honeypot is used with either signature-based or anomaly-based detection.

6.3.1 Honeypot with signature-based detection
Most deployed worm-detection systems are signature-based, which belongs to the misuse-detection category. They look for specific byte sequences (called attack signatures). Normally, attack signatures are identified manually by human experts through careful analysis of the byte sequences in captured attack traffic. Signature-based approaches have the advantage over anomaly-based systems that they are simple and able to operate online in real time. Combining honeypots with signature-based detection gives the advantages of both; the problem is that such systems can only detect known attacks with identified signatures produced by experts. SweetBait [29] and Argos [30] are two examples of integrated detectors that use honeypots in conjunction with signature-based detection. Table 1 identifies the disadvantages of this approach.

6.3.2 Honeypot with anomaly-based detection
This approach integrates a honeypot with anomaly detection, offering a tradeoff between false positive and false negative rates [31]. It incorporates the advantages of both: the honeypot is used to improve the accuracy of detecting worm attacks, while the anomaly detection system enlarges the detection scope. Shadow Honeypots [32] is an example. Since anomaly-based detection is used, there is no need to worry about the size of the signature database or about specific kinds of worm such as polymorphic or scanning worms; detection is in terms of anomalous behavior. The only problem with this approach is the computational cost of training the anomaly detectors.

VII. RESEARCH GAPS

The comparative study of honeypot-based detection methods is given in Table 1. Honeypot-based approaches overcome various disadvantages of the traditional approaches. However, no single approach is capable of detecting all existing as well as hypothetical worms; for example, there are very limited solutions for topological, passive and metamorphic worms. Integrated approaches combine the best features of detection and containment schemes, yet some loopholes remain. The integrated approach that combines signature-based detection with honeypots does not detect polymorphic worms (as they change their payload), it generates redundant signatures, and it can detect only known worm attacks. Integrating anomaly-based detection with honeypots overcomes the problem of detecting zero-day attacks, but the computational cost of building the various anomaly profiles is very high. Hence there is a need to incorporate the best features of the two integrated approaches so that the computational complexity is reduced and the system is capable of detecting a wide spectrum of worm attacks, including polymorphic worms.

VIII. PROPOSED SOLUTION

In this paper we propose a hybrid solution against Internet worms which uses honeypots in conjunction with both signature-based and anomaly-based detection (see Fig. 5). A honeyfarm is a solution for simplifying large honeypot deployments [33]. A distributed collection of honeypots is effective in discovering and analyzing new worms before a large number of systems are infected, but such a system is impractical because of the maintenance cost required [34]. A honeyfarm is a centralized collection of honeypots: instead of deploying honeypots on every network, they are deployed in a single location, and attackers are redirected to the farm irrespective of which network they are on or probing. At the first level we use signature-based detection for known worm attacks, which lets the system operate in real time. Any deviation from normal behavior is detected by the anomaly detector at the second level. The last level is the honeypots, which help in detecting zero-day attacks not caught by the previous two levels. Low-interaction honeypots (emulating services) are deployed to track the attacker's activities, while high-interaction honeypots support systematic study of the attacks and help in finding vulnerabilities of the system so that a better prevention system can be developed. A controller redirects traffic to the respective honeypots; for example, if malicious traffic is making a database query, the controller forwards it to the honeypot emulating a database service. To reduce the risk of the controller itself being attacked, the controller role is rotated among the honeypots periodically.

Figure 5: Hybrid honeyfarm based defense against worms
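As an added illustration of the three-level pipeline of Section VIII (not code from the paper or its authors), the following Python model chains the two detection levels with a honeyfarm controller: level 1 matches known byte-sequence signatures, level 2 flags deviations from a baseline learned on normal traffic (an unseen service port, or a source touching more distinct ports than any baseline source did), and level 3 forwards whatever the first two levels did not tag to the honeypot emulating the targeted service, rotating the controller role among the honeypots. The signatures, ports, addresses and traffic are constructed for the example, and the choice to tag rather than forward flows caught at levels 1 and 2 is a modelling assumption.

```python
"""Added example, not the paper's own code: toy model of the hybrid
honeyfarm pipeline (signature -> anomaly -> honeyfarm controller).
All signatures, ports, hosts and flows below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # source host (constructed address)
    dst_port: int   # service the flow targets
    payload: bytes  # first bytes of the request


# Level 1: signature database. Constructed byte patterns, not real worm signatures.
SIGNATURES = {
    "known-worm-A": b"\x90\x90\x90EXPLOIT-A",
    "known-worm-B": b"GET /probe-B HTTP/1.0",
}


def match_signature(flow):
    """Return the name of the first signature found in the payload, or None."""
    for name, sig in SIGNATURES.items():
        if sig in flow.payload:
            return name
    return None


class AnomalyDetector:
    """Level 2: a profile of normal traffic; the cost is paid once, at training time."""

    def __init__(self):
        self.known_ports = set()          # services seen in the baseline
        self.max_fanout = 0               # most distinct ports any baseline source used
        self._fanout = defaultdict(set)   # live per-source port footprint

    def train(self, normal_flows):
        per_src = defaultdict(set)
        for f in normal_flows:
            self.known_ports.add(f.dst_port)
            per_src[f.src].add(f.dst_port)
        self.max_fanout = max(len(p) for p in per_src.values())

    def is_anomalous(self, flow):
        """Unseen port, or a source fanning out wider than the baseline, is a deviation."""
        self._fanout[flow.src].add(flow.dst_port)
        return (flow.dst_port not in self.known_ports
                or len(self._fanout[flow.src]) > self.max_fanout)


class HoneyfarmController:
    """Level 3: central dispatch to service-specific honeypots at one location."""

    SERVICE_HONEYPOTS = {3306: "db-honeypot", 80: "web-honeypot", 22: "ssh-honeypot"}
    DEFAULT_HONEYPOT = "generic-honeypot"

    def __init__(self, rotation_period=2):
        self.nodes = sorted(set(self.SERVICE_HONEYPOTS.values()) | {self.DEFAULT_HONEYPOT})
        self.rotation_period = rotation_period
        self.dispatched = 0

    @property
    def controller_node(self):
        # The controller role moves to the next honeypot every rotation_period dispatches.
        return self.nodes[(self.dispatched // self.rotation_period) % len(self.nodes)]

    def dispatch(self, flow):
        """Forward the flow to the honeypot emulating the service it targets."""
        self.dispatched += 1
        return self.SERVICE_HONEYPOTS.get(flow.dst_port, self.DEFAULT_HONEYPOT)


def classify(flow, detector, farm):
    """Run one flow through the three levels; return (level that handled it, verdict)."""
    sig = match_signature(flow)
    if sig:
        return (1, sig)
    if detector.is_anomalous(flow):
        return (2, "anomaly")
    return (3, farm.dispatch(flow))


def run_demo():
    # Constructed baseline: three hosts, each using at most two services.
    baseline = [Flow("10.0.0.1", 80, b"GET / HTTP/1.1"), Flow("10.0.0.1", 3306, b"\x00login"),
                Flow("10.0.0.2", 22, b"SSH-2.0-client"), Flow("10.0.0.3", 80, b"GET /i HTTP/1.1")]
    detector = AnomalyDetector()
    detector.train(baseline)
    farm = HoneyfarmController(rotation_period=2)
    traffic = [                                                   # constructed flows
        Flow("10.0.0.9", 80, b"GET /probe-B HTTP/1.0\r\n"),       # known signature
        Flow("10.0.0.7", 445, b"\x00\x00\x00\x85\xffSMB"),          # port never seen in baseline
        Flow("10.0.0.8", 3306, b"\x00SELECT version()"),            # unknown: database honeypot
        Flow("10.0.0.8", 80, b"GET /admin HTTP/1.1"),               # unknown: web honeypot
        Flow("10.0.0.8", 22, b"SSH-2.0-scanner"),                   # fan-out beyond baseline
    ]
    return [classify(f, detector, farm) for f in traffic], farm.controller_node


if __name__ == "__main__":
    for item in run_demo()[0]:
        print(item)
```

Run as a script it prints one (level, verdict) pair per constructed flow; the fifth flow shows why level 2 sits in front of the farm: each of that source's ports is a known service, so no signature fires, but its footprint exceeds the baseline fan-out and it is tagged before consuming honeypot capacity.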

IX. CONCLUSIONS

In this paper we have discussed a classification of worms that categorizes Internet worms in a way that covers a wide spectrum of worm attacks. Worm propagation models provide an insight into the behavior of worms and thus help in developing an effective defense against them. Various countermeasures against worms, with their advantages and disadvantages, have been discussed. Honeypots are preferred over traditional methods as they are simple, pose low risk and are very effective in defense against worms. But the scattered deployment of honeypots is resource intensive and impractical due to maintenance cost. A hybrid honeyfarm-based approach is proposed, in which honeypots are deployed at a single location along with a signature-based detector and an anomaly-based detector. Centralized deployment of honeypots leverages the advantages of the honeyfarm, and hence a robust and effective defense against worms becomes feasible.

Table 1: Honeypot based Defense Approaches

REFERENCES

[1] P. Li, M. Salour, and X. Su, "A survey of internet worm detection and containment," IEEE Communications Surveys & Tutorials, vol. 10, pp. 20-35, 2008.
[2] http://en.wikipedia.org/wiki/Timeline_of_computer_viruses_and_worms.
[3] B. Cashell and S. Library of Congress. Congressional Research, "The economic impact of cyber-attacks," Congressional Research Service, Library of Congress, 2004.
[4] S. C. Shih and H. J. Wen, "E-enterprise security management life cycle," Information Management & Computer Security, vol. 13, pp. 121-134, 2005.
[5] R. Power, 2002 CSI/FBI Computer Crime and Security Survey: Computer Security Institute, 2002.
[6] http://en.wikipedia.org/wiki/Koobface.
[7] J. Nazario, Defense and Detection Strategies against Internet Worms: Artech House Publishers, 2004.
[8] H. Orman, "The Morris worm: a fifteen-year perspective," IEEE Security & Privacy, vol. 1, pp. 35-43, 2003.
[9] N. Weaver, "A Brief History of the Worm," Security Focus Online, vol. 26, 2001.
[10] M. Bishop, "Analysis of the ILOVEYOU Worm," Internet: http://nob.cs.ucdavis.edu/classes/ecs1552005-04/handouts/iloveyou.pdf, 2000.
[11] D. Moore, C. Shannon, and k. claffy, "Code-Red: a case study on the spread and victims of an internet worm," in Proceedings of the 2nd ACM SIGCOMM Workshop on Internet Measurement, Marseille, France, 2002.
[12] J. Grossman, "Cross-site scripting worms and viruses," Whitehat Security, 2006.
[13] S. Shin and G. Gu, "Conficker and beyond: a large-scale empirical study," 2010, pp. 151-160.
[14] L. Runheng, G. Liang, and J. Yan, "Propagation Model for Botnet Based on Conficker Monitoring," in Second International Symposium on Information Science and Engineering (ISISE), 2009, pp. 185-190.
[15] T. M. Chen, "Stuxnet, the real start of cyber warfare? [Editor's Note]," IEEE Network, vol. 24, pp. 2-3, 2010.
[16] S. Qing and W. Wen, "A survey and trends on Internet worms," Computers & Security, vol. 24, pp. 334-346, 2005.
[17] W. Nicholas, P. Vern, S. Stuart, and C. Robert, "A taxonomy of computer worms," in Proceedings of the 2003 ACM Workshop on Rapid Malcode, Washington, DC, USA, 2003.
[18] P. Jain and A. Sardana, "A hybrid honeyfarm based technique for defense against worm attacks," in World Congress on Information and Communication Technologies (WICT), 2011, pp. 1084-1089.
[19] S. Misslinger, "Internet Worm Propagation," Technische Universität München, 2003.
[20] L. Oudot, "Fighting internet worms with honeypots," http://www.securityfocus.com/infocus/1740, 2003.
[21] S. Stafford and J. Li, "Behavior-Based Worm Detectors Compared," in Recent Advances in Intrusion Detection, vol. 6307, S. Jha, R. Sommer, and C. Kreibich, Eds., Springer Berlin / Heidelberg, 2010, pp. 38-57.
[22] M. Garuba, L. Chunmei, and N. Washington, "A Comparative Analysis of Anti-Malware Software, Patch Management, and Host-Based Firewalls in Preventing Malware Infections on Client Computers," in Fifth International Conference on Information Technology: New Generations (ITNG 2008), 2008, pp. 628-632.
[23] R. Heady and U. o. N. M. D. o. C. Science, The Architecture of a Network-Level Intrusion Detection System: Department of Computer Science, College of Engineering, University of New Mexico, 1990.
[24] M. Roesch, "Snort-lightweight intrusion detection for networks," in Proceedings of LISA '99: 13th Systems Administration Conference, 1999, pp. 229-238.
[25] C. Kreibich and J. Crowcroft, "Honeycomb: creating intrusion detection signatures using honeypots," ACM SIGCOMM Computer Communication Review, vol. 34, pp. 51-56, 2004.
[26] U. Thakar, S. Varma, and A. Ramani, "HoneyAnalyzer analysis and extraction of intrusion detection patterns & signatures using honeypot," in The Second International Conference on Innovations in Information Technology (IIT05), 2005.
[27] D. Dagon, X. Qin, G. Gu, W. Lee, J. Grizzard, J. Levine, and H. Owen, "Honeystat: Local worm detection using honeypots," 2004, pp. 39-58.
[28] M. M. Z. E. Mohammed, H. A. Chan, and N. Ventura, "Honeycyber: Automated signature generation for zero-day polymorphic worms," in IEEE Military Communications Conference (MILCOM 2008), 2008, pp. 1-6.
[29] G. Portokalidis and H. Bos, "SweetBait: Zero-hour worm detection and containment using low- and high-interaction honeypots," Computer Networks, vol. 51, pp. 1256-1274, 2007.
[30] G. Portokalidis, A. Slowinska, and H. Bos, "Argos: an emulator for fingerprinting zero-day attacks for advertised honeypots with automatic signature generation," ACM SIGOPS Operating Systems Review, vol. 40, pp. 15-27, 2006.
[31] Y. Yu, L. Jun-wei, G. Fu-xiang, Y. Ge, and D. Qing-xu, "Detecting and Defending against Worm Attacks Using Bot-honeynet," in Second International Symposium on Electronic Commerce and Security (ISECS '09), 2009, pp. 260-264.
[32] K. G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, and A. D. Keromytis, "Detecting targeted attacks using shadow honeypots," in Proceedings of the 14th USENIX Security Symposium, Baltimore, MD, 2005.
[33] C. Kreibich, N. Weaver, C. Kanich, W. Cui, and V. Paxson, "GQ: Practical Containment for Measuring Modern Malware Systems," Technical Report TR11-002, International Computer Science Institute, 2011.
[34] N. Weaver, V. Paxson, and S. Staniford, "Wormholes and a honeyfarm: Automatically detecting novel worms," USENIX Security, 2003.
