Many worm detectors have been proposed and are being deployed, but the literature does not clearly indicate which one is the best. New worms such as IKEE.B (also known as the iPhone worm) continue to present new challenges to worm detection, further raising the question of how effective our worm defenses are. In this paper, we identify six behavior-based worm detection algorithms as being potentially capable of detecting worms such as IKEE.B, and then measure their performance across a variety of environments and worm scanning behaviors, using common parameters and metrics. We show that the underlying network trace used to evaluate worm detectors significantly impacts their measured performance. An environment containing substantial gaming and file sharing traffic can cause the detectors to perform poorly. No single detector stands out as suitable for all situations. For instance, connection failure monitoring is the most effective algorithm in many environments, but it fails badly at detecting topologically aware worms.

The Cornell commission: on Morris and the worm

Behavior-based worm detectors compared

Virtually every day data breach incidents are reported in the news. Scammers, fraudsters, hackers and malicious insiders are raking in millions with sensitive business and personal information. Not all incidents involve cunning and astute hackers. The involvement of insiders is ever increasing. Data information leakage is a critical issue for many companies, especially nowadays where every employee has an access to high speed internet. In the past, email was the only gateway to send out information but with the advent of technologies like SaaS (e.g. Dropbox) and other similar services, possible routes have become numerous and complicated to guard for an organisation. Data is valuable, for legitimate purposes or criminal purposes alike. An intuitive approach to check data leakage is to scan the network traffic for presence of any confidential information transmitted. The existing systems use slew of techniques like keyword matching, regular expression pattern matching, cryptographic algorithms or rolling hashes to prevent data leakage. These techniques are either trivial to evade or suffer with high false alarm rate. In this thesis, 'known file content' detection in network traffic using approximate matching is presented. It performs content analysis on-the-fly. The approach is protocol agnostic and filetype independent. Compared to existing techniques, proposed approach is straight forward and does not need comprehensive configuration. It is easy to deploy and maintain, as only file fingerprint is required, instead of verbose rules.

File Detection in Network Traffic Using Approximate Matching

This special issue will give you a greater understanding of what CSIRTs are and how they work. For the security researcher, these articles highlight challenges faced by operational security, presenting opportunities for new research avenues. Security practitioners can use the diverse perspectives presented in these articles to help them be more effective at their jobs. And policy makers can gain insights into how their work might impact these critical organizations.

On Computer Security Incident Response Teams

The UNIX operating system was developed in a friendly, collaborative environment without any particular predefined objectives. As it entered less friendly environments, expanded its functionality, and became the basis for commercial, infrastructure, and home systems, vulnerabilities in the system affected its robustness and security. This paper presents a brief history of UNIX vulnerabilities, beginning with a report written in 1981-1983, but never published. It examines how the nature of vulnerabilities has (and has not) changed since then, and presents some thoughts on the future of vulnerabilities in the UNIX operating system and its variants and other UNIX-like systems.

/pdf/reflections-on-unix-vulnerabilities-11qouvcc6z.pdf

Reflections on UNIX Vulnerabilities

Weaponized software is the latest development in a decades-old battle of virus-antivirus co-evolution. Reactively adaptive malware and automated binary transformation are two recently emerging offensive and defensive (respectively) technologies that may shape future cyberwarfare weapons. The former intelligently learns and adapts to antiviral defenses fully automatically in the wild, while the latter applies code mutation technology to defense, transforming potentially dangerous programs into safe programs. These technologies and their roles within the landscape of malware attack and defense are examined and discussed.

/pdf/stealthy-software-next-generation-cyber-attacks-and-defenses-z5foh426jl.pdf

The Cornell commission: on Morris and the worm

Citations

Behavior-based worm detectors compared

File Detection in Network Traffic Using Approximate Matching

On Computer Security Incident Response Teams

Reflections on UNIX Vulnerabilities

Stealthy software: Next-generation cyber-attacks and defenses