Automatic Defense Against Zero-day Polymorphic Worms in Communication Networks

Polymorphic worm attacks are considered one of the top threats to Internet security. They can be used to delay networks, steal information, delete information, and launch flooding attacks against servers. This book supplies unprecedented coverage of how to generate automated signatures for unknown p...

Bibliographic details
Main author: Mohammed, Mohssen
Format: E-book
Language: English
Published: United Kingdom Auerbach Publications 2013
CRC Press
Auerbach Publishers, Incorporated
Edition: 2
ISBN:9781466557284, 1466557281, 9781466557277, 1466557273, 9780367380038, 036738003X
Contents:
  • Cover -- Half Title -- Title Page -- Copyright Page -- Dedication -- Contents -- Preface -- About the Authors -- Chapter 1 The Fundamental Concepts -- 1.1 Introduction -- 1.1.1 Network Security Concepts -- 1.1.2 Automated Signature Generation for Zero-day Polymorphic Worms -- 1.2 Our Experience and This Book's Objective -- References -- Chapter 2 Computer Networking -- 2.1 Computer Technologies -- 2.2 Network Topology -- 2.2.1 Point-to-Point Topology -- 2.2.2 Daisy-Chain Topology -- 2.2.3 Bus (Point-to-Multipoint) Topology -- 2.2.4 Distributed Bus Topology -- 2.2.5 Ring Topology -- 2.2.6 Dual-Ring Topology -- 2.2.7 Star Topology -- 2.2.8 Star-Wired Bus Topology -- 2.2.9 Star-Wired Ring Topology -- 2.2.10 Mesh Topology -- 2.2.11 Hierarchical or Tree Topology -- 2.2.12 Dual-Homing Topology -- 2.3 Internet Protocol -- 2.4 Transmission Control Protocol -- 2.5 IP Routers -- 2.6 Ethernet Switch -- 2.7 IP Routing and Routing Table -- 2.8 Discussion on Router -- 2.8.1 Access Mechanisms for Administrators -- 2.8.2 Security Policy for a Router -- 2.8.3 Router Security Policy Checklist -- 2.9 Network Traffic Filtering -- 2.9.1 Packet Filtering -- 2.9.2 Source Routing -- 2.10 Tools Used for Traffic Filtering or Network Monitoring -- 2.10.1 Packet Capture -- 2.11 Concluding Remarks -- References -- Chapter 3 Intrusion Detection and Prevention Systems (IDPSs) -- 3.1 Introduction -- 3.2 IDPS Detection Methods -- 3.2.1 Signature-Based Detection -- 3.2.2 Anomaly-Based Detection -- 3.2.3 Stateful Protocol Analysis -- 3.3 IDPS Components -- 3.4 IDPS Security Capabilities -- 3.5 Types of IDPS Technologies -- 3.5.1 Network-Based IDPSs -- 3.5.2 Wireless IDPSs -- 3.5.3 NBA Systems -- 3.5.4 Host-Based IDPS -- 3.6 Integration of Multiple IDPSs -- 3.6.1 Multiple IDPS Technologies -- 3.6.2 Integration of Different IDPS Products -- 3.7 IDPS Products
  • 3.7.1 Common Enterprise Network-Based IDPSs -- 3.7.2 Common Enterprise Wireless IDPSs -- 3.7.3 Common Enterprise NBA Systems -- 3.7.4 Common Enterprise Host-Based IDPSs -- 3.8 Concluding Remarks -- References -- Chapter 4 Honeypots -- 4.1 Definition and History of Honeypots -- 4.1.1 Honeypot and Its Working Principle -- 4.1.2 History of Honeypots -- 4.1.3 Types of Honeypots -- 4.2 Types of Threats -- 4.2.1 Script Kiddies and Advanced Blackhat Attacks -- 4.2.2 Attackers' Motivations -- 4.3 The Value of Honeypots -- 4.3.1 Advantages of Honeypots -- 4.3.2 Disadvantages of Honeypots -- 4.3.3 Roles of Honeypots in Network Security -- 4.4 Honeypot Types Based on Interaction Level -- 4.4.1 Low-Interaction Honeypots -- 4.4.2 High-Interaction Honeypots -- 4.4.3 Medium-Interaction Honeypots -- 4.5 An Overview of Five Honeypots -- 4.5.1 BackOfficer Friendly -- 4.5.2 Specter -- 4.5.3 Honeyd -- 4.5.4 ManTrap -- 4.5.5 Honeynets -- 4.6 Conclusion -- References -- Chapter 5 Internet Worms -- 5.1 Introduction -- 5.2 Infection -- 5.2.1 Code Injection -- 5.2.2 Edge Injection -- 5.2.3 Data Injection -- 5.3 Spreading -- 5.4 Hiding -- 5.4.1 Traffic Shaping -- 5.4.2 Polymorphism -- 5.4.3 Fingerprinting -- 5.5 Worm Components -- 5.5.1 Reconnaissance -- 5.5.2 Attack Components -- 5.5.3 Communication Components -- 5.5.4 Command Components -- 5.5.5 Intelligence Capabilities -- 5.6 Worm Life -- 5.6.1 Random Scanning -- 5.6.2 Random Scanning Using Lists -- 5.6.3 Island Hopping -- 5.6.4 Directed Attacking -- 5.6.5 Hit-List Scanning -- 5.7 Polymorphic Worms: Definition and Anatomy -- 5.7.1 Polymorphic Worm Definition -- 5.7.2 Polymorphic Worm Structure -- 5.7.3 Invariant Bytes -- 5.7.4 Polymorphic Worm Techniques -- 5.7.5 Signature Classes for Polymorphic Worms -- 5.8 Internet Worm Prevention Methods -- 5.8.1 Prevention of Vulnerabilities -- 5.8.2 Prevention of Exploits
  • 5.9 Conclusion -- References -- Chapter 6 Reading Resources on Automated Signature Generation Systems -- 6.1 Introduction -- 6.1.1 Hybrid System (Network Based and Host Based) -- 6.1.2 Network-Based Mechanisms -- 6.1.3 Host-Based Mechanisms -- References -- Chapter 7 Signature Generation Algorithms for Polymorphic Worms -- 7.1 String Matching -- 7.1.1 Exact String-Matching Algorithms -- 7.1.2 Approximate String-Matching Algorithms -- 7.2 Machine Learning -- 7.2.1 Supervised Learning -- 7.2.2 Algorithm Selection -- 7.2.3 Logic-Based Algorithms -- 7.2.4 Learning Set of Rules -- 7.2.5 Statistical Learning Algorithms -- 7.2.6 Support Vector Machines -- 7.3 Unsupervised Learning -- 7.3.1 A Brief Introduction to Unsupervised Learning -- 7.3.2 Dimensionality Reduction and Clustering Models -- 7.3.3 Expectation-Maximization Algorithm -- 7.3.4 Modeling Time Series and Other Structured Data -- 7.3.5 Nonlinear, Factorial, and Hierarchical Models -- 7.3.6 Intractability -- 7.3.7 Graphical Models -- 7.3.8 Exact Inference in Graphs -- 7.3.9 Learning in Graphical Models -- 7.3.10 Bayesian Model Comparison and Occam's Razor -- 7.4 Concluding Remark -- References -- Chapter 8 Zero-day Polymorphic Worm Collection Method -- 8.1 Introduction -- 8.2 Motivation for the Double-Honeynet System -- 8.3 Double-Honeynet Architecture -- 8.4 Software -- 8.4.1 Honeywall Roo CD-ROM -- 8.4.2 Sebek -- 8.4.3 Snort_inline -- 8.5 Double-Honeynet System Configurations -- 8.5.1 Implementation of Double-Honeynet Architecture -- 8.5.2 Double-Honeynet Configurations -- 8.6 Chapter Summary -- References -- Chapter 9 Developed Signature Generation Algorithms -- 9.1 Introduction -- 9.2 An Overview and Motivation for Using String Matching -- 9.3 The Knuth-Morris-Pratt Algorithm -- 9.3.1 Proposed Substring Extraction Algorithm -- 9.3.2 A Modified Knuth-Morris-Pratt Algorithm
  • 9.3.3 Testing the Quality of the Generated Signature for Polymorphic Worm A -- 9.4 Modified Principal Component Analysis -- 9.4.1 An Overview of and Motivation for Using PCA in Our Work -- 9.4.2 Our Contributions in the PCA -- 9.4.3 Determination of Frequency Counts -- 9.4.4 Using PCA to Determine the Most Significant Data for Polymorphic Worm Instances -- 9.4.5 Testing the Quality of the Generated Signature for Polymorphic Worm A -- 9.5 Clustering Method for Different Types of Polymorphic Worms -- 9.6 Signature Generation Algorithm Pseudocodes -- 9.6.1 Signature Generation Process -- 9.6.2 Testing the Quality of the Generated Signature for Polymorphic Worm A -- 9.7 Chapter Summary -- 9.8 Conclusion and Recommendations for Future Work -- References -- Index