Project: Flash Worm Detection

Student Researchers: Falguni Negandhi, Ashira Khera, Ervi Bongso, Soid Quintero

Advisor: Mark Stamp

Institution: San Jose State University

Webpage: http://www.cs.sjsu.edu/~flashworm/





Project Description: goals and purpose of the project

Introduction

Computer networks are vulnerable to many types of attacks. Attackers can easily create worms and viruses that spread across a network. Both worms and viruses cause damage, but worms are more dangerous in a networked environment because they spread without any human intervention. Furthermore, it has been shown that worms can be constructed to spread extremely quickly; these rapidly spreading worms are known as "flash" worms. It has been estimated that a well-designed flash worm could infect the entire Internet in less than 15 seconds. At that speed, manual detection is hopeless, so an automated means of detecting flash worms is needed.

Goal and Purpose

The goal of this project is to create an automated detection mechanism for a flash worm attack on a network, building on previous work on this problem. Specifically, we plan to automatically identify patterns in network traffic that are indicative of a flash worm attack. A crucial part of this work is to measure the false alarm rate of the proposed detection method; to do so, we will test our software on simulated network data as well as real network data.

Process used on the project

We collected real Internet traffic using Wireshark as our primary capture tool. The raw capture was reduced to three fields per packet (time, source, and destination), with some further simplification of the data, and the traffic was then grouped into discrete time intervals. This pre-processed data was stored in a 3-D array indexed [source][destination][time interval], where x and y identify the source and destination hosts and z is the time interval.

We also generated simulated data with the well-known network simulator NS2, which we used, among other things, to simulate a flash worm attack on a network. The NS2 data was then used to test our code and confirm that it could, in fact, detect a flash worm. The NS2 data was, of course, filtered in the same way as the live (Wireshark) data.

During a flash worm attack we expect the traffic to form a tree-like structure: an infected host contacts new hosts, each of which in turn contacts further hosts in the same or later time intervals. To detect an attack, we apply graph theory techniques to the matrices described above and compute the maximum "height" of any tree in the data, that is, the longest chain of successive source-to-destination contacts. Once a predetermined threshold height is exceeded, we treat this as an indicator of a possible flash worm attack.

Our software was successfully tested: it detected the simulated flash worm attack, and it raised no alarm when no flash worm was present, at least in our test cases.

Conclusions

The primary tangible result of this work is a successful implementation of a plausible flash worm detection strategy. The software appears to work well on simulated data, but has not been thoroughly tested on real network traffic.

In the process of this research, we encountered some problems that we did not completely resolve. Most importantly, loops present a challenge (e.g., A talks to B, then B talks to A, and so on): a naive height computation follows such a back-and-forth exchange as if it were an ever-deepening chain, so care must be taken to distinguish loops from trees. Because of some of our simplifications, this proved more difficult than expected. Loops are common in real traffic, since ordinary request/response exchanges produce them, and they require additional processing by our detection software. We understand how to handle loops within our detection strategy, but we did not have sufficient time to fully implement this part of the detector.
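The following is an added illustration of the tree-height detection described in the Process section and of the loop problem discussed above; it is example code written for this page, not the project's own software. It assumes a sparse representation of the [source][destination][time interval] array, a one-second interval, and a height threshold of 3; the packet records and the threshold are constructed for the example and are not captured data. A chain is taken to continue when a contacted host itself contacts a new host in a strictly later interval. Loops are handled by refusing to revisit a host already on the current chain, which is one way to keep a request/response exchange from being counted as a deep tree; the naive variant is kept so the resulting false alarm can be seen.

```python
from collections import defaultdict

# Constructed sample packets as (timestamp in seconds, source, destination).
# Made up for this example; not captured traffic.
WORM_PACKETS = [
    (0.10, "10.0.0.1", "10.0.0.2"),
    (1.20, "10.0.0.2", "10.0.0.3"),
    (1.30, "10.0.0.2", "10.0.0.4"),
    (2.10, "10.0.0.3", "10.0.0.5"),
    (2.20, "10.0.0.4", "10.0.0.6"),
    (3.05, "10.0.0.5", "10.0.0.7"),
]

# A benign conversation: the two hosts alternate as sender interval after interval.
LOOP_PACKETS = [
    (0.50, "192.168.1.10", "192.168.1.20"),
    (1.50, "192.168.1.20", "192.168.1.10"),
    (2.50, "192.168.1.10", "192.168.1.20"),
    (3.50, "192.168.1.20", "192.168.1.10"),
    (4.50, "192.168.1.10", "192.168.1.20"),
    (5.50, "192.168.1.20", "192.168.1.10"),
]


def build_traffic_matrix(packets, interval=1.0):
    """Sparse form of the [source][destination][time interval] array:
    maps (src, dst) to the sorted list of interval indices with traffic."""
    matrix = defaultdict(set)
    for ts, src, dst in packets:
        if src != dst:
            matrix[(src, dst)].add(int(ts // interval))
    return {key: sorted(slots) for key, slots in matrix.items()}


def _successors(matrix):
    """Invert the matrix into src -> list of (dst, interval) contact edges."""
    out = defaultdict(list)
    for (src, dst), slots in matrix.items():
        for t in slots:
            out[src].append((dst, t))
    return out


def max_tree_height(matrix, distinct_hosts=True):
    """Height (number of edges) of the longest chain h0->h1 at t1, h1->h2 at
    t2 > t1, ... in the traffic.  With distinct_hosts=True a host may not
    reappear on a chain, so an A<->B ping-pong counts as height 1 rather than
    as a tree that deepens by one level per interval.  Plain depth-first
    search; fine for an illustration, exponential in the worst case."""
    succ = _successors(matrix)

    def dfs(host, t_last, on_path):
        best = 0
        for nxt, t in succ.get(host, ()):
            if t <= t_last:          # the chain must move forward in time
                continue
            if distinct_hosts:
                if nxt in on_path:   # a loop, not a new branch of the tree
                    continue
                on_path.add(nxt)
                best = max(best, 1 + dfs(nxt, t, on_path))
                on_path.remove(nxt)
            else:                    # naive variant: revisits allowed
                best = max(best, 1 + dfs(nxt, t, on_path))
        return best

    return max((dfs(root, -1, {root}) for root in succ), default=0)


def detect_flash_worm(packets, interval=1.0, height_threshold=3, distinct_hosts=True):
    """Return (alert, height).  The threshold is an assumed example value."""
    height = max_tree_height(build_traffic_matrix(packets, interval), distinct_hosts)
    return height >= height_threshold, height


if __name__ == "__main__":
    print("worm only, loop-aware:  ", detect_flash_worm(WORM_PACKETS))
    print("benign loop, loop-aware:", detect_flash_worm(LOOP_PACKETS))
    print("benign loop, naive:     ", detect_flash_worm(LOOP_PACKETS, distinct_hosts=False))
```

On these inputs the worm chain 10.0.0.1 to 10.0.0.2 to 10.0.0.3 to 10.0.0.5 to 10.0.0.7 has height 4 and is flagged, while the benign conversation has height 1 with loop handling but height 6 without it, so the naive computation raises exactly the kind of false alarm the conclusions warn about.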

A second unresolved problem is the false alarm rate. Due to various technical difficulties, we have not thoroughly tested our software on live data. Consequently, we cannot make any strong claims about the practical utility of our approach, since that depends heavily on the false alarm rate: on a busy network, even a small false alarm rate per time interval would produce a steady stream of false alerts and render the tool impractical.

We plan to complete additional work on this project over the summer, and we hope to completely resolve these two remaining issues.

Websites Developed and Publications

Web pages developed:

  1. http://www.cs.sjsu.edu/~flashworm/
Papers or posters at conferences:
  1. This work was presented at the San Jose State University College of Science Research Day during the Spring 2008 semester. We plan to complete and submit a paper based on this work, but first we need to make additional progress on the issues discussed above.



Back to 2007-2008 Project Listing