The MITRE Digest

Closing a Can of Worms: Designing an Automated Worm Detection System


July 2006

Infected computer

On January 25, 2003, the Sapphire/Slammer worm was released onto the Internet. And it spread. Every 8.5 seconds, the number of computers infected doubled. Within ten minutes, the worm had infected 90 percent of vulnerable systems.

In all, most of the 75,000 computers vulnerable to the worm were contaminated. Models show that if the worm had been targeted at a widely used platform such as Windows XP, it would have infected between 8 and 20 million machines within a few seconds.

On the Internet, crawlies don't creep. They sprint.

But even the fastest computer worms won't be able to outrace the automated worm detection system that Dan Ellis, a MITRE information security scientist, is perfecting.

A Worm That Puts You on the Hook

Unlike a virus, which spreads from file to file, a computer worm is a self-replicating program that spreads from computer to computer. A virus, usually with the inadvertent help of a user, spreads from one system to another on human time scales—within hours or days. However, a worm doesn't need a computer user to open an email, click on a link, or run a program. A worm simply enters through a breach in the computer's security, copies itself, and then scans along the computer's network connections to find another vulnerable machine. That allows a worm to spread from machine to machine on computer time scales—milliseconds.

But worms can do more than destroy. They can also steal.

A Precision-Guided Weapon

"The Sapphire/Slammer worm was released to simply spread randomly on the Internet," says Ellis. "And, like most worms, it wasn't designed to do anything but spread as quickly as possible. A worm by itself is only a process that knows how to copy itself and insert itself into another machine.

"But what if the author of a worm targeted a specific objective, like one of our sponsor's systems? And what if the author gave his worm an instruction other than 'multiply and spread,' such as 'Retrieve every file relating to Classified Project X'? Then it becomes a precision-guided weapon."

On the servers of MITRE's sponsors resides information that could cause harm to our nation's interests if it fell into the wrong hands. A worm as quick as Sapphire/Slammer could infiltrate a company's servers, ransack them, and abscond with its plunder before any human user could spot the attack.

Guarding these servers from attack is a national priority. That's why Ellis has designed a method where the network itself can recognize and react to a worm infestation.

A Family Conversation

Most companies take great pains to protect their servers from worms and viruses. But there is always the danger that a worm strikes before the proper security patch can be implemented. Even a run-of-the-mill worm could cause a company expensive problems. A typical worm infestation would overload switches and routers, bringing down the company's network. Every infested computer would need to be disconnected from the network and deloused; the cost in lost productivity would be steep. That's why a worm attack has to be stopped before the infestation spreads far enough to cause chaos.

The trouble is, if your security system was unable to recognize the worm before it entered the system, how is it going to find the worm once it's within the system? Ellis realized that you don't need to spot the worm; you simply need to spot the behavior the worm causes. Each worm has a different design, but every worm has the same purpose: spread. So what does that look like?

A worm sneaks onto a network and infects the first vulnerable computer it comes across. We'll call that Computer A. Once the worm has infested Computer A, it makes copies of itself and tries to transmit them to other computers on the network. Computer A starts talking to other computers to which it is connected. It strikes up a conversation with three computers—Computers B, C, and D—that are vulnerable to the worm. Computers B, C, and D become infected, and then they start talking to every computer they know. Computer B infects Computers E and F. Computer C infects Computer G. Computer D infects Computers H, I, and J. And then those computers start yakking.

Pull back from this scene and you will see that what the worm has created is a family tree. Computer A fathered Computers B, C, and D, who provided him with grandkids E, F, G, H, I, and J. And the family trait the computers all have in common is that they love to talk. Teach a server to recognize the formation of the Talkative Family Tree and equip it to remove every member of the family from the network and you can stop a worm infestation in its earliest stages.

Security Jujitsu

"Our initial data is telling us that we can recognize and stop an infestation on a network by the third generation, by the grandchildren," says Ellis. "In some cases, even by the second generation."

The strength of this detection method is that it uses a worm's own strengths against it. "A worm by its definition has to spread. And the only way for it to spread is through a family tree," he explains. "And the faster a worm spreads, the more quickly the family tree forms, the more quickly we can recognize it, and the more quickly we can stop it.

"The only effective way around the detection system would be to design a worm that doesn't spread or that spreads so slowly that the family tree is difficult to recognize. But forcing worms to adopt such a design would be a victory in itself."
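As an added illustration, not part of the Digest article or of Ellis's system, the following Python sketch runs the family-tree idea over constructed connection records: hosts that burst out to several peers are "talkative," a talkative host contacted by an already-talkative host shortly before its own burst is its child, and an alert is raised once a family reaches the third generation (the grandchildren), as described above. The host names, timings, window and fan-out threshold are all assumptions.

```python
from collections import defaultdict
# Constructed connection records (seconds, source, destination), not real data: the
# article's A->B,C,D / B->E,F / C->G / D->H,I,J spread, grandchild E starting to
# talk, and ordinary traffic to a file server FS and a mail server MX.
EVENTS = [
    (0.0, "A", "B"), (0.5, "A", "C"), (0.9, "A", "D"),
    (1.0, "K", "FS"), (1.2, "L", "FS"), (1.3, "M", "MX"), (1.4, "L", "MX"),
    (1.5, "B", "E"), (1.8, "B", "F"), (2.0, "C", "G"), (2.1, "C", "FS"),
    (2.4, "D", "H"), (2.6, "D", "I"), (2.9, "D", "J"),
    (3.0, "E", "P"), (3.2, "E", "Q"), (3.5, "FS", "K"),
]

def talkative_hosts(events, window, min_fanout):
    """Hosts contacting >= min_fanout distinct peers within `window` seconds,
    mapped to the time their burst of contacts began."""
    outbound = defaultdict(list)
    for t, src, dst in sorted(events):
        outbound[src].append((t, dst))
    bursts = {}
    for host, conns in outbound.items():
        for i, (t0, _) in enumerate(conns):
            if len({d for t, d in conns[i:] if t - t0 <= window}) >= min_fanout:
                bursts[host] = t0
                break
    return bursts

def family_tree(events, window=10.0, min_fanout=2):
    """Map each talkative host to (generation, root of its family). A host's parent
    is the talkative host that contacted it shortly before it began talking."""
    bursts = talkative_hosts(events, window, min_fanout)
    parent = {}
    for t, src, dst in sorted(events):
        # parent already talking when it made contact; child starts within the window
        if (src in bursts and dst in bursts and dst not in parent
                and bursts[src] <= t < bursts[dst] <= t + window):
            parent[dst] = src
    info = {}
    def walk(h):  # terminates: burst times strictly decrease along parent links
        if h not in info:
            g, r = walk(parent[h]) if h in parent else (0, h)
            info[h] = (g + 1, r)  # roots are generation 1
        return info[h]
    for h in bursts:
        walk(h)
    return info

def detect(events, alert_generation=3, window=10.0, min_fanout=2):
    """Every observed member of a family that has reached alert_generation generations."""
    info = family_tree(events, window, min_fanout)
    alerted = {r for g, r in info.values() if g >= alert_generation}
    return {h for h, (g, r) in info.items() if r in alerted}
```

On the sample data the lone chatty host L forms a one-member "family" and is left alone, while A, B, C, D and E are flagged as soon as grandchild E starts talking; hosts that were only contacted (F, G, H, I, J) are not yet on the list, so a deployment would also want to review whom the flagged hosts contacted.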

Hunting the Worm in Its Natural Habitat

Ellis's idea is elegant in its simplicity. But testing his idea has proved far from simple. Building a simulated network, dropping a worm into it, and then finding it again is the testing equivalent of shooting a fish in a barrel. "If I create a world where only one worm exists, and nothing else, and then I detect the worm with high confidence, you're not going to give me a Nobel Prize," he says.

"So the hard part isn't detecting the worm, it's detecting the worm within the context of normal traffic. And since we don't know how to create normal enterprise network traffic in simulation, the only place where you can get normal traffic is on an actual network. But, of course, you can't put real worms on a real network."

So Ellis is creating a worm emulator. The emulator will be tested on an actual network, and a small portion of the computers on this network will be outfitted with the worm emulator program. When an automated worm detection test is run, one of the computers outfitted with the emulator will be selected as Computer A. This computer will send out a message onto the network. The message will be meaningless to any machine not also equipped with the emulator and will be ignored. However, those computers equipped with the emulator, when they receive the message, will then send out messages of their own. The spreading emulator messages will form a family tree pointing back to Computer A, just as a propagating worm would.

The testing network will be equipped with Ellis's automated worm detection system. To pass, the system will need to detect the tell-tale family tree as quickly as possible, though the number of machines participating in the emulator test will be a small percentage of the actual network. (Ellis believes 300 emulator-equipped computers will provide him with a sufficient number for a viable test.)

Turning the Worm

Once the automated worm detection system has been tested and perfected, what's the next step? "We want to share this technology with networking companies," he says, "so that they can build it into their switches and routers. The switches and routers are what pass packets of information from computer to computer. Since the switches and routers pass every message, they are the ones who build the family tree.

"So networking companies would want to design their technology to recognize a family tree and respond. Also, when the worm is detected, switches and routers can be reconfigured to quarantine infected machines. Thus, switches and routers are the optimal places to both detect and respond to worm attacks."

With MITRE devoting resources and creativity to network security and sharing that information with other computer specialists, there's reason to believe those sprinting worms will be slowed to a crawl—and ultimately, to a halt.

—by Christopher Lockheardt


Page last updated: July 21, 2006