Defense and Detection Strategies against Internet Worms [Hardcover]

Jose Nazario (Author)

Book Description

ISBN-10: 1580535372 | ISBN-13: 978-1580535373 | Publication Date: October 2003

Focusing exclusively on Internet worms, this book offers you solid worm detection and mitigation strategies for your work in the field. This ground-breaking volume enables you to put rising worm trends into perspective with practical information in detection and defence techniques utilizing data from live networks, real IP addresses and commercial tools. It helps you understand the classifications and groupings of worms, and offers a deeper understanding of how they threaten network and system security. After examining how a worm is constructed and how its major life cycle steps are implemented, the book scrutinizes targets that worms have attacked over the years and the likely targets of the immediate future. Moreover, this reference explains how to detect worms using a variety of mechanisms and evaluates the strengths and weaknesses of three approaches - traffic analysis, honeypots and dark network monitors, and signature analysis. The book concludes with a discussion of four effective defences against network worms, including host-based defences, network firewalls and filters, application layer proxies, and a direct attack on the worm network itself.

Editorial Reviews

About the Author

Jose Nazario is a senior software engineer at Arbor Networks, an internet security company. He is also a consultant and researcher at Crimelabs Research, a think tank and consulting firm. He holds a Ph.D. in biochemistry from Case Western Reserve University. He has published extensively.

Product Details

• Hardcover: 322 pages
• Publisher: Artech House (October 2003)
• Language: English
• ISBN-10: 1580535372
• ISBN-13: 978-1580535373
• Product Dimensions: 9.5 x 7.1 x 0.8 inches
• Shipping Weight: 1.4 pounds (View shipping rates and policies)
• Average Customer Review: 5.0 out of 5 stars  See all reviews (2 customer reviews)
• Amazon Best Sellers Rank: #1,825,979 in Books (See Top 100 in Books)

More About the Author

Discover books, learn about writers, read author blogs, and more.

Customer Reviews

Most Helpful Customer Reviews

4 of 4 people found the following review helpful:

5.0 out of 5 stars Fun book on worms? Yes!, April 20, 2004

By 

Dr Anton Chuvakin "Dr. Anton Chuvakin" (CA, USA) - See all my reviews

This review is from: Defense and Detection Strategies against Internet Worms (Hardcover)

(...)

It is not very common to see an unusual security book nowadays as many authors cover every subject. However, such sexy subject as worms, did not, in my opinion, receive adequate coverage. This book does fill this important niche effectively!

It starts from motivation sections that, if not exciting, provide a good intro and immerses the reader into the subject and how to approach it (worm analysis principles).

It then goes into: five worm components: reconnaissance, attack, communication, command, intelligence. Lots of nice details on all worm activities are in there. One of the book's advantages is author's clear writing style, easy and enjoyable to read, even if you know the subject already.

Worm traffic is the highlight of the book as well as trends and infection patterns. Traffic analysis (linked to worm traffic patterns) is described from the basics and lab setup to advanced worm hunting. The techniques include volume monitoring, new scans/sweeps, change in traffic for some systems, etc.

Worm history and taxonomy are also discussed. Also, worm internals and worm construction are covered in great detail. Worm detection goes beyond traffic analysis to honeypots and black hole monitor as well as signatures detection.

Of course, the worm book can't be complete without defenses. The defenses go beyond worms to all malware and are classified into network and host defenses, as well as counterattacking the worm population and networks.

Future worms - as usual - is the most exciting part. Overall, the book is fun and useful (in my opinion) for both researchers and practitioners. Among its negative sides I can only list its relatively high price.

(...)

5 of 7 people found the following review helpful:

5.0 out of 5 stars The definitive guide to the history and development of worms, December 22, 2003

By 

Duncan R. Lowne (Oxford, England) - See all my reviews
(REAL NAME)   

This review is from: Defense and Detection Strategies against Internet Worms (Hardcover)

Publishing a book on a subject as dynamic as internet worms can never result in a complete volume. The near-weekly outbreaks of modified versions of old worms and completely new designs is enough to frustrate the efforts of even the most prolific anti-virus software developers, let alone those who try to provide an overview of their study. Nevertheless, Nazario accomplishes a clear and concise summary of the state of worms today. Seeded by a paper ('The Future of Internet Worms', Nazario, Anderson, Connelly, Wash) written in 2001, Defense Against Internet Worms encourages the reader to focus on the directions worm development might take in the future, with a specific view toward anticipation of, and prepartion for, future attacks.

The book begins with a discussion of the departure worms take from traditional computer virii. An outline of the benefits for the black-hat toward a worm-based attack, as well as a brief analysis of the threat model posed by worms, provide ample reason for the computer security professional to take the study of internet worms very seriously. Beyond this introduction, the book is laid out in four major sections. The first introduces to the reader some background information crucial to the study of worms. The author discusses the history and taxonomy of past worm outbreaks, from their sci-fi origins (think John Brunner's "Shockwave Rider") through modern-day outbreaks. A thorough analysis of various worms' traffic patterns is presented, with data broken down by infection rates, number of infected hosts, and number of sources probing specific subnets. Finally, the construction and lifecycle of worms are presented, with particular attention paid to the interaction between the worms' propagation techniques and the progression of their lifecycles.

The second section of the book (ch. 6 - 8) studies the trends exhibited by past worm outbreaks. Beginning with an examination of the processes and mechanisms of infection, it progresses on to a survey of the network topologies generated by a worm's distribution. Specific infection patterns are examined, along with case studies of worm outbreaks that have exhibited such patterns. Further, this section examines the common characteristics of vulnerable targets, from older UNIX and VMS mainframes through desktop systems onward to infrastructure equipment and embedded systems. A discussion of the payload transmission methods that have made recent worm attacks so devastatingly effective, and an explaination of why liberal use of a clue-hammer on users is not by itself enough to control and prevent further outbreaks, complement chapter nine's analysis and speculation of the future of internet worms.

Section three (ch. 9 - 11) focuses on worm detection strategies, and is more distinctly aimed at the already-overworked network security professional. Effective methods of detecting scans and analyzing a worm's scan engine are presented with a focus on timely and efficient protection from further infection. Monitoring techniques for quickly recognizing, analyzing and responding to worm outbreaks leads into a detailed description of well-placed honeypots and dark network monitors ("black holes"). Discussion of the (so-far) most effective method of worm detection, signature analysis, completes the section, and covers host-based and logfile signatures, along with a brief overview of analyzing logfiles using commonly available utilities.

The final section of the book (ch. 12 - 16), per the book's namesake, aims at defense strategies against worm outbreaks. Beginning with the obvious first steps which anyone reading the book ought to have implemented (firewalls, virus detection software, sandboxing, and patching-patching-patching), the section progresses into less widely used but equally important proxy-based defense methods, and continues on to cover slowing down infection rates and fighting back against existing worm networks. For the sake of thoroughness, an overview of the legal implications of attacking worm nodes receives its fair share of attention simply to alert the reader of the dangers of proactive defense.

Defense Against Internet Worms is decidedly aimed at the experienced network security professional, but holds a much broader appeal than most technical books. With its thorough historical analysis of worm progression over the past thirty years, anyone with even a remote interest in the past, present or future of the only network security issues to consistently make headlines in the mainstream press will find this both an entertaining and enlightening read. Overall, it makes a valuable addition to any geek's bookshelf.