Intrusion Detection for Virus and worms:
The programming of intrusion detection is necessary for virus and worms due to the reason that they can spread in a greater speed and attack the systems when compared to the attack done by the intruders directly. The infection due to these worms and viruses spread widely even without the proper notice of the network administrator, that means for the time that a network manager notice the spreading of worm is completed because the network administrator notice the existence of a worm or virus when only if the alarm indicates about the worm and he even takes some time to discover the worm in the meanwhile the worm spreads the infection.
The spreading of worms is done in few minutes of time for example the latest worms like Blaster, Sapphire/Slammer takes few minutes time to spread over millions of systems. Well programmed intrusion detection must be designed and implemented in the systems to identify the latest viruses and worms epidemics as soon as it is possible because of the reason that the latest epidemics of worms and viruses spread with an exponential rate of speed at the starting stage and this shown by the epidemiology. Thus if such new outbreak is identified soon, its effect on the system is decreased up to some extent.
As the designing of antivirus software is done to identify the worms and viruses that occur to the systems, the host-based intrusion detection system is considered as the utmost logical methodology at the initial researches. By running antivirus software of the desktop computers on all the host computers, a “host-based intruder detection system” is assumed easily because whenever a virus is detected in the system an alarm is broadcasted to the neighbours.
But there are some considerable limitations with this approach even if it is attractive. And the significant limitations are at first, expenses of IDS installation in all the hosts is the main drawback. The second one is, because of different reasons it is indicated that the desktop antivirus software is not installed regularly, sometimes it may not be updated and in some cases it is not turned on.
The third limitation is the capability of some worms and viruses as they can damage the antivirus software installed in the systems or can even turn-off the programs of anti-virus. The fourth and the last drawback of this approach is that a virus can be identified by the IDS based on host when only the virus has already to the host and this is too late to avoid certain attacks caused by the virus. Therefore this approach of host based intrusion detection system is not completely believable for detecting the intrusions.
The implementation of network-based intrusion detection system is done often as a firewall which is combined with the antivirus software. Typically as the worms and viruses are located at entry point of the network, the firewalls designed provides a common point for them. Along with these the designing of firewalls is done with special capabilities for inspecting and filtering the traffic that is delivered at a link speed of high level.
The possibility of integrating the antivirus software is not only for firewalls it can even be associated with the routers, gateways and switches. When compared to the host-based intrusion detection system, the network based intrusion system has the capability of identifying the latest worms and viruses at the initial stages of the attack and so it can identify the virus or worm before it spreads to the hosts.
Even the network-based IDS have some drawbacks but these are different from the host-based IDS disadvantages. The first one among the drawbacks of network-based IDS is avoiding of firewalls can be done as there are not faultless filters. The traffic directed towards a particular port which is considered as dangerous can be blocked by the firewalls, for an instance activities can be continued across the ports that are allowed.
The second drawback is,when the particular signature are used for configuring the firewalls then such firewalls are efficient for viewing, but common signatures are not there in viruses and worms. The spreading of these can be done in various approaches by receiving the benefits of infinite number of susceptibilities that known. The third drawback is even if the susceptibilities is known, as soon as it is discovered the worm that exploits that susceptibility can be viewed and thus it gets late for establishing a signature and distributing it for the attack.
The latest worms and viruses can be identified by observing the examples that are established in recent years.
- Code Red Worm: In “Microsoft’s IIS web servers” , attempts are made by the code red worm at least of three versions for abusing a buffer overflow vulnerability and this is represented as the susceptibility of Index Server ISAPI and announcement of this is done in the year 2001 on 18th of June. A packet that is transferred to the host which is taken as the victim is involved in the buffer overflow attack. The arbitrary code can be run at the host considered as victim by using the buffer overflow in case of the crafting of the packet is done carefully. The worm code red 1 is firstly identified in the year 2001 on 12th of July and this is identified after identifying its susceptibilities by taking one month of time in between. To perform the enquiry the worm creates a list of IP addresses which is pseudorandom to spread the infection, but this generation of list of IP addresses is done in identical manner because of a mistake made during the programming at the host that is infected with the worm.Therefore because of the identical list the spreading of worm is very slow as the enquiry of the worm is done on the similar computers. The second version of code red worm is identified in the year 2001 on 19th of July that is just a week after the identification of the first worm and in this the error caused in the earlier version is fixed that means the list of IP addresses is really maintained in pseudorandom for enquiring and so the spreading of this worm is very fast. It was discovered that more than 359,000 computers get infected by this version worm in just 14 hours. The recent version of code red II is identified in the IIS web servers during the same buffer overflow susceptibility exploitation and this is identified on 4th of august. But the enquiry of machine IP addresses by this version of worm is not based on random list entirely. Here only the randomness can be observed entirely for 1 address among 8 IP addresses, 4 addresses among these are included in the class A level of the address of the host that is infected and other 3 among eight addresses are included in class B level of the address of the host that is infected.
- SQL Slammer/Sapphire worm: Sapphire worm which took the advantage of buffer overflow weakness said to be identified in Jan 25 2003.this is seen in Microsoft sqlserver it is confirmed 6 months before its evaluation i.e. on July 2002. It is much flexible than other worms as it can be fixed in unique 404-byte UDP packet. But as far as Code Red is concerned it occupies 4000 bytes and Nimda occupies more than that up to 60,000 bytes. Once it started polluting the worm easily develops UDP packets holding the duplicates of sapphire at the maximum rate of the system. The diffusion rate was unanimously high.According to it the damage rate is 90% weak which takes only 10 minute not more than that it damages over 12000 servers.
- Blaster worm: Blaster worm is a versatile worm which makes DCOM RPC as it target this is due to its weakness it is identified just before a month from the time of its announcement i.e. on July 16, 2003. The worms interact once DCOM interface is done including RPC listening at the time of TCP port 135 is evolving on windows XP as well as on windows 2000 pcs. This occurs when buffer overflow occurs the worm enters into targeted machine to on the wireless shell on the selected port i.e.4444 and sends a circular to the targeted machine through UDP port 69. A tftp (trivial file transfer protocol) “get” control is the next message sent to port 4444 influences the machine to retrieve a replica of the worm ”msblast.exe” is the file we identify.
The examples here mentioned are used as witness to say that worms used many ways to spread and each of them needs to be identified separately in this case we take CODE RED can be identified first once there is any growth of TCP port 80 automatically detects and it leads to growth of well-shaped HTTP “GET” requests for “.ida” file (a buffer overflow attack). The Nimda worm is seen when there is a huge growth in attempts of Unicode Web travel Exploit. Sapphire worm is detected when the is unexpected raise on links which leads to an increase in 404-byte UDP packets creates the way to UDP port 1434 in casuals address.
Simultaneously blaster makes the growth of TCP packets which is processed towards the PORT no135 and also depends upon the no of tftp requests on UDP port 69 .these signs of worms are common in nature. After a worm has been case studied the problem is that another worm attacks and easily make use of the situation based on its weakness these are many in number every time signature based identification dost not connects it fails for new ones. Anomaly detection method is “worm like behaviour is more guaranteed” for new type of attacks.
Anyways anomaly detection is more complicated because a worm does not distribute process. Different worms may give different indications this leads to growth of the volume of network traffic, leads to emptiness a steady increase in scans raise to sudden change of traffic by hosts but still these could not be taken account of indicators as they are not dependable this could be given by anexample port scans are always run on background when internet is working. Despite of this reasons it is complicated to find worm attack at least one worm is caught.