Trojan Horses/Worms Vadolas Margaritis Bantes George.


Transcript of Trojan Horses/Worms Vadolas Margaritis Bantes George.

Trojan Horses/Worms

Vadolas Margaritis

Bantes George

Worms

In recent years, computer worms have infected hundreds of thousands of Internet servers and personal computers in just a few minutes, resulting in financial damage of approximately one billion dollars for businesses, governments and service providers.

Worms

CodeRed - more than 359,000 Internet servers infected in just 14 hours

Slammer - 55 million scans per second in just a few minutes

Worms

The term 'worm' comes from a science fiction novel published in 1975, The Shockwave Rider, written by John Brunner.

Researchers John Shoch and Jon Hupp of Xerox PARC chose the name for one of their papers, published in 1982 and titled The Worm Programs.

Since then it has been globally adopted.

Worms

A computer worm is a self-replicating computer program.

It exploits networks to send copies of itself to other hosts, usually without the user's awareness.

Unlike a virus, a worm does not need to be attached to an existing program.

Worms

Worms usually harm networks, for example by consuming bandwidth, whereas viruses harm personal computers by corrupting or modifying files.

Worms often result in Distributed Denial of Service for the hosts of a network.

Requirements for an effective solution against worms

Robustness and resilience in performing security functions on the Internet

Trust integration and alert-correlation methodologies to achieve mutual cooperation among many sites

Fast anomaly detection and distributed denial-of-service (DDoS) defense to achieve awareness of unexpected worm or flooding attacks

Requirements for an effective solution against worms

Fast worm-signature detection and dissemination, to achieve efficiency and scalability

Proper traffic monitoring to track DDoS attack-transit routers

Defending against worms

Recent research indicates that automatic worm signature generation using payload (code written to do more than spread the worm) and address dispersion can provide satisfactory results.

Defending against worms

But most scanning worms are first dispersed over the Internet and only then start spreading.

It becomes a difficult task to observe important anomalies and gather enough payload content at various individual edge networks.

Information must be synthesized from multiple edge networks for fast and accurate detection of worm signatures.

NetShield defense system

The NetShield defense system aims to:

Restrain the spread of worms

Provide effective defense against Distributed Denial-of-Service (DDoS) attacks

NetShield defense system

The system employs two component sub-systems:

a system specialized in worm signature detection and dissemination, the WormShield system

a traffic-monitoring scheme to detect DDoS attacks

NetShield defense system

The system uses distributed peer-to-peer networks with Distributed Hash Tables.

The purpose of this design is quick and resilient look-up services.

The NetShield system architecture

The WormShield subsystem

Designed to identify and restrain unknown worms before they infect more vulnerable hosts

Uses a set of geographically distributed monitors located in various administrative domains

Monitors are organized into a structured peer-to-peer overlay network based on the Chord algorithm

Each monitor is positioned in the demilitarized zone (DMZ) of the edge network and analyzes all packets that pass through it

The WormShield subsystem

Each monitor uses the Rabin fingerprint algorithm to divide packet payloads into content blocks.

Local prevalence tables track the number of occurrences of each content block and are constantly updated with the information provided by the monitor for that block.

A monitor also keeps the set of source addresses and destination addresses for each content block it observes.
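As an added example (not code from the slides or from the NetShield/WormShield project), the following Python script models one WormShield monitor: a rolling hash stands in for the Rabin fingerprint to split payloads into content blocks, a local prevalence table counts each block, and per-block source/destination sets supply the address-dispersion test. The hash parameters, the thresholds and the sample traffic are all constructed for the demo.

```python
"""WormShield-style monitor: content-block prevalence plus address dispersion."""
from collections import defaultdict

BASE, MOD, WINDOW, MASK = 257, (1 << 31) - 1, 4, 0x7   # rolling-hash parameters (assumed)
PREV_MIN, SRC_MIN, DST_MIN = 3, 3, 3                    # detection thresholds (assumed)

def content_blocks(payload: bytes) -> list:
    """Content-defined chunking with a rolling hash, standing in for Rabin fingerprints:
    a block ends wherever the window fingerprint's low bits are all zero."""
    blocks, start, h = [], 0, 0
    power = pow(BASE, WINDOW, MOD)
    for i, b in enumerate(payload):
        h = (h * BASE + b) % MOD
        if i >= WINDOW:                       # drop the byte that left the window
            h = (h - payload[i - WINDOW] * power) % MOD
        if i + 1 - start >= WINDOW and (h & MASK) == 0:
            blocks.append(payload[start:i + 1])
            start = i + 1
    if start < len(payload):                  # trailing bytes form the last block
        blocks.append(payload[start:])
    return blocks

class Monitor:
    """One edge-network monitor: local prevalence table plus src/dst sets per block."""
    def __init__(self):
        self.prevalence = defaultdict(int)
        self.sources = defaultdict(set)
        self.dests = defaultdict(set)
    def observe(self, src: str, dst: str, payload: bytes) -> None:
        for block in content_blocks(payload):
            self.prevalence[block] += 1
            self.sources[block].add(src)
            self.dests[block].add(dst)
    def signature_candidates(self) -> list:
        """Blocks that are both prevalent and dispersed across many sources AND many
        destinations; a popular page fetched from one server fails the destination test."""
        return [b for b, n in self.prevalence.items()
                if n >= PREV_MIN and len(self.sources[b]) >= SRC_MIN
                and len(self.dests[b]) >= DST_MIN]

# Constructed sample traffic (not captured data): a harmless placeholder blob that four
# infected hosts send to four new targets, three clients fetching one page, one unique message.
WORM_BLOB = b"ZZZZ-constructed-replication-blob-0123456789-ZZZZ"
PAGE_REQ = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
FLOWS = [(f"10.0.{i}.1", f"10.1.{i}.1", WORM_BLOB) for i in range(4)]
FLOWS += [(f"10.2.{i}.1", "192.0.2.10", PAGE_REQ) for i in range(3)]
FLOWS += [("10.3.0.1", "192.0.2.20", b"hello there, a unique chat message")]

def run_demo() -> dict:
    m = Monitor()
    for src, dst, payload in FLOWS:
        m.observe(src, dst, payload)
    flagged = m.signature_candidates()
    return {"worm_flagged": sum(b in WORM_BLOB for b in flagged),
            "other_flagged": sum(b not in WORM_BLOB for b in flagged)}
```

In the real system each monitor's local table would be aggregated across the Chord overlay, so the thresholds apply to global rather than per-site counts.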

The WormShield Architecture

Other worm defense systems

Earlybird and Autograph

Incoming packet analysis

Payload-content prevalence and address dispersion

Other worm defense systems

Trend Detection

A worm monitoring system and early warning system

Based on worm-spreading dynamic models

Detects a worm in its early stage

Uses a Kalman filter estimation algorithm

Other worm defense systems

Columbia Worm Vaccine

Microsoft Shield System

End-user oriented approach

Preventing a host from being infected

Trojan Horse Attack Strategy on Quantum Private Communication

In private communication systems, attackers try to break the computer systems for their own benefit.

For the protection of those systems, cryptography has been widely employed to prevent these attack strategies.

Attacks

The attacks can be categorized into three different types of attack strategies: the strategy based on fundamental drawbacks (SFD), the strategy based on obtained information (SOI), and the strategy based on assistant systems (SAS). One typical example of SAS is the Trojan horse attack.

Attack strategies

One of those attack strategies is the Trojan horse: once it is hidden in the system, the attacker can break the system and obtain important information. This attack is possible in private quantum communication.

Trojan horses

A Trojan horse is a small program that, if inserted by an attacker into a computer program, can copy, misuse and destroy data.

Trojan horses

There are two kinds of Trojan horse. The pre-liked Trojan horse is a robot horse which is praised in the programs of the user, such as computer programs.

The online Trojan horse is actually a probing signal which may enter the confidential system without the awareness of the legitimate communicators and then reflect back to the attacker.

Trojan horses

If a Trojan horse enters the computer system, the attacker may break the cryptosystem and obtain important information by means of the feedback information of the robot horse. This is called the Trojan horse attack strategy (THAS).

Protection of the quantum private communication against Trojan horse attack

For the protection of quantum private communication against the Trojan horse attack, a quantum cryptographic key algorithm with EPR pair(s) is used.

Quantum cryptography is based on the laws of quantum physics, using photons to transmit information.

Protection of the quantum private communication against Trojan horse attack

With quantum cryptography we can create a communication channel where it is impossible to eavesdrop without disturbing the transmission.

The quantum key algorithm is based on this idea.

Protection of the quantum private communication against Trojan horse attack

In cryptography, a pre-shared key or PSK is a shared secret which was previously shared between the two parties over some secure channel before it needs to be used.

Those systems always use symmetric key cryptographic algorithms.