Loading ...
Sorry, an error occurred while loading the content.

REVIEW: "Defense and Detection Strategies Against Internet Worms", Jose Nazario

Expand Messages
  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    BKDDSAIW.RVW 20031128 Defense and Detection Strategies Against Internet Worms , Jose Nazario, 2004, 1-58053-537-2, U$85.00/C$131.95 %A Jose Nazario
    Message 1 of 1 , Jan 21, 2004
    • 0 Attachment
      BKDDSAIW.RVW 20031128

      "Defense and Detection Strategies Against Internet Worms", Jose
      Nazario, 2004, 1-58053-537-2, U$85.00/C$131.95
      %A Jose Nazario jose@...
      %C 685 Canton St., Norwood, MA 02062
      %D 2004
      %G 1-58053-537-2
      %I Artech House/Horizon
      %O U$85.00/C$131.95 800-225-9977 artech@...
      %O http://www.amazon.com/exec/obidos/ASIN/1580535372/robsladesinterne
      http://www.amazon.co.uk/exec/obidos/ASIN/1580535372/robsladesinte-21
      %O http://www.amazon.ca/exec/obidos/ASIN/1580535372/robsladesin03-20
      %P 287 p.
      %T "Defense and Detection Strategies Against Internet Worms"

      The preface states that the book is intended for security
      professionals, security researchers, and academics in the field of
      computer science. It is obvious that the author has attempted to
      write the material in a scholastic tone, but the necessary rigour and
      structure of thought is missing.

      Chapter one, an introduction of sorts, provides random information of
      questionable utility, such as the table listing the discovery of
      vulnerabilities compared against the time that elapsed before those
      loopholes were first released in active worms: no particular pattern
      seems to be indicated.

      Part one is supposed to be a background and taxonomy. Chapter two
      provides us with a definition. Nazario has obviously taken the
      Cohenesque definition of viruses (as attaching to files) and then
      assumed that a worm is any self-replicating program that does *not* so
      bind. The definition therefore appears to include almost all current
      viruses, and yet the author also attempts to ascribe certain
      characteristics to worms, such as control and construction of a
      network, and communication with other worm nodes. His later examples
      of worms, however, include a number that do not contain any of these
      aspects. He lists a number of components of worms, and yet the
      communications, command, and intelligence elements are not inherently
      part of much of modern malware, usually existing simply as specialized
      payloads. A simplistic growth pattern (and the fact that worms can
      generate network traffic) is presented in chapter three, but the
      actual traffic patterns examined do not fully correspond to the
      projected graph. The history and taxonomy given in chapter four has
      numerous errors: even the fictional representative, the tapeworm from
      Brunner's "The Shockwave Rider," is introduced erroneously, since it
      didn't shut down the network in the book, but rather opened it.
      Workstations affected by the infamous Xerox PARC worm could be
      restarted, and a vaccine was not needed or produced. The Morris Worm
      was an enormous nuisance, but it hardly "crashed the Internet." (And
      Loveletter did the rounds in 2000, not 2001.) There is a quick precis
      of a number of lesser known worms, and this may be helpful as a
      reference, but the analysis is very limited. The construction of a
      worm is described in chapter five, but the outline is often at odds
      with that given in chapter two.

      Part two reviews worm trends. Chapter six reworks some of the
      material from five in a facile listing of infection patterns (and
      presents an artificial "Shockwave Rider" pattern that does not seem to
      have any correspondence to reality). "Targets of attack," in chapter
      seven, simply enumerates network connected devices. Nazario does
      attempt to bring in abstract concepts related to network topologies,
      but these have little practical bearing on worms in reality. The
      possible futures for worms, as expressed in chapter eight, deals
      mostly with existing and already used technologies. There is some
      effort made to model effects, but these are not fully analyzed.

      Part three turns to detection. Chapter nine looks at traffic
      analysis, but only in terms of network based intrusion detection with
      rudimentary appraisal. Honeypots and "dark networks" (ranges of
      unused IP addresses) are said to be ways to detect and trap worms, but
      the explanation and dissection of the topic in chapter ten is very
      narrow. Signature based detection, in chapter eleven, revisits
      network based intrusion detection, and adds a brief mention of file
      scanning.

      Part four looks at defences. Chapter twelve's review of host based
      defence deals primarily with system hardening, antivirus scanners, and
      the concept of throttling. Nazario seems very loath, in his
      discussion of firewalls in chapter thirteen, to admit that this is
      simply another type of signature. The use of scanning within
      application level proxies is examined in chapter fourteen, although
      there seems to be some confusion with circuit level proxies at points.
      Chapter fifteen, entitled "Attacking the Worm Network," outlines a
      number of active measures: except for the idea of "sticky" tarpits
      (after the LaBrea program model) all of them require extensive
      specific knowledge of individual worms. A concluding chapter is
      provided in sixteen.

      Nazario's work does address the often neglected topic of worms, and he
      does break away from the mass of virus books that are locked into the
      traditional "file and boot infectors" model. His examples are drawn
      from more recent events, and he does attempt to analyze network
      effects and complications, rather than simply looking at systems in
      isolation. While he is to be commended for all this, his definition
      is too broad to provide for serious new modelling of the problem, and
      his analysis fails to provide a basis for future work. Still, for
      those who need a more complete picture of the malware threat, this
      work should be considered. It does provide new information, and does
      attempt to address the difference between worms, viruses, and other
      forms of malware. In this regard, it is a significant improvement
      over such lackluster spacefillers as Skoudis "Malware" (cf.
      BKMLWFMC.RVW), the "E-mail Virus Protection Handbook" (cf.
      BKEMLVRS.RVW), Dunham's "Bigelow's Virus Troubleshooting Pocket
      Reference" (cf. BKBVRTPR.RVW), Schmauder's "Virus Proof" (cf.
      BKVRSPRF.RVW), and even Grimes' somewhat better "Malicious Mobile
      Code" (cf. BKMLMBCD.RVW).

      copyright Robert M. Slade, 2003 BKDDSAIW.RVW 20031128


      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      After attacking the sacred majesty of kings, I shall scarcely
      excite surprise by adding my firm persuasion that every
      profession, in which great subordination of rank constitutes its
      power, is highly injurious to morality.
      Mary Wollstoncraft (1759-1797), A Vindication of the Rights of Woman
      http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
    Your message has been successfully submitted and would be delivered to recipients shortly.