REVIEW: "Defense and Detection Strategies Against Internet Worms", Jose Nazario
- BKDDSAIW.RVW 20031128
"Defense and Detection Strategies Against Internet Worms", Jose
Nazario, 2004, 1-58053-537-2, U$85.00/C$131.95
%A Jose Nazario jose@...
%C 685 Canton St., Norwood, MA 02062
%I Artech House/Horizon
%O U$85.00/C$131.95 800-225-9977 artech@...
%P 287 p.
%T "Defense and Detection Strategies Against Internet Worms"
The preface states that the book is intended for security
professionals, security researchers, and academics in the field of
computer science. It is obvious that the author has attempted to
write the material in a scholastic tone, but the necessary rigour and
structure of thought is missing.
Chapter one, an introduction of sorts, provides random information of
questionable utility, such as the table listing the discovery of
vulnerabilities compared against the time that elapsed before those
loopholes were first released in active worms: no particular pattern
seems to be indicated.
Part one is supposed to be a background and taxonomy. Chapter two
provides us with a definition. Nazario has obviously taken the
Cohenesque definition of viruses (as attaching to files) and then
assumed that a worm is any self-replicating program that does *not* so
bind. The definition therefore appears to include almost all current
viruses, and yet the author also attempts to ascribe certain
characteristics to worms, such as control and construction of a
network, and communication with other worm nodes. His later examples
of worms, however, include a number that do not contain any of these
aspects. He lists a number of components of worms, and yet the
communications, command, and intelligence elements are not inherently
part of much of modern malware, usually existing simply as specialized
payloads. A simplistic growth pattern (and the fact that worms can
generate network traffic) is presented in chapter three, but the
actual traffic patterns examined do not fully correspond to the
projected graph. The history and taxonomy given in chapter four has
numerous errors: even the fictional representative, the tapeworm from
Brunner's "The Shockwave Rider," is introduced erroneously, since it
didn't shut down the network in the book, but rather opened it.
Workstations affected by the infamous Xerox PARC worm could be
restarted, and a vaccine was not needed or produced. The Morris Worm
was an enormous nuisance, but it hardly "crashed the Internet." (And
Loveletter did the rounds in 2000, not 2001.) There is a quick precis
of a number of lesser known worms, and this may be helpful as a
reference, but the analysis is very limited. The construction of a
worm is described in chapter five, but the outline is often at odds
with that given in chapter two.
Part two reviews worm trends. Chapter six reworks some of the
material from five in a facile listing of infection patterns (and
presents an artificial "Shockwave Rider" pattern that does not seem to
have any correspondence to reality). "Targets of attack," in chapter
seven, simply enumerates network connected devices. Nazario does
attempt to bring in abstract concepts related to network topologies,
but these have little practical bearing on worms in reality. The
possible futures for worms, as expressed in chapter eight, deals
mostly with existing and already used technologies. There is some
effort made to model effects, but these are not fully analyzed.
Part three turns to detection. Chapter nine looks at traffic
analysis, but only in terms of network based intrusion detection with
rudimentary appraisal. Honeypots and "dark networks" (ranges of
unused IP addresses) are said to be ways to detect and trap worms, but
the explanation and dissection of the topic in chapter ten is very
narrow. Signature based detection, in chapter eleven, revisits
network based intrusion detection, and adds a brief mention of file
Part four looks at defences. Chapter twelve's review of host based
defence deals primarily with system hardening, antivirus scanners, and
the concept of throttling. Nazario seems very loath, in his
discussion of firewalls in chapter thirteen, to admit that this is
simply another type of signature. The use of scanning within
application level proxies is examined in chapter fourteen, although
there seems to be some confusion with circuit level proxies at points.
Chapter fifteen, entitled "Attacking the Worm Network," outlines a
number of active measures: except for the idea of "sticky" tarpits
(after the LaBrea program model) all of them require extensive
specific knowledge of individual worms. A concluding chapter is
provided in sixteen.
Nazario's work does address the often neglected topic of worms, and he
does break away from the mass of virus books that are locked into the
traditional "file and boot infectors" model. His examples are drawn
from more recent events, and he does attempt to analyze network
effects and complications, rather than simply looking at systems in
isolation. While he is to be commended for all this, his definition
is too broad to provide for serious new modelling of the problem, and
his analysis fails to provide a basis for future work. Still, for
those who need a more complete picture of the malware threat, this
work should be considered. It does provide new information, and does
attempt to address the difference between worms, viruses, and other
forms of malware. In this regard, it is a significant improvement
over such lackluster spacefillers as Skoudis "Malware" (cf.
BKMLWFMC.RVW), the "E-mail Virus Protection Handbook" (cf.
BKEMLVRS.RVW), Dunham's "Bigelow's Virus Troubleshooting Pocket
Reference" (cf. BKBVRTPR.RVW), Schmauder's "Virus Proof" (cf.
BKVRSPRF.RVW), and even Grimes' somewhat better "Malicious Mobile
Code" (cf. BKMLMBCD.RVW).
copyright Robert M. Slade, 2003 BKDDSAIW.RVW 20031128
====================== (quote inserted randomly by Pegasus Mailer)
rslade@... slade@... rslade@...
After attacking the sacred majesty of kings, I shall scarcely
excite surprise by adding my firm persuasion that every
profession, in which great subordination of rank constitutes its
power, is highly injurious to morality.
Mary Wollstoncraft (1759-1797), A Vindication of the Rights of Woman
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade