
• Microsoft Remote Desktop Protocol (RDP): RDP is a proprietary Microsoft protocol used to access Windows-based hosts remotely across a network. The vulnerability CVE-2012-0002 (MS12-020) was identified in Microsoft Windows XP, Vista, 7, Server 2003 and Server 2008. It can be exploited by sending a sequence of crafted datagrams to TCP port 3389 on a host running the RDP service, before any authentication takes place, and potentially allows remote arbitrary code execution. Because a compromised host can in turn send copies of the malicious datagrams to any other vulnerable host, the vulnerability is wormable.

• ShellShock: Bash (the Bourne-again shell) is a common UNIX command interpreter that executes commands passed to it by users and by applications. Bash ships with many versions of Linux, UNIX and Mac OS X, including systems that run web servers employing the Common Gateway Interface (CGI), where the web server hands request data such as HTTP headers to the CGI program as environment variables. Bash allows shell functions to be exported through environment variables: a variable whose value begins with "() {" is parsed as a function definition when a new Bash process starts. The ShellShock vulnerability (CVE-2014-6271) lies in the way vulnerable Bash versions process such values, i.e., Bash continued to parse and execute any trailing string after the closing brace of the function definition. An attacker who controls the value of an environment variable (for example through an HTTP header passed to a CGI script) can therefore append arbitrary commands, which are executed as soon as Bash is started with that environment on the vulnerable host.

2.4 Worm Detection Techniques

Previously reported worm countermeasure systems have used detection techniques at either the host level or the network perimeter level (Smith et al., 2009). A brief description of each technique is set out below.

2.4.1 Host Level Detection System

A host level detection system uses end-host information to detect anomalous behaviour, such as detecting buffer overflows, correlating network data with memory errors, and looking for patterns in system calls (Li and Shad, 2014). This technique requires deployment on every host in order to detect a network or malware attack (Chen et al., 2014). Host level worm detection systems reported in the literature include COVERS (Liang and Sekar, 2005), Vigilante (Costa et al., 2005) and SWEEPER (Tucek et al., 2007). Host level worm detection systems are difficult to manage centrally and, because the detector runs on the host it monitors, the detector itself is vulnerable to compromise once that host is infected (Jamil and Chen, 2006).

2.4.2 Network Level Detection System

Network level detection systems are usually deployed at the network perimeter to protect the entire network of hosts by monitoring inbound and outbound network traffic (Li et al., 2008). Network level detection systems are therefore more desirable than host level systems because of their lower installation and management overhead (Li and Shad, 2014). Network level intrusion detection systems can mainly be categorized into signature-based and anomaly-based detection systems (Jyothsna et al., 2011).

2.4.3 Signature-based Network Detection System

A signature-based detection system maintains a database of signatures for previously known attacks (Liao et al., 2013). An alarm is raised if a datagram observed on the network matches a signature in the database (Kim et al., 2012). The signature database must be updated frequently in order to detect new threats (Kumar and Sangwan, 2012). A number of signature-based detection systems exist, including Snort (Khamphakdee et al., 2014) and Bro (Sharma and Sharma, 2015). Snort and Bro use static signatures, which are sets of previously known byte sequences considered to be malicious. Although Snort has an anomaly detection component that monitors TCP protocol anomalies, such as data on SYN packets and data received outside the TCP window (Khamphakdee et al., 2014), it does not detect zero-day worm attacks. Thus the drawback of Snort and Bro is their inability to detect a new attack whose signature is absent from the database (Beigh and Peer, 2014). Autograph (Aljawarneh et al., 2016) and EarlyBird (Punithan et al., 2016) were developed to generate signatures dynamically for Snort and Bro by analysing the content of network traffic to find byte sequences that recur across many flows. Used together with Snort or Bro, these detectors can detect the presence of zero-day worms, but they cannot detect polymorphic worms, whose payload changes from one copy to the next so that no common byte sequence exists to be found (Kaur and Singh, 2014). Additionally, these detectors can be misled into labelling legitimate traffic as malicious, for instance when an attacker deliberately crafts traffic so that the generated signature also matches legitimate flows (Chung and Mok, 2006; Newsome et al., 2006; Perdisci et al., 2006). Generally, signature-based systems are effective in detecting known attacks and are easy to deploy (Liao et al., 2013), but they are burdened by having to maintain a large database of previously and newly identified threats (Ahmad and Woodhead, 2015). Additionally, the efficiency of the detection algorithm degrades as the signature database grows (Li et al., 2008).
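The two mechanisms described above, static signature matching and automatic signature generation from common byte sequences, are illustrated by the following added example. It is illustration code written for this section, not code from the thesis, nor from Snort, Bro, Autograph or EarlyBird. The byte-sequence length, the prevalence and dispersion thresholds, the signature database and the sample payloads are all constructed; the only real-world element is the "() {" prefix, which is the well-known ShellShock environment-variable marker from the vulnerability described earlier in this chapter. The example also shows the two caveats from the text: a known-benign corpus is used to stop legitimate byte sequences being promoted to signatures, and a polymorphic worm with no byte sequence in common between copies yields no signature at all.

```python
"""Signature-based detection with static and automatically generated signatures.

Added example written for this section; it is not code from the thesis, nor
from Snort, Bro, Autograph or EarlyBird. All signatures, thresholds and sample
payloads are constructed for illustration.
"""
from collections import Counter, defaultdict

K = 8                  # length of byte sequences considered by the generator (constructed)
MIN_PREVALENCE = 3     # a sequence must occur in at least this many flows
MIN_DISPERSION = 2     # ... from at least this many sources and to this many destinations

# Static signature database: (name, byte sequence). Constructed for the example.
STATIC_SIGNATURES = [
    ("shellshock-env-function", b"() {"),
    ("sample-nop-sled", b"\x90\x90\x90\x90\x90\x90\x90\x90"),
]


def match_static(payload, signatures=STATIC_SIGNATURES):
    """Names of every signature whose byte sequence occurs in the payload."""
    return [name for name, sig in signatures if sig in payload]


def kgrams(payload, k=K):
    """Set of distinct k-byte sequences in a payload (a flow counts each sequence once)."""
    return {payload[i:i + k] for i in range(len(payload) - k + 1)}


def generate_signatures(flows, benign_payloads, k=K,
                        min_prevalence=MIN_PREVALENCE, min_dispersion=MIN_DISPERSION):
    """Content-prevalence signature generation (simplified Autograph/EarlyBird idea).

    flows: iterable of (src, dst, payload). A k-byte sequence becomes a signature
    when it occurs in >= min_prevalence flows, from >= min_dispersion distinct
    sources to >= min_dispersion distinct destinations (address dispersion, the
    heuristic for self-propagating code), and never occurs in the benign corpus
    (the check that limits false positives on legitimate traffic).
    """
    prevalence, sources, dests = Counter(), defaultdict(set), defaultdict(set)
    for src, dst, payload in flows:
        for g in kgrams(payload, k):
            prevalence[g] += 1
            sources[g].add(src)
            dests[g].add(dst)
    benign = set().union(*(kgrams(p, k) for p in benign_payloads))
    return sorted(g for g, n in prevalence.items()
                  if n >= min_prevalence
                  and len(sources[g]) >= min_dispersion
                  and len(dests[g]) >= min_dispersion
                  and g not in benign)


# Constructed sample traffic. The worm payload carries the ShellShock test
# string inside an HTTP header; the benign payloads are ordinary User-Agent headers.
WORM = b"User-Agent: () { :; }; echo vulnerable\r\n"
BENIGN = [b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n", b"User-Agent: curl/7.68.0\r\n"]
WORM_FLOWS = [("192.0.2.%d" % i, "198.51.100.%d" % i, WORM) for i in range(1, 4)] + \
             [("192.0.2.%d" % i, "198.51.100.%d" % i, BENIGN[i % 2]) for i in range(4, 7)]

# A polymorphic worm: three copies that share no K-byte sequence, so nothing is generated.
POLY_FLOWS = [("192.0.2.1", "198.51.100.1", b"AAAAAAAAAAAAAAA;id"),
              ("192.0.2.2", "198.51.100.2", b"BBBBBBBBBBBBBBB;id"),
              ("192.0.2.3", "198.51.100.3", b"CCCCCCCCCCCCCCC;id")]


def demo():
    """Run the three scenarios and return their results for inspection."""
    static_hits = match_static(WORM)
    generated = generate_signatures(WORM_FLOWS, BENIGN)
    poly = generate_signatures(POLY_FLOWS, BENIGN)
    return static_hits, generated, poly


if __name__ == "__main__":
    hits, generated, poly = demo()
    print("static match:", hits)
    print("generated signatures:", generated)
    print("polymorphic worm signatures:", poly)
```

Dropping the benign corpus (passing an empty list) makes the generator emit the "User-Agent: " prefix as well, which is exactly the kind of signature that would flag every legitimate browser request; that is the false-positive failure mode the cited work on misleading signature generators is about.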

2.4.4 Anomaly-based Network Detection System

An anomaly-based detection system examines network traffic in order to build a profile of normal behaviour and then raises an alarm for events that deviate from that profile (Liao et al., 2013). In contrast to signature-based systems, anomaly-based systems can detect new attacks (Li et al., 2008). Anomaly-based detection systems look for deviations from the normal profile based on either datagram header information or payload information (Cheema et al., 2009). Datagram-header based anomaly detection systems use header fields (such as source and destination addresses, ports and protocol flags) to build a model of the normal flow of traffic and then attempt to detect any deviation from that model in the observed traffic. Payload-based anomaly detection systems observe the payload content of network traffic to identify byte patterns that indicate the presence of a worm.
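The datagram-header based approach described above, as an added example that is not code from the thesis or from the cited literature: a profile of normal traffic is learned from header fields only (timestamp, source, destination, destination port), and a window whose per-source statistics lie far above the learned mean raises an alarm. The window length, the z-score threshold, the two features (distinct destination hosts and distinct destination ports per source per window) and the sample header records are all constructed for the illustration. A scanning worm that sweeps many hosts on one port is the classic header-visible anomaly; the example also handles the vertical case (one host, many ports), and treats a zero standard deviation in the profile as a unit to avoid dividing by zero.

```python
"""Datagram-header based anomaly detection, as an added example.

Illustration code written for this section, not a detector from the thesis or
the cited literature. Window length, threshold, features and sample headers
are constructed.
"""
import math
from collections import defaultdict

WINDOW = 10.0        # seconds per observation window (constructed choice)
THRESHOLD = 3.0      # alarm when a feature is more than 3 standard deviations above normal


def window_features(headers, window=WINDOW):
    """Summarise header records per (window index, source host).

    headers: iterable of (timestamp, src, dst, dport) tuples.
    Returns {(window_index, src): (distinct destination hosts, distinct destination ports)}.
    Only header fields are used; payloads are never inspected.
    """
    dsts, ports = defaultdict(set), defaultdict(set)
    for ts, src, dst, dport in headers:
        key = (int(ts // window), src)
        dsts[key].add(dst)
        ports[key].add(dport)
    return {k: (len(dsts[k]), len(ports[k])) for k in dsts}


def build_profile(training_headers, window=WINDOW):
    """Mean and (population) standard deviation of each feature over the training windows."""
    feats = list(window_features(training_headers, window).values())
    n = len(feats)
    means = [sum(f[i] for f in feats) / n for i in range(2)]
    stds = [math.sqrt(sum((f[i] - means[i]) ** 2 for f in feats) / n) for i in range(2)]
    return means, stds


def detect(profile, headers, threshold=THRESHOLD, window=WINDOW):
    """Return [(window_index, src, features, z)] for every window above the threshold.

    The z-score is computed per feature and the largest is used, so a horizontal
    scan (many hosts, one port) and a vertical scan (one host, many ports) both
    alarm. A zero standard deviation is replaced by 1.0 to avoid division by zero.
    """
    means, stds = profile
    alarms = []
    for (widx, src), feat in sorted(window_features(headers, window).items()):
        z = max((feat[i] - means[i]) / (stds[i] or 1.0) for i in range(2))
        if z > threshold:
            alarms.append((widx, src, feat, round(z, 1)))
    return alarms


def constructed_training_headers():
    """Constructed 'normal' traffic: three clients each talk to 1-3 servers per window."""
    headers = []
    for w in range(6):
        for i, src in enumerate(("10.0.0.1", "10.0.0.2", "10.0.0.3")):
            for j in range(1 + (w + i) % 3):
                headers.append((w * WINDOW + j, src, "10.0.1.%d" % j, 80 if j % 2 == 0 else 443))
    return headers


def constructed_test_headers():
    """Constructed window 100: one normal client plus one host sweeping 40 hosts on port 445."""
    headers = [(1000.0, "10.0.0.1", "10.0.1.0", 80), (1001.0, "10.0.0.1", "10.0.1.1", 443)]
    headers += [(1000.0 + 0.1 * k, "10.0.0.9", "10.0.2.%d" % k, 445) for k in range(40)]
    return headers


if __name__ == "__main__":
    profile = build_profile(constructed_training_headers())
    print("profile (means, stds):", profile)
    for alarm in detect(profile, constructed_test_headers()):
        print("ALARM window=%d src=%s features=%s z=%.1f" % alarm)
```

Because the profile is learned from whatever traffic is observed during training, a worm already active in that period would be absorbed into the "normal" model; in practice the training capture has to be vetted, which is one reason the two approaches are usually combined rather than used alone.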

Significant research efforts in anomaly-based network intrusion detection systems led to the existence of numerous approaches (Jyothsna et al., 2011; Liao et al., 2013) that identify the presence of worms using datagram header information or payload informa-