Posted by mady | Posted in Billy Goat System | Posted on 12:56 AM
What is Billy Goat System?
Billy Goat is a sensor-based system built with the specific purpose of
detecting and identifying network service worms. Because of this narrow
focus, Billy Goat can take advantage of worm-specific properties that
would hinder general-purpose intrusion-detection systems, yielding more
efficient and accurate detection.
What are the characteristics of Billy Goat System?
The requirements of worm detection shape the desired characteristics of
such a worm-detection system (WDS), particularly in the following aspects:
1. Accuracy: The goal of a WDS is the identification of worm-infected
machines. To offer real utility, it must be able to perform this task
with a high level of accuracy, so that its reports can be trusted by
system and network administrators as the basis for containment and
remediation action. A WDS can use highly specialized techniques to
detect worm-infected machines. This enables increased accuracy, at the
expense of the ability to detect a wider range of attacks.
2. Speed: Given the explosive nature of modern worms, a WDS should be
able to detect an infected machine as quickly as possible, to provide
its users a chance to contain the damage, or even to function as the
basis for an automated response system.
3. Manageability: New worms and worm variants appear almost every day,
so the components of a WDS need to be updated regularly. At a systems
level, this process must be automated as much as possible, to be able
to deal with the monitoring of very large networks. At middleware and
architecture levels, this means the base infrastructure must offer
sufficient flexibility to enable the rapid creation of new detection
capabilities.
4. Interoperability: Many organizations suffer from the proliferation
of security tools, each with their own control, monitoring and
reporting mechanisms. Furthermore, many places already have some form
of monitoring console, virus-response policies and procedures, etc. A
WDS should integrate as much as possible with the existing tools and
processes.
5. Resilience: A WDS must operate under extreme conditions in terms of
network and processing load, particularly during worm outbreaks. These
conditions are more likely to induce failures than other environments.
However, a WDS has a specific advantage not enjoyed by most other IDSs:
because of the repetitive nature of worm activity, the WDS can afford to
lose some data without reducing its utility. In practice, this means it
is satisfactory to build a system that can "forcefully" recover from
failure (for example, by automatically rebooting or even reinstalling
itself) rather than trying to resist it.
6. Graceful degradation: While WDSs may benefit from a distributed
architecture, most worm outbreaks have the effect of overloading
network links. It is therefore necessary for all sensors to be able to
operate on their own (for example, reporting only local data). Given
this condition, while the global system may be impeded, its individual
sensors can still be useful during a worm outbreak.
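The Accuracy and Resilience points above both rest on one worm-specific property: an infected host repeats the same action (one service port, many distinct targets) far more than any legitimate client does. The following added example, which is not code from Billy Goat or its authors, illustrates a detector built on that property. It keeps, per source address, the set of distinct (destination, port) pairs seen in a sliding time window and flags the source once that set exceeds a threshold; it then reruns the same detector with every third event deliberately dropped to show that the verdict survives data loss. The traffic, thresholds and addresses are constructed for the demonstration and are assumptions, not values from the page.

```python
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One observed connection attempt (constructed record format)."""
    ts: float    # seconds since an arbitrary epoch
    src: str     # source address
    dst: str     # destination address
    dport: int   # destination port


def build_sample_events():
    """Constructed sample traffic, not captured data: an ordinary client
    (10.0.0.5) contacting five servers over 443, and a worm-like host
    (10.0.0.77) sweeping port 445 across 30 addresses in six seconds."""
    events = []
    for i in range(5):
        events.append(Conn(100.0 + i * 7, "10.0.0.5", f"10.0.1.{10 + i}", 443))
    for i in range(30):
        events.append(Conn(120.0 + i * 0.2, "10.0.0.77", f"10.0.2.{i + 1}", 445))
    events.sort(key=lambda c: c.ts)
    return events


class WormScanDetector:
    """Flags a source that touches too many distinct (dst, port) pairs
    within a sliding window. Threshold and window are assumed values."""

    def __init__(self, window_secs=60.0, distinct_targets=12):
        self.window = window_secs
        self.threshold = distinct_targets
        self._recent = defaultdict(deque)    # src -> deque of (ts, (dst, dport))
        self._counts = defaultdict(Counter)  # src -> (dst, dport) -> hits in window
        self.flagged = {}                    # src -> ts at which it was first flagged

    def observe(self, conn):
        """Feed one connection; return the source address the first time it
        crosses the threshold, otherwise None."""
        q = self._recent[conn.src]
        counts = self._counts[conn.src]
        # Expire events that have fallen out of the window for this source.
        while q and conn.ts - q[0][0] > self.window:
            _, old_key = q.popleft()
            counts[old_key] -= 1
            if counts[old_key] == 0:
                del counts[old_key]
        key = (conn.dst, conn.dport)
        q.append((conn.ts, key))
        counts[key] += 1
        # Distinct targets, not raw connection count, is the worm signal:
        # a chatty client hitting one server many times stays below it.
        if len(counts) >= self.threshold and conn.src not in self.flagged:
            self.flagged[conn.src] = conn.ts
            return conn.src
        return None


def run_detector(events, drop_every=None):
    """Run the detector over events in time order and return {src: ts_flagged}.
    drop_every=N discards every Nth event to simulate sensor data loss."""
    det = WormScanDetector()
    for i, ev in enumerate(events):
        if drop_every and i % drop_every == drop_every - 1:
            continue  # simulated loss: the sensor never saw this event
        det.observe(ev)
    return dict(det.flagged)


if __name__ == "__main__":
    evs = build_sample_events()
    print("complete feed :", run_detector(evs))
    print("lossy feed    :", run_detector(evs, drop_every=3))
```

Run stand-alone, both lines name only 10.0.0.77; the legitimate client never accumulates enough distinct targets to be flagged, and dropping a third of the events merely delays the worm's detection by a few tenths of a second rather than suppressing it.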
A Final Word
Billy Goat has been designed to be scalable, to operate gracefully in
a large distributed environment, and to provide extremely accurate
detection of worm-infected machines. This paper describes a number of
interesting or useful techniques and components identified during the
process of developing Billy Goat.