What Are Internet Worms? Part 2

Detection of Host
Host detection
Peer-to-peer programs and Windows file sharing can be used as a medium for worm propagation; because the worm's queries are generated by the peer-to-peer program itself, they look like ordinary traffic. Detecting this mechanism at the network level will be difficult unless the IDS is implemented to identify these patterns. In such an implementation, the IDS analyzes traffic patterns against a database of specific signatures.

Anti-virus Behavior Blocking
Behavior blocking is a technique used by anti-virus programs to stop a malicious program while it is carrying out its actions. Although the effort was considered successful, this technique is not widely used because of usability problems and false positives.

Wormholes and Honeyfarms
A honeypot is a host that is deliberately left to be taken over by an intruder in order to detect and analyze the intruder's behavior. Honeypots distributed across a network (a honeynet) can form an accurate detector, but the cost (especially administration and hardware costs) is the barrier to implementing a honeynet.

One example of an economical honeypot implementation is to build the honeypot system on a network separate from the workstations or servers, and to redirect traffic on certain ports, those suspected of being used by the worm to spread, to the honeypot. A honeypot can use virtual machine technology to create images of many vulnerable systems.

Detection in Network
Detection on the LAN or WAN
A machine infected by a worm will generate scanning traffic that can be detected. Detection can be performed at the gateway or by an IDS placed between the gateway and the LAN or WAN.

Detection at an ISP or Backbone
A worm that has been known to spread itself generally performs scanning first to find new targets. A dramatic increase in network traffic on the ISP backbone indicates that a worm may have attacked the network.
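As an added example (not code from the original article), the following Python sketch implements the gateway-side scan detection described in the two sections above over a constructed set of flow records: a source that contacts many distinct hosts on one port inside a short time window is flagged as a likely worm scanner. The flow record layout, the window length and the threshold are assumptions chosen for the illustration.

```python
"""Flag worm-like scanning: one source contacting many distinct destinations
on a single port within a short window (e.g. at a gateway or LAN IDS)."""
from collections import defaultdict, deque

# Constructed sample flows (timestamp_seconds, src, dst, dst_port); not real traffic.
SAMPLE_FLOWS = sorted(
    # 10.0.0.5 sweeps twelve neighbours on TCP/445, one host per second
    [(t, "10.0.0.5", f"10.0.1.{t + 1}", 445) for t in range(12)]
    # 10.0.0.7 repeatedly opens the same file share: legitimate, one destination
    + [(t * 5, "10.0.0.7", "10.0.1.50", 445) for t in range(3)]
    # 10.0.0.9 browses many web servers on TCP/80: another port, not a 445 scan
    + [(t * 2, "10.0.0.9", f"203.0.113.{t + 1}", 80) for t in range(15)]
)


def detect_scanners(flows, port, window, threshold):
    """Return {src: max_distinct_destinations} for every source that reached
    at least `threshold` distinct hosts on `port` within any `window`-second
    span. `flows` must be ordered by timestamp (as a flow exporter emits them)."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, dst) inside the window
    flagged = {}
    for ts, src, dst, dport in flows:
        if dport != port:
            continue
        q = recent[src]
        q.append((ts, dst))
        # drop records that have aged out of the sliding window
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    # Ten distinct 445 targets within 30 s is treated as scanning here.
    for src, fanout in detect_scanners(SAMPLE_FLOWS, 445, 30, 10).items():
        print(f"suspected worm scanner {src}: {fanout} distinct hosts on port 445")
```

The threshold and window must be tuned per network: a busy file server or a vulnerability scanner run by the administrators would trip this rule, which is exactly the false-positive problem discussed under Response below.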

Response and Recovery
Response
Malware such as worms and viruses can spread faster than humans can analyze and respond to it. A good defense strategy against worms can therefore be carried out automatically. An automatic response can slow the worm and limit its room to move.

An automatic response usually takes the form of blocking the worm's activity. The weakness of automatic response is that false positives and false negatives are common. A false positive is a situation where no worm is present but a response is triggered anyway because of worm-like indications, while a false negative is a situation where a worm attack is genuinely underway but no response is given.

The decision to respond to the presence of a worm on the network must be made wisely. That means the decision must be based on technical analysis that involves many aspects, such as statistics, usage policy, and security advisories.

Host Response
A response process at the computer-system level will involve a personal firewall that is able to read the alerts generated by a host-based IDS. At this level, the response can be more effective in containing the worm's activity.

Network Response
The response at this level should combine blocking techniques with the ability to receive alerts and separate out the classes of traffic suspected of being a spreading worm. Network-based IDSs such as Snort and Prelude can be used to identify the presence of worms by passively analyzing network traffic.

ISP Response
Although the difficulty of automatic response at this level is quite high, the scale of protection the system can provide is a greater consideration. An automatic response at the ISP level must first be well tested, because false positives and false negatives can easily occur.

Recovery
Recovery is considered one of the efforts to slow the spread of worms. Restoring the condition of infected systems will at least reduce the spread of the worm to new hosts. The following are some of the methods used in recovery efforts against worm attacks.

Anti-worms
Although it is illegal and less practical, an anti-worm or "white worm" can close the security holes and limit the room to move of another type of worm. It looks very attractive, but the practical limitations are less significant than the legal factors that make an anti-worm unjustifiable under the law. A significant practical limitation of an anti-worm is that it can only repair the damage caused by one type of worm.

At least three (3) types of anti-worm have appeared on the Internet: the Cheese worm, which spreads using the backdoor created by the 1ion worm; Code Green, which takes advantage of the holes made by CodeRed II; and CRClean, which provides a response to CodeRed II attacks.

Distribution of patches and updates
The recovery method of distributing patches to update the vulnerable programs on a computer system is considered an effective method. Distribution can be done by software vendors and by administrators handling a large number of hosts on the LAN or WAN.
One weakness of this method is that the intruder can use the worm to control a large number of hosts and use those hosts for a DoS attack that disrupts the response to the worm. The DoS target is usually the vendor of the vulnerable programs exploited by the worm.

Conclusion
As autonomous intrusion agents, Internet worms are a threat to networks on both large and small scales. Once the common distribution methods, the mechanisms, the motivation for creating a worm, and the means of detecting a worm on a host or network are known, they need to be handled seriously in order to counter outbreaks of Internet worms. Anticipating worm attacks, which are now and will in the future be more diverse, remains a difficult task. Cooperation among the various related service providers, such as Internet access providers, is needed so that a worse impact does not occur.
