The Billy Goat is a specialized tool designed to address the problems
posed by network service worms. As an intrusion-detection sensor,
its most important property is that it is free from the high rate
of false alarms produced by many other sensors. It achieves this
property through the use of a novel architecture that combines an
extensive network view, spoofed service interaction with potential
attackers, and a clear focus on detecting automated attacks.
It functions by analyzing and responding to network requests directed
toward unbound IP addresses (i.e. addresses to which no machine is
assigned). Because these requests are directed toward unbound addresses,
they are a priori suspicious.
The fact that Billy Goat is a first-person participant in the service
requests, rather than merely an observer as with most intrusion-detection
sensors, allows interactive, and hence accurate, analysis of the
nature of the requests.
A direct result of its design is that it is especially well suited
for the detection of wide-scale attacks and service-based worms
such as Nimda and Code Red, which attack Microsoft's Internet Information
Server (IIS), the MS/SQL Sapphire worm, and the MS/DCOM Blaster
worm. By contrast, it is not well suited for the detection of semi-automated
malicious e-mail, such as SoBig, or of attacks directed against
a specific existing machine or service. The detector is not Microsoft-specific
but aims to address the most problematic vulnerabilities.
The fact that the sensor does not produce false positives allows
it to form the basis of an automated intrusion response system.
While such a response system is necessarily tailored to the environment
in which it is deployed, we have focused primarily on response mechanisms
that aim to inform users that their machines are misbehaving or
misconfigured; additional information concerning corrective action
or services can be provided.
Deploying Billy Goat is primarily a matter of configuring the network
to route traffic destined for unbound addresses to the Billy Goat machine
rather than merely dropping it. The addresses routed to it can be unused
subnets of the organization's own address ranges or standard unroutable address ranges.
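As an added illustration (not part of the original paper or of the Billy Goat code), the following Python sketch applies the page's core rule: requests to unbound addresses are suspicious a priori, and a source that walks across several of them is behaving like an automated worm rather than a mistyped address. The address blocks, spoofed ports, log format and sample records are constructed; the spoofed service interaction itself is not modelled.

```python
import ipaddress
from collections import defaultdict

# Constructed: address blocks that hold no machines and that the network routes
# to the sensor instead of dropping (an unused subnet plus a documentation range).
UNBOUND_RANGES = [ipaddress.ip_network("10.0.5.0/24"),
                  ipaddress.ip_network("192.0.2.0/24")]

# Assumed: ports on which the sensor spoofs a service (IIS, MS/SQL, DCOM RPC).
SPOOFED_PORTS = {80, 1434, 135}

def is_unbound(dst):
    """True when dst falls in a block that has no real host behind it."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in UNBOUND_RANGES)

def parse_line(line):
    """Constructed log format: '<epoch> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)

def analyze(lines, min_targets=3):
    """Group requests to unbound addresses by source.  A source that touches
    at least min_targets distinct unbound addresses is behaving like an
    automated scanner; a single stray request is left alone."""
    per_src = defaultdict(lambda: {"targets": set(), "ports": set()})
    for line in lines:
        _, src, dst, dport = parse_line(line)
        if not is_unbound(dst) or dport not in SPOOFED_PORTS:
            continue  # real hosts and unspoofed ports are outside the sensor's view
        per_src[src]["targets"].add(dst)
        per_src[src]["ports"].add(dport)
    return {src: {"targets": len(d["targets"]), "ports": sorted(d["ports"])}
            for src, d in per_src.items() if len(d["targets"]) >= min_targets}

# Constructed sample: one host sweeping unbound addresses on port 80, one host
# making a single stray request, and one request to a real (bound) machine.
SAMPLE_LOG = [
    "1000 203.0.113.7 10.0.5.1 80",
    "1001 203.0.113.7 10.0.5.2 80",
    "1002 203.0.113.7 10.0.5.3 80",
    "1003 203.0.113.7 192.0.2.9 80",
    "1004 198.51.100.9 10.0.5.200 80",
    "1005 203.0.113.7 10.0.9.1 80",
]

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))  # {'203.0.113.7': {'targets': 4, 'ports': [80]}}
```

Only the sweeping source is reported; the single stray request and the request to a bound address never reach the sensor's verdict, which is what keeps the false-alarm rate low.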