Vigilante: End-to-End Containment of Internet Worms Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang and Paul Barham.

SOSP 2005
Presented by Elias P. Papadopoulos

Worm
- Standalone malware that replicates itself in order to spread to other computers
- Spreads too fast for humans to respond: the Slammer worm infected 90% of vulnerable hosts in only 10 minutes

Worm Containment
- Analyze network traffic
- Generate signatures and block matching traffic
- Block hosts with abnormal behavior
- Network-level techniques have no information about the vulnerabilities being exploited

Vigilante's Architecture
- Host-based detection: instrument software to analyze infection attempts
- Cooperative detection without trust: detectors generate self-certifying alerts (SCAs) and broadcast them
- Vulnerable hosts generate filters to block infection
- Contains fast-spreading worms: no false positives, deployable today

Self-Certifying Alerts
- Verifiable proofs of vulnerability: they identify the application and the type of vulnerability, contain the exact steps to compromise the host, and contain verification information
- Enable hosts to replay the infection
- Verification has no false positives

Vigilante's Architecture (figure)

Alert Types (1/2)
1. Arbitrary Execution Control (AEC): identifies vulnerabilities that allow worms to redirect execution to arbitrary existing code in a service's address space
2. Arbitrary Code Execution (ACE): code-injection vulnerability; specifies how to execute an arbitrary piece of code supplied in a message

Alert Types (2/2)
3. Arbitrary Function Argument (AFA): data-injection vulnerability; specifies how to invoke a specific critical function with an argument supplied in a message

SCA Example (figure): the address of the code to execute is contained at this offset within the message

Alert Verification
Properties:
- Fast
- Simple and generic
- No false positives
(figure: the SCA is replayed inside a sandbox)

Alert Generation
- Log messages; remove old messages and messages already included in generated SCAs
- If the engine detects an infection attempt, search the log and generate candidate SCAs
- SCAs that get verified are distributed to the vulnerable hosts
Two detection engines:
1. Non-executable pages
2. Dynamic dataflow analysis

Non-Executable Pages
- Use NX protection on stack and heap pages to detect code-injection attacks
- Search the logged messages for the address or the code that caused the exception
- Use the matching message as the candidate SCA; keep adding earlier messages until the SCA verifies
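The NX detector's search-then-verify loop, as an added example (not Vigilante's code): after the service faults on a non-executable page, the detector looks through its message log, newest first, for the faulting address (an AEC candidate) or, failing that, for the bytes it found at that address (an ACE candidate), then grows the candidate SCA backwards through the log until a sandboxed replay verifies it. Verification substitutes the verifier's own target for the attacker's, so a coincidental match in the log cannot produce a valid SCA. The toy service, the log, the fault records, VERIFIED_ADDR and VERIFIED_STUB are all constructed for this example.

```python
"""Added illustration of Vigilante's NX-based alert generation (constructed toy, not the
real x86 detector): search the log for the faulting address or code, then grow the
candidate SCA until a sandboxed replay of the messages verifies it."""
import struct
from dataclasses import dataclass

VERIFIED_ADDR = 0x0BADF00D     # assumed address of the verifier's Verified() routine
VERIFIED_STUB = b"\xcc" * 8    # assumed code the verifier substitutes for injected code

@dataclass
class Fault:
    eip: int             # address the CPU tried to execute when NX fired
    code_at_eip: bytes   # bytes the detector read from that address (b"" if unmapped)

@dataclass
class SCA:
    kind: str            # "AEC" (address came from a message) or "ACE" (code came from one)
    messages: list       # messages the verifier must replay, in order
    offset: int          # byte offset of the address/code inside the last message
    service: str = "toy-service"

def find_in_log(log, needle):
    """Newest first: the probe that triggered the fault is normally the latest message."""
    for i in range(len(log) - 1, -1, -1):
        off = log[i].find(needle)
        if off >= 0:
            return i, off
    return None

def candidate_scas(log, fault):
    """Yield candidates of increasing size; the caller stops at the first that verifies."""
    needle = struct.pack("<I", fault.eip)          # x86 stores the address little-endian
    hit, kind = find_in_log(log, needle), "AEC"
    if hit is None and fault.code_at_eip:          # address not in the log: try the code
        needle = fault.code_at_eip[:len(VERIFIED_STUB)]
        hit, kind = find_in_log(log, needle), "ACE"
    if hit is None:
        return
    i, off = hit
    for start in range(i, -1, -1):                 # prepend earlier messages (a handshake, say)
        yield SCA(kind, log[start:i + 1], off)

def toy_service(messages):
    """Stand-in for the sandboxed vulnerable service: after HELLO it obeys EXEC (jumps to a
    message-supplied address) and RUN (executes message-supplied bytes)."""
    greeted = False
    for m in messages:
        if m == b"HELLO\n":
            greeted = True
        elif greeted and m.startswith(b"EXEC "):
            return ("pc", struct.unpack("<I", m[5:9])[0])
        elif greeted and m.startswith(b"RUN "):
            return ("code", m[4:])
    return None

def verify(sca, service=toy_service):
    """Replace the attacker's address or code with the verifier's own and replay: the SCA is
    valid only if the verifier's target is actually reached."""
    msgs = list(sca.messages)
    last = bytearray(msgs[-1])
    if sca.kind == "AEC":
        last[sca.offset:sca.offset + 4] = struct.pack("<I", VERIFIED_ADDR)
    else:
        last[sca.offset:sca.offset + len(VERIFIED_STUB)] = VERIFIED_STUB
    msgs[-1] = bytes(last)
    result = service(msgs)
    if sca.kind == "AEC":
        return result == ("pc", VERIFIED_ADDR)
    return result is not None and result[0] == "code" and VERIFIED_STUB in result[1]

def generate_sca(log, fault):
    """Detector loop: the smallest candidate the verifier accepts, or None."""
    for sca in candidate_scas(log, fault):
        if verify(sca):
            return sca
    return None

# Constructed message logs and faults (sample bytes only).
SHELLCODE = b"\x90\x90\x90\x90\x31\xc0\x50\x68\x2f\x2f\x73\x68"
LOG_AEC = [b"GET /status\n", b"HELLO\n",
           b"EXEC " + struct.pack("<I", 0x0012FF80) + SHELLCODE]   # jumps into its own payload
FAULT_AEC = Fault(eip=0x0012FF80, code_at_eip=SHELLCODE)
LOG_ACE = [b"HELLO\n", b"RUN " + SHELLCODE]                         # address never sent
FAULT_ACE = Fault(eip=0x00230010, code_at_eip=SHELLCODE)
```

`generate_sca(LOG_AEC, FAULT_AEC)` first tries the EXEC probe alone, which fails verification because the toy service ignores it without the preceding HELLO, then succeeds with both messages and offset 5; the ACE case finds the code bytes at offset 4 of the RUN message.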

Dynamic Dataflow Analysis
- Track the flow of data received in certain network/input operations; this data is marked dirty
- If dirty data is about to be loaded into the program counter, signal an Arbitrary Execution Control attempt

Dynamic Dataflow Analysis (continued)
- If dirty data is about to be executed, signal an Arbitrary Code Execution attempt
- If an argument to a critical function is dirty, signal an Arbitrary Function Argument alert

Alert Distribution
- Pastry overlay to broadcast SCAs: detectors flood SCAs over overlay links
- DoS protection: per-link rate limits; per-hop filtering and verification; controlled disclosure of overlay membership

Automatic Filter Generation
- Generate filters by analyzing the execution path followed when the messages in the SCA are replayed
- Apply dynamic data and control flow analysis to determine the execution path that exploits the vulnerability
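The dynamic dataflow detector from the two preceding slides and the filter generator from this one share the same machinery, so one added example covers both (a constructed toy, not Vigilante's x86 instrumentation). A tiny register machine tags every memory byte and register with the message offset it was copied from; the three sinks (a jump through a dirty register, execution of dirty bytes, a dirty argument to a critical function) raise AEC, ACE and AFA alerts. Every conditional branch decided by dirty bytes is recorded on the way, and the conjunction of those conditions is the filter: it matches any message that follows the same path to the vulnerability regardless of the payload bytes, and rejects messages that do not. MAGIC, BUF, the instruction set, SERVICE and the probe messages are assumptions of the example.

```python
"""Added toy: byte-level taint tracking on a small register machine, used as the dynamic
dataflow detector (AEC/ACE/AFA) and as the filter generator.  Not Vigilante's own code."""

MAGIC = 0x56   # protocol version byte the constructed service insists on
BUF = 32       # address of the service's scratch buffer in VM memory

class Alert(Exception):
    """Raised when message-derived ("dirty") data reaches a dangerous sink."""
    def __init__(self, kind, offsets, conditions):
        super().__init__(f"{kind}: message offsets {offsets} reach the sink")
        self.kind, self.offsets, self.conditions = kind, offsets, conditions

class TaintVM:
    def __init__(self, program, message, mem_size=64):
        self.prog, self.pc = program, 0
        self.mem = [0] * mem_size
        self.taint = [None] * mem_size   # per byte: message offset it came from, or None
        self.regs, self.rtaint = {}, {}
        self.conditions = []             # (offsets, op, value) for branches on dirty data
        for i, b in enumerate(message):  # receive(): the message lands at address 0, dirty
            self.mem[i], self.taint[i] = b, i

    def run(self, max_steps=200):
        for _ in range(max_steps):
            op, *args = self.prog[self.pc]
            self.pc += 1
            if op == "halt":
                return
            getattr(self, "op_" + op)(*args)
        raise RuntimeError("step limit exceeded")

    # Data movement propagates taint byte for byte.
    def op_load(self, r, addr):
        self.regs[r], self.rtaint[r] = self.mem[addr], (self.taint[addr],)

    def op_load32(self, r, addr):
        self.regs[r] = int.from_bytes(bytes(self.mem[addr:addr + 4]), "little")
        self.rtaint[r] = tuple(self.taint[addr:addr + 4])

    def op_copy(self, dst, src, n):
        for i in range(n):
            self.mem[dst + i], self.taint[dst + i] = self.mem[src + i], self.taint[src + i]

    # A branch decided by dirty bytes becomes one condition of the filter.
    def op_jeq(self, r, value, target):
        taken = self.regs[r] == value
        if all(o is not None for o in self.rtaint[r]):
            self.conditions.append((self.rtaint[r], "==" if taken else "!=", value))
        if taken:
            self.pc = target

    # The three sinks the detector watches.
    def _check(self, kind, offsets):
        if any(o is not None for o in offsets):
            raise Alert(kind, tuple(o for o in offsets if o is not None), list(self.conditions))

    def op_jmpr(self, r):               # dirty data about to be loaded into the PC
        self._check("AEC", self.rtaint[r])
        self.pc = self.regs[r]

    def op_exec(self, addr, n=4):        # dirty bytes about to be executed as code
        self._check("ACE", tuple(self.taint[addr:addr + n]))

    def op_callc(self, name, addr):      # dirty argument passed to a critical function
        self._check("AFA", (self.taint[addr],))

# Constructed vulnerable service. Message layout: [0]=version [1]=command [2:]=payload.
SERVICE = [
    ("load", "r0", 0), ("jeq", "r0", MAGIC, 3), ("halt",),                      # 0-2: version check
    ("load", "r1", 1),                                                          # 3: command byte
    ("jeq", "r1", 1, 8), ("jeq", "r1", 2, 10), ("jeq", "r1", 3, 14), ("halt",), # 4-7: dispatch
    ("callc", "system", 2), ("halt",),                                          # 8-9: system(msg+2)
    ("copy", BUF, 2, 8), ("load32", "r2", BUF + 4), ("jmpr", "r2"), ("halt",),  # 10-13: handler ptr
    ("copy", BUF, 2, 16), ("exec", BUF), ("halt",),                             # 14-16: uploaded code
]

def detect(message, program=SERVICE):
    """Run the service on one message under taint tracking; return the Alert or None."""
    try:
        TaintVM(program, message).run()
    except Alert as alert:
        return alert
    return None

def make_filter(conditions):
    """Vulnerable hosts drop any message that satisfies every recorded path condition."""
    def matches(msg):
        for offsets, op, value in conditions:
            if max(offsets) >= len(msg):
                return False
            got = int.from_bytes(bytes(msg[o] for o in offsets), "little")
            if (got == value) != (op == "=="):
                return False
        return True
    return matches

# Constructed probes.
WORM_AEC = bytes([MAGIC, 2]) + b"AAAA" + (0x41414141).to_bytes(4, "little") + b"\x00\x00"
WORM_ACE = bytes([MAGIC, 3]) + b"\x90" * 14 + b"\xcc\xcc"
WORM_AFA = bytes([MAGIC, 1]) + b"/bin/sh\x00"
BENIGN = bytes([MAGIC, 9]) + b"hello"          # unknown command: the service just halts
```

`detect(WORM_AEC)` reports that message offsets 6..9 reach the program counter after passing through the copy into BUF; the filter built from that alert's conditions (version == MAGIC, command != 1, command == 2) still matches a variant with a different handler address, and does not match the benign message or a message with another version byte.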

Evaluation
- Three real worms: Slammer (SQL Server) ~ infected; Blaster (RPC service) ~ infected; CodeRed (IIS server) ~ infected
- Measurements of the prototype implementation: SCA generation and verification, filter generation, filtering overhead
- Simulations of SCA propagation under attack

SCA Generation Time
- The number of instructions executed in CodeRed is larger, and the engine has to dynamically translate a number of libraries loaded during the worm attack
- Detectors generate an arbitrary execution control alert for Slammer and Blaster and an arbitrary code execution alert for CodeRed
- Both detectors generate SCAs fast
- The NX detector performs best: its instrumentation is less intrusive, but it is also less general

SCA Sizes: SCAs are small, and their size is mostly determined by the size of the worm probe messages

SCA Verification Time
- Verification is fast when the VM is already running
- The verification VM has low overhead (<1% CPU)

Filter Generation Time: filter generation for CodeRed is more expensive because the number of instructions analyzed is larger

Worm Containment
- Simulation: infective epidemic model; a total population of hosts, of which S are vulnerable to the attack, and a fraction p of the S hosts are detectors
- DoS attacks: infected hosts generate fake SCAs; verification time increases linearly with the number of SCAs
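The simulation model on this slide, as an added example with constructed parameters (not the paper's simulator or its numbers): a discrete-time infective model over N hosts, S of them vulnerable, a fraction p of those running detectors. Each infected host sends one probe per step to a uniformly random host. The first probe that lands on a detector yields an SCA; after a fixed propagation-plus-verification delay every vulnerable host that is still clean installs a filter and becomes immune. The DoS case is modelled by the assumption that each already-infected host floods one fake SCA and each fake SCA adds a constant verification cost to that delay.

```python
"""Added example: the slide's infective epidemic model with detectors, constructed
parameters only."""
import random

def simulate(n_hosts=20000, s_vulnerable=2000, p_detectors=0.05, alert_delay=10,
             fake_sca_cost=0.0, steps=2000, seed=7):
    """Return the fraction of the S vulnerable hosts that end up infected."""
    rng = random.Random(seed)
    vulnerable = set(range(s_vulnerable))                    # hosts 0..S-1 are vulnerable
    detectors = set(rng.sample(range(s_vulnerable), int(p_detectors * s_vulnerable)))
    targets = vulnerable - detectors                          # detectors catch the exploit instead
    infected = {rng.choice(sorted(targets))}                  # patient zero
    alert_at, contained_at = None, None
    for t in range(steps):
        if contained_at is not None and t >= contained_at:
            break                                             # clean hosts now run the filter
        for _ in list(infected):
            probe = rng.randrange(n_hosts)                    # uniform random scanning
            if probe in detectors and alert_at is None:
                alert_at = t                                  # detector generates the SCA
                # assumption: every infected host floods one fake SCA at the verifiers,
                # and verification work grows linearly with the number of SCAs
                contained_at = t + alert_delay + int(fake_sca_cost * len(infected))
            elif probe in targets:
                infected.add(probe)
        if len(infected) == len(targets):
            break                                             # worm has saturated the population
    return len(infected) / s_vulnerable
```

With no detectors the worm reaches every vulnerable host; with 5% detectors and a ten-step delay only a small fraction is infected, and both a longer delay and the fake-SCA flood can only raise that fraction, since the same seeded probe sequence is replayed until containment.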

Worm Containment (figure: simulation results for three values of S)

Filter Overhead (figure)

End-to-End Experiment
- Five machines: 1 is the detector; 2, 3 and 4 are intermediate overlay nodes; 5 is the vulnerable host
- The SCA has to reach vulnerable host number 5
- Time from the worm probe reaching host 1 until host 5 verifies the SCA: Slammer 79 ms, Blaster 305 ms, CodeRed 3044 ms

Conclusion
- Analyzing network traffic is not fast or accurate enough to contain a worm attack
- Vigilante can contain worms automatically: it requires no prior knowledge of vulnerabilities, is fast, has no false positives and low false negatives
- SCAs enable cooperation across hosts that do not trust each other