Automated Worm Fingerprinting [Singh, Estan et al.]; Internet Quarantine: Requirements for Containing Self-Propagating Code [Moore, Shannon et al.]. David W. Hill, CSCI.

Presentation transcript:


What is a worm? Self-replicating, self-propagating code. It spreads across a network by exploiting flaws in open services, as opposed to viruses, which require user action to spread. Not new: the Morris Worm, November 1988, infected 6-10% of all Internet hosts. Many more since, but none on that scale ... until Code Red.

Internet Worm History. Xerox PARC, Shoch and Hupp, 1982. Morris Worm, 1988. Code Red (V1, V2, II), 2001. NIMDA, 2001. Slammer Worm, 2003. Blaster Worm, 2003. Sasser Worm, 2004.

Code Red V1. Initial version released July 13, 2001. Exploited a known bug in Microsoft IIS web servers. 1st through 20th of each month: spread. 20th through end of each month: attack. Payload: web site defacement. Spread: random scanning of the 32-bit IP address space. But: failure to seed the random number generator → linear growth.

Code Red V2. Revision released July 19, 2001. Payload: flooding attack on … But: this time the random number generator was correctly seeded. Bingo! Resident in memory; a reboot clears the infection. Web defacement.

Code Red V2 - Spread

Code Red II. New worm released August 4, 2001. Intelligent replication engine. Installed backdoors. Used more threads.

Life Just Before Slammer

Life Just After Slammer

Worm Detection – Current Methods. Network telescopes: passive monitors that watch unused address space (downfalls: non-random, and they only provide an IP, not a signature). Honeypots: slow, manual analysis. Host-based behavioral detection: dynamically analyzes anomalous activity, but cannot infer a large-scale attack. IDS/IPS (Snort): labor-intensive, human-mediated.

Worm Containment. Host quarantine: IP ACLs, routers, firewalls (blacklist). String-matching containment. Connection throttling: slow the spread.

Earlybird – Content Sifting. Content in existing worms is invariant. The traffic dynamics of a spreading worm are atypical. The Earlybird system can extract signatures from traffic to detect worms and automatically react.

05:45: > :. 0:1460(1460) ack 1 win 8760 (DF)
0x dc 84af f ac4
0x0010 d14e eb80 06b e86 fe57 440b 7c3b .N.....P^..WD.|;
0x c8f f P."8l...GET./def
0x c74 2e f ault.ida?XXXXXXX
0x XXXXXXXXXXXXXXXX
x00e XXXXXXXXXXXXXXXX
0x00f XXXXXXXXXXXXXXXX
0x XXXXXXXXXXXXXXXX
0x XXXXXXXXX%u9090%
0x01a0 303d f31 2e30 0d0a 436f 0=a.HTTP/1.0..Co.

Signatures. Worm signature: content-based blocking [Moore et al., 2003]. The dump above is the signature for Code Red II. Signature: a payload content string specific to a worm.

Worm Behavior – Earlybird. Content invariance. Content prevalence. Address dispersion.

Earlybird Implementation. Each network packet is scanned for invariant content. Maintain a count of unique source and destination IPs per substring. Sorting by substring count and by the size of the address list determines which traffic is worm traffic. Use those substrings to automatically create signatures that filter the worm.

Earlybird Cont.

The system consists of sensors and an aggregator. Aggregator: pulls data from the sensors; activates network- or host-level blocking, reporting and control.

Earlybird – Memory & CPU. Memory and CPU-cycle constraints. Index the content table using a fixed-size hash of the packet payload. Scaled bitmaps are used to reduce the memory consumed by address-dispersion counts.

Earlybird Cont. Sensor: 1.6 GHz AMD Opteron 242, Linux 2.6 kernel. Captures using libpcap. Can sift 1 TB of traffic per day and is able to sift 200 Mbps of continuous traffic. Cisco router configured for port mirroring.

Thresholds. Content prevalence = 3. 97 percent of signatures repeat two or fewer times.

Thresholds. Address dispersion = 30 src and 30 dst. A lower dispersion threshold will produce more false positives. Garbage collection of stale entries: several hours.

Earlybird False Positives. 99 percent of FPs are from SMTP header strings and HTTP user agents: whitelist them. Spam e-mails: distributed mailers and relays. BitTorrent file striping creates a many-to-many download profile.
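Added example, not Earlybird's code: a simplified content sifter in Python that ties together the slides above. Fixed-length payload windows are fingerprinted with a fixed-size hash (a stand-in for the Rabin fingerprints a real sensor would use), content prevalence and the distinct source and destination address sets are tracked per fingerprint, the thresholds from the slides (prevalence 3, dispersion 30 sources and 30 destinations) gate signature output, and a small whitelist plays the role of the SMTP-header and User-Agent exclusions. The 32-byte window, the whitelist entries, the two payloads and every IP address are constructed for the demo; plain Python sets stand in for the scaled bitmaps.

```python
"""Simplified Earlybird-style content sifting (added illustration, not Earlybird's code).

A payload window becomes a signature only when it is both prevalent (seen often) and
dispersed (sent by many distinct sources to many distinct destinations).
"""
import hashlib
from collections import defaultdict

PREVALENCE_THRESHOLD = 3    # slide value: content seen three or more times
DISPERSION_THRESHOLD = 30   # slide value: 30 distinct sources and 30 distinct destinations
WINDOW = 32                 # assumed substring length; the slides do not give Earlybird's

# Assumed whitelist, in the spirit of the SMTP-header / HTTP User-Agent exclusions.
WHITELIST = (b"User-Agent:", b"Received: from")


def fingerprint(chunk: bytes) -> bytes:
    """Fixed-size hash so the content table is keyed by 8 bytes rather than by the
    substring itself (stand-in for the incremental fingerprint a real sensor uses)."""
    return hashlib.sha256(chunk).digest()[:8]


class ContentSifter:
    def __init__(self, prevalence=PREVALENCE_THRESHOLD,
                 dispersion=DISPERSION_THRESHOLD, window=WINDOW):
        self.prev_thr, self.disp_thr, self.window = prevalence, dispersion, window
        self.count = defaultdict(int)   # fingerprint -> content prevalence
        self.srcs = defaultdict(set)    # fingerprint -> distinct source IPs (sets, not scaled bitmaps)
        self.dsts = defaultdict(set)    # fingerprint -> distinct destination IPs
        self.first = {}                 # fingerprint -> (dst port, payload, offset) where first seen

    def observe(self, src: str, dst: str, dport: int, payload: bytes) -> None:
        """Update prevalence and address-dispersion state for every window of one packet."""
        for off in range(len(payload) - self.window + 1):
            chunk = payload[off:off + self.window]
            if any(w in chunk for w in WHITELIST):
                continue                # known-benign repeated content is never a candidate
            fp = fingerprint(chunk)
            self.count[fp] += 1
            self.srcs[fp].add(src)
            self.dsts[fp].add(dst)
            self.first.setdefault(fp, (dport, payload, off))

    def signatures(self):
        """Return (dst port, substring) pairs that pass both thresholds; overlapping windows
        first seen in the same packet are coalesced into one longer signature."""
        spans = {}
        for fp, n in self.count.items():
            if (n < self.prev_thr or len(self.srcs[fp]) < self.disp_thr
                    or len(self.dsts[fp]) < self.disp_thr):
                continue
            dport, payload, off = self.first[fp]
            lo, hi = spans.get((dport, payload), (off, off + self.window))
            spans[(dport, payload)] = (min(lo, off), max(hi, off + self.window))
        return sorted((dport, payload[lo:hi]) for (dport, payload), (lo, hi) in spans.items())


# Constructed traffic: one payload shaped like the slide's Code Red II excerpt, one benign request.
WORM_PAYLOAD = b"GET /default.ida?" + b"X" * 60 + b"%u9090%u6858=a HTTP/1.0\r\n"
BENIGN_PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\nAccept: text/html\r\n\r\n"


def build_demo_sifter() -> ContentSifter:
    """40 infected hosts each probe a different target (prevalent AND dispersed), while
    100 clients fetch the same page from one server (prevalent, but a single destination)."""
    sifter = ContentSifter()
    for k in range(40):
        sifter.observe(f"10.0.{k}.1", f"192.0.2.{k}", 80, WORM_PAYLOAD)
    for k in range(100):
        sifter.observe(f"172.16.0.{k}", "203.0.113.5", 80, BENIGN_PAYLOAD)
    return sifter


if __name__ == "__main__":
    for port, sig in build_demo_sifter().signatures():
        print(f"port {port}: {sig!r}")
```

Running it yields exactly one signature, the worm request on port 80, while the popular page fetched by 100 clients is never emitted because all of it flows to one destination; that is the address-dispersion test doing the work that prevalence alone cannot.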

Earlybird – Issues of Concern. Encrypted traffic: SSH, SSL, IPsec, VPNs. Polymorphism. IP source-address spoofing. Packet injection.

Earlybird – Current State. UCSD → NetSift → Cisco.

Internet Quarantine – Requirements for Containing Self-Propagating Code. Prevention: managing vulnerabilities. Treatment: disinfection tools, patches. Containment: firewalls, content filters, blacklists. How to completely automate?

Modeling Containment. Reaction time: the time needed to detect the worm and activate containment. Containment strategy: blacklisting or content filtering. Deployment scenario: how many nodes are participating.
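Added example, not the paper's model: a toy discrete-time simulation in Python of the three parameters named on this slide and compared on the next ones. A uniformly scanning worm spreads through a vulnerable population; after the reaction time, a fraction of paths (the deployment coverage) either filters the worm's content outright or blocks scans only from hosts already known to be infected, where that knowledge lags by the reaction time. The population size, scan rate, initial infection, coverage and horizon are constructed values chosen to make the comparison visible.

```python
"""Toy containment model for a uniformly scanning worm (added example, not the paper's model).

Each 1-second step, every effective scanner sends scan_rate probes into the 2^32 address
space; a probe infects a host with probability susceptible / 2^32.
"""
ADDRESS_SPACE = 2 ** 32


def simulate(vulnerable=100_000, scan_rate=4000.0, initial=10, horizon=300,
             strategy=None, reaction_time=0, coverage=0.0):
    """Return the infected count at t = 0..horizon (constructed defaults).

    strategy:
      None         no containment
      "content"    after reaction_time, covered paths drop all worm content
      "blacklist"  after reaction_time, covered paths drop scans from hosts that were
                   already infected reaction_time seconds ago (list knowledge lags)
    """
    history = [float(initial)]
    for t in range(horizon):
        infected = history[-1]
        susceptible = vulnerable - infected
        if strategy == "content" and t >= reaction_time:
            effective_scanners = infected * (1 - coverage)
        elif strategy == "blacklist" and t >= reaction_time:
            known = history[t - reaction_time]           # what the blacklist has caught up to
            effective_scanners = (infected - known) + known * (1 - coverage)
        else:
            effective_scanners = infected
        new = scan_rate * effective_scanners * susceptible / ADDRESS_SPACE
        history.append(min(float(vulnerable), infected + new))
    return history


def final_fraction(**kwargs) -> float:
    """Fraction of the vulnerable population infected at the end of the horizon."""
    vulnerable = kwargs.get("vulnerable", 100_000)
    return simulate(**kwargs)[-1] / vulnerable


if __name__ == "__main__":
    scenarios = {
        "no containment":                dict(),
        "content filter, react 10 s":    dict(strategy="content", reaction_time=10, coverage=0.9),
        "content filter, react 60 s":    dict(strategy="content", reaction_time=60, coverage=0.9),
        "blacklist, react 60 s":         dict(strategy="blacklist", reaction_time=60, coverage=0.9),
    }
    for name, kw in scenarios.items():
        print(f"{name:30s} infected after 300 s: {final_fraction(horizon=300, **kw):6.1%}")
```

With the constructed parameters the uncontained worm saturates the population in under two minutes, a content filter with 90% coverage that reacts within 10 seconds holds the outbreak below a few percent, the same filter reacting after 60 seconds lets a sizeable fraction through, and blacklisting with the same coverage and reaction time barely helps because the list always describes the worm as it was one reaction time ago. Reaction time and strategy dominate; more coverage only helps once both are right.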

Blacklisting vs. Content Filtering

Blacklisting vs. Content Filtering - Aggressiveness

Deployment Scenarios

References. The Threat of Internet Worms, Vern Paxson. Cooperative Association for Internet Data Analysis (CAIDA). Autograph: Toward Automated, Distributed Worm Signature Detection, Usenix Security. Wikipedia: computer worms, hashing. Code Carrying Proofs, Aytekin Vargun, Rensselaer Polytechnic Institute.

Thank You! Discussion…..