Usenix Security 2004 Autograph Toward Automated, Distributed Worm Signature Detection Hyang-Ah KimBrad Karp Carnegie Mellon UniversityIntel Research &

Slides:



Advertisements
Similar presentations
CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Advertisements

Greg Williams CS691 Summer Honeycomb  Introduction  Preceding Work  Important Points  Analysis  Future Work.
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
Polygraph: Automatically Generating Signatures for Polymorphic Worms James Newsome *, Brad Karp *†, and Dawn Song * † Intel Research Pittsburgh * Carnegie.
Automated Worm Fingerprinting [Singh, Estan et al] Internet Quarantine: Requirements for Self- Propagating Code [Moore, Shannon et al] David W. Hill CSCI.
 Looked at some research approaches to: o Evaluate defense effectiveness o Stop worm from spreading from a given host o Defend a circle of friends against.
 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.
Internet Intrusions: Global Characteristics and Prevalence Presented By: Elliot Parsons Using slides from Vinod Yegneswaran’s presentation at SIGMETRICS.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.
Worms: Taxonomy and Detection Mark Shaneck 2/6/2004.
Automated Worm Fingerprinting Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage Manan Sanghi.
Worm Defense. Outline  Internet Quarantine: Requirements for Containing Self-Propagating Code  Netbait: a Distributed Worm Detection Service  Midgard.
Autograph Toward Automated, Distributed Worm Signature Detection (Hyang-Ah Kim, Brad Karp) Yunhai & Justin.
Analysis of Anomalous Payload-based Worm Detection and Signature Generation by Ke Wang, Gabriela Cretu, Salvatore J.Stolfo Columbia University.
How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Network Defenses Brad Karp UCL Computer Science CS GZ03 / th December, 2007.
Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)
Introduction to Honeypot, Botnet, and Security Measurement
TCP/IP Vulnerabilities. Outline Security Vulnerabilities Denial of Service Worms Countermeasures: Firewalls/IDS.
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.
Automated Worm Fingerprinting
Intrusion Prevention System. Module Objectives By the end of this module, participants will be able to: Use the FortiGate Intrusion Prevention System.
BY ANDREA ALMEIDA T.E COMP DON BOSCO COLLEGE OF ENGINEERING.
Honeypot and Intrusion Detection System
Carleton University School of Computer Science Detecting Intra-enterprise Scanning Worms based on Address Resolution David Whyte, Paul van Oorschot, Evangelos.
1 How to 0wn the Internet in Your Spare Time Authors: Stuart Staniford, Vern Paxson, Nicholas Weaver Publication: Usenix Security Symposium, 2002 Presenter:
A Virtual Honeypot Framework Author: Niels Provos Published in: CITI Report 03-1 Presenter: Tao Li.
CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and.
Click to add Text Automated Worm Fingerprinting Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage Department of Computer Science and Engineering.
DoWitcher: Effective Worm Detection and Containment in the Internet Core S. Ranjan et. al in INFOCOM 2007 Presented by: Sailesh Kumar.
Hamsa: Fast Signature Generation for Zero-day Polymorphic Worms with Provable Attack Resilience Zhichun Li, Manan Sanghi, Yan Chen, Ming-Yang Kao and Brian.
Detection Unknown Worms Using Randomness Check Computer and Communication Security Lab. Dept. of Computer Science and Engineering KOREA University Hyundo.
Modeling Worms: Two papers at Infocom 2003 Worms Programs that self propagate across the internet by exploiting the security flaws in widely used services.
Learning Rules for Anomaly Detection of Hostile Network Traffic Matthew V. Mahoney and Philip K. Chan Florida Institute of Technology.
Automatically Generating Models for Botnet Detection Presenter: 葉倚任 Authors: Peter Wurzinger, Leyla Bilge, Thorsten Holz, Jan Goebel, Christopher Kruegel,
IEEE Communications Surveys & Tutorials 1st Quarter 2008.
1 Topic 2: Lesson 3 Intro to Firewalls Summary. 2 Basic questions What is a firewall? What is a firewall? What can a firewall do? What can a firewall.
Interdomain Routing Security. How Secure are BGP Security Protocols? Some strange assumptions? – Focused on attracting traffic from as many Ases as possible.
A Virtual Honeypot Framework Niels Provos Google, Inc. The 13th USENIX Security Symposium, August 9–13, 2004 San Diego, CA Presented by: Sean Mondesire.
1 Modeling, Early Detection, and Mitigation of Internet Worm Attacks Cliff C. Zou Assistant professor School of Computer Science University of Central.
Defending Against Internet Worms: A Signature-Based Approach Aurthors: Yong Tang, and Shigang Chen Publication: IEEE INFOCOM'05 Presenter : Richard Bares.
1 HoneyNets. 2 Introduction Definition of a Honeynet Concept of Data Capture and Data Control Generation I vs. Generation II Honeynets Description of.
1 On the Performance of Internet Worm Scanning Strategies Authors: Cliff C. Zou, Don Towsley, Weibo Gong Publication: Journal of Performance Evaluation,
Polygraph: Automatically Generating Signatures for Polymorphic Worms James Newsome, Brad Karp, and Dawn Song Carnegie Mellon University Presented by Ryan.
Worm Defense Alexander Chang CS239 – Network Security 05/01/2006.
HoneyComb HoneyComb Automated IDS Signature Generation using Honeypots Prepare by LIW JIA SENG Supervisor : AP. Dr. Mohamed Othman.
Search Worms, ACM Workshop on Recurring Malcode (WORM) 2006 N Provos, J McClain, K Wang Dhruv Sharma
Polygraph: Automatically Generating Signatures for Polymorphic Worms Presented by: Devendra Salvi Paper by : James Newsome, Brad Karp, Dawn Song.
DoS/DDoS attack and defense
1 On the Performance of Internet Worm Scanning Strategies Cliff C. Zou, Don Towsley, Weibo Gong Univ. Massachusetts, Amherst.
1 Modeling, Early Detection, and Mitigation of Internet Worm Attacks Cliff C. Zou Assistant professor School of Computer Science University of Central.
Automated Worm Fingerprinting Authors: Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage Publish: OSDI'04. Presenter: YanYan Wang.
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
HoneyStat: Local Worm Detection Using Honeypots David Dagon, Xinzhou Qin, Guofei Gu, Wenke Lee, et al from Georgia Institute of Technology Authors: The.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
Polygraph: Automatically Generating Signatures for Polymorphic Worms Authors: James Newsome (CMU), Brad Karp (Intel Research), Dawn Song (CMU) Presenter:
Usenix Security 2004 Autograph Toward Automated, Distributed Worm Signature Detection Hyang-Ah KimBrad Karp Carnegie Mellon UniversityIntel Research &
Using Honeypots to Improve Network Security Dr. Saleh Ibrahim Almotairi Research and Development Centre National Information Centre - Ministry of Interior.
Internet Quarantine: Requirements for Containing Self-Propagating Code
POLYGRAPH: Automatically Generating Signatures for Polymorphic Worms
SPEAKER: Yu-Shan Chou ADVISOR: DR. Kai-Wei Ke
Memento: Making Sliding Windows Efficient for Heavy Hitters
Modeling, Early Detection, and Mitigation of Internet Worm Attacks
Introduction to Internet Worm
Presentation transcript:

Usenix Security 2004 Autograph Toward Automated, Distributed Worm Signature Detection Hyang-Ah KimBrad Karp Carnegie Mellon UniversityIntel Research & Carnegie Mellon University

Usenix Security Internet Worm Quarantine Internet Worm Quarantine Techniques  Destination port blocking  Infected source host IP blocking  Content-based blocking Worm Signature Content-based blocking [Moore et al., 2003] 05:45: > :. 0:1460(1460) ack 1 win 8760 (DF) 0x dc 84af f ac4 0x0010 d14e eb80 06b e86 fe57 440b 7c3b.N.....P^..WD.|; 0x c8f f P."8l...GET./def 0x c74 2e f ault.ida?XXXXXXX 0x XXXXXXXXXXXXXXXX x00e XXXXXXXXXXXXXXXX 0x00f XXXXXXXXXXXXXXXX 0x XXXXXXXXXXXXXXXX 0x XXXXXXXXX%u9090% 0x01a0 303d f31 2e30 0d0a 436f0=a.HTTP/1.0..Co. Signature for CodeRed II Signature : A Payload Content String Specific To A Worm

Usenix Security Content-based Blocking Our network X Traffic Filtering Internet Signature for CodeRed II  Can be used by Bro, Snort, Cisco’s NBAR,...

Usenix Security Signature derivation is too slow Current Signature Derivation Process  New worm outbreak  Report of anomalies from people via phone/ /newsgroup  Worm trace is captured  Manual analysis by security experts  Signature generation  Labor-intensive, Human-mediated

Usenix Security Goal Automatically generate signatures of previously unknown Internet worms  as accurately as possible  as quickly as possible  Content-Based Analysis  Automation, Distributed Monitoring

Usenix Security Assumptions We focus on TCP worms that propagate via scanning Actually, any transport  in which spoofed sources cannot communicate successfully  in which transport framing is known to monitor Worm’s payloads share a common substring  Vulnerability exploit part is not easily mutable Not polymorphic

Usenix Security Outline Problem and Motivation Automated Signature Detection  Desiderata  Technique  Evaluation Distributed Signature Detection  Tattler  Evaluation Related Work Conclusion

Usenix Security Desiderata Automation: Minimal manual intervention Signature quality: Sensitive & specific  Sensitive: match all worms  low false negative rate  Specific: match only worms  low false positive rate Timeliness: Early detection Application neutrality  Broad applicability

Usenix Security Automated Signature Generation Step 1: Select suspicious flows using heuristics Step 2: Generate signature using content- prevalence analysis Our network Traffic Filtering Internet Autograph Monitor Signature X

Usenix Security Heuristic: Flows from scanners are suspicious  Focus on the successful flows from IPs who made unsuccessful connections to more than s destinations for last 24hours  Suitable heuristic for TCP worm that scans network Suspicious Flow Pool  Holds reassembled, suspicious flows captured during the last time period t  Triggers signature generation if there are more than  flows S1: Suspicious Flow Selection Reduce the work by filtering out vast amount of innocuous flows Autograph (s = 2) Non-existent  This flow will be selected

Usenix Security S1: Suspicious Flow Selection Heuristic: Flows from scanners are suspicious  Focus on the successful flows from IPs who made unsuccessful connections to more than s destinations for last 24hours  Suitable heuristic for TCP worm that scans network Suspicious Flow Pool  Holds reassembled, suspicious flows captured during the last time period t  Triggers signature generation if there are more than  flows Reduce the work by filtering out vast amount of innocuous flows

Usenix Security S2: Signature Generation All instances of a worm have a common byte pattern specific to the worm Rationale  Worms propagate by duplicating themselves  Worms propagate using vulnerability of a service Use the most frequent byte sequences across suspicious flows as signatures How to find the most frequent byte sequences?

Usenix Security Worm-specific Pattern Detection Use the entire payload  Brittle to byte insertion, deletion, reordering GARBAGEEABCDEFGHIJKABCDXXXX Flow 1 Flow 2 GARBAGEABCDEFGHIJKABCDXXXXX

Usenix Security Worm-specific Pattern Detection Partition flows into non-overlapping small blocks and count the number of occurrences Fixed-length Partition  Still brittle to byte insertion, deletion, reordering GARBAGEEABCDEFGHIJKABCDXXXX Flow 1 Flow 2 GARBAGEABCDEFGHIJKABCDXXXXX

Usenix Security Worm-specific Pattern Detection Content-based Payload Partitioning (COPP)  Partition if Rabin fingerprint of a sliding window matches Breakmark  Configurable parameters: content block size (minimum, average, maximum), breakmark, sliding window  Content Blocks Breakmark = last 8 bits of fingerprint ( ABCD ) GARBAGEEABCDEFGHIJKABCDXXXX Flow 1 Flow 2 GARBAGEABCDEFGHIJKABCDXXXXX

Usenix Security Why Prevalence? Worm flows dominate in the suspicious flow pool Content-blocks from worms are highly ranked Nimda CodeRed2 Nimda (16 different payloads) WebDAV exploit Innocuous, misclassified Prevalence Distribution in Suspicious Flow Pool - From 24-hr http traffic trace

Usenix Security Select Most Frequent Content Block ABD ABE ACE AD CF CDG B f0 f1 f2 f3 f4 f5 HIJ f6 IHJ f7 GIJ f8

Usenix Security A A A E E A F C C C D D DB B B H H G G I I I J J J Select Most Frequent Content Block D C E E A A A A D F C C DG B B B H H G I I I J J J f0 f1 f2 f3 f4 f5 f6 f7 f8 f0 C F f1 C D G f2 A B D f3 A C E f4 A B E f5 A B D f6 H I J f7 I H J f8 G I J

Usenix Security Select Most Frequent Content Block A B D A BE A C E A D C F C D G B H I J I H J GI J f0 C F f1 C D G f2 A B D f3 A C E f4 A B E f5 A B D f6 H I J f7 I H J f8 G I J P≥3P≥3 W ≥ 90% Signature: W: target coverage in suspicious flow pool P: minimum occurrence to be selected

Usenix Security Signature: A Select Most Frequent Content Block A B D A BE A C E A D C F C D G B H I J I H J GI J f0 C F f1 C D G f2 A B D f3 A C E f4 A B E f5 A B D f6 H I J f7 I H J f8 G I J P≥3P≥3 W ≥ 90% W: target coverage in suspicious flow pool P: minimum occurrence to be selected

Usenix Security Select Most Frequent Content Block B DB A A A C E E A D F C C D G B H I J I H J GI J P≥3P≥3 W ≥ 90% Signature: A f0 C F f1 C D G f2 A B D f3 A C E f4 A B E f5 A B D f6 H I J f7 I H J f8 G I J W: target coverage in suspicious flow pool P: minimum occurrence to be selected

Usenix Security Select Most Frequent Content Block F C C D G H I J I H J GI J P≥3P≥3 W ≥ 90% Signature: A f0 C F f1 C D G f2 A B D f3 A C E f4 A B E f5 A B D f6 H I J f7 I H J f8 G I J I W: target coverage in suspicious flow pool P: minimum occurrence to be selected

Usenix Security Select Most Frequent Content Block F C C DG P≥3P≥3 W ≥ 90% Signature: A f0 C F f1 C D G f2 A B D f3 A C E f4 A B E f5 A B D f6 H I J f7 I H J f8 G I J I Signature: W: target coverage in suspicious flow pool P: minimum occurrence to be selected

Usenix Security Outline Problem and Motivation Automated Signature Detection  Desiderata  Technique  Evaluation Distributed Signature Detection  Tattler  Evaluation Related Work Conclusion

Usenix Security Behavior of Signature Generation Objectives  Effect of COPP parameters on signature quality Metrics  Sensitivity = # of true alarms / total # of worm flows  false negatives  Efficiency = # of true alarms / # of alarms  false positives Trace  Contains 24-hour http traffic  Includes 17 different types of worm payloads

Usenix Security Signature Quality Larger block sizes generate more specific signatures A range of w (90-95%, workload dependent) produces a good signature

Usenix Security Outline Problem and Motivation Automated Signature Detection  Desiderata  Technique  Evaluation Distributed Signature Detection  Tattler  Evaluation Related Work Conclusion

Usenix Security Signature Generation Speed Bounded by worm payload accumulation speed  Aggressiveness of scanner detection heuristic s: # of failed connection peers to detect a scanner  # of payloads enough for content analysis  : suspicious flow pool size to trigger signature generation Single Autograph  Worm payload accumulation is slow Internet AAAAAAA tattler Distributed Autograph  Share scanner IP list  Tattler: limit bandwidth consumption within a predefined cap

Usenix Security Benefit from tattler Worm payload accumulation (time to catch 5 worms) Signature generation  More aggressive scanner detection (s) and signature generation trigger (  )  faster signature generation, more false positives  With s=2 and  =15, Autograph generates the good worm signature before < 2% hosts get infected Info Sharing Autograph Monitor Fraction of Infected Hosts Aggressive (s = 1) Conservative (s = 4) None Luckiest2%60% Median25% -- TattlerAll<1%15% Many innocuous misclassified flows

Usenix Security Related Work Automated Worm Signature Detection Distributed Monitoring  Honeyd [Provos2003], DOMINO [Yegneswaran et al. 2004]  Corroborate faster accumulation of worm payloads/scanner IPs EarlyBird [Singh et al. 2003] HoneyComb [Kreibich et al. 2003] Autograph Signature Generation Content prevalence  Address Dispersion Honeypot + Pairwise LCS Suspicious flow selection  Content prevalence DeploymentNetworkHostNetwork Flow Reassembly NoYes Distributed Monitoring No Yes

Usenix Security Future Work Attacks  Overload Autograph  Abuse Autograph for DoS attacks Online evaluation with diverse traces & deployment on distributed sites Broader set of suspicious flow selection heuristics  Non-scanning worms (ex. hit-list worms, topological worms, worms)  UDP worms Egress detection Distributed agreement for signature quality testing  Trusted aggregation

Usenix Security Conclusion Stopping spread of novel worms requires early generation of signatures Autograph: automated signature detection system  Automated suspicious flow selection → Automated content prevalence analysis  COPP: robustness against payload variability  Distributed monitoring: faster signature generation Autograph finds sensitive & specific signatures early in real network traces

Usenix Security 2004 For more information, visit

Usenix Security Attacks Overload due to flow reassembly Solutions  Multiple instances of Autograph on separate HW (port-disjoint)  Suspicious flow sampling under heavy load Abuse Autograph for DoS: pollute suspicious flow pool  Port scan and then send innocuous traffic Solution  Distributed verification of signatures at many monitors  Source-address-spoofed port scan Solution  Reply with SYN/ACK on behalf of non-existent hosts/services

Usenix Security Number of Signatures Smaller block sizes generate small # of signatures

Usenix Security tattler A modified RTCP (RTP Control Protocol) Limit the total bandwidth of announcements sent to the group within a predetermined cap

Usenix Security Simulation Setup About 340,000 vulnerable hosts from about 6400 ASes Took small size edge networks (/16s) based on BGP table of 19 th of July, Service deployment  50% of address space within the vulnerable ASes is reachable  25% of reachable hosts run web server  340,000 vulnerable hosts are randomly placed. Scanning  10probes per second  Scanning the entire non-class-D IP address space Network/processing delays  Randomly chosen in [0.5, 1.5] seconds

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.