1 Large Scale Malicious Code: A Research Agenda N. Weaver, V. Paxson, S. Staniford, R. Cunningham.
Presentation transcript:

1 Large Scale Malicious Code: A Research Agenda N. Weaver, V. Paxson, S. Staniford, R. Cunningham

2 Contents
● Overview
● Worms: Type, Attackers, Enabling Factors
● Existing Practices and Models
● Cyber CDC
● Vulnerability Prevention Defenses
● Automatic Detection of Malicious Code
● Automated Response to Malicious Code
● Aid to Manual Analysis of Malicious Code
● Aid to Recovery
● Policy Considerations
● Validation and Challenging Problems
● Conclusion

3 Motivation and Goal
● Networking infrastructure is essential to many activities
  – Address the “worm threat”
● Establish taxonomy for worms
● Motivate Cyber “CDC”
● Establish a road map for research efforts

4 Challenges
● Prevention – e.g. non-executable stacks
● Avoidance – e.g. filter ports
● Detection – e.g. network telescopes
● Recovery – e.g. fix the vulnerability

5 Challenges
● Spread speed is faster than human reaction time
● Further generations of worms address previous countermeasures
  – Smart guys behind the scenes
● Monocultures in today's Internet
● People are not sensitive to security

7 Taxonomy
● Activation techniques
  – Human
  – Scheduled process
  – Self
● Propagation strategies
  – Scanning
  – Pre-generated Target Lists
  – Externally Generated Target Lists
  – Internal Target Lists
  – Passive
● Propagation carriers
  – Self, Embedded

8 Taxonomy
Motivation and Attackers
  – Pride and Power
  – Commercial Advantage
  – Extortion
  – Random Protest
  – Political Protest
  – Terrorism
  – Cyber Warfare
Payloads
  – None
  – Opening Backdoors
  – Remote DOS
  – Receive Updates
  – Espionage
  – Data Harvesting
  – Data Damage
  – Hardware Damage
  – Coercion

9 Ecology of Worms
● Application Design
● Buffer Overflows
● Privileges
  – Mail worms
● Application Deployment
● Economic Factors
● Monocultures

11 Cooperative Information Technology Org.
● CERT/CC
  – Human analysis and aggregation
● IIAP
  – Human-time analysis
● ISAC
  – Practices and background
● FIRST
● Public Mailing Lists

12 Commercial Entities
● Anti-virus Companies
  – Computer Anti-Virus Researchers Organization (CARO)
● Network based IDS Vendors
● Centralized Security Monitoring
● Training Organizations
● Limited Scope of Commercial Response
  – Worm has yet to cause significant damage
  – No clear way to generate additional revenue

14 Cyber CDC
● Identify outbreaks
  – Develop mechanisms for gathering information
  – Sponsor research in automated detection
● Rapidly analyzing pathogens
  – Develop analysis tools
  – Understand the harm and spread of pathogens
● Fighting Infections
  – Deploy agents that detect, terminate or isolate worms

15 Cyber CDC
● Anticipating new vectors
  – Analyze the threat potential of new applications
● Proactively devising detectors for new vectors
  – Develop analysis modules for IDS
● Resisting future threats
  – Foster research into resilient application design paradigms
● How open?

17 Vulnerability Prevention Defenses
● Grading potentials
  – A: high potential, lower cost
  – B: medium potential or significant cost
  – C: low potential but high risk

18 Vulnerability Prevention Defenses
● Programming Languages and Compilers
  – Safe C Dialects (C, active area)
    ● Enforcing type and memory safety
    ● CCured / Cyclone
    ● [future] extending to C++
  – Software Fault Isolation (C, active area)
    ● Memory safe sandboxes
    ● Lack of availability of SFI-based systems
  – StackGuard (C, active area)
    ● Compiler calling-convention
    ● Works well against conventional stack attacks

19 Vulnerability
● Programming Languages and Compilers
  – Nonexecutable Stacks and Heaps w/ Randomized Layouts (B, mostly engineering)
    ● Randomizing layout
    ● Guard pages, exception when accessed
    ● No attempt to build such a complete system
  – Monitoring for Policy- and Semantics-Enforcement (B, opportunities for worm specific monitoring)
    ● System call patterns (“mimicry” attack)
    ● Static analysis
    ● [future] increase performance and precision

20 Vulnerability
● Automatic vulnerability analysis (B, highly difficult, active area)
  – Discover buffer overflows in C
  – Sanitized integers from untrusted sources
  – User-supplied pointers for kernel
  – [future] assembly level
  – [future] specific patterns of system calls

21 Vulnerability Prevention Defenses
● Privilege Issues
  – Fine-grained Access Control (C, active area)
    ● [future] integrating into commodity OS
  – Code Signing (C, active area)
    ● Public-key authentication
  – Privilege Isolation (C, some active research, difficult)
    ● Mach kernel

22 Vulnerability
● Protocol Design
  – Design Principles (A, difficult, low cost, high reward)
    ● Open problem
  – Proving Protocol Properties (A, difficult, high reward)
    ● Worm resistant properties -> verify
    ● [future] interpreter detects violation of protocol
  – Distributed Minable Topology (A, hard but critical)
    ● Match subset, not the entire list
  – Network Layout (C, costly)
    ● Never co-occur (i.e. strictly client / server)

23 Vulnerability
● Network Provider Practices
  – Machine Removal (C, already under development)
    ● No standard protocol
● Implementation Diversity
  – Monoculture is a dangerous phenomenon

24 Vulnerability
● Synthetic Polycultures
  – Synthetic polycultures (C, difficult, may add unpredictability)
    ● [future] techniques to develop synthetic polycultures
    ● [future] Code obfuscation
● Economic and Social
  – Why is Security Hard (B, active area of research)
    ● [future] understanding of why practices remain so poor

26 Automatic Detection of Malicious Code
● Host-based detectors
  – Host-based Worm Detection (A, Critical)
    ● Contagion worms
    ● IDS
  – Existing Anti-virus Behavior Blocking (A, Critical)
    ● Behavior blocking (usability and false positives)
  – Wormholes / honeyfarms (A, Low Hanging Fruit)
    ● Excellent detector / machine cost
    ● Must target the cultured honeypots...

27 Detection
● Network-level detectors
  – Edge Network Detection (A, critical, powerful)
    ● Large number of scans
  – Backbone Level Detection (B, hard, difficult to deploy)
    ● Routing is highly asymmetric
● Correlation of Results
  – Centralized (B, Some commercial work)
  – Distributed (A, powerful, flexible)
  – Worm Traceback (A, high risk, high payoff)
    ● No attention to date in research community
    ● [future] Network telescopes
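Added example, not from the slides or the paper: the edge-network signal above ("large number of scans") expressed as a first-contact counter over a sliding time window, run on constructed flow records. The window length and threshold are assumed tuning values; repeat contacts are ignored so that a busy legitimate client is not counted, while a scanning host, whose contacts are almost all first contacts, crosses the threshold quickly.

```python
from collections import defaultdict, deque

# Constructed sample flow records: (timestamp_seconds, src_ip, dst_ip, dst_port).
# 10.0.0.5 behaves like a normal client (few distinct peers, repeated contacts);
# 10.0.0.7 behaves like a scanning worm (one new host per second on one port).
SAMPLE_FLOWS = sorted(
    [(t, "10.0.0.5", "10.0.1.10", 80) for t in range(0, 12, 2)]
    + [(1, "10.0.0.5", "10.0.1.11", 443)]
    + [(5 + i, "10.0.0.7", "10.0.2.%d" % (i + 1), 445) for i in range(12)]
)

WINDOW_SECONDS = 10      # assumed tuning value: how far back first contacts count
NEW_DEST_THRESHOLD = 8   # assumed tuning value: first contacts in window that flag a host


class FirstContactScanDetector:
    """Flags a source that opens too many first-time (dst, port) contacts in a window."""

    def __init__(self, window=WINDOW_SECONDS, threshold=NEW_DEST_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.seen = defaultdict(set)      # src -> {(dst, port)} ever contacted
        self.recent = defaultdict(deque)  # src -> deque of (ts, (dst, port)) first contacts
        self.flagged = {}                 # src -> timestamp at which it was flagged

    def observe(self, ts, src, dst, port):
        """Feed one flow; return True if this flow pushes src over the threshold."""
        key = (dst, port)
        if key in self.seen[src]:
            return False                  # repeat contact, not a scan indicator
        self.seen[src].add(key)
        recent = self.recent[src]
        recent.append((ts, key))
        while recent and ts - recent[0][0] > self.window:
            recent.popleft()              # drop first contacts older than the window
        if len(recent) >= self.threshold and src not in self.flagged:
            self.flagged[src] = ts        # record only the first crossing per source
            return True
        return False


def detect_scanners(flows, window=WINDOW_SECONDS, threshold=NEW_DEST_THRESHOLD):
    """Run the detector over time-ordered flows; return {src: first_flag_timestamp}."""
    det = FirstContactScanDetector(window, threshold)
    for ts, src, dst, port in flows:
        det.observe(ts, src, dst, port)
    return dict(det.flagged)
```

On the constructed data only 10.0.0.7 is flagged, at the timestamp of its eighth distinct destination; the normal client never exceeds two first contacts.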

28 Automated Response to Malicious Code
● Host-Based (B, overlaps with personal firewall)
  – Open question
● Edge Network (A, powerful, flexible)
  – [future] Filter traffic (side effects...)
● Backbone/ISP Level (B, difficult, deployment issues)
  – [future] Limitation of outbound scanning
● National Boundaries (C, too coarse grained)
● Graceful Degradation and Containment (B, mostly engineering)
  – [future] Quarantine sections

29 Aids to Manual Analysis of Malicious Code
● Collaborative Code Analysis Tool (A, scaling is important, some ongoing research)
● Higher Level Analysis (B, important, Halting problem imposes limitations)
● Hybrid Static-Dynamic Analysis (A, hard but valuable)
● Visualization (B, mostly educational value)
  – [future] Real-time analysis
  – [future] what information might be gathered

30 Aids to Recovery
● Anti-worms (C, impractical, illegal)
● Patch distribution in a hostile environment (C, already evolving commercially)
● Updating in a hostile environment (C, hard engineering, already evolving)
  – Metamorphic code to insert a small bootstrap program

31 Policy considerations
● Privacy and Data Analysis
● Obscurity
● Internet Sanitation
  – Scan limiters
● The “Closed” Alternative
  – Apply topological restrictions

33 Challenging Problems
● Common evaluation framework
  – DARPA IDS evaluation
  – Finding proper level of abstraction for analysis
  – Limit resources available to attacker
● Milestones for detection
  – Sensitivity to presence
  – False positives
  – Distortion resistant

34 Challenging Problems
● Milestones for analysis
  – Strategize vs. Understanding
  – State of practice: Identifying vs. Reverse engineering
  – Metrics: accuracy, completeness, speed, usability
  – Milestone: progressively bigger variety of worms
● Detecting targeted worms
● Tools for validating defenses
  – Worm Simulation Environment
  – Internet Wide Worm Testbed (A, essential)
  – Testing in the Wild (A, essential)

36 Conclusions
● Worms are a significant threat
● Limited number of strategies
● Inadequate defensive infrastructure
● Cyber CDC
  – Prevention role
● Huge potential damage

37 Problems
● Build tomorrow's security systems based on today's worm technologies
  – Will always be one step behind
  – Reactive
● Need to address root causes instead of patching things
  – Prevention

38 ?