Carleton University School of Computer Science Detecting Intra-enterprise Scanning Worms based on Address Resolution David Whyte, Paul van Oorschot, Evangelos.

Presentation transcript:

Carleton University School of Computer Science Detecting Intra-enterprise Scanning Worms based on Address Resolution David Whyte, Paul van Oorschot, Evangelos Kranakis

Outline
● Internet Environment
● Scanning Worm Propagation Characteristics
● Address Resolution (ARP) Approach
● Results
● Limitations
● Conclusions

DShield Report – December 6, 2005
Top Attacker:
Most Attacked Port: 445

Worm Outbreaks
● Sapphire/Slammer worm – Jan 25, 2003
  – Fastest spreading worm yet
  ● 90% compromised in first 10 minutes
● August 2003 the “Month of Worms”
  – SoBig.F: #1 “mass mailing” virus of all time
  – Blaster/LovSan/Welchia/Nachi
● Witty worm – March 2004
  – Buffer overflow in a suite of security products
  ● Use of a hit-list?

Countermeasure Challenges
● Propagation speed renders human-based defensive strategies ineffective
● Security patches – frequent, large and sometimes broken
  – Slammer fix SQL Server 2000 SP2: three parts, 26MB to 506MB
  – sql2kdeskfullsp2.exe 390 MB

Countermeasure Challenges
● Active response (i.e. containment and suppression) – risky (self-imposed DoS)
● The IDS that cried “Worm!!”…
  – (Snort) alert UDP any any -> any 1434 (msg:"SQL Slammer Worm"; rev:1; content:"|726e51686f 756e b |";)
  – (Dragon) NAME=SMB:DCOM-OVERFLOW SIGNATURE=T D A B SMB:DCOM-OVERFLOW /5c/00/43/00/24/00/5c/00*/00*/00*/00*/00*/00*/00*/00*/00*/00*/00*/00*/00*/00*/00, /01/10/08/00/cc/cc/cc/cc

Solution/Problem
● Automated countermeasures are required for worm containment and suppression
● Worm propagation detection methods need to:
  – Detect propagation quickly
  – Detect propagation accurately
  – Detect propagation of varying rates
  – Detect zero-day worms

Scanning Worm Characteristics
● Scanning worms can employ a variety of strategies to infect systems
  – Topological scanning
  – Slow scanning
  – Fast scanning
● Topological scanning
  – Use of local information to find victims
  – Potential to be very fast

Enterprise Network

ARP-based Scanning Worm Detection Approach
● Focus on protecting the internal network
  – Network: 'hard crunchy' exterior, 'soft gooey' middle
  – Limit damage within network cell
● Behavioral 'signature'
  – Based on anomalous behavior
  – ARP request is a 'scan'
  – Premise: measurable changes in amount/pattern of ARP activity
● 3-factor anomaly score

3-Factor Anomaly Score
● Peer-list: previous connection activity
● ARP activity: 'expected' amount of ARP activity (mean + sd) vs. observed ARP activity
● Internal network dark space: ARP requests to non-existent systems
● Factor weighting is configurable
● When aggregate score from three factors exceeds threshold in specified time window: ALERT!!

Set-up and Training Period
● Divide network into cells (broadcast domains)
● Training period
  – Gather ARP broadcast requests
  – Construct peer-list
  – Calculate expected ARP activity for each system
  – Identify internal network address darkspace

Software Developed
Prototype uses Perl modules and libpcap
High-level design
– Packet Processing Engine (PPE)
  ● Extract features from ARP broadcast traffic
– ARP Correlation Engine (ACE)
  ● Create individual system ARP statistics
  ● Create peer-list
  ● Observe ARP request activity to generate 3-factor anomaly score
  ● Generate alerts

Testing Environment
Two-week training period
Two-week test run
Lab/production network
– One quarter Class C network
– DNS/mail/web
– Small user population
– Linux OS
– Closed network

ARP Statistics (Training Period)

Alert Thresholds
● Common threshold
● Function-specific threshold
  – Server/workstation
● Threshold as well as anomaly factor weighting is configurable
● Prototype can give default threshold based on training period
  – (r=3): 3 scans within a 3 minute window
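The three-factor scoring, the training steps (peer-list, expected ARP activity as mean + sd, internal darkspace) and the r=3 default threshold from the 3-Factor Anomaly Score, Set-up and Training Period and Alert Thresholds slides, as an added Python example that is not the authors' Perl/libpcap prototype. The ARP records are constructed; treating every address requested during training as a live host, and counting a fully anomalous request as one "scan" so that r=3 means an aggregate of 3 within the 3-minute window, are assumptions.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev

# Constructed ARP broadcast records: (seconds, requesting host, address requested).
TRAINING = (
    [(t, "10.0.0.1", "10.0.0.2") for t in range(0, 540, 60)]       # .1 resolves .2 each minute
    + [(t + 5, "10.0.0.2", "10.0.0.1") for t in range(0, 540, 60)]  # .2 resolves .1 back
    + [(30, "10.0.0.3", "10.0.0.1")]                                 # .3 is a quiet client
)
WORM = [(2000 + i, "10.0.0.3", f"10.0.0.{10 + i}") for i in range(3)]  # sequential scan from .3

class ArpScanDetector:
    def __init__(self, weights=(1.0, 1.0, 1.0), window=180, r=3):
        self.weights, self.window, self.threshold = weights, window, float(r)
        self.peers = defaultdict(set)     # factor 1: addresses each host resolved in training
        self.expected = {}                # factor 2: mean + sd of requests per window
        self.live = set()                 # factor 3: addresses seen in training (else darkspace)
        self.recent = defaultdict(deque)  # per host: (time, score) of requests in the window

    def train(self, requests):
        counts = defaultdict(lambda: defaultdict(int))   # host -> window index -> requests
        for t, src, dst in requests:
            self.peers[src].add(dst)
            self.live.update((src, dst))   # assumption: a requested address counts as live
            counts[src][t // self.window] += 1
        n_windows = max(t for t, _, _ in requests) // self.window + 1
        for src, per_win in counts.items():
            xs = [per_win.get(i, 0) for i in range(n_windows)]
            self.expected[src] = mean(xs) + pstdev(xs)

    def score(self, t, src, dst):
        # Weighted share of the three factors flagged by one request, in [0, 1].
        q = self.recent[src]
        while q and t - q[0][0] > self.window:      # drop requests older than the window
            q.popleft()
        factors = (dst not in self.peers[src],                  # not a known peer
                   len(q) + 1 > self.expected.get(src, 0.0),    # above mean + sd for the window
                   dst not in self.live)                         # internal darkspace
        return sum(w for w, f in zip(self.weights, factors) if f) / sum(self.weights)

    def observe(self, t, src, dst):
        """Record one request; return an alert once the window aggregate reaches r."""
        s = self.score(t, src, dst)
        self.recent[src].append((t, s))
        total = sum(sc for _, sc in self.recent[src])
        if total >= self.threshold:
            self.recent[src].clear()                 # one alert per burst
            return f"ALERT {src}: aggregate {total:.1f} >= {self.threshold:.0f} in {self.window}s"
        return None
```

A normal host resolving a known live peer scores 0, a live-but-new peer scores 1/3 (only the peer-list factor), while the scanning host trips all three factors on every request and alerts on its third scan, matching "3 scans within a 3 minute window".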

Testing Results (Alerts) – 2-week Period

False Positive Analysis
● Increasing scan threshold reduces false positives (our network: r = 3 gave only 5 false positives in a two-week period)
● Function-specific vs. common threshold approach reduced false positive rate
● All false positives were caused by a 'burst' in server activity

Worm Simulation Results
● Not practical to infect network
● Nmap scanning
  – Sequential scanning
  – Random scanning
● Detected all scan activity scenarios within 3 scans
  – Internal network darkspace a factor

Limitations
● Test network size
● Simulation vs. actual infection
● Exclusive observation of broadcast traffic may lead to underestimation of dark space
● DHCP
● P2P, highly distributed network: 'your mileage may vary'

Conclusions
● An approach to protect the internal network (topological worms)
● Analysis provides evidence that the approach has merit
● Full prototype developed
● Anomaly-based – ability to detect emerging worms

Questions?