Design of a System for Real-Time Worm Detection
Bharath Madhusudan, John Lockwood
Department of Computer Science and Engineering, Washington University, St. Louis
©2004 IEEE
Presented by Stephen Karg, November 14, 2005

Contributions
The Problems:
1. Many IDSs have limited effectiveness because they can only filter known worms.
2. Dark-space scan detection can't defend against hit-list worms.
Proposed Solutions:
1. Monitor network traffic to automatically detect new worms in real time.
2. Analyze packet content, not headers, to obtain a new worm signature.

Their Goals
Low reaction time
High throughput
Low cost
Low false-positive rate
Robust to simple countermeasures

System Properties
Designed to work in tandem with a signature-based IDS.
Frequently occurring content = new signature.
Hardware-based system to keep pace with high-volume traffic (Gigabit Ethernet).
Centralized monitoring.
Computationally intensive, hence the need for a hardware-based system.

General Algorithm
1. Hash over a sliding 10-byte window of the packet-content data stream (header data stripped), so multiple hashes are taken over each payload (gets around basic metamorphism, shuffling blocks, etc.).
2. On-chip vector of counters* for each hash value. 3-stage pipeline: 1 read/increment/write per clock cycle.
3. If the threshold count is exceeded, the offending signature is hashed to off-chip SRAM.
4. Iff a 2nd signature is hashed to the same SRAM bucket (and matches the first), an alert is thrown. This last step reduces false positives.
* 8-bit, periodically reduced by the average count (called timeouts)

Design Considerations
1. Throughput:
– Steps 1 & 2 implemented in parallel using multiple window and counter-vector pairs. Counters aggregated.
2. Benign Strings:
– False-positive potential with regularly occurring strings (e.g. the first several bytes of an HTTP request).
– Sys. admin can reconfigure the system to ignore them.

Design Considerations (cont.)
3. False Positives:
Potential counter-attack: flood the IDS with packet(s) repeating the same string.
Solution: count any given signature only once per window of size T (not the same window as before; larger). Bloom filter used (prior research).
– False positives can be kept low using the proven formula.
– Signatures over the window are stored compactly and efficiently queried with dual-ported on-chip memory.
4. Threshold vs. timeout relationship: reduces to a well-studied problem in hashing, so one can again calculate and minimize the false-positive rate.
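As an added illustration of steps 1 through 4 of the general algorithm together with the count-once-per-window rule above, here is a software simulation written for this page (not the paper's hardware design or code). The 10-byte window is the paper's; the counter and SRAM sizes, the threshold, the timeout period, the hash function and the choice of T = one packet are assumed values.

```python
import hashlib

WINDOW = 10            # sliding-window width in bytes, as in the paper
COUNTERS = 1 << 20     # on-chip counter vector size (assumed; the prototype used 64x512)
SRAM_BUCKETS = 1 << 16 # off-chip SRAM buckets for escalated signatures (assumed)
THRESHOLD = 3          # counter value that escalates a window to SRAM (assumed)
TIMEOUT_EVERY = 2      # packets between timeouts (assumed)

def hash_window(window, salt=b""):   # stand-in for the hardware hash (assumed)
    return int.from_bytes(hashlib.blake2b(salt + window, digest_size=4).digest(), "big")

class WormDetector:
    def __init__(self):
        self.counters = [0] * COUNTERS   # 8-bit saturating counters (step 2)
        self.sram = {}                   # SRAM bucket -> first signature parked there (step 3)
        self.packets = 0

    def timeout(self):   # paper's timeout: reduce every counter by the average count
        avg = sum(self.counters) // COUNTERS
        self.counters = [max(c - avg, 0) for c in self.counters]

    def process(self, payload):
        """Scan one header-stripped payload; return the signatures that raised an alert."""
        alerts = []
        seen = set()   # Bloom-filter stand-in: count each signature once per packet (T = one packet, assumed)
        for i in range(len(payload) - WINDOW + 1):
            sig = payload[i:i + WINDOW]          # step 1: every 10-byte window is hashed
            if sig in seen:
                continue                         # a packet repeating one string cannot flood a counter
            seen.add(sig)
            idx = hash_window(sig) % COUNTERS
            self.counters[idx] = min(self.counters[idx] + 1, 255)
            if self.counters[idx] >= THRESHOLD:
                bucket = hash_window(sig, b"sram") % SRAM_BUCKETS
                if bucket not in self.sram:
                    self.sram[bucket] = sig      # step 3: park the suspect signature off-chip
                elif self.sram[bucket] == sig:
                    alerts.append(sig)           # step 4: same signature hits the bucket again
        self.packets += 1
        if self.packets % TIMEOUT_EVERY == 0:
            self.timeout()
        return alerts

def first_alert_packet(packets):
    """Feed payloads in order; return the index of the first packet that alerts, or -1."""
    det = WormDetector()
    for n, payload in enumerate(packets):
        if det.process(payload):
            return n
    return -1
```

Feeding the same two constructed blocks in alternating order still alerts on the fourth packet, because the windows inside each block repeat regardless of block order, while a single packet made of one repeated byte only counts once per packet.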

Performance Evaluation
"Normal" packet stream uses a 2-day trace of UC Berkeley FTP server traffic.
– What about other types of traffic? Notably SMTP.
Worm-like data inserted into the above stream.
– Does the stream reflect epidemic behavior?
Worms are detected, but are they detected in time?
– Perhaps reaction/containment is out of scope here.
Would have liked to see performance on a sandboxed subnet with real traffic and real worms.

Evaluation Results
Detecting larger worms is more difficult.
Signature Length (Bytes) | Concentration in Trace Data
500 | 1%
1000 | 2%
5000 | 3%
(length not legible in transcript) | %
(length not legible in transcript) | %
– If the worm size exceeds the number of buckets/counters, all of them will be incremented as it passes, so nothing stands out.
– Prototype has 64x512 counters (each with a 10B window, ~276KB).

Evaluation Results (cont.)
Memory collisions decrease with the use of more dual-ported memory blocks.
– Not surprising, but tests show the hardware requirements (and diminishing returns): 64 blocks, 0.02 collision rate.
– Also shows the empirical collision rate to be consistently below the theoretical calculations.

Functional prototype
– 64 Block RAMs
– Calculates 4 hash values per clock cycle.
– Targeted to run on the FPX platform with FPGA hardware.
– Circuit implementation runs at 91.5 MHz.
– Introduces a pipeline delay of 70 ns into the datapath.
– Allows processing at OC-48 line speeds.
– Conclusion: real-time performance.

Conclusions
A move towards more automated NIDS.
– Yes, remove the slow humans from the equation.
– Performance is impressive considering the speed-of-light adversary.
Exploits the parallelism afforded by hardware to scan a much larger amount of traffic than traditional software implementations of a similar algorithm.
– But do we need to add the hardware requirement and cost?
– Does every packet need to be seen to spot a trend?
– Could software use sampling to produce the same results? Or will it fall too far behind the growth in bandwidth?

Conclusions (cont.)
Argues it is much easier to deploy and maintain a centralized NIDS than a host-based system.
– Sure, but is it as effective? (Wu's presentation)
System robust to "simple" countermeasures.
– Perhaps the paper's greatest weakness. Only the simplest metamorphism is defended against (block reordering, some nop insertion).
– Instruction replacement: UNDETECTED
– Instruction reordering: UNDETECTED
– Polymorphic decryptor engines: UNDETECTED
– Or just pad with garbage until 277KB long!

Questions? Thanks.