Hamsa: Fast Signature Generation for Zero-day Polymorphic Worms with Provable Attack Resilience Zhichun Li, Manan Sanghi, Yan Chen, Ming-Yang Kao and Brian.

Presentation transcript:

Hamsa: Fast Signature Generation for Zero-day Polymorphic Worms with Provable Attack Resilience Zhichun Li, Manan Sanghi, Yan Chen, Ming-Yang Kao and Brian Chavez Lab for Internet & Security Technology (LIST) Northwestern University

2 The Spread of Sapphire/Slammer Worms

3 Desired Requirements for Polymorphic Worm Signature Generation
Network-based signature generation
–Worms spread at exponential speed, so detecting them at an early stage is crucial. However:
»At an early stage there are only limited worm samples.
–A high-speed network router may see more worm samples. But:
»It needs to keep up with the network speed!
»It can only use network-level information.

4 Desired Requirements for Polymorphic Worm Signature Generation
Noise tolerant
–Most network flow classifiers suffer from false positives.
–Even host-based approaches can be injected with noise.
Attack resilience
–Attackers always try to evade detection systems.
Efficient signature matching for high-speed links
No existing work satisfies these requirements!

5 Outline Motivation Hamsa Design Model-based Signature Generation Evaluation Related Work Conclusion

6 Choice of Signatures
Two classes of signatures
–Content based
»Token: a substring with reasonable coverage of the suspicious traffic
»Signature: a conjunction of tokens
–Behavior based
Our choice: content based
–Fast signature matching: an ASIC-based approach can achieve 6 ~ 8 Gb/s
–Generic, independent of any protocol or server
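To make the idea of a token conjunction concrete, here is a minimal Python sketch. It assumes a signature is a mapping from token to the minimum number of occurrences, which is how the Code-Red II signature is written later in this transcript. The function name `matches` and the sample payloads are illustrative assumptions, not part of Hamsa.

```python
def matches(signature: dict[bytes, int], payload: bytes) -> bool:
    """Return True if every token occurs at least the required number of times.

    bytes.count counts non-overlapping occurrences, which is enough for a sketch.
    """
    return all(payload.count(token) >= need for token, need in signature.items())


# Code-Red II signature as listed on the results slide of this transcript.
CODE_RED_II = {
    b".ida?": 1,
    b"%u780": 1,
    b" HTTP/1.0\r\n": 1,
    b"GET /": 1,
    b"%u": 2,
}

# Hypothetical payloads, made up for illustration only.
worm_like = b"GET /default.ida?NNNN%u9090%u7801%u00=a HTTP/1.0\r\n"
benign = b"GET /index.html HTTP/1.0\r\n"
```

With these payloads, `matches(CODE_RED_II, worm_like)` holds and `matches(CODE_RED_II, benign)` does not, because the benign request lacks `.ida?` and the `%u` tokens.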

7 Unique Invariants of Worms
Protocol frame
–The code path to the vulnerable part, usually infrequently used
–Code-Red II: ‘.ida?’ or ‘.idq?’
Control data: leading to control flow hijacking
–Hard-coded value to overwrite a jump target or a function call
Worm executable payload
–CLET polymorphic engine: ‘0\x8b’, ‘\xff\xff\xff’ and ‘t\x07\xeb’
Possible to have worms with no such invariants, but very hard

8 Hamsa Architecture

9 Hamsa Design
Key idea: model the uniqueness of worm invariants
–Greedy algorithm for finding token conjunction signatures
Highly accurate while much faster
–Both analytically and experimentally
–Compared with the latest work, Polygraph
–Suffix array based token extraction
Provable attack resilience guarantee
Noise tolerant
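The slide names suffix arrays for token extraction. The sketch below deliberately swaps in brute-force substring counting instead, which is far slower but short enough to show what "a token with reasonable coverage" means. The function name, the length limits and the coverage threshold are all assumptions made for illustration.

```python
from collections import Counter


def extract_tokens(flows, min_len=2, max_len=8, min_coverage=0.15):
    """Map each frequent substring to the fraction of flows that contain it.

    Brute force: enumerates every substring of each flow, so it is only
    suitable for tiny examples (a suffix array avoids this blow-up).
    """
    seen_in = Counter()
    for flow in flows:
        # A set, so that each flow counts a given substring at most once.
        substrings = {
            flow[i:i + n]
            for n in range(min_len, max_len + 1)
            for i in range(len(flow) - n + 1)
        }
        seen_in.update(substrings)
    total = len(flows)
    return {
        token: count / total
        for token, count in seen_in.items()
        if count / total >= min_coverage
    }


# Hypothetical suspicious pool: two worm-like flows and one noise flow.
pool = [b"xx.ida?yy", b"zz.ida?ww", b"nothing"]
tokens = extract_tokens(pool, min_len=5, max_len=5, min_coverage=0.6)
```

In this toy pool the only 5-byte substring shared by at least 60% of the flows is `.ida?`, with coverage 2/3.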

10 Hamsa Signature Generator
Core part: model-based greedy signature generation
Iterative approach for multiple worms

11 Outline Motivation Hamsa Design Model-based Signature Generation Evaluation Related Work Conclusion

12 Problem Formulation
Input to the signature generator: suspicious pool (with noise), normal pool, and a false positive bound
Output: a signature
–Maximize the coverage in the suspicious pool
–False positive in the normal pool is bounded by the given bound
NP-Hard!

13 Model Uniqueness of Invariants
[Figure: candidate tokens with FP of 21%, 9%, 17% and 5% when choosing t1; joint FP with t1 of 2%, 0.5% and 1% when choosing t2]
–The total number of tokens is bounded by k*
–u(1) = upper bound of FP(t1)
–u(2) = upper bound of FP(t1, t2)

14 Signature Generation Algorithm
Token extraction from the suspicious pool yields the candidate tokens, ordered by coverage.
(COV, FP) of each token: (82%, 50%), (70%, 11%), (67%, 30%), (62%, 15%), (50%, 25%), (41%, 55%), (36%, 41%), (12%, 9%)
u(1)=15%: select t1

15 Signature Generation Algorithm
(COV, FP) of each token, ordered by coverage: (82%, 50%), (70%, 11%), (67%, 30%), (62%, 15%), (50%, 25%), (41%, 55%), (36%, 41%), (12%, 9%)
Remaining tokens ordered by joint coverage with t1, (COV, FP): (69%, 9.8%), (68%, 8.5%), (67%, 1%), (40%, 2.5%), (35%, 12%), (31%, 9%), (10%, 0.5%)
u(2)=7.5%: select t2
Signature: t1 and t2
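The numbers on slides 14 and 15 can be replayed in a few lines of Python. The sketch assumes that each step picks the highest-coverage candidate whose false positive rate does not exceed u(i). The helper name `pick_token` is hypothetical.

```python
def pick_token(candidates, fp_bound):
    """Return the (coverage, fp) pair with the highest coverage among
    candidates whose false positive rate is within fp_bound, or None."""
    eligible = [c for c in candidates if c[1] <= fp_bound]
    return max(eligible, key=lambda c: c[0]) if eligible else None


# (COV, FP) pairs from slide 14, as fractions.
step1 = [(0.82, 0.50), (0.70, 0.11), (0.67, 0.30), (0.62, 0.15),
         (0.50, 0.25), (0.41, 0.55), (0.36, 0.41), (0.12, 0.09)]
# Joint (COV, FP) with t1 from slide 15.
step2 = [(0.69, 0.098), (0.68, 0.085), (0.67, 0.01), (0.40, 0.025),
         (0.35, 0.12), (0.31, 0.09), (0.10, 0.005)]

t1 = pick_token(step1, fp_bound=0.15)   # u(1) = 15%  -> (0.70, 0.11)
t2 = pick_token(step2, fp_bound=0.075)  # u(2) = 7.5% -> (0.67, 0.01)
```

Under that reading, the 82%-coverage token is skipped because its 50% false positive rate exceeds u(1), and the joint signature ends at 67% coverage with 1% false positives.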

16 Algorithm Analysis
Runtime analysis: O(T*(|M|+|N|))
Provable Attack Resilience Guarantee
–Analytically bound the worst that attackers can do!
–Example: k*=5, u(1)=0.2, u(2)=0.08, u(3)=0.04, u(4)=0.02, u(5)=0.01 and a false positive bound of 0.01
–The better the flow classifier, the lower the false negatives
Noise ratio | FP upper bound | FN upper bound
5% | 1% | 1.84%
10% | 1% | 3.89%
20% | 1% | 8.75%
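A direct, unoptimized Python sketch of the greedy procedure may help in reading the runtime bound. It assumes T is the number of candidate tokens and |M|, |N| are the sizes of the suspicious and normal pools (the slide does not define them). It also simplifies signatures to plain token sets rather than multisets. All names here (`greedy_signature`, `fraction_matching`, `fp_bound`) are illustrative, and this is not the authors' implementation.

```python
def fraction_matching(tokens, pool):
    """Fraction of flows in pool that contain every token in tokens."""
    if not pool:
        return 0.0
    return sum(all(t in flow for t in tokens) for flow in pool) / len(pool)


def greedy_signature(candidates, suspicious, normal, u, fp_bound):
    """Grow a token conjunction one token per round.

    Round i keeps only tokens whose joint false positive rate on the normal
    pool is at most u[i], and picks the one with the highest joint coverage
    of the suspicious pool. Returns the signature once its false positive
    rate is within fp_bound, or None if no such signature is found.
    """
    signature = []
    for bound in u:
        best_token, best_cov = None, -1.0
        for token in candidates:            # T candidates per round
            if token in signature:
                continue
            trial = signature + [token]
            if fraction_matching(trial, normal) > bound:   # scan of N
                continue
            cov = fraction_matching(trial, suspicious)     # scan of M
            if cov > best_cov:
                best_token, best_cov = token, cov
        if best_token is None:
            return None
        signature.append(best_token)
        if fraction_matching(signature, normal) <= fp_bound:
            return signature
    return None


# Hypothetical pools: three worm-like flows plus one noise flow.
suspicious = [b"GET /a.ida?%u9090", b"GET /b.ida?%u1234",
              b"GET /c.ida?%u5555", b"GET /index.html"]
normal = [b"GET /index.html", b"GET /img.png", b"POST /form", b"GET /about"]
candidates = [b"GET /", b".ida?", b"%u"]
sig = greedy_signature(candidates, suspicious, normal, u=[0.8, 0.1], fp_bound=0.01)
```

Each round tests every candidate against both pools, which is where a cost proportional to T*(|M|+|N|) per round comes from in this naive form. In the toy run, `GET /` is chosen first because u(1) is loose, and `.ida?` then brings the false positive rate down to zero.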

17 Attack Resilience Assumptions
Two common assumptions for any signature generation system
Two unique assumptions for token-based schemes
Attacks on the flow classifier
–Our approach does not depend on perfect flow classifiers
–With 99% noise, no approach can work!
–High noise injection makes the worm propagate less efficiently.
Enhance flow classifiers

18 Improvements to the Basic Approach
Generalizing signature generation
–Use a scoring function to evaluate the goodness of a signature
Iteratively use the single-worm detector to detect multiple worms
–In the first iteration, the algorithm finds the signature for the most popular worm in the suspicious pool.
–All other worms and normal traffic are treated as noise.
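The iterative use of a single-worm detector can be sketched as a loop that generates one signature, removes the flows it covers, and repeats on the rest. The sketch assumes the generator and the matcher are supplied as callables. The name `detect_multiple_worms`, the `max_worms` cap and the stopping rules are assumptions, not details taken from the slides.

```python
def detect_multiple_worms(suspicious, generate_signature, matches, max_worms=10):
    """Repeatedly run a single-worm signature generator.

    generate_signature(pool) returns a signature or None.
    matches(signature, flow) returns True if the flow is covered.
    Returns (signatures, flows left uncovered).
    """
    signatures = []
    remaining = list(suspicious)
    for _ in range(max_worms):
        if not remaining:
            break
        signature = generate_signature(remaining)
        if signature is None:
            break
        covered = [flow for flow in remaining if matches(signature, flow)]
        if not covered:
            break  # no progress, stop rather than loop forever
        signatures.append(signature)
        # Flows of the worm just found no longer act as noise for the next one.
        remaining = [flow for flow in remaining if not matches(signature, flow)]
    return signatures, remaining
```

Any single-worm generator can be plugged in here. On the first pass the most popular worm dominates the pool, and later passes see a pool in which that worm has been removed.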

19 Outline Motivation Hamsa Design Model-based Signature Generation Evaluation Related Work Conclusion

20 Experiment Methodology
Experimental setup:
–Suspicious pool:
»Three pseudo-polymorphic worms based on real exploits (Code-Red II, Apache-Knacker and ATPhttpd)
»Two polymorphic engines from the Internet (CLET and TAPiON)
–Normal pool: 2-hour departmental HTTP trace (326 MB)
Signature evaluation:
–False negative: 5000 generated worm samples per worm
–False positive:
»4-day departmental HTTP trace (12.6 GB)
»3.7 GB of web crawling, including .mp3, .rm, .ppt, .pdf, .swf, etc.
»/usr/bin of Linux Fedora Core 4
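The two evaluation metrics above reduce to simple ratios once a signature matcher is available. The Python sketch below assumes a signature is a mapping from token to minimum occurrence count and that both pools are non-empty. The function names and the sample flows are made up for illustration.

```python
def matches(signature, payload):
    """True if each token occurs at least the required number of times."""
    return all(payload.count(tok) >= need for tok, need in signature.items())


def evaluate(signature, worm_samples, normal_flows):
    """Return (false_negative_rate, false_positive_rate).

    False negatives are worm samples the signature misses.
    False positives are normal flows the signature matches.
    """
    missed = sum(not matches(signature, s) for s in worm_samples)
    false_alarms = sum(matches(signature, f) for f in normal_flows)
    return missed / len(worm_samples), false_alarms / len(normal_flows)


# CLET signature as listed on the results slide of this transcript.
CLET = {b"0\x8b": 1, b"\xff\xff\xff": 1, b"t\x07\xeb": 1}

# Hypothetical samples, for illustration only.
worms = [b"..0\x8b..\xff\xff\xff..t\x07\xeb..", b"0\x8b without the rest"]
normal = [b"GET / HTTP/1.0\r\n", b"\xff\xff\xff 0\x8b t\x07\xeb"]
fn_rate, fp_rate = evaluate(CLET, worms, normal)
```

In this toy data one of the two worm samples is missed and one of the two normal flows happens to contain all three tokens, so both rates come out at 0.5.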

21 Results on Signature Quality
Single worm with noise
–Suspicious pool size: 100 and 200 samples
–Noise ratio: 0%, 10%, 30%, 50%, 70%
–Noise samples randomly picked from the normal pool
–The signatures and accuracy in the table are obtained in every case.
Multiple worms with noise give similar results
Worm | Training FN | Training FP | Evaluation FN | Evaluation FP | Binary evaluation FP | Signature
Code-Red II | … | … | … | … | … | {'.ida?': 1, '%u780': 1, ' HTTP/1.0\r\n': 1, 'GET /': 1, '%u': 2}
CLET | 0 | 0.109% | … | …% | 0.268% | {'0\x8b': 1, '\xff\xff\xff': 1, 't\x07\xeb': 1}

22 Speed Results
Implementation with C++/Python
–500 samples with 20% noise and a 100 MB normal traffic pool: 15 seconds on a Xeon 2.8 GHz, with 112 MB memory consumption
Speed comparison with Polygraph
–Asymptotic runtime: O(T) vs. O(|M|^2); when |M| increases, T won’t increase as fast as |M|!
–Experimental: 64 to 361 times faster (Polygraph vs. ours, both in Python)

23 Outline Motivation Hamsa Design Model-based Signature Generation Evaluation Related Work Conclusion

24 Related works
Systems compared: Hamsa, Polygraph, CFG, PADS, Nemean, COVERS, Malware Detection
(values listed left to right; a value may span several systems)
Network or host based: Network; Host
Content or behavior based: Content based; Behavior based; Content based; Behavior based
Noise tolerance: Yes; Yes (slow); Yes; No; Yes
Multi worms in one protocol: Yes; Yes (slow); Yes; No; Yes
On-line sig matching: Fast; Slow; Fast; Slow
Generality: General purpose; Protocol specific; Server specific; General purpose
Provable attack resilience: Yes; No
Information exploited: …

25 Conclusion
Network-based signature generation and matching are important and challenging
Hamsa: automated signature generation
–Fast
–Noise tolerant
–Provable attack resilience
–Capable of detecting multiple worms in a single application protocol
Proposed a model to describe the worm invariants

Questions ?