Automated Worm Fingerprinting Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage.

Slides:



Advertisements
Similar presentations
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Advertisements

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Bitmap algorithms for flow counting – Internet Measurement Conference, October 2003 Bitmap Algorithms for Counting Active Flows on High Speed Links Cristian.
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.
CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Automated Worm Fingerprinting Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage Presenter:
Automated Worm Fingerprinting [Singh, Estan et al] Internet Quarantine: Requirements for Self- Propagating Code [Moore, Shannon et al] David W. Hill CSCI.
 Looked at some research approaches to: o Evaluate defense effectiveness o Stop worm from spreading from a given host o Defend a circle of friends against.
 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.
 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.
Streaming Algorithms for Robust, Real- Time Detection of DDoS Attacks S. Ganguly, M. Garofalakis, R. Rastogi, K. Sabnani Krishan Sabnani Bell Labs Research.
Incremental Network Programming for Wireless Sensors NEST Retreat June 3 rd, 2004 Jaein Jeong UC Berkeley, EECS Introduction Background – Mechanisms of.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Worms: Taxonomy and Detection Mark Shaneck 2/6/2004.
Automated Worm Fingerprinting Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage Manan Sanghi.
Algorithms for Network Security
1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Hash, Don’t Cache: Fast Packet Forwarding for Enterprise Edge Routers Minlan Yu Princeton University Joint work with Jennifer.
George Varghese (based on Cristi Estan’s work) University of California, San Diego May 2011 Internet traffic measurement: from packets to insight.
Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)
Tracking Port Scanners on the IP Backbone Tao Ye Sprint Burlingame, CA Avinash Sridharan University of Southern California.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Automated Worm Fingerprinting
Intrusion Prevention System. Module Objectives By the end of this module, participants will be able to: Use the FortiGate Intrusion Prevention System.
BY ANDREA ALMEIDA T.E COMP DON BOSCO COLLEGE OF ENGINEERING.
Content Sifting Stefan Savage Sumeet Singh, Cristian Estan, George Varghese, Justin Ma, Kirill Levchenko.
SIGCOMM 2002 New Directions in Traffic Measurement and Accounting Focusing on the Elephants, Ignoring the Mice Cristian Estan and George Varghese University.
1Cisco Security NOW © 2003, Cisco Systems, Inc. All rights reserved. THIS IS THE POWER OF CISCO SECURITY. now.
Carleton University School of Computer Science Detecting Intra-enterprise Scanning Worms based on Address Resolution David Whyte, Paul van Oorschot, Evangelos.
Scalable and Efficient Data Streaming Algorithms for Detecting Common Content in Internet Traffic Minho Sung Networking & Telecommunications Group College.
A Virtual Honeypot Framework Author: Niels Provos Published in: CITI Report 03-1 Presenter: Tao Li.
1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and.
15-744: Computer Networking L-23 Worms. 2 Overview Worm propagation Worm signatures.
1 Figure 4-16: Malicious Software (Malware) Malware: Malicious software Essentially an automated attack robot capable of doing much damage Usually target-of-opportunity.
Click to add Text Automated Worm Fingerprinting Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage Department of Computer Science and Engineering.
DoWitcher: Effective Worm Detection and Containment in the Internet Core S. Ranjan et. al in INFOCOM 2007 Presented by: Sailesh Kumar.
1 Lecture 14 High-speed TCP connections Wraparound Keeping the pipeline full Estimating RTT Fairness of TCP congestion control Internet resource allocation.
Modeling Worms: Two papers at Infocom 2003 Worms Programs that self propagate across the internet by exploiting the security flaws in widely used services.
IEEE Communications Surveys & Tutorials 1st Quarter 2008.
The UCSD Network Telescope A Real-time Monitoring System for Tracking Internet Attacks Stefan Savage David Moore, Geoff Voelker, and Colleen Shannon Department.
Heuristics to Classify Internet Backbone Traffic based on Connection Patterns Wolfgang John and Sven Tafvelin Dept. of Computer Science and Engineering.
Stamping out worms and other Internet pests Miguel Castro Microsoft Research.
Defending Against Internet Worms: A Signature-Based Approach Aurthors: Yong Tang, and Shigang Chen Publication: IEEE INFOCOM'05 Presenter : Richard Bares.
1 HoneyNets. 2 Introduction Definition of a Honeynet Concept of Data Capture and Data Control Generation I vs. Generation II Honeynets Description of.
1 Very Fast containment of Scanning Worms By: Artur Zak Modified by: David Allen Nicholas Weaver Stuart Staniford Vern Paxson ICSI Nevis Netowrks ICSI.
Worm Defense Alexander Chang CS239 – Network Security 05/01/2006.
Search Worms, ACM Workshop on Recurring Malcode (WORM) 2006 N Provos, J McClain, K Wang Dhruv Sharma
D 陳怡安 R 解巽評 R 高榮泰 IEEE/ACM TRANSACTIONS ON NETWORKING OCTOBER 2006 Cristian Estan, George Varghese, Member, IEEE, and Michael Fisk.
Polygraph: Automatically Generating Signatures for Polymorphic Worms Presented by: Devendra Salvi Paper by : James Newsome, Brad Karp, Dawn Song.
Intrusion Detection Systems Paper written detailing importance of audit data in detecting misuse + user behavior 1984-SRI int’l develop method of.
1 Modeling, Early Detection, and Mitigation of Internet Worm Attacks Cliff C. Zou Assistant professor School of Computer Science University of Central.
Automated Worm Fingerprinting Authors: Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage Publish: OSDI'04. Presenter: YanYan Wang.
Slammer Worm By : Varsha Gupta.P 08QR1A1216.
Role Of Network IDS in Network Perimeter Defense.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
Polygraph: Automatically Generating Signatures for Polymorphic Worms Authors: James Newsome (CMU), Brad Karp (Intel Research), Dawn Song (CMU) Presenter:
Usenix Security 2004 Autograph Toward Automated, Distributed Worm Signature Detection Hyang-Ah KimBrad Karp Carnegie Mellon UniversityIntel Research &
Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.
Cosc 4765 Antivirus Approaches. In a Perfect world The best solution to viruses and worms to prevent infected the system –Generally considered impossible.
The Worms Crawl In The Worms Crawl Out David Andersen.
Internet Quarantine: Requirements for Containing Self-Propagating Code
TMG Client Protection 6NPS – Session 7.
Automated Worm Fingerprinting
Chap 10 Malicious Software.
Local Worm Detection using Honeypots Justin Miller Jan 25, 2007
Chap 10 Malicious Software.
Automated Worm Fingerprinting
Introduction to Internet Worm
Presentation transcript:

Automated Worm Fingerprinting Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage

Introduction Problem: how to react quickly to worms? CodeRed 2001  Infected ~360,000 hosts within 11 hours Sapphire/Slammer (376 bytes) 2002  Infected ~75,000 hosts within 10 minutes

Existing Approaches Detection  Ad hoc intrusion detection Characterization  Manual signature extraction Isolates and decompiles a new worm Look for and test unique signatures Can take hours or days

Existing Approaches Containment  Updates to anti-virus and network filtering products

Earlybird Automatically detect and contain new worms Two observations  Some portion of the content in existing worms is invariant  Rare to see the same string recurring from many sources to many destinations

Earlybird Automatically extract the signature of all known worms  Also Blaster, MyDoom, and Kibuv.B hours or days before any public signatures were distributed Few false positives

Background and Related Work Almost all IPs were scanned by Slammer < 10 minutes  Limited only by bandwidth constraints

The SQL Slammer Worm: 30 Minutes After “Release” - Infections doubled every 8.5 seconds - Spread 100X faster than Code Red - At peak, scanned 55 million hosts per second.

Network Effects Of The SQL Slammer Worm At the height of infections  Several ISPs noted significant bandwidth consumption at peering points  Average packet loss approached 20%  South Korea lost almost all Internet service for period of time  Financial ATMs were affected  Some airline ticketing systems overwhelmed

Signature-Based Methods Pretty effective if signatures can be generated quickly  For CodeRed, 60 minutes  For Slammer, 1 – 5 minutes

Worm Detection Three classes of methods  Scan detection  Honeypots  Behavioral techniques

Scan Detection Look for unusual frequency and distribution of address scanning Limitations  Not suited to worms that spread in a non- random fashion (i.e. s, IM, P2P apps) Based on a target list Spread topologically

Scan Detection More limitations  Detects infected sites  Does not produce a signature

Honeypots Monitored idle hosts with untreated vulnerabilities  Used to isolate worms Limitations  Manual extraction of signatures  Depend on quick infections

Behavioral Detection Looks for unusual system call patterns  Sending a packet from the same buffer containing a received packet  Can detect slow moving worms Limitations  Needs application-specific knowledge  Cannot infer a large-scale outbreak

Characterization Process of analyzing and identifying a new worm Current approaches  Use a priori vulnerability signatures  Automated signature extraction

Vulnerability Signatures Example  Slammer Worm UDP traffic on port 1434 that is longer than 100 bytes (buffer overflow) Can be deployed before the outbreak  Can only be applied to well-known vulnerabilities

Some Automated Signature Extraction Techniques Allows viruses to infect decoy programs  Extracts the modified regions of the decoy  Uses heuristics to identify invariant code strings across infected instances

Some Automated Signature Extraction Techniques Limitation  Assumes the presence of a virus in a controlled environment

Some Automated Signature Extraction Techniques Honeycomb  Find longest common subsequences among sets of strings found in messages Autograph  Uses network-level data to infer worm signatures Limitations  Scale and full distributed deployments

Containment Mechanism used to deter the spread of an active worm  Host quarantine Via IP ACLs on routers or firewalls  String-matching  Connection throttling On all outgoing connections

Host Quarantine Preventing an infected host from talking to other hosts  Via IP ACLs on routers or firewalls

Defining Worm Behavior Content invariance  Portions of a worm are invariant (e.g. the decryption routine) Content prevalence  Appears frequently on the network Address dispersion  Distribution of destination addresses more uniform to spread fast

Finding Worm Signatures Traffic pattern is sufficient for detecting worms  Relatively straightforward  Extract all possible substrings  Raise an alarm when FrequencyCounter[substring] > threshold1 SourceCounter[substring] > threshold2 DestCounter[substring] > threshold3

Practical Content Sifting Characteristics  Small processing requirements  Small memory requirements  Allows arbitrary deployment strategies

Estimating Content Prevalence Finding the packet payloads that appear at least x times among the N packets sent  During a given interval

Estimating Content Prevalence Table[payload]  1 GB table filled in 10 seconds Table[hash[payload]]  1 GB table filled in 4 minutes  Tracking millions of ants to track a few elephants  Collisions...false positives

[Singh et al. 2002] stream memory Array of counters Hash(Pink) Multistage Filters

packet memory Array of counters Hash(Green) Multistage Filters

packet memory Array of counters Hash(Green) Multistage Filters

packet memory Multistage Filters

packet memory Collisions are OK Multistage Filters

packet memory packet1 1 Insert Reached threshold Multistage Filters

packet memory packet1 1 Multistage Filters

packet memory packet1 1 packet2 1 Multistage Filters

Stage 2 packet memory packet1 1 Stage 1 Multistage Filters No false negatives! (guaranteed detection)

Gray = all prior packets Conservative Updates

Redundant Conservative Updates

Detecting Common Strings Cannot afford to detect all substrings Maybe can afford to detect all strings with a small fixed length

Detecting Common Strings Cannot afford to detect all substrings Maybe can afford to detect all strings with a small fixed length A horse is a horse, of course, of course F 1 = (c 1 p 4 + c 2 p 3 + c 3 p 2 + c 4 p 1 + c 5 ) mod M

Detecting Common Strings Cannot afford to detect all substrings Maybe can afford to detect all strings with a small fixed length A horse is a horse, of course, of course F 1 = (c 1 p 4 + c 2 p 3 + c 3 p 2 + c 4 p 1 + c 5 ) mod M F 2 = (c 2 p 4 + c 3 p 3 + c 4 p 2 + c 5 p 1 + c 6 ) mod M

Detecting Common Strings Cannot afford to detect all substrings Maybe can afford to detect all strings with a small fixed length A horse is a horse, of course, of course F 1 = (c 1 p 4 + c 2 p 3 + c 3 p 2 + c 4 p 1 + c 5 ) mod M F 2 = (c 2 p 4 + c 3 p 3 + c 4 p 2 + c 5 p 1 + c 6 ) mod M = (c 1 p 5 + c 2 p 4 + c 3 p 3 + c 4 p 2 + c 5 p 1 + c 6 - c 1 p 5 ) mod M = (pF 1 + c 6 - c 1 p 5 ) mod M

Detecting Common Strings Cannot afford to detect all substrings Maybe can afford to detect all strings with a small fixed length  Still too expensive…

Estimating Address Dispersion Not sufficient to count the number of source and destination pairs  e.g. send a mail to a mailing list Two sources—mail server and the sender Many destinations Need to count the unique source and destination traffic flows  For each substring

[Estan et al. 2003] Bitmap counting – direct bitmap HASH(green)= Set bits in the bitmap using hash of the flow ID of incoming packets

Bitmap counting – direct bitmap HASH(blue)= Different flows have different hash values

Bitmap counting – direct bitmap HASH(green)= Packets from the same flow always hash to the same bit

Bitmap counting – direct bitmap HASH(violet)= Collisions OK, estimates compensate for them

Bitmap counting – direct bitmap HASH(orange)=

HASH(pink)=

HASH(yellow)= As the bitmap fills up, estimates get inaccurate

Bitmap counting – direct bitmap Solution: use more bits HASH(green)=

Bitmap counting – direct bitmap Solution: use more bits Problem: memory scales with the number of flows HASH(blue)=

Bitmap counting – virtual bitmap Solution: a) store only a portion of the bitmap b) multiply estimate by scaling factor

Bitmap counting – virtual bitmap HASH(pink)=

HASH(yellow)= Problem: estimate inaccurate when few flows active

Bitmap counting – multiple bmps Solution: use many bitmaps, each accurate for a different range

Bitmap counting – multiple bmps HASH(pink)=

HASH(yellow)=

Use this bitmap to estimate number of flows

Bitmap counting – multiple bmps Use this bitmap to estimate number of flows

Bitmap counting – multires. bmp Problem: must update up to three bitmaps per packet Solution: combine bitmaps into one OR

HASH(pink)= Bitmap counting – multires. bmp

HASH(yellow)=

Multiresolution Bitmaps Still too expensive to scale Scaled bitmap  Recycles the hash space with too many bits set  Adjusts the scaling factor according E.g., 1 bit represents 2 flows as opposed to a single flow

Too CPU-Intensive A packet with 1,000 bytes of payload  Needs 960 fingerprints for string length of 40 Prone to Denial-of-Service attacks

CPU Scaling Obvious approach: sampling - Random sampling may miss many substrings Solution: value sampling  Track only certain substrings e.g. last 6 bits of fingerprint are 0  P(not tracking a worm) = P(not tracking any of its substrings)

CPU Scaling Example  Track only substrings with last 6 bits = 0s  String length = 40  1,000 char string 960 substrings  960 fingerprints ‘11100…101010’…‘10110…000000’…  Use only ‘xxxxx… ’ as signatures Probably 960 / 2 6 = 15 signatures

CPU Scaling P(finding a 100-byte signature) = 55% P(finding a 200-byte signature) = 92% P(finding a 400-byte signature) = 99.64%

Putting It Together headerpayload substring fingerprints keysrc cntdest cnt AD entry exist? update counters keycnt else update counter cnt > prevalence threshold? create AD entry Content Prevalence Table Address Dispersion Table counters > dispersion threshold? report key as suspicious worm

Putting It Together Sample frequency: 1/64 String length: 40 Use 4 hash functions to update prevalence table  Multistage filter reset every 60 seconds

System Design Two major components  Sensors Sift through traffic for a given address space Report signatures  An aggregator Coordinates real-time updates Distributes signatures

Implementation and Environment Written in C and MySQL (5,000 lines) rrd-tools library for graphical reporting PHP scripting for administrative control Prototype executes on a 1.6Ghz AMD Opteron 242 1U Server  Linux 2.6 kernel

EarlyBird Processes 1TB of traffic per day Can keep up with 200Mbps of continuous traffic

Parameter Tuning Prevalence threshold: 3  Very few signatures repeat Address dispersion threshold  30 sources and 30 destinations  Reset every few hours  Reduces the number of reported signatures down to ~25,000

Parameter Tuning Tradeoff between and speed and accuracy  Can detect Slammer in 1 second as opposed to 5 seconds With 100x more reported signatures

Performance 200Mbps Can be pipelined and parallelized for achieve 40Gbps

Memory Consumption Prevalence table  4 stages Each with ~500,000 bins (8 bits/bin)  2MB total Address dispersion table  25K entries (28 bytes each)  < 1 MB Total: < 4MB

Trace-Based Verification Two main sources of false positives  2,000 common protocol headers e.g. HTTP, SMTP Whitelisted  SPAM s  BitTorrent Many-to-many download

False Negatives So far none Detected every worm outbreak

Inter-Packet Signatures An attacker might evade detection by splitting an invariant string across packets With 7MB extra, EarlyBird can keep per flow states and fingerprint across packets

Live Experience with EarlyBird Detected precise signatures  CodeRed variants  MyDoom mail worm  Sasser  Kibvu.B

Variant Content Polymorphic viruses  Semantically equivalent but textually distinct code  Invariant decoding routine

Extensions Self configuration Slow worms

Containment How to handle false positives?  If too aggressive, EarlyBird becomes a target for DoS attacks  An attacker can fool the system to block a target message

Coordination Trust of deployed servers Validation Policy

Conclusions EarlyBird is a promising approach  To detect unknown worms real-time  To extract signatures automatically  To detect SPAMs with minor changes Wire-speed signature learning is viable