Profiling Self-Propagating Worms via Behavioral Footprinting Xuxian Jiang, Dongyan Xu ACM WORM’06 November 3, 2006.


2 Characteristics of a Worm's Attack
A worm's successful infection session usually consists of a sequence of steps.
–e.g., target selection and probing, exploitation, and replication
The logic in a worm's implementation is different from that of the service or software being exploited by the worm.
During an infection, each worm follows its own specific attack procedure to compromise the victim.
–The worm's payload often has invariant bytes
–Each worm exhibits its "personality" in terms of the target vulnerability, exploitation means, replication scheme, and payload features.

3 Problem
To effectively defend against self-propagating worms, a critical task is to create a complete, multi-faceted profile of each worm that can be used to identify it.
A well-established dimension of worm profiling is content-based fingerprinting, which characterizes a worm by extracting its most representative content sequences.
But this approach does not capture a worm's temporal infection behavior.

4 Behavioral Footprint Extraction
Given two infection traces $F_1 = x_1 x_2 \cdots x_n$ and $F_2 = y_1 y_2 \cdots y_m$, our algorithm finds an optimal alignment (i.e., max substring) between them.
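The alignment step above, worked through as an added example; this is not code from the slides or from the paper's own footprinting implementation. It assumes each trace is a sequence of discrete infection-step symbols (the labels "probe", "connect", "exploit", and so on are constructed for illustration), uses a standard dynamic-programming local alignment with an assumed scoring scheme (match +2, mismatch -1, gap -1), and also shows the simpler longest-common-substring view the slide names, so the two can be compared on the same pair of traces.

```python
"""Added example: extracting a behavioral footprint from two infection traces.

Not from the slides or the paper. Step symbols, sample traces and the
scoring scheme below are assumptions made for illustration.
"""
from typing import List, Optional, Tuple

# Constructed sample traces: two infection sessions of the same hypothetical
# worm, as seen by two sensors. Trace B contains one extra "retry" step, the
# kind of variation that a plain substring match cannot bridge.
TRACE_A = ["probe", "connect", "exploit", "shell", "download", "execute", "scan"]
TRACE_B = ["connect", "exploit", "shell", "retry", "download", "execute"]

MATCH, MISMATCH, GAP = 2, -1, -1  # assumed scoring scheme

Pair = Tuple[Optional[str], Optional[str]]


def local_align(f1: List[str], f2: List[str]) -> Tuple[int, List[Pair]]:
    """Smith-Waterman local alignment over step symbols.

    Returns (score, pairs): the best local alignment score and the aligned
    step pairs, with None marking a gap on one side.
    """
    n, m = len(f1), len(f2)
    h = [[0] * (m + 1) for _ in range(n + 1)]
    best, best_pos = 0, (0, 0)
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            sub = MATCH if f1[i - 1] == f2[j - 1] else MISMATCH
            h[i][j] = max(0, h[i - 1][j - 1] + sub, h[i - 1][j] + GAP, h[i][j - 1] + GAP)
            if h[i][j] > best:
                best, best_pos = h[i][j], (i, j)

    # Trace back from the best cell until the score drops to zero.
    i, j = best_pos
    pairs: List[Pair] = []
    while i > 0 and j > 0 and h[i][j] > 0:
        sub = MATCH if f1[i - 1] == f2[j - 1] else MISMATCH
        if h[i][j] == h[i - 1][j - 1] + sub:
            pairs.append((f1[i - 1], f2[j - 1]))
            i, j = i - 1, j - 1
        elif h[i][j] == h[i - 1][j] + GAP:
            pairs.append((f1[i - 1], None))  # gap in f2
            i -= 1
        else:
            pairs.append((None, f2[j - 1]))  # gap in f1
            j -= 1
    pairs.reverse()
    return best, pairs


def footprint(f1: List[str], f2: List[str]) -> List[str]:
    """Steps matched identically in the optimal alignment, in order.

    This ordered list is the candidate behavioral footprint shared by both
    sessions; steps present in only one trace are dropped.
    """
    _, pairs = local_align(f1, f2)
    return [x for x, y in pairs if x is not None and x == y]


def longest_common_substring(f1: List[str], f2: List[str]) -> List[str]:
    """Longest contiguous run of identical steps (the 'max substring' view)."""
    n, m = len(f1), len(f2)
    length = [[0] * (m + 1) for _ in range(n + 1)]
    best_len, end_i = 0, 0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            if f1[i - 1] == f2[j - 1]:
                length[i][j] = length[i - 1][j - 1] + 1
                if length[i][j] > best_len:
                    best_len, end_i = length[i][j], i
    return f1[end_i - best_len:end_i]


if __name__ == "__main__":
    score, pairs = local_align(TRACE_A, TRACE_B)
    print("alignment score:", score)
    for x, y in pairs:
        print(f"  {x or '-':>10} | {y or '-':<10}")
    print("footprint:", footprint(TRACE_A, TRACE_B))
    print("max substring:", longest_common_substring(TRACE_A, TRACE_B))
```

On the constructed traces the alignment skips the extra "retry" step with a gap and recovers the five shared steps in order, whereas the longest common substring stops at the first three steps; that difference is why an alignment, rather than a plain substring match, is the natural fit for traces that vary slightly between sessions.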

5 Evaluations
Behavioral footprinting characterizes worm infection steps and their order in every worm infection session.