Defending Against Internet Worms: A Signature-Based Approach Aurthors: Yong Tang, and Shigang Chen Publication: IEEE INFOCOM'05 Presenter : Richard Bares.

Slides:

Advertisements

Similar presentations

Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.

Advertisements

1 Computer Networks: A Systems Approach, 5e Larry L. Peterson and Bruce S. Davie Chapter 8 Network Security Copyright © 2010, Elsevier Inc. All rights.

Malware Ge Zhang Karlstad Univeristy. Focus What malware are Types of malware How do they propagate How do they hide How to detect them.

Lecture 14 Firewalls modified from slides of Lawrie Brown.

Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.

 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.

Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

1 Design of Bloom Filter Array for Network Anomaly Detection Author: Jieyan Fan, Dapeng Wu, Kejie Lu, Antonio Nucci Publisher: IEEE GLOBECOM 2006 Presenter:

Stopping Worm/Virus Attacks Chiu Wah So (Kelvin).

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

Adaptive Security for Wireless Sensor Networks Master Thesis – June 2006.

Worms: Taxonomy and Detection Mark Shaneck 2/6/2004.

Vigilante: End-to-End Containment of Internet Worms Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang, Paul Barham.

Automated Worm Fingerprinting Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage Manan Sanghi.

S EC (4.5): S ECURITY 1. F ORMS OF ATTACK There are numerous way that a computer system and its contents can be attacked via network connections. Many.

Worm Defense. Outline  Internet Quarantine: Requirements for Containing Self-Propagating Code  Netbait: a Distributed Worm Detection Service  Midgard.

School of Computer Science and Information Systems

Big Data Analytics and Challenge Presented by Saurabh Rastogi Asst. Prof. in Maharaja Agrasen Institute of Technology B.Tech(IT), M.Tech(IT)

1 Collaborative Online Passive Monitoring for Internet Quarantine Weidong Cui SAHARA Winter Retreat, 2004.

How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Lecture 11 Intrusion Detection (cont)

1 Message Authentication and Hash Functions Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of.

Network Security (Firewall) Instructor: Professor Morteza Anvari Student: Xiuxian Chen ID: Term: Spring 2001.

Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel

Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.

 Collection of connected programs communicating with similar programs to perform tasks  Legal  IRC bots to moderate/administer channels  Origin of.

Speaker ： Hong-Ren Jiang A Novel Testbed for Detection of Malicious Software Functionality 1.

BY ANDREA ALMEIDA T.E COMP DON BOSCO COLLEGE OF ENGINEERING.

Stamping out worms and other Internet pests Miguel Castro Microsoft Research.

Speaker:Chiang Hong-Ren Botnet Detection by Monitoring Group Activities in DNS Traffic.

Honeypots. Introduction A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.

1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.

DoWitcher: Effective Worm Detection and Containment in the Internet Core S. Ranjan et. al in INFOCOM 2007 Presented by: Sailesh Kumar.

Detection Unknown Worms Using Randomness Check Computer and Communication Security Lab. Dept. of Computer Science and Engineering KOREA University Hyundo.

Botnet behavior and detection October RONOG Silviu Sofronie – a Head of Forensics.

Vigilante: End-to-End Containment of Internet Worms Authors : M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham In Proceedings.

Modeling Worms: Two papers at Infocom 2003 Worms Programs that self propagate across the internet by exploiting the security flaws in widely used services.

IEEE Communications Surveys & Tutorials 1st Quarter 2008.

The UCSD Network Telescope A Real-time Monitoring System for Tracking Internet Attacks Stefan Savage David Moore, Geoff Voelker, and Colleen Shannon Department.

1 Countering DoS Through Filtering Omar Bashir Communications Enabling Technologies

Cryptography and Network Security (CS435) Part One (Introduction)

Mapping Internet Sensors with Probe Response Attacks Authors: John Bethencourt, Jason Franklin, Mary Vernon Published At: Usenix Security Symposium, 2005.

A Virtual Honeypot Framework Niels Provos Google, Inc. The 13th USENIX Security Symposium, August 9–13, 2004 San Diego, CA Presented by: Sean Mondesire.

Stamping out worms and other Internet pests Miguel Castro Microsoft Research.

1 HoneyNets. 2 Introduction Definition of a Honeynet Concept of Data Capture and Data Control Generation I vs. Generation II Honeynets Description of.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore, Colleen Shannon, Geoffrey M.Voelker, Stefan Savage University of California,

Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic Authors: Oleg Kolensnikov and Wenke Lee Published: Technical report, 2005, College.

1 HoneyNets, Intrusion Detection Systems, and Network Forensics.

DETECTING TARGETED ATTACKS USING SHADOW HONEYPOTS AUTHORS: K. G. Anagnostakisy, S. Sidiroglouz, P. Akritidis, K. Xinidis, E. Markatos, A. D. Keromytisz.

Worm Defense Alexander Chang CS239 – Network Security 05/01/2006.

HoneyComb HoneyComb Automated IDS Signature Generation using Honeypots Prepare by LIW JIA SENG Supervisor : AP. Dr. Mohamed Othman.

Search Worms, ACM Workshop on Recurring Malcode (WORM) 2006 N Provos, J McClain, K Wang Dhruv Sharma

An Automated Signature-Based Approach against Polymorphic Internet Worms Yong Tang; Shigang Chen; IEEE Transactions on Parallel and Distributed Systems,

Cryptography and Network Security Sixth Edition by William Stallings.

nd Joint Workshop between Security Research Labs in JAPAN and KOREA Polymorphic Worm Detection by Instruction Distribution Kihun Lee HPC Lab., Postech.

Automated Worm Fingerprinting Authors: Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage Publish: OSDI'04. Presenter: YanYan Wang.

SEMINAR ON IP SPOOFING. IP spoofing is the creation of IP packets using forged (spoofed) source IP address. In the April 1989, AT & T Bell a lab was among.

HoneyStat: Local Worm Detection Using Honeypots David Dagon, Xinzhou Qin, Guofei Gu, Wenke Lee, et al from Georgia Institute of Technology Authors: The.

Cryptography and Network Security Chapter 1. Background  Information Security requirements have changed in recent times  traditionally provided by physical.

2009/6/221 BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure- Independent Botnet Detection Reporter : Fong-Ruei, Li Machine.

Vigilante: End-to-End Containment of Internet Worms Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang and Paul Barham.

Message Authentication Code

Internet Quarantine: Requirements for Containing Self-Propagating Code

POLYGRAPH: Automatically Generating Signatures for Polymorphic Worms

Chap 10 Malicious Software.

Chap 10 Malicious Software.

Introduction to Internet Worm

Presentation transcript:

Defending Against Internet Worms: A Signature-Based Approach Aurthors: Yong Tang, and Shigang Chen Publication: IEEE INFOCOM'05 Presenter : Richard Bares

What is an Internet Worm Self-propagated program that automaticlly replicates itself to a vulnerable systems and spreads across the internet

Current ways to detect Worms Address blacklisting content filtering Anomaly-based Signature Based

Drawbacks of these systems Need of wide spread deployment over the internet to be effective with address blacklisting and content filtering High false positives with anomaly-based systems Signature based able to find only know worms and process is not automated

Solution Double HoneyPot System for automatic detection New type of signature to help detect polymorphic worms (PADS)

Double HoneyPot Two independent HoneyPot arrays with two address translator Inbound HoneyPot used to attract attackers Outbound HoneyPot to capture attack traffic

Double HoneyPot

Inbound HoneyPot All invalid services requests forwarded to inbound HoneyPot by gate translator High-interaction HoneyPot used to allow for full compromised of hosts Infected host’s traffic forwarded to Outbound HoneyPot by internal translator

Invalid services requests

Outbound HoneyPot Collect attack information sent by infected Inbound HoneyPot This information used by Position-Aware Distribution System (PADS) to make signatures to detect polymorphic worms

Polymorphic Techniques Single Encryption with random keys Random Encryption routine Garbage code insertion Instruction substitution Code transposition Register reassignment

PADS Contains aspects of both signature and anomaly based systems Uses byte frequency distribution instead of a fixed value Focuses on generic patterns which allows for some variations

PADS Uses variations of worm attacks captured from HoneyPots to make a signature Uses two algorithms to compare bits of variants to each other to generate signature

PADS

Testing Created 200 variants of MS Blaster Worm Used 100 variants to make signature from PADS system Remaining 100 used to test for

Conclusion Able to detect 100% of the MS Blaster worms created Had no false positives in legitimate network traffic Needed more testing in live environment

Contributions Design of Double HoneyPot which can detect and block attack traffic Developed position-aware distribution signature which take the best features of signature and anomaly-based systems

Weaknesses Incorrect Data on Honeypots not able to block Local Traffic One of Algorithm used in PADS contained a serious bug All Testing done on variations of the same worm Not in live testing environment