1 Very Fast Containment of Scanning Worms By: Artur Zak Modified by: David Allen. Authors: Nicholas Weaver (ICSI), Stuart Staniford (Nevis Networks), Vern Paxson (ICSI).

Presentation transcript:

2 Abstract Worms – malicious, self-propagating programs that represent a threat to large networks. Containment – one form of defense; it limits a worm’s spread by isolating it in a small subsection of the network.

3 Scanning Worms Operate by picking “random” addresses and attempting to infect the machines found there. Blaster – linear scanning. Code Red – fully random. Code Red II & Nimda – biased toward local addresses. Worms will find small holes in firewalls and routers, leading to complete infection of the local network from a single original source.

4 Scanning Worms Common properties of scanning worms: most scanning attempts result in failure, and infected machines initiate many connection attempts. Containment looks for this class of behavior rather than a specific worm signature, so it is able to stop new worms.

5 Worm Containment (virus throttling) Must be automated: worms propagate more rapidly than a human can respond. Works by detecting that a worm is operating in the network and then blocking the infected machines from contacting further hosts. “Defense in depth”: used in addition to other network protection mechanisms.

6 Mechanism Requirements Break the network into many cells. Within each cell a worm can spread unimpeded; between cells, containment limits infection by blocking outgoing connections from infected cells. Works best with small cells. Must have a very low false positive rate: blocking suspicious machines or ports can cause a DoS if the false positive rate is high.

7 Epidemic Threshold A worm-suppression device must necessarily allow some scanning before it triggers a response, and the worm may find a victim during that time. An epidemic is sustained if each infection results in a single child; an exponential epidemic occurs if each infection results in more than one child.

8 Epidemic Threshold The epidemic threshold depends on: the sensitivity of the containment response devices; the density of vulnerable machines on the network; and the degree to which the worm is able to target its efforts into the correct network, and even into the current cell.

9 Sustained Scanning Threshold If a worm scans slower than the sustained scanning threshold, the detector will not trigger, so it is vital to achieve as low a sustained scanning threshold as possible. For this implementation the threshold is set to 1 scan per minute; other methods are often no better than 1 per second.

10 Scan Suppression Portscans have two basic types: horizontal – search for an identical service on a large number of machines; vertical – examine an individual machine to discover its running services. Scan suppression – responding to detected portscans by blocking future scanning attempts.

11 Implementation The scan detection and suppression algorithm is derived from Threshold Random Walk (TRW) scan detection. TRW uses an oracle to determine whether a connection will fail or succeed: walk down for a good connection, walk up for a failed connection, with the threshold set on the deviation.

12 Implementation The simplified algorithm is easier to implement than TRW and is suitable for both hardware and software implementation. The simplification increases the false negative rate but causes no change in the false positive rate.

13 Hardware Implementation Constraints: must be very fast to keep up with high packet rates, and memory access speed is the limiting factor. During the transmission of a minimum-sized gigabit Ethernet packet, a DRAM would need to be accessed at 8 different locations (4 accesses for full duplex). SRAM can be used to solve the problem, but it is more expensive.

14 Hardware Implementation Approximate cache: a cache for which collisions cause imperfections. Indexing into the cache is done with a 32-bit block cipher and a secret key, which helps protect against collision attacks. Collisions will only result in false negatives.

15 Connection Cache IPs are hashed with the port to create the index; aliased entries are combined. Age is incremented each minute and zeroed each time a packet is seen. Old entries (10 min) are removed.

16 Address Cache Lookup The external IP is encrypted to create the index and tag. Each index may reference four entries. A counter tracks the difference between misses and hits. When necessary, the most negative entries are evicted.

17 Address Cache Lookup The assumption is that legitimate traffic succeeds more often than scanning traffic. A threshold is used to block traffic: 10 internal, 5 internal. Hard limit on negative counts (-20). Positive counts are decayed over time (1 min).
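The address cache of slides 14 to 16 as an added example (not the paper's code): the index and tag are derived from the address under a secret key, each index references four entries, and the most negative entry is evicted when a set is full. The hardware uses a 32-bit block cipher, so index plus tag is a permutation of the address and distinct addresses never share an entry; the stand-in here is a truncated HMAC (an assumption), which lacks that property, so this model can also see tag collisions.

```python
import hmac
import hashlib

# Approximate address cache (constructed illustration, not the paper's code).
# The hardware derives index and tag from the address with a 32-bit block cipher
# under a secret key; HMAC-SHA256 truncated to 32 bits stands in here (assumption).
# It keeps the property that matters: without the key an attacker cannot choose
# addresses that land in the same set and push each other's state out.
SET_SIZE = 4      # each index references four entries
INDEX_BITS = 8    # 256 sets, small for demonstration; the tag is the other 24 bits


class AddressCache:
    def __init__(self, key):
        self.key = key
        self.sets = [[] for _ in range(1 << INDEX_BITS)]  # each entry: [tag, count]

    def _locate(self, addr):
        """Keyed 32-bit value of the address, split into (index, tag)."""
        word = int.from_bytes(hmac.new(self.key, addr, hashlib.sha256).digest()[:4], "big")
        return word & ((1 << INDEX_BITS) - 1), word >> INDEX_BITS

    def adjust(self, addr, delta):
        """Add delta (+1 for a miss, -1 for a hit) to addr's counter and return it.
        When a set is full the most negative entry is evicted: its state is simply
        forgotten, which can only hide scanning (a false negative)."""
        idx, tag = self._locate(addr)
        bucket = self.sets[idx]
        for entry in bucket:
            if entry[0] == tag:
                entry[1] += delta
                return entry[1]
        if len(bucket) == SET_SIZE:
            bucket.remove(min(bucket, key=lambda e: e[1]))  # evict most negative
        bucket.append([tag, delta])
        return delta
```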

18 Results Attacks are detected after only 10 scans. Blocking: new connections are blocked; currently established connections are allowed. The system accurately detected real attacks. False positives on DNS and SMTP servers due to their fan-out; these need to be white-listed. Tighter thresholds had more false positives, but only for odd traffic.

19 Attacking the Containment Malicious false negative: the worm slips by even though containment is active. Scan at a rate slower than the sustained scanning threshold; with the threshold set to 1 per minute, growth will be very slow. Scans to white-listed hosts can be used for liveness testing before the attack begins. Offset misses by making valid connections.
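An added software model (not the paper's code) of the per-host counter from slides 11, 17 and 18, replayed over constructed traces: it shows the 10-miss block threshold, the 1-per-minute sustained scanning threshold, the white-list for high fan-out servers, and why the -20 floor bounds the "offset misses with valid connections" evasion from slide 19. Whether an attempt is a hit or a miss is taken as given; in the real system that comes from the connection cache.

```python
from collections import defaultdict

# Simplified TRW-style counter per internal host (constructed model): +1 per
# unanswered outbound connection (miss), -1 per answered one (hit).
BLOCK_THRESHOLD = 10      # block once net misses reach 10 (slide 18)
NEGATIVE_FLOOR = -20      # hard limit on negative counts (slide 17)
DECAY_PER_MINUTE = 1      # positive counts lose 1 per minute (slides 9 and 17)


class ScanDetector:
    def __init__(self, whitelist=()):
        self.count = defaultdict(int)        # host -> misses minus hits
        self.last_minute = defaultdict(int)  # host -> minute of last decay
        self.blocked = set()
        self.whitelist = set(whitelist)      # e.g. DNS/SMTP servers (slide 18)

    def _decay(self, host, minute):
        # Positive credit drains one per elapsed minute; negative credit does not.
        elapsed = minute - self.last_minute[host]
        if elapsed > 0 and self.count[host] > 0:
            self.count[host] = max(0, self.count[host] - DECAY_PER_MINUTE * elapsed)
        self.last_minute[host] = minute

    def observe(self, minute, host, outcome):
        """Record one outbound connection outcome ('hit' or 'miss') for host.
        Returns True if the host is now blocked from opening new connections."""
        if host in self.whitelist or host in self.blocked:
            return host in self.blocked
        self._decay(host, minute)
        if outcome == "miss":
            self.count[host] += 1
        else:
            self.count[host] = max(NEGATIVE_FLOOR, self.count[host] - 1)
        if self.count[host] >= BLOCK_THRESHOLD:
            self.blocked.add(host)
        return host in self.blocked


def run_trace(events, whitelist=()):
    """Replay (minute, internal_host, outcome) events and return the detector."""
    det = ScanDetector(whitelist)
    for minute, host, outcome in events:
        det.observe(minute, host, outcome)
    return det


# Constructed traces: a fast scanner (blocked after 10 misses), a scanner held
# at one miss per minute (never blocked), and a host that banks 30 hits before
# 25 misses (the floor caps its credit at 20, so 5 more misses would block it).
FAST_SCANNER = [(0, "10.0.0.5", "miss")] * 12
SLOW_SCANNER = [(m, "10.0.0.6", "miss") for m in range(40)]
PREBANKED = [(0, "10.0.0.7", "hit")] * 30 + [(0, "10.0.0.7", "miss")] * 25
```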

20 Attacking the Containment Malicious false positive: a false positive creates a DoS target. Forged packets can be a problem and must be prevented in the network. A web page or HTML-formatted content could initiate multiple connections to non-existent addresses.

21 Cooperation Containment systems can cooperate to reduce thresholds during an attack. Communication between systems must be efficient to stay ahead of the spread, and must be done carefully to avoid cooperative collapse – a cascade of sensitivity increases.