Polygraph: Automatically Generating Signatures for Polymorphic Worms
James Newsome, Brad Karp, and Dawn Song, Carnegie Mellon University
Presented by Ryan Gates

Overview
Goal
Composition of a worm
Invariant bytes and tokens
Types of signatures
◦ Conjunction
◦ Token subsequence
◦ Bayes
Polygraph signature generator
Metrics
Results
Evaluation

Goal
Automate the generation of worm signatures
◦ Specifically for polymorphic worms
Prevent polymorphic worms from going undetected
◦ Including perfectly polymorphic instances, where every non-invariant byte changes between infections

Decomposition of a worm
Figure 1. A polymorphed ApacheKnacker flow, annotated with its invariant bytes, wildcard bytes and code bytes.

Invariant Bytes
Invariant framing
◦ Reserved keywords or well-known binary constants that are part of the wire protocol
◦ For example "HTTP" or "GET"
Invariant overwrite values
◦ High-order bytes of the overwritten address, which the exploit cannot change without breaking
◦ For example "\xFF\xBF" in BIND-TSIG
Many invariant substrings are too short to prevent false positives on their own.
The solution is to represent each set of invariant bytes as a token and to combine several tokens into one signature.

Tokens
A token must not be a substring of another token
◦ For example, keep HTTP rather than TTP
Signature types built from tokens:
◦ Conjunction signature
◦ Token subsequence signature
◦ Bayes signature: each token carries a score derived from how much more likely it is to appear in worm flows than in innocuous flows

Conjunction Signatures
Every token in the signature must be found in the payload for there to be a match; the order of the tokens does not matter.
Requiring all tokens, rather than any one, reduces false positives.
For example, the Apache-Knacker conjunction signature contains the tokens 'GET', 'HTTP/1.1\r\n' and ':'.

Token Subsequence Signatures
Similar to the conjunction signature, but more restrictive: all tokens must be present and must appear in the signature's order, which further reduces false positives.
Matched with regular expressions, with wildcards between consecutive tokens.
For example, the Apache-Knacker token subsequence signature is "GET.*HTTP/1.1\r\n.*…"

Bayes Signature
A set of tokens, each with a score.
A flow matches if the sum of the scores of the tokens it contains exceeds a threshold.
A sample signature would include the token '\x00\x00\xFA' with its score.
Benefits
◦ Less rigid: tokens that are also common in innocuous traffic get low scores, which limits the false positives they would otherwise cause.
◦ Higher quality signatures from a more diverse suspicious pool, since no single token is required for a match.
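The three signature types above, as an added example that is not code from the Polygraph paper or from these slides: a toy Python generator and matcher run over a constructed suspicious pool and innocuous pool. The token extraction, the regex-based token subsequence signature and the Bayes threshold rule are simplifications of the paper's algorithms; the minimum token length, the sample flows and the threshold rule are assumptions and are marked as such in the comments.

```python
"""Toy Polygraph-style signatures: added example, not code from the paper or
the slides.  All sample flows below are constructed for illustration."""
import math
import re

MIN_TOKEN_LEN = 2  # assumption: shortest substring worth calling a token

# Constructed suspicious pool: three polymorphic instances that keep the
# invariant framing ("GET /", " HTTP/1.1\r\nHost: ") and an invariant
# overwrite value ("\xff\xbf" after the headers); the rest is wildcard filler.
SUSPICIOUS = [
    b"GET /a9f HTTP/1.1\r\nHost: x\r\n\xff\xbf\x13\x37",
    b"GET /zzq HTTP/1.1\r\nHost: q\r\n\xff\xbf\x99\x01",
    b"GET /r HTTP/1.1\r\nHost: ww\r\n\xff\xbf\x42\x42",
]
# Constructed innocuous pool; the first request shares the framing tokens
# but not the overwrite value, so short tokens alone would false-positive.
INNOCUOUS = [
    b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n",
    b"POST /form HTTP/1.0\r\nContent-Length: 2\r\n\r\nok",
    b"\x00\x01\x02 binary blob",
]


def extract_tokens(pool, min_len=MIN_TOKEN_LEN, min_fraction=1.0):
    """Substrings of length >= min_len present in at least min_fraction of the
    pool, keeping only maximal ones: a shorter substring survives only if it
    occurs in strictly more flows than every longer token containing it."""
    need = math.ceil(min_fraction * len(pool))
    counts = {}
    for flow in pool:
        for i in range(len(flow)):
            for j in range(i + min_len, len(flow) + 1):
                s = flow[i:j]
                if s not in counts:
                    c = sum(s in f for f in pool)
                    if c >= need:
                        counts[s] = c
    tokens = [t for t in counts
              if not any(t != u and t in u and counts[u] >= counts[t]
                         for u in counts)]

    def position(t):  # order by first appearance in pool[0]; absent go last
        idx = pool[0].find(t)
        return (idx if idx >= 0 else len(pool[0]), t)
    return sorted(tokens, key=position)


def match_conjunction(tokens, flow):
    """Conjunction signature: every token must occur, in any order."""
    return all(t in flow for t in tokens)


def token_subsequence_regex(tokens, pool):
    """Token subsequence signature as a regex with '.*' between tokens.
    Assumption: the order of first appearance in pool[0] is consistent
    across the pool (the paper aligns the samples to find that order)."""
    pattern = re.compile(b".*".join(re.escape(t) for t in tokens), re.DOTALL)
    if not all(pattern.search(f) for f in pool):
        raise ValueError("token order is not consistent across the pool")
    return pattern


def match_subsequence(pattern, flow):
    return pattern.search(flow) is not None


def bayes_score(scores, flow):
    return sum(s for t, s in scores.items() if t in flow)


def bayes_signature(tokens, suspicious, innocuous):
    """Score each token by log(P(token|worm) / P(token|innocuous)), both
    estimated from the pools with Laplace smoothing.  Threshold rule
    (assumption): the lowest threshold with zero false positives on the
    innocuous pool, provided every suspicious flow still scores above it."""
    def p(token, pool):
        return (sum(token in f for f in pool) + 1) / (len(pool) + 2)
    scores = {t: math.log(p(t, suspicious) / p(t, innocuous)) for t in tokens}
    threshold = max(bayes_score(scores, f) for f in innocuous)
    if min(bayes_score(scores, f) for f in suspicious) <= threshold:
        raise ValueError("no threshold separates the two pools")
    return scores, threshold


def match_bayes(sig, flow):
    scores, threshold = sig
    return bayes_score(scores, flow) > threshold


def generate(suspicious=SUSPICIOUS, innocuous=INNOCUOUS):
    tokens = extract_tokens(suspicious)
    return {"tokens": tokens,
            "conjunction": tokens,
            "subsequence": token_subsequence_regex(tokens, suspicious),
            "bayes": bayes_signature(tokens, suspicious, innocuous)}


def classify(sigs, flow):
    """Which of the three signatures fire on a flow."""
    return {"conjunction": match_conjunction(sigs["conjunction"], flow),
            "subsequence": match_subsequence(sigs["subsequence"], flow),
            "bayes": match_bayes(sigs["bayes"], flow)}


if __name__ == "__main__":
    sigs = generate()
    print("tokens:", sigs["tokens"])
    # Constructed variant that drops the "GET /" framing: conjunction and
    # subsequence miss it, the Bayes signature still fires.
    variant = b"HEAD /x HTTP/1.1\r\nHost: y\r\n\xff\xbf\x00"
    for flow in SUSPICIOUS + INNOCUOUS + [variant]:
        print(flow[:16], classify(sigs, flow))
```

Running the script shows the contrast the slides draw: the extracted tokens are the maximal common substrings (the "\r\n" inside " HTTP/1.1\r\nHost: " is not kept as a separate token), all three signatures fire on the suspicious pool and none on the innocuous pool, and a variant missing one token is lost by the conjunction and token subsequence signatures but still scores above the Bayes threshold.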

Limitations of Signature Types
The Bayes signature is unaffected by noise in the suspicious pool until the noise exceeds 80%; beyond that point the generated signature matches nothing, giving 100% false negatives.
◦ Noise at that level means the flow classifier did a very poor job of classifying the flows.
Conjunction and token subsequence signatures cannot handle a suspicious pool that mixes several worms (or worm flows with noise), because no single set of tokens is common to every flow.
◦ The solution is to use clustering to separate the pool into manageable clusters, one signature per cluster.

Clustering
Clustering lets the conjunction and token subsequence signatures cope with a varied suspicious pool.
Divide the suspicious pool into several clusters, each containing flows of one type, and generate a signature per cluster.
◦ Clusters should not be too general (a signature that matches innocuous flows)
◦ Clusters should not be too specific (too many signatures, each matching few worm flows)

Polygraph Signature Generator
The Polygraph monitor must have access to the network's packet flows.
An imperfect flow classifier sorts flows into either the suspicious pool or the innocuous pool.

Polygraph Signature Generator
The classifier does not distinguish between different worms; it only separates suspicious flows from innocuous flows.
The flow classifier is reliable but imperfect, so the suspicious pool contains noise: innocuous flows, and possibly several different worms.

Polygraph Signature Generator
Uses the samples in the suspicious pool to generate signatures for the worms present in it, checking candidate signatures against the innocuous pool.
Resilient to noise in the suspicious pool.

Metrics
Quality
◦ Low false positive and false negative rates
Efficiency in generation
◦ Low computational cost
Efficiency in matching
◦ Should not slow down network traffic
Small signature sets
◦ Limit the number of signatures
Robustness
◦ Yield high quality signatures even with noise and a variety of worms in the suspicious pool
◦ Resistance to deliberate evasion by worm authors

Results | ApacheKnacker
Table 1. ApacheKnacker signatures. These signatures were successfully generated from suspicious pools containing at least 3 worm samples.
The best performer was the token subsequence signature.
The ordering required by the token subsequence signature reduces the number of false positives.

Results | BIND-TSIG
Table 2. BIND-TSIG signatures. These signatures were successfully generated from suspicious pools containing at least 3 worm samples.
The best performers were the conjunction and token subsequence signatures.
Bayes signature quality is degraded when the tokens are also common in innocuous flows, because those tokens receive low scores.

Results | Coincidental Pattern
The coincidental pattern attack injects spurious invariant-looking bytes into the wildcard bytes of some worm samples, so that they appear to be invariant and confuse the signature generator; signatures that include them then miss the worm instances that lack them.

Contribution
Polygraph automates signature generation for polymorphic worms.
Examined the effect of worm polymorphism on signature generation and matching.
Evaluated the generator under imperfect flow classification, i.e. noise in the suspicious pool.

Limitations
Worms with no invariant bytes cannot be captured.
Requires a flow classifier and at least 3 worm samples.
If the innocuous pool is not representative of normal traffic, the generated signatures produce too many false positives.

Improvements and Future Work
Take advantage of multiple cores.
Design an efficient flow classifier to feed the generator.
Determine how feasible it is to inspect network traffic at line rate.
Determine an algorithm for choosing the best signature type to deploy.

References
J. Newsome, B. Karp, and D. Song. Polygraph: Automatically Generating Signatures for Polymorphic Worms. In Proceedings of the IEEE Symposium on Security and Privacy, 2005.