2006 2nd Joint Workshop between Security Research Labs in JAPAN and KOREA. Polymorphic Worm Detection by Instruction Distribution. Kihun Lee, HPC Lab., Postech.


Slide 1/13: Polymorphic Worm Detection by Instruction Distribution. Kihun Lee, HPC Lab., Postech.

Slide 2/13: Contents
- Introduction
- Background: Polymorphic Worm
- Related Works: Polygraph; Using a Control Flow Graph
- Problem Definition
- Proposal Idea
- Conclusions and Future Works

Slide 3/13: Introduction
- To defend against Internet worms, the security community has proposed network intrusion detection systems (NIDSs). An IDS searches inbound traffic for known patterns, or "signatures".
- Unfortunately, worms have become more sophisticated: a polymorphic worm substantially changes its payload from one infection to the next.

Slide 4/13: Background, Polymorphic Worm (1/2)
- An IDS searches for a byte sequence shared by all instances of the worm, so the worm author has to prevent such a sequence from existing:
  - ciphering techniques (the payload is encrypted with a varying key)
  - obfuscating the decryption routine
- As a result, a sufficiently specific byte sequence cannot be found.
[Figure: typical polymorphic worm structure]

Slide 5/13: Background, Polymorphic Worm (2/2)
[Figure: polymorphic worm cycle]

Slide 6/13: Related Works, Polygraph
- A system proposed to defend against polymorphic worms.
- Idea: use a combination of "short invariant contents" (tokens).
- Assumption: a combination of many individually general tokens is sufficiently specific.
- Problems:
  - even when all tokens are combined, the outcome can remain too general;
  - the decision is made too late;
  - a token of the signature may be located after a long garbage sequence.

Slide 7/13: Related Works, Using a Control Flow Graph
- A complementary approach that pursues the same goal as Polygraph.
- Idea: use the structural information of executables.
- Assumption: at least some part of a worm contains executable machine code, namely the decryptor of a polymorphic worm.
- Problems:
  - the performance overhead (generating the graph, coloring the graph) is too large to operate on-line;
  - manipulating the control flow so that the graph changes is not a difficult technique for the worm author.

Slide 8/13: Problem Definition
- Scope of the problem: worms whose propagation mechanism exploits a vulnerability in a server application.
- Assumptions: at least some part of the worm contains executable machine code; linear disassembly has little overhead, so it can operate on-line.
- Problem definition:
  - decide whether an inbound packet contains executable code or not;
  - decide whether that executable code is polymorphic exploit code or legitimate code.

Slide 9/13: Motivating Experiment
- Disassemble the packet and compare the two cases:
  - Case 1, executable code: the number of instruction kinds and the count of each instruction tend toward a characteristic distribution;
  - Case 2, non-executable data: the number of instruction kinds and the count of each instruction tend toward a different distribution, and decoding errors (invalid instructions) appear.
[Figure: number of each instruction, sorted in decreasing order]

Slide 10/13: Proposal Idea, Find Executable Code
- Let K = kinds of instruction, T = total number of instructions, E = number of decoding errors.
- Calculate the expression in K, T and E:
  - non-executable data tends to a very small value;
  - executable code tends to a relatively large value.
- A threshold on this value distinguishes executable code from non-executable data.

Slide 11/13: Proposal Idea, Distinguish Legitimate Code (1/2)
- Use "verifying instructions", for example call, ret, int.
- Typically, normal executable code has many call instructions: about one call per 10 to 15 instructions.
- A NOP sled cannot include any call instruction.
- The decryptor is a very simple routine, so it rarely has a call instruction; moreover, the decryptor cannot know the addresses of functions in dynamically linked libraries.

Slide 12/13: Proposal Idea, Distinguish Legitimate Code (2/2)
- Let V = the number of verifying instructions.
- Calculate the expression in V:
  - polymorphic exploit code gives a relatively small value;
  - legitimate code gives a relatively large value.
- A threshold on this value distinguishes exploit code from legitimate code.
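The two-stage decision of slides 9 to 12 in runnable form, as an added example that is not part of the original talk: a linear sweep with a small hand-written x86-32 decoder (a subset of the one-byte opcodes; any other byte counts as a decoding error), the K, T, E and V counts with the sorted histogram, and the two thresholds. The slides' own expressions over K, T, E and V are not in this transcript, so the scores used here, a minimum run of consecutively decodable instructions for stage 1 and a minimum V/T for stage 2, are this example's assumptions, as are the threshold values and the three constructed payloads (a sled plus XOR decryptor plus encrypted execve shellcode, a compiler-shaped call-rich fragment, and an HTTP request line).

```python
"""Linear x86-32 sweep of a packet payload and the K/T/E/V statistics of the talk.
Added example, not the speaker's code; opcodes outside the table count as errors."""
from collections import Counter

ALU = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]
GRP5 = {0: "inc", 1: "dec", 2: "call", 3: "call", 4: "jmp", 5: "jmp", 6: "push"}
VERIFYING = {"call", "ret", "int"}          # the "verifying instructions" of slide 11

OPS = {}                                    # opcode -> (mnemonic, has_modrm, imm_bytes)
for i, name in enumerate(ALU):              # 0x00-0x3d: op r/m,r | op r,r/m | op al/eax,imm
    for k in range(4):
        OPS[i * 8 + k] = (name, True, 0)
    OPS[i * 8 + 4], OPS[i * 8 + 5] = (name, False, 1), (name, False, 4)
for r in range(8):
    OPS[0x40 + r], OPS[0x48 + r] = ("inc", False, 0), ("dec", False, 0)
    OPS[0x50 + r], OPS[0x58 + r] = ("push", False, 0), ("pop", False, 0)
    OPS[0xB0 + r], OPS[0xB8 + r] = ("mov", False, 1), ("mov", False, 4)
for j in range(16):
    OPS[0x70 + j] = ("jcc", False, 1)       # short conditional jumps
OPS.update({0x80: ("grp1", True, 1), 0x81: ("grp1", True, 4), 0x83: ("grp1", True, 1),
            0x84: ("test", True, 0), 0x85: ("test", True, 0), 0x88: ("mov", True, 0),
            0x89: ("mov", True, 0), 0x8A: ("mov", True, 0), 0x8B: ("mov", True, 0),
            0x8D: ("lea", True, 0), 0x90: ("nop", False, 0), 0xC3: ("ret", False, 0),
            0xC9: ("leave", False, 0), 0xCD: ("int", False, 1), 0xE2: ("loop", False, 1),
            0xE8: ("call", False, 4), 0xE9: ("jmp", False, 4), 0xEB: ("jmp", False, 1),
            0xFF: ("grp5", True, 0)})

def modrm_len(buf, pos):
    """Bytes taken by a ModRM operand (32-bit addressing); None if truncated."""
    if pos >= len(buf):
        return None
    mod, rm = buf[pos] >> 6, buf[pos] & 7
    if mod == 3:
        return 1                            # register operand, no displacement
    n = 1 + (rm == 4)                       # a SIB byte follows when rm == 4
    if rm == 4 and pos + 1 >= len(buf):
        return None
    if mod == 0 and (rm == 5 or (rm == 4 and buf[pos + 1] & 7 == 5)):
        n += 4                              # [disp32] with no base register
    return n + (0, 1, 4)[mod]               # disp8 for mod 1, disp32 for mod 2

def linear_disassemble(buf):
    """Linear sweep -> (mnemonics, decoding errors, longest run of consecutively decoded
    instructions); an undecodable or truncated instruction is one error, then resync."""
    mnems, errors, run, longest, pos = [], 0, 0, 0, 0
    while pos < len(buf):
        name, has_modrm, imm = OPS.get(buf[pos], (None, False, 0))
        length = 1 + imm
        if has_modrm:
            n = modrm_len(buf, pos + 1)
            if n is None:
                name = None
            else:                           # reg field is the opcode extension for groups
                reg = (buf[pos + 1] >> 3) & 7
                name = ALU[reg] if name == "grp1" else GRP5.get(reg) if name == "grp5" else name
                length += n
        if name is None or pos + length > len(buf):
            errors, run, pos = errors + 1, 0, pos + 1
            continue
        mnems.append(name)
        run += 1
        longest = max(longest, run)
        pos += length
    return mnems, errors, longest

def instruction_stats(buf):
    """K, T, E, V of slides 10 and 12 plus the histogram of slide 9 (decreasing)."""
    mnems, errors, longest = linear_disassemble(buf)
    hist = Counter(mnems).most_common()
    return {"K": len(hist), "T": len(mnems), "E": errors,
            "V": sum(m in VERIFYING for m in mnems), "longest_run": longest,
            "histogram": hist}

def classify(buf, run_min=12, verify_rate_min=1 / 20):
    """Two-stage decision of slides 10 and 12 with assumed scores: a run of run_min
    decodable instructions (sled/decryptor), then one verifying instruction per 20."""
    s = instruction_stats(buf)
    if s["longest_run"] < run_min:
        return "non-executable"
    if s["V"] < verify_rate_min * s["T"]:
        return "polymorphic exploit code"
    return "legitimate code"

# Constructed samples, not captures.  SHELLCODE is a NOP sled, an XOR decryptor and
# a classic execve("/bin/sh") payload stored XORed with 0xAA, as a worm would send it.
PLAIN_PAYLOAD = bytes.fromhex("31c050682f2f7368682f62696e89e3505389e1b00bcd80")
SHELLCODE = (b"\x90" * 16
             + b"\xb9\x17\x00\x00\x00"      # mov ecx, 23        (payload length)
             + b"\xbe\x00\x10\x40\x00"      # mov esi, 0x401000  (assumed address)
             + b"\x80\x36\xaa"              # xor byte [esi], 0xaa
             + b"\x46"                      # inc esi
             + b"\xe2\xfa"                  # loop back to the xor
             + bytes(b ^ 0xAA for b in PLAIN_PAYLOAD))
LEGIT_CODE = bytes.fromhex(                 # compiler-shaped: prologue, calls, epilogue
    "55 89e5 53 83ec10 8b4508 50 e810000000 83c404 89c3 85db 740c 53"
    " e820000000 83c404 8b5dfc c9 c3 90 55 89e5 31c0 ff1500204000 5d c3")
TEXT_DATA = b"GET / HTTP/1.0\r\n\r\n"         # ordinary non-executable payload
```

Calling instruction_stats and classify on the three samples: the sled plus decryptor decodes as a run of 21 instructions, with one verifying instruction in 25 (a ret that happens to appear in the encrypted bytes), and is classed as exploit code; the compiler-shaped fragment decodes as 24 instructions with five verifying ones and is classed as legitimate; the HTTP request breaks into a run of 7 before its first decoding error and is classed as non-executable. Two caveats follow from this. A decryptor that locates itself with the call/pop (GetPC) idiom does contain a call, and an attacker can pad a sled with call instructions, so V/T is evidence to weigh together with the other counts, not a verdict. And K, T and E all depend on how much of the opcode map the decoder covers, so thresholds must be calibrated with the same decoder that runs on-line.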

Slide 13/13: Conclusions and Future Works
- Conclusions:
  - the proposed idea can identify and isolate polymorphic worms;
  - it is based on static analysis, so it can run in real time;
  - it discovers worm traffic by packet-level rather than flow-level examination.
- Future works:
  - refine the idea;
  - investigate more samples to establish generality;
  - how to extract a signature?

Slide 14/13: References
- J. Newsome, B. Karp, and D. Song. Polygraph: Automatically Generating Signatures for Polymorphic Worms. In IEEE Symposium on Security and Privacy, 2005.
- C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna. Polymorphic Worm Detection Using Structural Information of Executables. In RAID, 2005.
- O. Kolesnikov and W. Lee. Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic. In 12th ACM Conference on Computer and Communications Security.
- P. Akritidis, E. P. Markatos, M. Polychronakis, and K. Anagnostakis. STRIDE: Polymorphic Sled Detection Through Instruction Sequence Analysis. In 12th ACM Conference on Computer and Communications Security.
- T. DeTristan, T. Ulenspiegel, Y. Malcom, and M. von Underduk. Polymorphic Shellcode Engine Using Spectrum Analysis.
- Etc.