Polygraph: Automatically Generating Signatures for Polymorphic Worms Presented by: Devendra Salvi Paper by : James Newsome, Brad Karp, Dawn Song.

Presentation transcript:

Polygraph: Automatically Generating Signatures for Polymorphic Worms. Presented by: Devendra Salvi. Paper by: James Newsome, Brad Karp, Dawn Song

Introduction
- Why an automated signature generation technique?
- Learning from previous worm detection implementations
- What is a polymorphic worm?

Polymorphic worm design
- Characteristics of a polymorphic worm: invariant bytes, wildcard bytes, code bytes
- Creating a polymorphic worm: assumptions (perfectly obfuscated code), code obfuscation

Polymorphic worm design (contd.)
The two chief sources of invariant content:
- Exploit framing (reserved keywords)
- Exploit payload (the bytes that alter control flow)

Invariant content in a polymorphic worm
- Apache multiple-host-header vulnerability, exploited by the Apache-Knacker exploit
[Figure: byte map of the exploit. Unshaded area = wildcard bytes; lightly shaded = code bytes; heavily shaded = invariant content bytes]

Invariant content in a polymorphic worm (contd.)
- BIND TSIG vulnerability, exploited by the Lion worm
[Figure: byte map of the exploit. Unshaded area = wildcard bytes; lightly shaded = code bytes; heavily shaded = invariant content bytes]

Invariant content in a polymorphic worm (contd.)
- CodeRed, AdmWorm, Slapper, and the Clet polymorphic engine
[Figure: byte map of Clet output. Boxed bytes are found in at least 20% of Clet's outputs; shaded bytes are found in all of Clet's outputs]

Polymorphic signatures
Are substring signatures insufficient? A single substring signature only works when:
- a single invariant substring exists across payload instances of the same worm, i.e. the substring is sensitive and matches all worm instances;
- the invariant substring is long enough to be specific, i.e. it does not occur in any non-worm payload destined for the same IP protocol and port.
Signature classes for polymorphic worms:
- Conjunction signatures
- Token-subsequence signatures
- Bayes signatures

Polygraph
- The Polygraph monitor incorporates the Polygraph signature generator.

Polygraph (contd.)
Design goals of the Polygraph signature generator:
- Signature quality
- Efficient signature generation
- Efficient signature matching
- Generation of small signature sets
- Robustness against noise and multiple worms
- Robustness against evasion and subversion

Algorithm for signature generation
Preprocessing: token extraction
- All distinct substrings of at least a minimum length that occur in at least K of the suspicious flows are extracted.
- Substrings of a longer token are not counted on their own: if "http" occurs in K flows, "ttp" is considered a distinct token only if it also occurs in K flows somewhere other than inside "http".
- This first step of the algorithm filters out irrelevant tokens from the suspicious flow pool.

Algorithm for signature generation (contd.)
Generating single signatures
- Conjunction signatures: an unordered token list (a flow matches when every token is present, in any order).
- Token-subsequence signatures: an ordered token list, expressed as a regular expression, e.g. ".*one.*two.*" or ".*o.*n.*e.*z.*".
- Bayes signatures: compare Pr[L(x) = worm | x] with Pr[L(x) = ¬worm | x], where x_i = 1 means that token i is present in flow x. By Bayes' rule, treating the tokens as independent given the label:

$$\frac{\Pr[L(x)=\text{worm}\mid x]}{\Pr[L(x)=\neg\text{worm}\mid x]} = \frac{\Pr[L(x)=\text{worm}]\,\prod_{1\le i\le n}\Pr[x_i=1\mid L(x)=\text{worm}]}{\Pr[L(x)=\neg\text{worm}]\,\prod_{1\le i\le n}\Pr[x_i=1\mid L(x)=\neg\text{worm}]}$$
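To make the token-extraction rule and the first two signature classes concrete, here is an added Python example (my code, not the Polygraph authors') that extracts tokens from three constructed polymorphic flows, builds a conjunction signature and a token-subsequence regex from them, and matches both against a flow. The flows, the blanking-based check for the "http"/"ttp" rule and the LCS-based token ordering are my constructions; Polygraph's own implementation differs in detail.

```python
# Added example (not the Polygraph authors' code): token extraction plus
# conjunction and token-subsequence signatures over constructed flows.
import re
from collections import Counter
from functools import lru_cache

# Constructed polymorphic instances of an exploit sending two Host headers.
FLOWS = ["GET /a9f HTTP/1.1\r\nHost: zz\r\nHost: q8\r\n",
         "GET /x12 HTTP/1.1\r\nHost: aa\r\nHost: 0m\r\n",
         "GET /kk HTTP/1.1\r\nHost: 7p\r\nHost: bb\r\n"]

def extract_tokens(flows, k=3, min_len=2):
    # Distinct substrings (len >= min_len) seen in >= k flows; a shorter one
    # survives only if it still occurs in >= k flows after every longer kept
    # token is blanked out ('ttp' is dropped if it only appears in 'http').
    counts = Counter()
    for f in flows:
        counts.update({f[i:j] for i in range(len(f))
                       for j in range(i + min_len, len(f) + 1)})
    tokens = []
    for s in sorted((s for s, c in counts.items() if c >= k), key=len, reverse=True):
        masked = list(flows)
        for t in tokens:
            masked = [m.replace(t, "\0" * len(t)) for m in masked]
        if sum(s in m for m in masked) >= k:
            tokens.append(s)
    return tokens

def conjunction_signature(flows):
    # Unordered set of tokens present in every flow; matches in any order.
    return set(extract_tokens(flows, k=len(flows)))

@lru_cache(maxsize=None)
def lcs(a, b):
    # Longest common subsequence of two token tuples (memoised recursion).
    if not a or not b:
        return ()
    if a[-1] == b[-1]:
        return lcs(a[:-1], b[:-1]) + (a[-1],)
    return max(lcs(a[:-1], b), lcs(a, b[:-1]), key=len)

def subsequence_signature(flows):
    # Tokens in an order common to every flow, rendered as a '.*' regex.
    tokens = extract_tokens(flows, k=len(flows))
    common = tuple(sorted(tokens, key=flows[0].find))
    for f in flows[1:]:
        common = lcs(common, tuple(sorted(tokens, key=f.find)))
    return ".*" + ".*".join(re.escape(t) for t in common) + ".*"

def matches(sig, flow):
    # A conjunction signature is a token set; a subsequence one is a regex.
    return (all(t in flow for t in sig) if isinstance(sig, set)
            else re.search(sig, flow, re.DOTALL) is not None)
```

On these flows the orderless conjunction signature also matches a benign single-Host request, while the ordered subsequence signature, which requires a second Host header after the first, does not.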

Practical signature generation
Generating multiple signatures
- The suspicious flow pool could contain more than one type of worm, and could also contain innocuous flows.
- The Bayes algorithm handles this directly in its implementation.
- The conjunction and token-subsequence algorithms require clustering: each cluster contains similar flows, and clusters are built by hierarchical clustering.
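As an added example of the Bayes signature from the two preceding slides (my code, not the paper's), the following learns per-token weights log(Pr[x_i = 1 | worm] / Pr[x_i = 1 | ¬worm]) from a suspicious pool that deliberately contains one innocuous noise flow, using an already-extracted token list and Laplace smoothing. Setting the threshold just above the highest score reached by any innocuous-pool flow is a simplification I assume here, not the paper's exact threshold procedure.

```python
# Added example (not the Polygraph authors' code): a Bayes signature
# learned from a suspicious pool that also contains an innocuous flow.
from math import log

# Constructed token vocabulary, as if produced by token extraction.
TOKENS = ["GET /", "Host: ", "HTTP/1.1", "\xff\xbf", "\x90\x90"]
SUSPICIOUS = [  # three constructed worm variants plus one benign noise flow
    "GET /\x90\x90\x90\x90\xff\xbf HTTP/1.1\r\nHost: a\r\n",
    "GET /q7\xff\xbfzz HTTP/1.1\r\nHost: b\r\n",
    "GET /\x90\x90r\xff\xbf HTTP/1.1\r\nHost: c\r\n",
    "GET /index.html HTTP/1.1\r\nHost: d\r\n",
]
INNOCUOUS = [  # constructed benign traffic
    "GET /a.png HTTP/1.1\r\nHost: e\r\n",
    "GET /css/s.css HTTP/1.1\r\nHost: f\r\n",
    "GET /?q=1 HTTP/1.1\r\nHost: g\r\n",
    "GET /login HTTP/1.1\r\nHost: h\r\n",
]

def token_prob(token, pool):
    # Laplace-smoothed fraction of flows in the pool that contain the token.
    return (sum(token in f for f in pool) + 1) / (len(pool) + 2)

def score(weights, flow):
    # Sum of log-likelihood ratios of the tokens present in the flow.
    return sum(w for t, w in weights.items() if t in flow)

def bayes_signature(tokens, suspicious, innocuous):
    # Per-token weight log(Pr[t | worm] / Pr[t | not worm]).  Tokens that are
    # equally common in both pools (HTTP framing) get weight 0, so a benign
    # flow that slipped into the suspicious pool does not raise the score.
    weights = {t: log(token_prob(t, suspicious) / token_prob(t, innocuous))
               for t in tokens}
    # Assumed threshold rule: just above the best score any innocuous flow
    # reaches, so the innocuous pool produces no false positives.
    theta = max(score(weights, f) for f in innocuous)
    return weights, theta

def matches(sig, flow):
    weights, theta = sig
    return score(weights, flow) > theta
```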

Practical signature generation (contd.)
Hierarchical clustering
- Clusters are merged iteratively. For each of the O(s^2) pairs of clusters, the signature that the merged cluster would produce is computed.
- The two clusters whose merged signature has the lowest false positive rate are merged.
[Figure: merge tree over clusters S1 to S6]
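An added example (my code, not the project's) of the greedy hierarchical clustering described above: flows are given as constructed token sets, each candidate merge is scored by the false positive rate of the merged cluster's conjunction signature on an innocuous pool, and merging stops when the best remaining merge would exceed an assumed false positive bound (the max_fp bound, the min_size filter and the stopping rule are my assumptions).

```python
# Added example (not the Polygraph authors' code): greedy hierarchical
# clustering of a mixed suspicious pool, scored by conjunction signatures.
# Flows are given as their already-extracted token sets (constructed).
SUSPICIOUS = {  # two worms (A*, B*) plus two benign noise flows (N*)
    "A1": {"GET /", "HTTP/1.1", "Host: ", "\xff\xbf", "zq"},
    "A2": {"GET /", "HTTP/1.1", "Host: ", "\xff\xbf", "k9"},
    "A3": {"GET /", "HTTP/1.1", "Host: ", "\xff\xbf"},
    "B1": {"TSIG", "\x00\xfa", "\x0b"},
    "B2": {"TSIG", "\x00\xfa", "\x8c"},
    "B3": {"TSIG", "\x00\xfa"},
    "N1": {"GET /", "HTTP/1.1", "Host: ", "png"},
    "N2": {"GET /", "HTTP/1.1", "Host: ", "css"},
}
INNOCUOUS = [  # benign pool used to estimate a signature's false positives
    {"GET /", "HTTP/1.1", "Host: ", "html"}, {"GET /", "HTTP/1.1", "Host: "},
    {"POST /", "HTTP/1.1", "Host: "}, {"TSIG", "\x0b"},
]

def merged_signature(pool, names):
    # Conjunction signature of a cluster: tokens common to all its flows.
    return set.intersection(*(pool[n] for n in names))

def false_positive_rate(sig, innocuous):
    # A conjunction signature matches a flow when every token is present;
    # an empty signature therefore matches everything.
    return sum(sig <= f for f in innocuous) / len(innocuous)

def cluster(pool, innocuous, max_fp=0.01, min_size=3):
    clusters = [frozenset([name]) for name in pool]
    while len(clusters) > 1:
        # Score the signature each of the O(s^2) candidate merges would yield
        # and merge the pair whose signature has the lowest false positive rate.
        candidates = ((false_positive_rate(merged_signature(pool, a | b), innocuous), a, b)
                      for i, a in enumerate(clusters) for b in clusters[i + 1:])
        fp, a, b = min(candidates, key=lambda c: c[0])
        if fp > max_fp:  # every remaining merge would over-generalise: stop
            break
        clusters = [c for c in clusters if c not in (a, b)] + [a | b]
    # Only clusters large enough to look like an outbreak get a signature;
    # the stray benign flows stay as singletons and are dropped.
    return {c: merged_signature(pool, c) for c in clusters if len(c) >= min_size}
```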

Performance of each Polygraph signature generation algorithm
Experimental setup:
- Token-extraction threshold k = 3, minimum token length a = 2, and minimum cluster size 3.
- All experiments were run on desktop machines with 1.4 GHz Intel Pentium III processors running Linux.
- Signatures are generated for polymorphic versions of three real-world exploits: the Apache-Knacker exploit, the ATPhttpd exploit, and the BIND-TSIG exploit.
- Network traces: several HTTP and DNS network traces are used both as input to and to evaluate Polygraph signature generation.

Results
Single polymorphic worm: Apache-Knacker signatures
- For each algorithm, the correct signature is generated 100% of the time in all experiments where the suspicious pool size is greater than 2, and 0% of the time where the suspicious pool size is only 2.

Results (contd.) Single polymorphic worm  BINDTSIG signatures. These signatures were successfully generated for innocuous pools containing at least 3 worm samples.

Results (contd.)
Single polymorphic worm plus noise
- False negatives: the clustering algorithms produce 0% false negatives; the Bayes algorithm does too until the noise fraction passes 80%, at which point its signatures cause 100% false negatives.
- Figures (a) and (b) show the additional false positives that result from the addition of noise.

Results (contd.)
Multiple polymorphic worms plus noise
- False negatives are similar to the single-polymorphic-worm-plus-noise case.
- False positives are very similar to the single-polymorphic-worm-plus-noise case when there is only one type of worm in the suspicious pool.

Potential attacks on Polygraph
- Overtraining attacks: the conjunction and token-subsequence algorithms are designed to extract the most specific signature possible from a worm. An attacker may attempt to exploit this property so that the generated signature is not sufficiently general.
- Innocuous pool poisoning: an attacker could determine what signatures Polygraph would generate for the worm, then create otherwise innocuous flows that match those signatures and try to get them into Polygraph's innocuous flow pool.
- Long-tail attack: an exploit could already have occurred by the time a full signature match is seen.

Strengths
- The paper introduces a preventive measure for the case where a polymorphic worm appears.
- The signature generation technique is automated.
- Because the algorithms work efficiently for a polymorphic worm, and also when more than one worm is present in the flow pool, the approach is practical.

Weaknesses
- Any of the signature generation algorithms, when applied individually, can be evaded.
- By the time a signature is produced, the vulnerable host might already be infected.

Suggested improvement
- All three algorithms can be run simultaneously, using the signature that has the fewest false positives and false negatives.