Automated Worm Fingerprinting Authors: Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage Publish: OSDI'04. Presenter: YanYan Wang.

Presentation transcript:

Introduction
- Recent large-scale Internet worms pose a profound threat.
- Traditional detection methods are usually expensive and slow.
- This paper investigates the EarlyBird method, which automatically detects and contains new worms on the network using precise signatures.

Existing Detection Techniques
- Scan detection (example: Code Red)
  - Network telescope: passive network monitors that observe large ranges of unused, yet routable, address space.
  - Assumption: worms select target victims at random.
  - Limitation: not suited to worms that do not spread randomly.

Existing Detection Techniques
- Honeypots: monitoring idle hosts with unpatched vulnerabilities.
  - Limitations: requires a significant amount of slow manual analysis, and depends on the honeypot being infected quickly.

Existing Detection Techniques
- Behavioral techniques at end hosts: dynamically analyze the patterns of system calls for anomalous activity.
  - Limitations: expensive, and only detects attacks against a single host.

Characterization
- A priori vulnerability signatures: match known exploitable vulnerabilities in deployed software.
- Automated signature extraction: infects decoy programs in a controlled environment and identifies invariant code strings.
- Autograph: the approach most similar to EarlyBird.

Containment: slowing or stopping the spread of an active worm
- Host quarantine: preventing an infected host from communicating with other hosts.
- String matching: matching network traffic against particular strings (signatures).
- Connection throttling: limiting the rate of all outgoing connections made by a machine; this slows the worm but does not stop it.

Worm Behavior
- Content invariance: the worm program is identical across every host it infects, though some worms have limited polymorphism.
- Content prevalence: because a worm repeats the same content, content that is not prevalent is not useful for constructing signatures.
- Address dispersion: the number of distinct infected hosts (sources and destinations) grows over time.

Finding Worm Signatures: Content Sifting
- For each network packet:
  - Extract the content and process its substrings.
  - Index each substring into a prevalence table.
  - Each table entry also records the IP addresses seen with that substring.
  - Sort the table by prevalence.

Finding Worm Signatures: Content Sifting
- A full prevalence table has huge memory consumption: replace it with multi-stage filters.

Finding Worm Signatures: Content Sifting
- Address dispersion: trade precision for dramatic reductions in memory requirements.
  - Example: to count up to 64 sources using 32 bits, hash sources into a space from 0 to 63 but set bits only for values that hash between 0 and 31, thus ignoring half of the sources.
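As an added example (not code from the paper or the presentation), here is a small Python scaled bitmap that follows the slide's 64-sources-in-32-bits scheme: each source is hashed into 0..63, only values below 32 set a bit, and the count estimate is doubled to compensate for the ignored half. SHA-256 stands in for the hash function, and the estimator is the standard linear-counting formula b·ln(b/z) over the tracked slice; the paper's own scaled bitmap also rescales itself as the map fills, which this toy omits.

```python
import hashlib
import math


class ScaledBitmap:
    """Count distinct sources approximately, using `bits` bits for a hash space `scale` times larger.

    Following the slide's example (bits=32, scale=2): a source is hashed into 0..63, but a bit is
    set only when the value lands in 0..31. Half of the sources are deliberately ignored, and the
    estimate is multiplied by `scale` to compensate.
    """

    def __init__(self, bits=32, scale=2):
        self.bits = bits
        self.scale = scale
        self.bitmap = 0

    def _slot(self, source):
        # SHA-256 stands in for the paper's hash function; the slot ranges over 0 .. scale*bits-1
        digest = hashlib.sha256(source.encode()).digest()
        return int.from_bytes(digest[:8], "big") % (self.bits * self.scale)

    def add(self, source):
        """Record a source; adding the same source twice never sets a second bit."""
        slot = self._slot(source)
        if slot < self.bits:  # the ignored part of the hash space sets nothing
            self.bitmap |= 1 << slot

    def bits_set(self):
        return bin(self.bitmap).count("1")

    def estimate(self):
        """Linear-counting estimate b*ln(b/z) for the tracked slice, scaled back up."""
        zeros = self.bits - self.bits_set()
        if zeros == 0:
            return math.inf  # every tracked slot is hit: the count is beyond this bitmap's range
        return self.scale * self.bits * math.log(self.bits / zeros)


def estimate_sources(sources, bits=32, scale=2):
    """Feed a list of source addresses and return the estimated number of distinct ones."""
    bm = ScaledBitmap(bits, scale)
    for s in sources:
        bm.add(s)
    return bm.estimate()


if __name__ == "__main__":
    # Constructed sample: 40 distinct sources, each seen three times.
    sample = [f"10.0.{i // 256}.{i % 256}" for i in range(40)] * 3
    print(f"estimated distinct sources: {estimate_sources(sample):.1f} (true: 40)")
```

The estimate is only approximate, which is the point of the slide: 32 bits of state stand in for a set that could otherwise need a few hundred bytes per tracked substring, and once every tracked slot is hit the bitmap reports that the count is out of its range rather than a number.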

Finding Worm Signatures: Content Sifting
- Fingerprinting every payload substring requires significant processing: value sampling selects only those substrings whose fingerprint matches a certain pattern.
  - Example: if f is the fraction of substrings tracked (e.g. f = 1/64 if we track the substrings whose Rabin fingerprint ends in 6 zero bits), then the probability of detecting a worm with a signature of length x is:

Finding Worm Signatures: Content Sifting
- If f = 1/64 and substrings are 40 bytes long, the probability of tracking a worm with a signature of 100 bytes is 55%, but for a worm with a signature of 200 bytes it increases to 92%, and for 400 bytes to 99.64%.

Practical Content Sifting: Early Bird packet granularity

Early Bird
- As each packet arrives, its content (or substrings of its content) is hashed and appended with the protocol identifier and destination port to produce a content hash code.
  - 32-bit cyclic redundancy check (CRC) for packet content.
  - 40-byte Rabin fingerprints for substring hashes.

Early Bird
- If the content hash is not found in the dispersion table, it is indexed into the content prevalence table.
  - 4 independent hash functions create indexes into 4 counter arrays.
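An added Python example, not the paper's or the presenter's code, that puts the pieces of this and the preceding content-sifting slides together in one pipeline: 40-byte substring fingerprints with value sampling (only fingerprints ending in six zero bits are tracked), a content hash that folds in the protocol and destination port, a multistage filter with four hash functions over four counter arrays for prevalence, and a dispersion table of distinct sources and destinations that triggers the signature report. A polynomial rolling hash stands in for Rabin fingerprints, four slices of a SHA-256 digest stand in for the independent hash functions, and the thresholds and the traffic in simulate() are constructed for the demonstration.

```python
import hashlib
import random

BETA = 40                 # substring (fingerprint window) length in bytes, as on the slides
SAMPLE_MASK = 0x3F        # value sampling: keep fingerprints whose low 6 bits are zero (f = 1/64)
PREVALENCE_THRESHOLD = 3  # packets carrying the same sampled substring before it is tracked
SOURCE_THRESHOLD = 3      # distinct sources and destinations needed before reporting
DEST_THRESHOLD = 3
STAGES = 4                # 4 independent hash functions into 4 counter arrays
COUNTERS_PER_STAGE = 256

# Polynomial rolling-hash parameters: a stand-in for the paper's Rabin fingerprints (assumption).
RABIN_BASE = 257
RABIN_MOD = (1 << 61) - 1


def rabin_fingerprints(payload):
    """Yield (offset, fingerprint) for every BETA-byte window, updated incrementally per byte."""
    if len(payload) < BETA:
        return
    high = pow(RABIN_BASE, BETA - 1, RABIN_MOD)  # weight of the byte leaving the window
    fp = 0
    for b in payload[:BETA]:
        fp = (fp * RABIN_BASE + b) % RABIN_MOD
    yield 0, fp
    for i in range(BETA, len(payload)):
        fp = (fp - payload[i - BETA] * high) % RABIN_MOD
        fp = (fp * RABIN_BASE + payload[i]) % RABIN_MOD
        yield i - BETA + 1, fp


class MultistageFilter:
    """Prevalence counting without a per-substring table: STAGES counter arrays, one hash each."""

    def __init__(self, stages=STAGES, width=COUNTERS_PER_STAGE):
        self.counters = [[0] * width for _ in range(stages)]
        self.width = width

    def _indexes(self, key):
        # Four disjoint 32-bit slices of one SHA-256 digest act as four independent hash functions
        digest = hashlib.sha256(key).digest()
        return [int.from_bytes(digest[4 * s:4 * s + 4], "big") % self.width
                for s in range(len(self.counters))]

    def increment(self, key):
        """Bump the key's counter in every stage; the minimum is an upper bound on its true count."""
        idx = self._indexes(key)
        for stage, i in enumerate(idx):
            self.counters[stage][i] += 1
        return min(self.counters[stage][i] for stage, i in enumerate(idx))


class ContentSifter:
    """Value sampling -> content hash -> prevalence filter -> dispersion table -> signature."""

    def __init__(self):
        self.prevalence = MultistageFilter()
        self.dispersion = {}   # content hash -> (set of sources, set of destinations)
        self.signatures = {}   # content hash -> (substring, protocol, destination port)
        self.reported = set()

    def process_packet(self, src, dst, proto, dport, payload):
        """Sift one packet; return the content hashes newly reported as worm signatures."""
        newly_reported = []
        for offset, fp in rabin_fingerprints(payload):
            if fp & SAMPLE_MASK:
                continue  # value sampling: only fingerprints ending in six zero bits are tracked
            # Content hash = substring fingerprint appended with protocol and destination port
            key = hashlib.sha256(f"{fp}:{proto}:{dport}".encode()).digest()
            if key not in self.dispersion:
                if self.prevalence.increment(key) < PREVALENCE_THRESHOLD:
                    continue  # not prevalent yet: no addresses are stored for it
                self.dispersion[key] = (set(), set())
                self.signatures[key] = (payload[offset:offset + BETA], proto, dport)
            sources, dests = self.dispersion[key]
            sources.add(src)
            dests.add(dst)
            if (len(sources) >= SOURCE_THRESHOLD and len(dests) >= DEST_THRESHOLD
                    and key not in self.reported):
                self.reported.add(key)
                newly_reported.append(key)
        return newly_reported


def simulate():
    """Constructed traffic: one payload repeated across many src/dst pairs, plus a benign flow."""
    rng = random.Random(7)
    worm = bytes(rng.getrandbits(8) for _ in range(2000))    # constructed stand-in for a worm
    benign = bytes(rng.getrandbits(8) for _ in range(2000))  # constructed server response
    sifter = ContentSifter()
    worm_reports, benign_reports = [], []
    for i in range(6):  # the same content from 6 sources to 6 destinations: prevalent and dispersed
        worm_reports += sifter.process_packet(f"10.0.{i}.1", f"192.168.{i}.2", 6, 445, worm)
    for i in range(6):  # the same content from one server to 6 clients: prevalent, not dispersed
        benign_reports += sifter.process_packet("172.16.0.9", f"192.168.{i}.2", 6, 80, benign)
    return {"worm": worm, "worm_reports": worm_reports,
            "benign_reports": benign_reports, "sifter": sifter}


if __name__ == "__main__":
    r = simulate()
    for key in r["worm_reports"]:
        substring, proto, dport = r["sifter"].signatures[key]
        print(f"signature proto={proto} dport={dport} bytes={substring.hex()[:32]}...")
    print(f"benign flows reported: {len(r['benign_reports'])}")
```

Note what each stage buys: value sampling means only about one window in 64 is ever hashed, the multistage filter keeps no per-substring state until a substring has been seen PREVALENCE_THRESHOLD times, and addresses are only stored for the few substrings that pass that bar, so the benign flow (one server, many clients) is prevalent but never dispersed enough to be reported.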

Early Bird

Practical Content Sifting: Early Bird

Prototype System: Early Bird
- Sensor: sifts through traffic on configurable address-space "zones" of responsibility and reports anomalous signatures.
- Aggregator: coordinates real-time updates from the sensors, coalesces related signatures, activates any network-level or host-level blocking services, and is responsible for administrative reporting and control.
- Single-threaded, executes at user level, and captures packets using the libpcap library.

Prototype System

Early Bird

What is the paper's contribution?
- A combination of existing and novel algorithms for content sifting.
- Low memory and CPU requirements.

What are the paper's weaknesses?
- Depends on invariant content: attackers can design worms with variant content.
- Attackers can evade detection with metamorphic worms and traditional IDS evasion techniques.
- Assumes a bounded growth time for the worm.
- Attackers can deliberately trigger the automated containment as an attack in its own right.

How to improve the paper?
- Hybrid pattern matching: separate non-code strings from potential exploits.
- Investigate traffic normalization.
- Maintain triggering data across multiple time scales.
- Develop efficient mechanisms for comparing signatures against an existing traffic corpus.