Usenix Security 2004
Autograph: Toward Automated, Distributed Worm Signature Detection
Hyang-Ah Kim (Carnegie Mellon University) and Brad Karp (Intel Research & Carnegie Mellon University)
Internet Worm
  - Large costs due to lost productivity: Code Red $2.6 billion, Slammer $1 billion
  - Vulnerabilities still plentiful
  - Smarter, faster, and more malicious worms easily possible [Staniford et al., 2002]

Internet Worm Quarantine Techniques
  - Destination port blocking
  - Infected source host IP blocking
  - Content-based blocking [Moore et al., 2003]

Content-based Blocking
  (Figure: tcpdump hex/ASCII dump of a Code Red II HTTP request; the decoded ASCII shows "GET /default.ida?XXXXXXXX..." followed by "%u9090%u6858%ucbd3%u7801..." and ends in "HTTP/1.0".)
  - Signature: a payload content string specific to a worm
  - Example shown: the signature for CodeRed II

Content-based Blocking
  (Figure: our network behind a traffic filter at the Internet border; the CodeRed II signature is loaded into the filter and matching traffic is marked X.)
  - Can be used by Bro, Snort, Cisco's NBAR, ...

Signature Derivation Is Too Slow
  Current signature derivation process:
  1. New worm outbreak
  2. Report of anomalies from people via phone/ /newsgroup
  3. Worm trace is captured
  4. Manual analysis by security experts
  5. Signature generation
  - Labor-intensive, human-mediated

Goal
  Automatically generate signatures of previously unknown Internet worms
  - as quickly as possible
  - as accurately as possible

Our Work
  - We focus on TCP worms that propagate via scanning
    - Actually, any transport in which spoofed sources cannot communicate successfully
    - and in which the transport framing is known to the monitor
  - Worm payloads share a common substring: the vulnerability-exploit part is not easily mutable

Outline
  - Problem and Motivation
  - Automated Signature Detection: Desiderata, Technique, Evaluation
  - Distributed Signature Detection: Tattler, Evaluation
  - Related Work
  - Conclusion

Desiderata
  - Automation: minimal manual intervention
  - Signature quality: sensitive and specific
    - Sensitive: match all worms (low false negative rate)
    - Specific: match only worms (low false positive rate)
  - Timeliness: early detection
  - Application neutrality: broad applicability

Automated Signature Generation
  - Step 1: Select suspicious flows using heuristics
  - Step 2: Generate signatures using content-prevalence analysis
  (Figure: an Autograph monitor beside the traffic filter at our network's Internet border; the monitor produces the signature that the filter applies.)
S1: Suspicious Flow Selection
  - Heuristic: flows from scanners are suspicious
    - Focus on the successful flows from IPs that made unsuccessful connections to more than s destinations during the last 24 hours
    - Suitable heuristic for a TCP worm that scans the network
  - Suspicious flow pool
    - Holds reassembled suspicious flows captured during the last time period t
    - Triggers signature generation once the pool holds more than a threshold number of flows
  - Reduces the work by filtering out the vast amount of innocuous flows
  (Figure: Autograph with s = 2 observes a source whose connection attempts to non-existent hosts fail; that source's subsequent successful flow is the one selected.)
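The scanner heuristic from this slide, as an added example (not Autograph's own code): a source that failed against more than s distinct destinations in the preceding 24 hours is treated as a scanner, and only its later successful flows enter the pool. The connection records are constructed and assumed to be sorted by time.

```python
"""Suspicious-flow selection: successful flows from sources that recently
failed to connect to more than s distinct destinations (added illustration)."""
from collections import defaultdict

DAY = 24 * 3600

def select_suspicious_flows(records, s=2, window=DAY):
    """records: (t_seconds, src, dst, succeeded) tuples in time order.
    Returns (t, src, dst) for every successful flow whose source failed
    against more than s distinct destinations within the last `window` s."""
    failures = defaultdict(list)        # src -> [(t, dst)] of failed attempts
    selected = []
    for t, src, dst, succeeded in records:
        # expire failures that fell out of the 24-hour window
        failures[src] = [(ft, fd) for ft, fd in failures[src] if t - ft <= window]
        if not succeeded:
            failures[src].append((t, dst))
            continue
        # count distinct failed destinations, not failed attempts
        if len({fd for _, fd in failures[src]}) > s:
            selected.append((t, src, dst))
    return selected

# Constructed connection records (seconds, source, destination, success).
SAMPLE = [
    (0,   "10.0.0.5", "192.0.2.1", False),   # scanner probing addresses
    (1,   "10.0.0.5", "192.0.2.2", False),
    (2,   "10.0.0.5", "192.0.2.3", False),
    (3,   "10.0.0.7", "192.0.2.1", False),   # host retrying one destination
    (4,   "10.0.0.7", "192.0.2.1", False),
    (5,   "10.0.0.7", "192.0.2.1", True),    # one distinct failure: not a scanner
    (10,  "10.0.0.5", "192.0.2.9", True),    # scanner's successful flow: selected
    (20,  "10.0.0.8", "192.0.2.9", True),    # ordinary client, no failures
    (DAY + 100, "10.0.0.5", "192.0.2.10", True),  # scanner's failures have expired
]

if __name__ == "__main__":
    for flow in select_suspicious_flows(SAMPLE, s=2):
        print("suspicious flow:", flow)
```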
S2: Signature Generation
  - All instances of a worm have a common byte pattern specific to the worm. Rationale:
    - Worms propagate by duplicating themselves
    - Worms propagate using a vulnerability of a service
  - Use the most frequent byte sequences across suspicious flows as signatures
  - How to find the most frequent byte sequences?

Worm-specific Pattern Detection
  - Use the entire payloads: brittle to byte insertion, deletion, reordering
  - Fixed-length partition: partition flows into non-overlapping small blocks and count the number of occurrences; still brittle to byte insertion, deletion, reordering
  - Content-based Payload Partitioning (COPP)
    - Determine block boundaries LBFS-style: partition where the Rabin fingerprint of a sliding window matches the breakmark
    - Configurable parameters: content block size (minimum, average, maximum), breakmark, sliding window
    - Breakmark = last 8 bits of the fingerprint (figure value: 9025)
  (Figure, shown for each scheme: Flow 1 and Flow 2 carry the same X... and Y... regions at different offsets; only COPP yields identical content blocks for both.)
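COPP as sketched on this slide, written as an added illustration (not Autograph's own code): a Rabin-style rolling fingerprint runs over a sliding window, and a block ends wherever the fingerprint's low bits equal the breakmark, subject to the minimum and maximum block sizes. The hash constants, the window of 4 bytes, and the 4-bit breakmark (chosen so that blocks stay short in a small demo; the slide uses 8 bits) are my own choices, and the two sample flows are constructed.

```python
"""Content-based Payload Partitioning (COPP) versus fixed-length partitioning.
Boundaries depend only on local content, so one inserted byte disturbs the
block it lands in and its neighbourhood, while fixed-length partitioning
shifts every block after the change (added illustration)."""
from collections import Counter

PRIME = 2**31 - 1   # modulus of the polynomial rolling hash (assumed)
BASE = 257          # radix of the rolling hash (assumed)

def copp_partition(payload, window=4, min_block=4, max_block=16,
                   avg_bits=4, breakmark=0x0B):
    """Split payload into content blocks (list of bytes).
    A boundary is placed after byte i when the fingerprint of the last
    `window` bytes has (fp & mask) == breakmark and the block is at least
    min_block long; a block is cut unconditionally at max_block. About one
    position in 2**avg_bits hits, so 2**avg_bits is the expected block size."""
    mask = (1 << avg_bits) - 1
    top = pow(BASE, window - 1, PRIME)     # weight of the byte leaving the window
    blocks, start, fp = [], 0, 0
    for i, b in enumerate(payload):
        if i >= window:                     # drop the outgoing byte, then shift in b
            fp = (fp - payload[i - window] * top) % PRIME
        fp = (fp * BASE + b) % PRIME
        length = i - start + 1
        hit = i + 1 >= window and (fp & mask) == breakmark
        if (hit and length >= min_block) or length >= max_block:
            blocks.append(payload[start:i + 1])
            start = i + 1
    if start < len(payload):
        blocks.append(payload[start:])
    return blocks

def fixed_partition(payload, size=8):
    """The slide's fixed-length alternative, for comparison."""
    return [payload[i:i + size] for i in range(0, len(payload), size)]

def shared_blocks(a, b):
    """How many blocks of partition a also occur in partition b (multiset)."""
    return sum((Counter(a) & Counter(b)).values())

# Constructed sample: two "flows" that differ by a single inserted byte.
FLOW1 = b"".join(b"%02x" % i for i in range(64))
INSERT_AT = 50
FLOW2 = FLOW1[:INSERT_AT] + b"!" + FLOW1[INSERT_AT:]

if __name__ == "__main__":
    for name, part in (("fixed", fixed_partition), ("COPP", copp_partition)):
        p1, p2 = part(FLOW1), part(FLOW2)
        print(f"{name}: {shared_blocks(p1, p2)} of {len(p1)} blocks survive the insertion")
```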
Why Prevalence?
  - Worm flows dominate in the suspicious flow pool
  - Content blocks from worms are highly ranked
  (Chart of ranked content blocks, labelled: Nimda, CodeRed2, Nimda (16 different payloads), WebDAV exploit, and innocuous/misclassified blocks.)
Select Most Frequent Content Block
  Suspicious flow pool (each flow shown as its COPP content blocks):
    f0: C F
    f1: C D G
    f2: A B D
    f3: A C E
    f4: A B E
    f5: A B D
    f6: H I J
    f7: I H J
    f8: G I J
  Parameters: prevalence threshold p >= 3, coverage target W >= 90%
  - Step 1: A is the most prevalent block (f2, f3, f4, f5). Signature: A. Remove the flows containing A.
  - Step 2: among the remaining flows (f0, f1, f6, f7, f8), I is the most prevalent (f6, f7, f8). Signature: A, I. Remove the flows containing I.
  - Step 3: only f0 (C F) and f1 (C D G) remain; none of their blocks reaches p, so selection stops. Signature: A, I
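The greedy selection walked through on the slides above, as an added example (not Autograph's code): each flow is the list of content blocks COPP produced for it, prevalence counts distinct flows per block, and the loop stops once W of the pool is covered or no remaining block reaches p. The pool is the slide's f0..f8, entered by hand.

```python
"""Greedy selection of the most prevalent content blocks (added illustration)."""
from collections import Counter

# Constructed pool from the slide: block names stand for content blocks.
SLIDE_FLOWS = {
    "f0": ["C", "F"], "f1": ["C", "D", "G"], "f2": ["A", "B", "D"],
    "f3": ["A", "C", "E"], "f4": ["A", "B", "E"], "f5": ["A", "B", "D"],
    "f6": ["H", "I", "J"], "f7": ["I", "H", "J"], "f8": ["G", "I", "J"],
}

def select_signatures(flows, p=3, w=0.90):
    """Return (signatures, covered_fraction) for a pool {flow_id: [blocks]}."""
    remaining = set(flows)
    signatures = []
    total = len(flows)
    while (total - len(remaining)) / total < w:
        prevalence = Counter()
        for fid in remaining:
            prevalence.update(set(flows[fid]))   # one vote per flow per block
        if not prevalence:
            break
        # highest prevalence wins; ties go to the lexically smaller block so the
        # outcome is deterministic (this reproduces the slide's choice of I over J)
        best, count = min(prevalence.items(), key=lambda kv: (-kv[1], kv[0]))
        if count < p:
            break            # nothing left is prevalent enough to be a signature
        signatures.append(best)
        remaining = {fid for fid in remaining if best not in flows[fid]}
    return signatures, (total - len(remaining)) / total

def matches(signatures, blocks):
    """A flow is flagged when any selected signature block occurs in it."""
    return any(sig in blocks for sig in signatures)

if __name__ == "__main__":
    sigs, cov = select_signatures(SLIDE_FLOWS)
    print("signatures:", sigs, "coverage: %.1f%%" % (100 * cov))
```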
Behavior of Signature Generation
  - Objective: effect of COPP parameters on signature quality
  - Metrics
    - Sensitivity = # of true alarms / total # of worm flows (captures false negatives)
    - Efficiency = # of true alarms / # of alarms (captures false positives)
  - Trace: contains 24-hour HTTP traffic; includes 17 different types of worm payloads

Signature Quality
  - Larger block sizes generate more specific signatures
  - A range of w (90-95%, workload dependent) produces a good signature
Problem: Slow Payload Accumulation
  Before signature generation, Autograph must:
  - Detect scanners (possibly infected hosts): aggressiveness (s) of the flow selection heuristic
  - Accumulate enough payloads for content analysis: earliness (pool-size threshold) of the signature generation trigger
  Infected vulnerable hosts at signature generation (trigger threshold = 5, 63 monitors):
    Info sharing                        s = 1    s = 4
    None, luckiest monitor              2%       60%
    None, average monitor               25%      --
    Scanners + signatures, average      <1%      15%

Faster Signature Detection
  - Share the scanner information with others (tattler)
  (Figure: Autograph monitors in networks A, B and C exchange scanner information through tattler, each still filtering its own traffic.)

Benefit from tattler
  - Objective: measure the detection speed and the signature quality
  - Methodology
    - Trace generation: background noise flows from the real 24-hour trace; captured worm flows from simulation (63 monitors)
    - Signature generation with COPP, varying the suspect flow pool size
  - Metrics
    - Percentage of infected hosts
    - Number of unspecific signatures (those that cause false positives)

Tradeoff: Speed vs. Quality
  - Decreasing s and the pool-size threshold: faster signature generation, but more false positives
  - Marked operating point: pool-size threshold = 15, s = 2, < 2% infected

Attacks
  - Overload due to flow reassembly
    - Run multiple instances of Autograph on separate hardware (port-disjoint)
    - Sample suspicious flows under heavy load
  - Abuse Autograph for DoS by polluting the suspicious flow pool
    - Port scan and then send innocuous traffic: countered by distributed verification of signatures at many monitors
    - Source-address-spoofed port scan: countered by replying with SYN/ACK on behalf of non-existent hosts/services

Related Work
  - EarlyBird [Singh et al. 2003]: pure content-based approach first, then address dispersion heuristic; targets a single high-speed link; no flow reassembly
  - HoneyComb [Kreibich et al. 2003]: signature detection by honeypot and LCS algorithm; targets host-based deployment; small number of flows
  - Honeyd [Provos 2003]: uses distributed honeypots to gather worm payloads and infected IP addresses quickly; focus on harvesting malicious traffic
  - DOMINO [Yegneswaran et al. 2004]: scanner IP information sharing among distributed nodes; distributed monitoring assures earlier and more accurate detection

Future Work
  - Online evaluation with diverse traces
  - Deployment on distributed sites
  - Broader set of suspicious flow selection heuristics
    - Non-scanning worms (ex. hit-list worms, topological worms, worms)
    - UDP worms
  - Distributed agreement for signature quality testing

Conclusion
  - Stopping the spread of novel worms requires early generation of signatures
  - Autograph: automated signature detection system
    - Suspicious flow selection → content prevalence analysis
    - COPP: robustness against payload variability
    - Distributed monitoring: faster signature generation
  - Autograph finds sensitive and specific signatures early in real network traces