Presentation is loading. Please wait.

Presentation is loading. Please wait.

Automated Worm Fingerprinting [Singh, Estan et al] Internet Quarantine: Requirements for Self- Propagating Code [Moore, Shannon et al] David W. Hill CSCI.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Automated Worm Fingerprinting [Singh, Estan et al] Internet Quarantine: Requirements for Self- Propagating Code [Moore, Shannon et al] David W. Hill CSCI."— Presentation transcript:

1 Automated Worm Fingerprinting [Singh, Estan et al] Internet Quarantine: Requirements for Self- Propagating Code [Moore, Shannon et al] David W. Hill CSCI 297 6.28.2005

2 What is a worm? Self-replicating/self-propagating code. Spreads across a network by exploiting flaws in open services. –As opposed to viruses, which require user action to quicken/spread. Not new --- Morris Worm, Nov. 1988 –6-10% of all Internet hosts infected Many more since, but none on that scale …. until Code Red

3 Internet Worm History Xerox PARC, Schoch and Hupp, 1982 Morris Worm 1988 Code Red (V1, V2, II), 2001 NIMDA,, 2001 Slammer Worm, 2003 Blaster Worm,, 2003 Sasser Worm,, 2004

4 Code Red V1 Initial version released July 13, 2001. Exploited known bug in Microsoft IIS Web servers. 1 st through 20 th of each month: spread. 20 th through end of each month: attack. Payload: web site defacement. Spread: via random scanning of 32-bit IP address space. But: failure to seed random number generator  linear growth.

5 Code Red V2 Revision released July 19, 2001. Payload: flooding attack on www.whitehouse.gov. But: this time random number generator correctly seeded. Bingo! Resident in memory, reboot clears the infection Web defacement

6 Code Red V2 - Spread

7 Code Red II New worm released August 4, 2001. Intelligent Replication Engine Installed backdoors Used more threads

8 Life Just Before Slammer

9 Life Just After Slammer

10 Worm Detection – Current Methods Network telescoping- passive monitors that monitor unused address space (Downfalls – non-random, only provide IP not signature Honeypots – slow manual analysis Host-based behavioral detection – dynamically analyze anomalous activity, no inference of large scale attack IDS, IPS – Snort –Labor-intensive, Human-mediated

11 Worm Containment Host Quarantine – IP ACL, router, firewall (blacklist) String-matching containment Connection throttling – Slow the spread

12 Earlybird – Content Sifting Content in existing worms is invariant Dynamics for worm to spread are atypical The Earlybird system can extract signatures from traffic to detect worms and automatically react

13 05:45:31.912454 90.196.22.196.1716 > 209.78.235.128.80:. 0:1460(1460) ack 1 win 8760 (DF) 0x0000 4500 05dc 84af 4000 6f06 5315 5ac4 16c4E.....@.o.S.Z... 0x0010 d14e eb80 06b4 0050 5e86 fe57 440b 7c3b.N.....P^..WD.|; 0x0020 5010 2238 6c8f 0000 4745 5420 2f64 6566P."8l...GET./def 0x0030 6175 6c74 2e69 6461 3f58 5858 5858 5858ault.ida?XXXXXXX 0x0040 5858 5858 5858 5858 5858 5858 5858 5858XXXXXXXXXXXXXXXX..... 0x00e0 5858 5858 5858 5858 5858 5858 5858 5858XXXXXXXXXXXXXXXX 0x00f0 5858 5858 5858 5858 5858 5858 5858 5858XXXXXXXXXXXXXXXX 0x0100 5858 5858 5858 5858 5858 5858 5858 5858XXXXXXXXXXXXXXXX 0x0110 5858 5858 5858 5858 5825 7539 3039 3025XXXXXXXXX%u9090% 0x01a0 303d 6120 4854 5450 2f31 2e30 0d0a 436f0=a.HTTP/1.0..Co. Signatures Worm Signature Content-based blocking [Moore et al., 2003] Signature for CodeRed II Signature : A Payload Content String Specific To A Worm

14 Worm Behavior - Earlybird Content Invariance Content Prevalence Address Dispersion

15 Earlybird Implementation Each network packet is scanned for invariant content Maintain a count of unique source and destination IPs Sort based on substring count and size of address list will determine worm traffic Use substrings to automatically create signatures to filter the worm

16 Earlybird Cont.

17 System consists of sensors and aggregrator Aggregator – pulls data from sensors, activates network or host level blocking, reporting and control

18 Earlybird – Memory & CPU Memory and CPU cycle constraints Index content table by using a fixed size hash of the packet payload Scaled bitmaps are used to reduce memory consumption on address dispersion counts

19 Earlybird Cont. Sensor – 1.6Ghz AMD Opteron 242, Linux 2.6 kernel Captures using libpcap Can sift 1TB of traffic per day and is able to sift 200Mbps of continuous traffic Cisco router configured for mirroring

20 Thresholds Content Prevalence = 3 97 percent of signatures repeat two or fewer times

21 Thresholds Address Dispersion = 30 src and 30 dst Lower dispersion threshold will produce more false positives Garbage collection – several hours

22 Earlybird False Positives 99% percent of FPs are from SMTP header strings and HTTP user agents - whitelist SPAM e-mails – distributed mailers and relays BitTorrent file striping creates many-to- many download profile

23 Earlybird – Issues of Concern SSH, SSL, IPSEC, VPNs Polymorphism IP spoofing source address Packet injection

24 Earlybird – Current State UCSD  NetSift  Cisco

25 Internet Quarantine – Requirements for containing self propagated code Prevention – Managing vulnerabilities Treatment – Disinfection tools, patches Containment – Firewalls, content filters, blacklists. How to completely automate?

26 Modeling Containment Reaction time – time necessary for detection Containment strategy – blacklisting, content filtering Deployment scenario – how many nodes are participating

27 Blacklisting vs. Content Filtering

28 Blacklisting vs. Content Filtering - Aggresiveness

29 Deployment Scenarios

30 References The Threat of Internet Worms, Vern Paxson - The Threat of Internet Worms, Vern Paxson http://www.icir.org/vern/talks/vp-worms-ucla-Feb05.pdfhttp://www.icir.org/vern/talks/vp-worms-ucla-Feb05.pdf -Cooperative Association for Internet Data Analysis (CAIDA) http://www.caida.org http://www.caida.org -Autograph, Toward Automated, Distributed Worm Signature Detection- Usenix Security 2004 -Wikipedia, computer worms, hashing. -Code Carrying Proofs, Aytekin Vargun, Rensselaer Polytechnic Institute

31 Thank You! Discussion…..

32

Download ppt "Automated Worm Fingerprinting [Singh, Estan et al] Internet Quarantine: Requirements for Self- Propagating Code [Moore, Shannon et al] David W. Hill CSCI."

Similar presentations

Defense and Detection Strategies Against Internet Worms Usman Sarwar Network Research Group, University Science Malaysia.

Defense and Detection Strategies Against Internet Worms Usman Sarwar Network Research Group, University Science Malaysia.
(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.

(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Automated Worm Fingerprinting Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage Presenter:

CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Automated Worm Fingerprinting Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage Presenter:
 Looked at some research approaches to: o Evaluate defense effectiveness o Stop worm from spreading from a given host o Defend a circle of friends against.

 Looked at some research approaches to: o Evaluate defense effectiveness o Stop worm from spreading from a given host o Defend a circle of friends against.
 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.

 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.
 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.

 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.
Internet Quarantine: Requirements for Containing Self- Propagating Code David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage.

Internet Quarantine: Requirements for Containing Self- Propagating Code David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Usenix Security 2004 Autograph Toward Automated, Distributed Worm Signature Detection Hyang-Ah KimBrad Karp Carnegie Mellon UniversityIntel Research &

Usenix Security 2004 Autograph Toward Automated, Distributed Worm Signature Detection Hyang-Ah KimBrad Karp Carnegie Mellon UniversityIntel Research &
Worms: Taxonomy and Detection Mark Shaneck 2/6/2004.

Worms: Taxonomy and Detection Mark Shaneck 2/6/2004.
Automated Worm Fingerprinting Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage Manan Sanghi.

Automated Worm Fingerprinting Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage Manan Sanghi.
Worm Defense. Outline  Internet Quarantine: Requirements for Containing Self-Propagating Code  Netbait: a Distributed Worm Detection Service  Midgard.

Worm Defense. Outline  Internet Quarantine: Requirements for Containing Self-Propagating Code  Netbait: a Distributed Worm Detection Service  Midgard.
Autograph Toward Automated, Distributed Worm Signature Detection (Hyang-Ah Kim, Brad Karp) Yunhai & Justin.

Autograph Toward Automated, Distributed Worm Signature Detection (Hyang-Ah Kim, Brad Karp) Yunhai & Justin.
Algorithms for Network Security

Algorithms for Network Security
100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.

100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.
1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer.

1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Intrusion Prevention System Group 6 Mu-Hsin Wei Renaud Moussounda Group 6 Mu-Hsin Wei Renaud Moussounda.

Intrusion Prevention System Group 6 Mu-Hsin Wei Renaud Moussounda Group 6 Mu-Hsin Wei Renaud Moussounda.
EDUCAUSE Security 2006 Internet John Brown University.

EDUCAUSE Security 2006 Internet John Brown University.

Similar presentations

Ads by Google