
Generating signatures for zero-day network attacks
Pascal Gamper, Daniela Brauckhoff, Bernhard Tellenbach
Saturday, May 17, 2008 (presentation transcript)


Slide 2: Outline
- Motivation
- Problem Statement
- Automated Signature Generation: Overview
- The NoAH approach
- Attack Detection
- Attack Analysis
- Signature Generation

Slide 3: Motivation: The dynamics of (in)security
Source: "The Dynamics of (In)Security", Stefan Frei, ETH Zurich, BlackHat 2006
- 90 % probability for available 0-day exploits
(The chart from the source is not reproduced in this transcript.)

Slide 4: Problem Statement
- Defending against 0-day attacks: Intrusion Detection System (IDS)
  - Separates benign and malicious network traffic
  - Host- or network-based signatures
- Most IDS signatures are hand-crafted by professionals
- Zero-day exploits make manual signature generation useless
- Problem: manual signature generation is too slow! Options?

Slide 5: Techniques for automated signature generation: Overview

Slide 6: Building Blocks of an ASG System
(Diagram, reconstructed from its labels: at each of Site 1 ... Site N an Attack Detector passes raw data to an Analysis Engine, which produces attack vector information; a Correlator combines the sites' results into refined attack vector information; the Signature Generator emits transformed attack vector information.)

Slide 7: The NoAH Approach: EU Project NoAH (Network of Affined Honeypots)

Slide 8: Goals
- NoAH aims at automated
  - detection of unknown attacks
  - generation of signatures to counter 0-day attacks
- Generate signatures for common IDS
- Install a full-scale infrastructure across Europe
- Target audience: ISPs, NRENs, researchers

Slide 9: Attack Detection

Slide 10: NoAH Architecture: Attack Detector Argos
- Detection technique (Argos): OS-independent memory tainting (x86 emulator)
- Scope of NoAH: remote attacks that do not require a human in the loop
(Diagram labels: Host OS; Emulated Hardware with NIC, CPU and RAM (address label 0xAAA); Guest OS; Network; Exec.)

Slide 11: Attack Analysis

Slide 12: Combining Analysis Engines
- Different analysis engines (extractors) analyse attack information from different sources
- Extractors can depend on each other
- A meta-signature describes the entire set of available attack information
- Quality estimation of the meta-signature is based on
  - which extractors succeeded
  - the value and amount of extracted information

Slide 13: Combining host- and network-based analysis
- Extractor #1: host-based information from Argos
  - Identifies the memory content relevant to the attack
  - Identifies the OS and the attacked process
  - Identifies the network traffic bytes involved
- Extractor #2: network-based information from the Protocol State Tracker
  - Protocol field(s) containing the network bytes involved
  - Communication/protocol state history

Slides 14-19: Basic Architecture of the entire ASG System (one diagram built up over six slides)
(Diagram components: Honeypot; Network Protocol State Tracker writing TrackerOutput.dat and TrackerDump.dat; Argos writing Argos.netlog and Argos.csi.x and exposing an Argos Control Socket; Snitch Perl Script; Signature Generator consisting of a Main process, a Snitch Thread and an Extractor Thread that runs the Argos Extractor and the Tracker Extractor and produces the Meta-signature; MySQL Database. Legend for the connections: Network Socket, IPC, File I/O, Network.)

Slide 20: Network Protocol State Tracker
- Tracks the network connections towards one or more honeypot systems
- Logs the protocol state for each packet
- User-defined packet and connection analysis is possible
- Highly configurable by relying on various libraries
- State machine configurations currently available for IP, TCP/UDP and FTP

Slide 21: Libraries
- NetBee library
  - Developed by NetGroup at Politecnico di Torino
  - Components for different types of packet processing
  - We integrated its packet decoding functionality into the Tracker
- Netprotofsm
  - Finite state machine library for describing network protocols
  - Our approach is based on work by J. van Gurp and J. Bosch
  - Features:
    - Protocol state machines defined by XML files
    - Resource-gentle
    - Flexible timer mechanism (schedule events, define timeouts)
    - Custom actions can be implemented

Slide 22: Architecture
(Diagram labels, grouped as they appear: State Tracker: Capturing from the Network via the Pcap library, PacketDecoder via the NetBee library, State Machine via the netprotofsm library (libnetprotofsm) configured by a Protocol Specification File, EventData, LogAction writing a Connection State Log File. Replayer: LogReader reading the Connection State Log File, ReplayAction towards the Network.)

Slide 23: Example: Attack information extracted
(Diagram, reconstructed from its labels.)
- Extractor #1 (Argos memory dump, Snitch perl script):
  - Tainted data which is about to be used in instruction execution: 04 F2 A6 00
  - Operating system: Win2000
  - Attacked service / program: WAR-FTPD
  - Position of the tainted bytes in the network packet
- Extractor #2 (network packet, Protocol State Tracker):
  - Protocol connection state: TCP: connection established; FTP: login, user identification
  - Packet field decoding (IP / TCP / FTP: Dest Address, Src Address, Dest Port, Src Port, USER, payload data): FTP: bytes 04 F2 A6 00 in the USER field

Slide 24: Signature Generation

Slide 25: Signature Generation Flow
1. Generate meta-signature
2. Determine signature quality
4. Save to database
5. Use adapters to create specific signatures
6. Store (correlate and/or distribute) adapted signatures

Slide 26: Snort as Signature Format
- Snort for the proof of concept
  - Snort is open source and well known
  - Simple signature format
- Implications
  - Only a part of the extracted attack information can be used; for example, we cannot include information about the attacked program

Slide 27: Generated signature (WAR-FTPD example)
alert tcp any any -> any 21 (msg: "(NoAH) RET via FTP protocol, USER command in war-ftpd.exe(win2k)"; flow: established, from_client; content:"USER"; content:!"|0D 0A|"; offset: 5; depth: 465;)

Slides 28-30: Signature Properties (WAR-FTPD example)
The same rule is shown three times with one part highlighted on each slide (the highlighting is lost in this transcript): connection state information; state transition trigger; vulnerable field(s).

Slide 31: Conclusion
- Our ASG system generates signatures with almost zero false positives
  - for remote code injection attacks
  - if the full amount of attack information is extracted
- The signature describes the vulnerability of the application
  - Protects server applications from buffer overflows in arbitrary protocols and fields
- Our signatures can compete with other approaches, including manually created reference signatures

Slide 32: Questions?

Slide 33: Evaluation
- Prototype implementation
  - IP, TCP, UDP and FTP protocol state machines
- Exemplary signature generation tests
  - Protocol-context-aware signatures:
    - Average total generation time: 1.64 s
    - Few false positives
  - LCS signatures (fallback strategy):
    - Average total generation time: 3.46 s
    - High rate of false positives, depending on the strings

