Presentation is loading. Please wait.

Presentation is loading. Please wait.

Usenix Security 2004 Autograph Toward Automated, Distributed Worm Signature Detection Hyang-Ah KimBrad Karp Carnegie Mellon UniversityIntel Research &

Similar presentations


Presentation on theme: "Usenix Security 2004 Autograph Toward Automated, Distributed Worm Signature Detection Hyang-Ah KimBrad Karp Carnegie Mellon UniversityIntel Research &"— Presentation transcript:

1 Usenix Security 2004 Autograph Toward Automated, Distributed Worm Signature Detection Hyang-Ah KimBrad Karp Carnegie Mellon UniversityIntel Research & Carnegie Mellon University

2 Usenix Security 20042 Internet Worm  Large costs due to lost productivity Code Red: $2.6 billion, Slammer: $1 billion  Vulnerabilities still plentiful  Smarter, faster, and more malicious worms easily possible [Staniford et al., 2002] Internet Worm Quarantine Techniques  Destination port blocking  Infected source host IP blocking  Content-based blocking Content-based blocking [Moore et al., 2003]

3 Usenix Security 20043 Content-based Blocking 05:45:31.912454 90.196.22.196.1716 > 209.78.235.128.80:. 0:1460(1460) ack 1 win 8760 (DF) 0x0000 4500 05dc 84af 4000 6f06 5315 5ac4 16c4E.....@.o.S.Z... 0x0010 d14e eb80 06b4 0050 5e86 fe57 440b 7c3b.N.....P^..WD.|; 0x0020 5010 2238 6c8f 0000 4745 5420 2f64 6566P."8l...GET./def 0x0030 6175 6c74 2e69 6461 3f58 5858 5858 5858ault.ida?XXXXXXX 0x0040 5858 5858 5858 5858 5858 5858 5858 5858XXXXXXXXXXXXXXXX..... 0x00e0 5858 5858 5858 5858 5858 5858 5858 5858XXXXXXXXXXXXXXXX 0x00f0 5858 5858 5858 5858 5858 5858 5858 5858XXXXXXXXXXXXXXXX 0x0100 5858 5858 5858 5858 5858 5858 5858 5858XXXXXXXXXXXXXXXX 0x0110 5858 5858 5858 5858 5825 7539 3039 3025XXXXXXXXX%u9090% 0x0120 7536 3835 3825 7563 6264 3325 7537 3830u6858%ucbd3%u780 0x0130 3125 7539 3039 3025 7536 3835 3825 75631%u9090%u6858%uc 0x0140 6264 3325 7537 3830 3125 7539 3039 3025bd3%u7801%u9090% 0x0150 7536 3835 3825 7563 6264 3325 7537 3830u6858%ucbd3%u780 0x0160 3125 7539 3039 3025 7539 3039 3025 75381%u9090%u9090%u8 0x0170 3139 3025 7530 3063 3325 7530 3030 3325190%u00c3%u0003% 0x0180 7538 6230 3025 7535 3331 6225 7535 3366u8b00%u531b%u53f 0x0190 6625 7530 3037 3825 7530 3030 3025 7530f%u0078%u0000%u0 0x01a0 303d 6120 4854 5450 2f31 2e30 0d0a 436f0=a.HTTP/1.0..Co..... Signature : A Payload Content String Specific To A Worm Signature for CodeRed II

4 Usenix Security 20044 Content-based Blocking Our network X Traffic Filtering Internet Signature for CodeRed II  Can be used by Bro, Snort, Cisco’s NBAR,...

5 Usenix Security 20045 Signature derivation is too slow Current Signature Derivation Process  New worm outbreak  Report of anomalies from people via phone/email/newsgroup  Worm trace is captured  Manual analysis by security experts  Signature generation  Labor-intensive, Human-mediated

6 Usenix Security 20046 Goal Automatically generate signatures of previously unknown Internet worms  as quickly as possible  as accurately as possible

7 Usenix Security 20047 Our Work We focus on TCP worms that propagate via scanning Actually, any transport  in which spoofed sources cannot communicate successfully  in which transport framing is known to monitor Worm’s payloads share a common substring  Vulnerability exploit part is not easily mutable

8 Usenix Security 20048 Outline Problem and Motivation Automated Signature Detection  Desiderata  Technique  Evaluation Distributed Signature Detection  Tattler  Evaluation Related Work Conclusion

9 Usenix Security 20049 Desiderata Automation: Minimal manual intervention Signature quality: Sensitive & specific  Sensitive: match all worms  low false negative rate  Specific: match only worms  low false positive rate Timeliness: Early detection Application neutrality  Broad applicability

10 Usenix Security 200410 Automated Signature Generation Step 1: Select suspicious flows using heuristics Step 2: Generate signature using content- prevalence analysis Our network Traffic Filtering Internet Autograph Monitor Signature X

11 Usenix Security 200411 Heuristic: Flows from scanners are suspicious  Focus on the successful flows from IPs who made unsuccessful connections to more than s destinations for last 24hours  Suitable heuristic for TCP worm that scans network Suspicious Flow Pool  Holds reassembled, suspicious flows captured during the last time period t  Triggers signature generation if there are more than  flows S1: Suspicious Flow Selection Reduce the work by filtering out vast amount of innocuous flows Autograph (s=2) Non-existent  This flow will be selected

12 Usenix Security 200412 S1: Suspicious Flow Selection Heuristic: Flows from scanners are suspicious  Focus on the successful flows from IPs who made unsuccessful connections to more than s destinations for last 24hours  Suitable heuristic for TCP worm that scans network Suspicious Flow Pool  Holds reassembled, suspicious flows captured during the last time period t  Triggers signature generation if there are more than  flows Reduce the work by filtering out vast amount of innocuous flows

13 Usenix Security 200413 S2: Signature Generation All instances of a worm have a common byte pattern specific to the worm Rationales  Worms propagate by duplicating themselves  Worms propagate using vulnerability of a service Use the most frequent byte sequences across suspicious flows as signatures How to find the most frequent byte sequences?

14 Usenix Security 200414 Worm-specific Pattern Detection Use the entire payloads  Brittle to byte insertion, deletion, reordering XXXXXXXX9025753930399025YYYY Flow 1 Flow 2 XXXXXXX9025753930399025YYYYY

15 Usenix Security 200415 Worm-specific Pattern Detection Partition flows into non-overlapping small blocks and count the number of occurrences Fixed-length Partition  Still brittle to byte insertion, deletion, reordering XXXXXXXX9025753930399025YYYY Flow 1 Flow 2 XXXXXXX9025753930399025YYYYY

16 Usenix Security 200416 Worm-specific Pattern Detection Content-based Payload Partitioning (COPP)  Determine boundaries of block using LBFS style  Partition if Rabin fingerprint of a sliding window matches Breakmark  Configurable parameters: content block size (minimum, average, maximum), breakmark, sliding window  Content Blocks Breakmark = last 8bits of fingerprint ( 9025 ) XXXXXXXX9025753930399025YYYY Flow 1 Flow 2 XXXXXXX9025753930399025YYYYY

17 Usenix Security 200417 Why Prevalence? Worm flows dominate in the suspicious flow pool Content-blocks from worms are highly ranked Nimda CodeRed2 Nimda (16 different payloads) WebDAV exploit Innocuous, misclassified

18 Usenix Security 200418 Select Most Frequent Content Block ABD ABE ACE AD CF CDG B f0 f1 f2 f3 f4 f5 HIJ f6 IHJ f7 GIJ f8

19 Usenix Security 200419 A A A E E A F C C C D D DB B B H H G G I I I J J J Select Most Frequent Content Block D C E E A A A A D F C C DG B B B H H G I I I J J J f0 f1 f2 f3 f4 f5 f6 f7 f8 f0 C F f1 C D G f2 A B D f3 A C E f4 A B E f5 A B D f6 H I J f7 I H J f8 G I J

20 Usenix Security 200420 Select Most Frequent Content Block A B D A BE A C E A D C F C D G B H I J I H J GI J f0 C F f1 C D G f2 A B D f3 A C E f4 A B E f5 A B D f6 H I J f7 I H J f8 G I J p≥3p≥3 W ≥ 90% Signature:

21 Usenix Security 200421 Signature: A Select Most Frequent Content Block A B D A BE A C E A D C F C D G B H I J I H J GI J f0 C F f1 C D G f2 A B D f3 A C E f4 A B E f5 A B D f6 H I J f7 I H J f8 G I J p≥3p≥3 W ≥ 90%

22 Usenix Security 200422 Select Most Frequent Content Block B DB A A A C E E A D F C C D G B H I J I H J GI J p≥3p≥3 W ≥ 90% Signature: A f0 C F f1 C D G f2 A B D f3 A C E f4 A B E f5 A B D f6 H I J f7 I H J f8 G I J

23 Usenix Security 200423 Select Most Frequent Content Block F C C D G H I J I H J GI J p≥3p≥3 W ≥ 90% Signature: A f0 C F f1 C D G f2 A B D f3 A C E f4 A B E f5 A B D f6 H I J f7 I H J f8 G I J I

24 Usenix Security 200424 Select Most Frequent Content Block F C C DG p≥3p≥3 W ≥ 90% Signature: A f0 C F f1 C D G f2 A B D f3 A C E f4 A B E f5 A B D f6 H I J f7 I H J f8 G I J I U Signature:

25 Usenix Security 200425 Outline Problem and Motivation Automated Signature Detection  Desiderata  Technique  Evaluation Distributed Signature Detection  Tattler  Evaluation Related Work Conclusion

26 Usenix Security 200426 Behavior of Signature Generation Objectives  Effect of COPP parameters on signature quality Metrics  Sensitivity = # of true alarms / total # of worm flows  false negatives  Efficiency = # of true alarms / # of alarms  false positives Trace  Contains 24-hour http traffic  Includes 17 different types of worm payloads

27 Usenix Security 200427 Signature Quality Larger block sizes generate more specific signatures A range of w (90-95%, workload dependent) produces a good signature

28 Usenix Security 200428 Outline Problem and Motivation Automated Signature Detection  Desiderata  Technique  Evaluation Distributed Signature Detection  Tattler  Evaluation Related Work Conclusion

29 Usenix Security 200429 Problem: Slow Payload Accumulation Before signature generation,  Detect scanners (possibly infected hosts)  Aggressiveness (s ) of flow selection heuristics  Accumulate payloads enough for content analysis  Earliness (  ) of signature generation trigger Infected vulnerable hosts (  =5, 63 monitors) Info Sharing Autograph Monitor Aggressiveness of flow selection s = 1s = 4 None Luckiest2%60% Average25% -- Scanners, Signatures Average<1%15%

30 Usenix Security 200430 Faster Signature Detection Share the scanner information with others Our network Traffic Filtering Internet Autograph Monitor Network A Network C Network B tattler

31 Usenix Security 200431 Benefit from tattler Objective  Measure the detection speed and the signature quality Methodology  Trace generation Background noise flows from the real 24hr trace Captured worm flows from simulation (63 monitors)  Signature generation with COPP varying suspect flow pool size Metrics  Percentage of infected hosts  Number of unspecific signatures (that causes false positives)

32 Usenix Security 200432 Tradeoff: Speed vs. Quality Decreasing s and  parameters  faster signature generation  more false positives x x  = 15, s = 2, < 2% infected

33 Usenix Security 200433 Attacks Overload due to flow reassembly  Multiple instances of Autograph on separate HW (port-disjoint)  Suspicious flow sampling under heavy load Abuse Autograph for DoS: pollute suspicious flow pool  Port scan and then send innocuous traffic  Distributed verification of signatures at many monitors  Source-address-spoofed port scan  Reply with SYN/ACK on behalf of non-existent hosts/services

34 Usenix Security 200434 Related Work EarlyBird [Singh et al. 2003]  Pure content-based approach first, then address dispersion heuristic  Targets a single high speed link; no flow reassembly HoneyComb [Kreibich et al. 2003]  Signature detection by Honeypot & LCS algorithm  Targets host-based deployment; small number of flows Honeyd [Provos 2003]  Use distributed honeypots to gather worm payloads & infected IP addresses quickly  Focus on harvesting malicious traffic DOMINO [Yegneswaran et al. 2004]  Scanner IP information sharing among distributed nodes  Distributed monitoring assures earlier & more accurate detection

35 Usenix Security 200435 Future Work Online evaluation with diverse traces Deployment on distributed sites Broader set of suspicious flow selection heuristics  Non-scanning worms (ex. hit-list worms, topological worms, email worms)  UDP worms Distributed agreement for signature quality testing

36 Usenix Security 200436 Conclusion Stopping spread of novel worms requires early generation of signatures Autograph: automated signature detection system  Suspicious flow selection → Content prevalence analysis  COPP: robustness against payload variability  Distributed monitoring: faster signature generation Autograph finds sensitive & specific signatures early in real network traces


Download ppt "Usenix Security 2004 Autograph Toward Automated, Distributed Worm Signature Detection Hyang-Ah KimBrad Karp Carnegie Mellon UniversityIntel Research &"

Similar presentations


Ads by Google