Presentation is loading. Please wait.

Presentation is loading. Please wait.

Carleton University School of Computer Science Detecting Intra-enterprise Scanning Worms based on Address Resolution David Whyte, Paul van Oorschot, Evangelos.

Published byJoella Wade Modified over 8 years ago

Similar presentations

Presentation on theme: "Carleton University School of Computer Science Detecting Intra-enterprise Scanning Worms based on Address Resolution David Whyte, Paul van Oorschot, Evangelos."— Presentation transcript:

1 Carleton University School of Computer Science Detecting Intra-enterprise Scanning Worms based on Address Resolution David Whyte, Paul van Oorschot, Evangelos Kranakis

2 Carleton University School of Computer Science Outline ● Internet Environment ● Scanning Worm Propagation Characteristics ● Address Resolution (ARP) Approach ● Results ● Limitations ● Conclusions

3 Carleton University School of Computer Science Dsheild Report –- December 6, 2005 Top Attacker: 216.81.35.172 Most Attacked Port: 445

4 Carleton University School of Computer Science Worm Outbreaks ● Sapphire/Slammer worm – Jan 25, 2003 – Fastest spreading worm yet ● 90% compromised in first 10 minutes ● August 2003 the “Month of Worms” – SoBig.F: #1 “mass mailing” virus of all time – Blaster/LovSan/Welchia/Nachi ● Witty worm – March 2004 – Buffer overflow in a suite of security products ● Use of a hit-list?

5 Carleton University School of Computer Science Countermeasure Challenges ● Propagation speed renders human-based defensive strategies non-effective ● Security patches – frequent, large and sometimes broken – Slammer fix SQL Server 2000 SP2: three parts 26MB to 506MB – sql2kdeskfullsp2.exe 390 MB

6 Carleton University School of Computer Science Countermeasure Challenges ● Active response (i.e. containment and suppression) – risky (self imposed DoS) ● The IDS that cried “Worm!!”… – (Snort) alert UDP any any -> any 1434 (msg:"SQL Slammer Worm"; rev:1; content:"|726e51686f 756e746869636b43684765|";) – (Dragon) NAME=SMB:DCOM-OVERFLOW SIGNATURE=T D A B 2 0 135 SMB:DCOM- OVERFLOW /5c/00/43/00/24/00/5c/00*/00*/00*/00*/00*/00*/00 */00*/00*/00*/00*/00*/00*/00*/00, /01/10/08/00/cc/c c/cc/cc

7 Carleton University School of Computer Science Solution/Problem ● Automated countermeasures are required for worm containment and suppression ● Worm propagation detection methods need to: – Detect propagation quickly – Detect propagation accurately – Detect propagation of varying rates – Detect zero-day worms

8 Carleton University School of Computer Science Scanning Worm Characteristics ● Scanning worms can employ a variety of strategies to infect systems – Topological scanning – Slow scanning – Fast scanning ● Topological scanning – Use of local information to find victims – Potential to be very fast

9 Carleton University School of Computer Science Enterprise Network

10 Carleton University School of Computer Science ARP-based Scanning Worm Detection Approach ● Focus on protecting the internal network – Network 'hard crunchy' exterior 'soft gooey' middle – Limit damage within network cell ● Behavioral '“”signature' – Based on anomalous behavior – ARP request is a 'scan' – Premise: measurable changes in amount/pattern ARP activity ● 3-factor anomaly score

11 Carleton University School of Computer Science 3-Factor Anomaly Score ● Peer-list: previous connection activity ● ARP activity: 'expected' amount of ARP activity vs. observed ARP activity (mean + sd) ● Internal network dark space: ARP requests to non-existent systems ● Factor weighting is configurable ● When aggregate score from three factors exceeds threshold in specified time window: ALERT!!

12 Carleton University School of Computer Science Set-up and Training Period ● Divide network into cells (broadcast domains) ● Training period – Gather ARP broadcast requests – Construct peer-list – Calculate expected ARP activity for each system – Identify internal network address darkspace

13 Carleton University School of Computer Science Software Developed Prototype uses Perl modules and libpcap High-level design –Packet Processing Engine (PPE) Extract features from ARP broadcast traffic –ARP Correlation Engine (ACE) Create individual system ARP statistics Create peer-list Observe ARP request activity to generate 3-factor anomaly score Generate alerts

14 Carleton University School of Computer Science Testing Environment Two-week training period Two-week test run Lab/production network –One quarter Class C network –DNS/mail/web –Small user population –Linux OS –Closed network

15 Carleton University School of Computer Science ARP Statistics (Training Period)

16 Carleton University School of Computer Science Alert Thresholds ● Common threshold ● Function-specific threshold – Server/workstation ● Threshold as well as anomaly factor weighting is configurable ● Prototype can give default threshold based on training period – (r=3): 3 scans within a 3 minute window

17 Carleton University School of Computer Science Testing Results (Alerts) 2-week Period

18 Carleton University School of Computer Science False Positive Analysis ● Increasing scan threshold reduces false positives (our network r = 3 only 5 false positives in a two week period) ● Function-specific vs. common threshold approach reduced false positive rate ● All false positives were caused by a“ 'burst' in server activity

19 Carleton University School of Computer Science Worm Simulation Results ● Not practical to infect network ● Nmap scanning – Sequential scanning – Random scanning ● Detected all scan activity scenarios within 3 scans – Internal network darkspace a factor

20 Carleton University School of Computer Science Limitations ● Test network size ● Simulation vs. actual infection ● Exclusive observation of broadcast traffic may lead to underestimation of dark space ● DHCP ● P2P, highly distributed network: 'your mileage may vary'

21 Carleton University School of Computer Science Conclusions ● An approach to protect the internal network (topological worms) ● Analysis provides evidence that the approach has merit ● Full prototype developed ● Anomaly-based – ability to detect emerging worms

22 Carleton University School of Computer Science Questions? dlwhyte@scs.carleton.ca

Download ppt "Carleton University School of Computer Science Detecting Intra-enterprise Scanning Worms based on Address Resolution David Whyte, Paul van Oorschot, Evangelos."

Similar presentations

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
Intrusion Detection System Snort. What is Snort? Free and Open Source Intrusion Detection System Monitor network traffic Scan for protocol anomalies Scan.

Intrusion Detection System Snort. What is Snort? Free and Open Source Intrusion Detection System Monitor network traffic Scan for protocol anomalies Scan.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Network Traffic Anomaly Detection Based on Packet Bytes Matthew V. Mahoney Florida Institute of Technology

Network Traffic Anomaly Detection Based on Packet Bytes Matthew V. Mahoney Florida Institute of Technology
SANS Technology Institute - Candidate for Master of Science Degree 1 Covert Channels A Primer for Security Professionals Erik Couture GIAC GSEC GCIH GCIA.

SANS Technology Institute - Candidate for Master of Science Degree 1 Covert Channels A Primer for Security Professionals Erik Couture GIAC GSEC GCIH GCIA.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.

Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.
 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.

 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.
 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.

 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.
Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.

Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.
Vigilante: End-to-End Containment of Internet Worms Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang, Paul Barham.

Vigilante: End-to-End Containment of Internet Worms Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang, Paul Barham.
Report on statistical Intrusion Detection systems By Ganesh Godavari.

Report on statistical Intrusion Detection systems By Ganesh Godavari.
How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.
1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer.

1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Design and Implementation of SIP-aware DDoS Attack Detection System.

Design and Implementation of SIP-aware DDoS Attack Detection System.
Using Argus Audit Trails to Enhance IDS Analysis Jed Haile Nitro Data Systems

Using Argus Audit Trails to Enhance IDS Analysis Jed Haile Nitro Data Systems
1 GFI LANguard N.S.S VS NeWT Security Scanner Presented by:Li,Guorui.

1 GFI LANguard N.S.S VS NeWT Security Scanner Presented by:Li,Guorui.
A Statistical Anomaly Detection Technique based on Three Different Network Features Yuji Waizumi Tohoku Univ.

A Statistical Anomaly Detection Technique based on Three Different Network Features Yuji Waizumi Tohoku Univ.

Similar presentations

Ads by Google