Enabling Worm and Malware Investigation Using Virtualization (Demo and poster this afternoon) Dongyan Xu, Xuxian Jiang CERIAS and Department of Computer.


Enabling Worm and Malware Investigation Using Virtualization (Demo and poster this afternoon) Dongyan Xu, Xuxian Jiang CERIAS and Department of Computer Science Purdue University

The Team  Lab FRIENDS  Xuxian Jiang (Ph.D. student)  Paul Ruth (Ph.D. student)  Dongyan Xu (faculty)  CERIAS  Eugene H. Spafford  External Collaboration  Microsoft Research

Our Goal In-depth understanding of increasingly sophisticated worm/malware behavior

Outline  Motivation  An integrated approach  Front-end : Collapsar (Part I)  Back-end : vGround (Part II)  Bringing them together  On-going work

The Big Picture (figure): Domain A and Domain B each divert traffic for their unused addresses, via Proxy ARP and a GRE tunnel, to the worm-capture front-end; captured worms feed the worm-analysis back-end.

Part I. Front-End: Collapsar, Enabling Worm/Malware Capture * X. Jiang, D. Xu, “Collapsar: a VM-Based Architecture for Network Attack Detention Center”, 13th USENIX Security Symposium (Security’04), 2004.

General Approach  Promise of honeypots  Providing insights into intruders’ motivations, tactics, and tools  Highly concentrated datasets with low noise  Low false-positive and false-negative rates  Discovering unknown vulnerabilities/exploitations  Example: CERT advisory CA (Solaris CDE subprocess control daemon, dtspcd)

Current Honeypot Operation  Individual honeypots  Limited local view of attacks  Federation of distributed honeypots  Deploying honeypots in different networks  Exchanging logs and alerts  Problems  Difficulties in distributed management  Lack of honeypot expertise  Inconsistency in security and management policies  Example: log format, sharing policy, exchange frequency

Our Approach: Collapsar  Based on the HoneyFarm idea of Lance Spitzner  Achieving two (seemingly) conflicting goals  Distributed honeypot presence  Centralized honeypot operation  Key ideas  Leveraging unused IP addresses in each participating network  Diverting the corresponding traffic transparently to a “detention” center  Creating VM-based honeypots in the center

Collapsar Architecture (figure): attacker traffic arriving at a Production Network is picked up by a Redirector and tunneled to the Front-End of the Collapsar Center, which hands it to a VM-based Honeypot; a Correlation Engine and a Management Station run inside the center.

Comparison with Current Approaches  Overlay-based approach (e.g., NetBait, Domino overlay)  Honeypots deployed in different sites  Logs aggregated from distributed honeypots  Data mining performed on aggregated log information  Key difference: where the attacks take place (on-site vs. off-site)

Comparison with Current Approaches  Sinkhole networking approach (e.g., iSink)  “Dark” address space used to monitor Internet abnormality and commotion (e.g. the MSBlaster worm)  Limited interaction for better scalability  Key difference: contiguous large address blocks (vs. scattered addresses)

Comparison with Current Approaches  Low-interaction approach (e.g., honeyd, iSink)  Highly scalable deployment  Low security risk  Key difference: emulated services (vs. the real thing)  Less effective at revealing unknown vulnerabilities  Less effective at capturing 0-day worms

Collapsar Design  Functional components  Redirector  Collapsar Front-End  Virtual honeypots  Assurance modules  Logging module  Tarpitting module  Correlation module
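
The slide lists a tarpitting module among Collapsar’s assurance modules but gives no detail. The following is an added illustration of the data-control idea behind such a module (cap the outbound connection attempts a captured honeypot may make, so it cannot become a launch pad); it is not Collapsar’s code, the thresholds are assumptions, and the flow records are constructed.

```python
"""Outbound connection budget for a honeypot (data control / tarpitting).

Added example, not Collapsar's code. Each outbound SYN from a honeypot is
classified against a sliding-window budget: 'allow' while under budget,
'tarpit' (still answered, but throttled) for a grace band, then 'drop'.
Window and thresholds are illustrative assumptions.
"""
from collections import Counter, defaultdict, deque


class OutboundLimiter:
    def __init__(self, window_s=3600, allow=15, tarpit=30):
        self.window_s, self.allow, self.tarpit = window_s, allow, tarpit
        self.attempts = defaultdict(deque)      # honeypot -> timestamps inside the window

    def decide(self, ts, src):
        """Classify one outbound SYN from honeypot `src` at time `ts` (seconds, non-decreasing per src)."""
        q = self.attempts[src]
        while q and ts - q[0] >= self.window_s:  # age out attempts older than the window
            q.popleft()
        q.append(ts)
        if len(q) <= self.allow:
            return "allow"
        if len(q) <= self.tarpit:
            return "tarpit"
        return "drop"


def apply_policy(flows, limiter):
    """flows: (ts, src, dst, dport) outbound attempts; returns [(ts, src, dst, dport, verdict)]."""
    return [(ts, src, dst, dport, limiter.decide(ts, src))
            for ts, src, dst, dport in sorted(flows)]


def summarize(decisions):
    """Per-honeypot verdict counts, e.g. {'10.0.0.5': Counter({'drop': 20, ...})}."""
    out = defaultdict(Counter)
    for _, src, _, _, verdict in decisions:
        out[src][verdict] += 1
    return dict(out)


# Constructed sample: one compromised honeypot spraying 445/tcp, one quiet honeypot
SAMPLE_FLOWS = [(t, "10.0.0.5", f"192.0.2.{t + 1}", 445) for t in range(50)] + [
    (5, "10.0.0.6", "198.51.100.7", 80),
    (20, "10.0.0.6", "198.51.100.8", 80),
    (40, "10.0.0.6", "198.51.100.9", 25),
]

if __name__ == "__main__":
    lim = OutboundLimiter()
    for src, counts in summarize(apply_policy(SAMPLE_FLOWS, lim)).items():
        print(src, dict(counts))
```

The sliding window matters: a honeypot that was throttled recovers its budget once old attempts age out, so legitimate-looking follow-up traffic (which is what you want to observe) is not cut off forever after one burst.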

Collapsar Deployment  Deployed in a local environment for a two-month period in 2003  Traffic redirected from five networks  Three wired LANs  One wireless LAN  One DSL network  ~50 honeypots analyzed so far  Internet worms (MSBlaster, Enbiei, Nachi)  Interactive intrusions (Apache, Samba)  OS: Windows, Linux, Solaris, FreeBSD

Incident: Apache Honeypot/VMware  Vulnerabilities  Vul 1: Apache (CERT® CA )  Vul 2: Ptrace (CERT® VU )  Time-line  Deployed: 23:44:03, 11/24/03  Compromised: 09:33:55, 11/25/03  Attack monitoring  Detailed log

Incident: Windows XP Honeypot/VMware  Vulnerability  RPC DCOM vulnerability (Microsoft Security Bulletin MS03-026)  Time-line  Deployed: 22:10:00, 11/26/03  MSBlaster: 00:36:47, 11/27/03  Enbiei: 01:48:57, 11/27/03  Nachi: 07:03:55, 11/27/03

Summary (Front-End)  A novel front-end for worm/malware capture  Distributed presence and centralized operation of honeypots  Good potential for attack correlation and log mining  Unique features  Aggregation of scattered unused (dark) IP addresses  Off-site (relative to the participating networks) attack occurrence and monitoring  Real services for revealing unknown vulnerabilities

Part II. Back-End: vGround, Enabling Worm/Malware Analysis * X. Jiang, D. Xu, H. J. Wang, E. H. Spafford, “Virtual Playgrounds for Worm Behavior Investigation”, 8th International Symposium on Recent Advances in Intrusion Detection (RAID’05), 2005.

Basic Approach  A dedicated testbed  Internet-inna-box (IBM), Blended Threat Lab (Symantec)  DETER  Goal: understanding worm behavior  Static analysis / execution traces  Reverse engineering (IDA Pro, GDB, …)  Worm experiments at a limited scale  Result:  Only relatively static analysis, at a small scale

The Reality – Worm Threats  Speed, Virulence, & Sophistication of Worms  Flash/Warhol Worms  Polymorphic/Metamorphic Appearances  Zombie Networks (DDoS Attacks, Spam)  What we also need  A high-fidelity, large-scale, live but safe worm playground

A Worm Playground (picture by Peter Szor, Symantec Corp.)

Requirements  Cost & scalability  How about a topology with nodes?  Confinement  In-house private use?  Management & user convenience  Diverse environment requirements  Recovery from the damage done by a worm experiment  Re-installation, re-configuration, and reboot …

Our Approach  vGround  A virtualization-based approach  Virtual Entities:  Leveraging current virtual machine techniques  Designing new virtual networking techniques  User Configurability  Customizing every node (end-hosts/routers)  Enabling flexible experimental topologies

An Example Run: Internet Worms (figure): a virtual worm playground mapped onto a shared physical infrastructure (e.g. PlanetLab)

Key Virtualization Techniques  Full-System Virtualization  Network Virtualization

Full-System Virtualization  Emerging and new VM techniques  VMware, Xen, Denali, UML  Support for real-world services  DNS, Sendmail, Apache with “native” vulnerabilities  Adopted technique: UML  Deployability  Convenience/resource efficiency

User-Mode Linux  System-call virtualization  User-level implementation (figure: the guest OS kernel runs as a user process on the host OS kernel; UM user processes 1 and 2 have their system calls intercepted via ptrace; device drivers and the MMU belong to the host)

New Network Virtualization  Link-layer virtualization  User-level implementation (figure: Virtual Node 1 and Virtual Node 2 on one host OS attach to a user-level Virtual Switch; switches on different hosts are linked by IP-IP tunnels)

User Configurability  Node Customization  System Template  End Node (BIND, Apache, Sendmail, …)  Router (RIP, OSPF, BGP, …)  Firewall (iptables)  Sniffer/IDS (bro, snort)  Topology Customization  Language  Network, Node  Toolkits

Project Planetlab-Worm

    template slapper {
        image slapper.ext2
        cow enabled
        startup { /etc/rc.d/init.d/httpd start }
    }
    template router {
        image router.ext2
        routing ospf
        startup { /etc/rc.d/init.d/ospfd start }
    }
    router R1 {
        superclass router
        network eth0 { switch AS1_lan1  address /24 }
        network eth1 { switch AS1_AS2  address /24 }
    }
    switch AS1_lan1 { unix_sock sock/as1_lan1  host planetlab6.millennium.berkeley.edu }
    switch AS1_AS2  { udp_sock 1500  host planetlab6.millennium.berkeley.edu }
    node AS1_H1 { superclass slapper  network eth0 { switch AS1_lan1  address /24  gateway } }
    node AS1_H2 { superclass slapper  network eth0 { switch AS1_lan1  address /24  gateway } }
    switch AS2_lan1 { unix_sock sock/as2_lan1  host planetlab1.cs.purdue.edu }
    switch AS2_AS3  { udp_sock 1500  host planetlab1.cs.purdue.edu }
    node AS2_H1 { superclass slapper  network eth0 { switch AS2_lan1  address /24  gateway } }
    node AS2_H2 { superclass slapper  network eth0 { switch AS2_lan1  address /24  gateway } }
    switch AS3_lan1 { unix_sock sock/as3_lan1  host planetlab8.lcs.mit.edu }
    router R2 {
        superclass router
        network eth0 { switch AS2_lan1  address /24 }
        network eth1 { switch AS1_AS2  address /24 }
        network eth2 { switch AS2_AS3  address /24 }
    }
    node AS3_H1 { superclass slapper  network eth0 { switch AS3_lan1  address /24  gateway } }
    node AS3_H2 { superclass slapper  network eth0 { switch AS3_lan1  address /24  gateway } }
    router R3 {
        superclass router
        network eth0 { switch AS3_lan1  address /24 }
        network eth1 { switch AS2_AS3  address /24 }
    }

(Figure: the resulting topology, assembled from System Templates, Nodes and Networks: AS1_H1 and AS1_H2 on AS1_lan1 behind R1; R1, R2 and R3 chained over AS1_AS2 and AS2_AS3; AS2_H1 and AS2_H2 on AS2_lan1 behind R2; AS3_H1 and AS3_H2 on AS3_lan1 behind R3. Address and gateway values are blank in the transcript.)
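
To make the topology language concrete, here is an added parser for the block syntax shown on the slide; it is my own example, not vGround’s implementation. The grammar is inferred from that single configuration (declarations of the form `<kind> <name> { ... }`, `superclass` inheritance from a template, `network ethN { switch ... address ... gateway ... }`, and a verbatim `startup { ... }` command) and is therefore an assumption; the addresses in the embedded sample are constructed placeholders. After parsing it expands templates, rejects references to undeclared templates or switches, and computes which virtual nodes a worm on one host could reach across the virtual switches, forwarding only through routers.

```python
"""Parser for the vGround-style topology language on the slide above.

Added example, not vGround's own code. Grammar inferred from the slide (an
assumption); SAMPLE_CONFIG addresses are constructed placeholders.
"""
import re

SAMPLE_CONFIG = """
project Planetlab-Worm
template slapper { image slapper.ext2 cow enabled startup { /etc/rc.d/init.d/httpd start } }
template router { image router.ext2 routing ospf startup { /etc/rc.d/init.d/ospfd start } }
switch AS1_lan1 { unix_sock sock/as1_lan1 host planetlab6.millennium.berkeley.edu }
switch AS1_AS2 { udp_sock 1500 host planetlab6.millennium.berkeley.edu }
switch AS2_lan1 { unix_sock sock/as2_lan1 host planetlab1.cs.purdue.edu }
router R1 { superclass router network eth0 { switch AS1_lan1 address 10.1.1.1/24 }
            network eth1 { switch AS1_AS2 address 10.12.0.1/24 } }
router R2 { superclass router network eth0 { switch AS2_lan1 address 10.2.1.1/24 }
            network eth1 { switch AS1_AS2 address 10.12.0.2/24 } }
node AS1_H1 { superclass slapper network eth0 { switch AS1_lan1 address 10.1.1.10/24 gateway 10.1.1.1 } }
node AS2_H1 { superclass slapper network eth0 { switch AS2_lan1 address 10.2.1.10/24 gateway 10.2.1.1 } }
"""
TOKEN = re.compile(r"[{}]|[^\s{}]+")
KINDS = ("template", "node", "router", "switch")


def parse_block(tokens, i):
    """Parse a body after its '{'; return (dict, index just past the matching '}')."""
    body = {}
    while True:
        if i >= len(tokens):
            raise ValueError("unterminated block")
        key = tokens[i]
        if key == "}":
            return body, i + 1
        if i + 1 >= len(tokens) or tokens[i + 1] == "}":
            raise ValueError(f"attribute {key!r} has no value")
        if key == "startup":                                  # verbatim command line
            if tokens[i + 1] != "{":
                raise ValueError("startup expects a { command } block")
            j = tokens.index("}", i + 2)
            body["startup"] = " ".join(tokens[i + 2:j])
            i = j + 1
        elif tokens[i + 1] == "{":                            # anonymous sub-block
            body[key], i = parse_block(tokens, i + 2)
        elif i + 2 < len(tokens) and tokens[i + 2] == "{":    # named sub-block: network eth0 { }
            name = tokens[i + 1]
            sub, i = parse_block(tokens, i + 3)
            body.setdefault(key, {})[name] = sub
        else:                                                 # plain `key value`
            body[key] = tokens[i + 1]
            i += 2


def parse(text):
    """Top level: `project <name>` plus `<kind> <name> { ... }` declarations."""
    tokens = TOKEN.findall(text)
    decls = {"project": None, **{k: {} for k in KINDS}}
    i = 0
    while i < len(tokens):
        if tokens[i] == "project" and i + 1 < len(tokens):
            decls["project"] = tokens[i + 1]
            i += 2
        elif tokens[i] in KINDS and i + 2 < len(tokens) and tokens[i + 2] == "{":
            kind, name = tokens[i], tokens[i + 1]
            decls[kind][name], i = parse_block(tokens, i + 3)
        else:
            raise ValueError(f"unexpected token {tokens[i]!r} at position {i}")
    return decls


def expand(decls):
    """Resolve `superclass`: a node's own attributes override its template's."""
    vnodes = {}
    for kind in ("node", "router"):
        for name, body in decls[kind].items():
            parent = body.get("superclass")
            if parent is not None and parent not in decls["template"]:
                raise ValueError(f"{name}: unknown template {parent!r}")
            merged = {**decls["template"].get(parent, {}), **body, "kind": kind}
            for iface, cfg in merged.get("network", {}).items():
                if cfg.get("switch") not in decls["switch"]:
                    raise ValueError(f"{name}.{iface}: undeclared switch {cfg.get('switch')!r}")
            vnodes[name] = merged
    return vnodes


def switch_members(vnodes):
    """Map each virtual switch to the (node, iface, address) tuples attached to it."""
    members = {}
    for name, body in vnodes.items():
        for iface, cfg in body.get("network", {}).items():
            members.setdefault(cfg["switch"], []).append((name, iface, cfg.get("address")))
    return members


def reachable(vnodes, start):
    """Nodes a worm on `start` can reach: shared switches, forwarding only through routers."""
    members = switch_members(vnodes)
    seen, todo = {start}, [start]
    while todo:
        cur = todo.pop()
        for cfg in vnodes[cur].get("network", {}).values():
            for other, _, _ in members[cfg["switch"]]:
                if other not in seen:
                    seen.add(other)
                    if vnodes[other]["kind"] == "router":
                        todo.append(other)
    return seen
```

The reachability walk is the useful part for confinement planning: before booting 1500 nodes, it tells you which hosts an infected node could ever touch, and an undeclared switch or template is rejected at parse time rather than discovered as a silent gap in the playground.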

Features  Scalability  3000 virtual hosts in 10 physical nodes  Iterative Experiment Convenience  Virtual node generation time: 60 seconds  Boot-strap time: 90 seconds  Tear-down time: 10 seconds  Strict Confinement  High Fidelity

Evaluation  Current Focus  Worm behavior reproduction  Experiments  Probing, exploitation, payloads, and propagation  Further Potentials – on-going work  Routing worms / Stealthy worms  Infrastructure security (BGP)

Experiment Setup  Two real-world worms  Lion, Slapper, and their variants (figure: Lion, Slapper)  A vGround topology  10 virtual networks  1500 virtual nodes  10 physical machines in an ITaP cluster

Evaluation  Target Host Distribution  Detailed Exploitation Steps  Malicious Payloads  Propagation Pattern

Probing: Target Network Selection (figure: distribution of target networks probed by Lion worms vs. Slapper worms)

Exploitation (Lion) (figure): 1: Probing  2: Exploitation  3: Propagation

Exploitation (Slapper) (figure): 1: Probing  2: Exploitation  3: Propagation

Malicious Payload (Lion)

Propagation Pattern and Strategy  Address-Sweeping  Randomly choose a Class B address (a.b.0.0)  Sequentially scan the hosts of that whole a.b.0.0/16 block  Island-Hopping  Local subnet preference (targets near the infected host’s own address are chosen more often)

Propagation Pattern and Strategy  Address-Sweeping (Slapper worm) (figure: snapshots of the sweep through the chosen a.b.0.0/16 block at 2%, 5% and 10% infected hosts)

Propagation Pattern and Strategy  Island-Hopping (figure: snapshots at 2%, 5% and 10% infected hosts)
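
The two target-selection strategies on the preceding slides can be simulated in a few dozen lines. The following is an added example, not vGround code and not the worms’ own scanners: it implements address sweeping exactly as the slide describes it (random class B, then a sequential scan of that block) and island hopping as a generic local-subnet preference whose probabilities (`p_local`, `p_net`) are assumptions, then runs both against a constructed vulnerable population that is clustered in one /16, which is the situation in which locality pays off.

```python
"""Worm target selection: address sweeping vs. island hopping.

Added example, not vGround's code. AddressSweep follows the slide (random
a.b.0.0, then sequential scan of a.b.0.0/16). IslandHopping's probability
mix is an assumption. The vulnerable population below is constructed.
"""
import random


def ip(a, b, c, d):
    return (a << 24) | (b << 16) | (c << 8) | d


def fmt(x):
    return ".".join(str((x >> s) & 0xFF) for s in (24, 16, 8, 0))


class AddressSweep:
    """Pick a random class B (a.b.0.0) and scan a.b.0.0 .. a.b.255.255 in order."""
    def __init__(self, rng):
        self.rng, self.base, self.offset = rng, None, 1 << 16

    def next_target(self):
        if self.offset == 1 << 16:          # first call, or block exhausted: new a.b
            self.base = self.rng.randrange(1 << 16) << 16
            self.offset = 0
        target = self.base + self.offset
        self.offset += 1
        return target


class IslandHopping:
    """Local-subnet preference: own /24 with p_local, own /16 with p_net, else anywhere."""
    def __init__(self, rng, own, p_local=0.5, p_net=0.25):
        self.rng, self.own, self.p_local, self.p_net = rng, own, p_local, p_net

    def next_target(self):
        r = self.rng.random()
        if r < self.p_local:
            return (self.own & 0xFFFFFF00) | self.rng.randrange(1 << 8)
        if r < self.p_local + self.p_net:
            return (self.own & 0xFFFF0000) | self.rng.randrange(1 << 16)
        return self.rng.randrange(1 << 32)


def simulate(make_scanner, vulnerable, patient_zero, probes_per_round=50,
             max_rounds=200, stop_fraction=0.10):
    """Discrete-time spread: every infected host sends probes_per_round probes per round.
    Returns the infected-host count after each round (index 0 = before probing)."""
    infected = {patient_zero}
    scanners = {patient_zero: make_scanner(patient_zero)}
    timeline = [1]
    for _ in range(max_rounds):
        newly = set()
        for scanner in list(scanners.values()):
            for _ in range(probes_per_round):
                t = scanner.next_target()
                if t in vulnerable and t not in infected:
                    newly.add(t)
        for h in newly:
            infected.add(h)
            scanners[h] = make_scanner(h)
        timeline.append(len(infected))
        if len(infected) >= stop_fraction * len(vulnerable):
            break
    return timeline


# Constructed population: 200 vulnerable hosts clustered in 10.1.0.0/16, 20 per /24
VULNERABLE = {ip(10, 1, c, d) for c in range(10) for d in range(10, 30)}
PATIENT_ZERO = ip(10, 1, 0, 10)


def run_demo(seed=7):
    """Infection timelines (island hopping, address sweeping) on the constructed population."""
    island = simulate(lambda own: IslandHopping(random.Random(seed ^ own), own),
                      VULNERABLE, PATIENT_ZERO)
    sweep = simulate(lambda own: AddressSweep(random.Random(seed ^ own)),
                     VULNERABLE, PATIENT_ZERO)
    return island, sweep


if __name__ == "__main__":
    island, sweep = run_demo()
    print("patient zero:", fmt(PATIENT_ZERO))
    print("island hopping: %d infected after %d rounds" % (island[-1], len(island) - 1))
    print("address sweep : %d infected after %d rounds" % (sweep[-1], len(sweep) - 1))
```

With the population clustered this way, island hopping reaches the 10% mark in a handful of rounds, while a sweep from a random class B almost never lands in the right /16 within the round budget; the slide’s 2%/5%/10% snapshots are the same comparison at playground scale.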

Summary (Back-End)  vGround – the back-end  A virtualization-based worm playground  Properties:  High fidelity  Strict confinement  Good scalability (3000 virtual hosts on 10 physical nodes)  High resource efficiency  Flexible and efficient worm experiment control

Combining Collapsar and vGround (figure): worms captured by Collapsar from Domain A and Domain B (Proxy ARP, GRE tunnels) are handed to vGround for worm analysis.

Conclusions  An integrated virtualization-based platform for worm and malware investigation  Front-end : Collapsar  Back-end : vGround  Great potential for automatic  Characterization of unknown service vulnerabilities  Generation of 0-day worm signatures  Tracking of worm contaminations

On-going Work  More real-world evaluation  Stealthy worms  Polymorphic worms  Additional capabilities  Collapsar center federation  On-demand honeypot customization  Worm/malware contamination tracking  Automated signature generation

Thank you. Stop by our poster and demo this afternoon! For more information: URL: Google: “Purdue Collapsar Friends”