Presentation is loading. Please wait.

Presentation is loading. Please wait.

Automated Worm Fingerprinting Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage Manan Sanghi.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Automated Worm Fingerprinting Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage Manan Sanghi."— Presentation transcript:

1 Automated Worm Fingerprinting Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage Manan Sanghi

2 The menace

3 Context Worm Detection  Scan detection  Honeypots  Host based behavioral detection  Payload-based ???

4 Context Characterization  A priori vulnerability signatures Generally manual  Honeycomb Host based Longest common subsequences  Autograph Network level automatic signature generation

5 Context Containment  Host quarantine  String matching  Connection throttling Address Blacklisting Content Filtering Internet Quarantine

6 Worm behavior Content Invariance  Limited polymorphism e.g. encryption  key portions are invariant e.g. decryption routine Content Prevalence  invariant portion appear frequently Address Dispersion  # of infected distinct hosts grow overtime  reflecting different source and dest. addresses

7 Key Idea Detect unknown worms on the basis of  A common exploit sequence  Rage of unique sources and destination

8 Content Sifting For each string w, maintain  prevalence(w): Number of times it is found in the network traffic  sources(w): Number of unique sources corresponding to it  destinations(w): Number of unique destinations corresponding to it If thresholds exceeded, then block(w)

9 Issues How to compute prevalence(w), sources(w) and destinations(w) efficiently ? Scalable Low memory and CPU requirements Real time deployment over a Gigabit scale link

10 prevalence(w) w – entire packet  Use multi-stage filters (k-ary sketches?) w – small fixed length b  Rabin fingerprints  Value sampling

11 Value Sampling The problem: s-b+1 substrings Solution: Sample But: Random sampling is not good enough Trick: Sample only those substrings for which the fingerprint matches a certain pattern Since Rabin fingerprints are randomly ditributed, Pr track (x)=1-e -f(x-b+1)

12 sources(w) & destinations(w) Address Dispersion Counting distinct elements vs. repeating elements Simple list or hash table is too expensive Key Idea: Bitmaps Trick : Scaled Bitmaps

13 Direct Bitmap Each content source is hashed into a bitmap, the corresponding bit is set, and an alarm is raised when the number of bits set exceeds a threshold Drawback: lose estimation of actual values of each counter

14 Scaled Bitmap Idea: Subsample the range of hash space How it works?  multiple bitmaps each mapped to progressively smaller and smaller portions of the hash space.  bitmap recycled if necessary. Result Roughly 5 time less memory + actual estimation of address dispersion

15 Putting it together

16 Experience System design: Sensors and Aggregators  sensor sift through traffic on configurable address space zones of responsibility  aggregator coordinates real-time updates from the sensors, coalesces related signatures and so on. Parameters:  content prevalence: 3  address dispersion threshold:30  garbage collection time: several hours

17 prevalence(w) threshold

18 Address Dispersion threshold

19 Garbage Collection threshold

20 Trace-based False Positives

21 Performance Processing time: Memory Consumption: 4M bytes

22 Live Experience Detect known worms: CodeRed, Detect new worms: MyDoom, Sasser, Kibvu.B

23 Limitation & Extension Variant content Network evasion Extension: Dealing with slow worms

24 Comparison EarlybirdAutograph Infect the system with Network Data (real traces) Rabin fingerprint White-list/blacklist No-prefilteringFlow-reassembly Single sensor algorithmics + centralized aggregators Distributed Deployment + active cooperation between multiple sensors On-lineOff-line Overlapping, fixed-length chunks Non-overlapping, variable- length chunks Qinghua Zhang

25 Breather

26 Polygraph: Automatically Generating Signatures For Polymorphic Worms James Newsome, Brad Karp, Dawn Song

27 The case for polymorphic worms Single Substring Insufficient  Sensitive: Should exist in all payload of a worm  Specific: Should be long enough to not exist in any non-worm payload

28 Examples

29 Signature Classes Signature – set of tokens  Conjunction Signatures  Token-subsequence Signatures  Bayes Signatures

30 Problem Formulation

31 Algorithms Preprocessing  Distinct substrings of a minimum length l that occur in at least k samples in suspicious pool Generating signatures  Conjunction signatures  Token Subsequence Signatures  Bayes Signatures

32 Wrap Up Automated Worm Fingerprinting ( OSDI 2004 ) Polygraph: Automatically Generating Signatures For Polymorphic Worms (IEEE Security Symposium 2005) Manan Sanghi

Download ppt "Automated Worm Fingerprinting Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage Manan Sanghi."

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.

New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.
COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.

COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.
A Fast and Compact Method for Unveiling Significant Patterns in High-Speed Networks Tian Bu 1, Jin Cao 1, Aiyou Chen 1, Patrick P. C. Lee 2 Bell Labs,

A Fast and Compact Method for Unveiling Significant Patterns in High-Speed Networks Tian Bu 1, Jin Cao 1, Aiyou Chen 1, Patrick P. C. Lee 2 Bell Labs,
Polygraph: Automatically Generating Signatures for Polymorphic Worms James Newsome *, Brad Karp *†, and Dawn Song * † Intel Research Pittsburgh * Carnegie.

Polygraph: Automatically Generating Signatures for Polymorphic Worms James Newsome *, Brad Karp *†, and Dawn Song * † Intel Research Pittsburgh * Carnegie.
Worm Origin Identification Using Random Moonwalks Yinglian Xie, V. Sekar, D. A. Maltz, M. K. Reiter, Hui Zhang 2005 IEEE Symposium on Security and Privacy.

Worm Origin Identification Using Random Moonwalks Yinglian Xie, V. Sekar, D. A. Maltz, M. K. Reiter, Hui Zhang 2005 IEEE Symposium on Security and Privacy.
11 Packet Sampling for Worm and Botnet Detection in TCP Connections Reporter: 林佳宜 2010/10/25.

11 Packet Sampling for Worm and Botnet Detection in TCP Connections Reporter: 林佳宜 /10/25.
CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Automated Worm Fingerprinting Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage Presenter:

CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Automated Worm Fingerprinting Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage Presenter:
SKELETON BASED PERFORMANCE PREDICTION ON SHARED NETWORKS Sukhdeep Sodhi Microsoft Corp Jaspal Subhlok University of Houston.

SKELETON BASED PERFORMANCE PREDICTION ON SHARED NETWORKS Sukhdeep Sodhi Microsoft Corp Jaspal Subhlok University of Houston.
Automated Worm Fingerprinting [Singh, Estan et al] Internet Quarantine: Requirements for Self- Propagating Code [Moore, Shannon et al] David W. Hill CSCI.

Automated Worm Fingerprinting [Singh, Estan et al] Internet Quarantine: Requirements for Self- Propagating Code [Moore, Shannon et al] David W. Hill CSCI.
 Looked at some research approaches to: o Evaluate defense effectiveness o Stop worm from spreading from a given host o Defend a circle of friends against.

 Looked at some research approaches to: o Evaluate defense effectiveness o Stop worm from spreading from a given host o Defend a circle of friends against.
 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.

 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.
1 Reversible Sketches for Efficient and Accurate Change Detection over Network Data Streams Robert Schweller Ashish Gupta Elliot Parsons Yan Chen Computer.

1 Reversible Sketches for Efficient and Accurate Change Detection over Network Data Streams Robert Schweller Ashish Gupta Elliot Parsons Yan Chen Computer.
Usenix Security 2004 Autograph Toward Automated, Distributed Worm Signature Detection Hyang-Ah KimBrad Karp Carnegie Mellon UniversityIntel Research &

Usenix Security 2004 Autograph Toward Automated, Distributed Worm Signature Detection Hyang-Ah KimBrad Karp Carnegie Mellon UniversityIntel Research &
Worms: Taxonomy and Detection Mark Shaneck 2/6/2004.

Worms: Taxonomy and Detection Mark Shaneck 2/6/2004.
Payload Attribution via Hierarchical Bloom Filters

Payload Attribution via Hierarchical Bloom Filters
“On Scalable Attack Detection in the Network” Ramana Rao Kompella, Sumeet Singh, and George Varghese Presented by Nadine Sundquist.

“On Scalable Attack Detection in the Network” Ramana Rao Kompella, Sumeet Singh, and George Varghese Presented by Nadine Sundquist.
Worm Defense. Outline  Internet Quarantine: Requirements for Containing Self-Propagating Code  Netbait: a Distributed Worm Detection Service  Midgard.

Worm Defense. Outline  Internet Quarantine: Requirements for Containing Self-Propagating Code  Netbait: a Distributed Worm Detection Service  Midgard.
Autograph Toward Automated, Distributed Worm Signature Detection (Hyang-Ah Kim, Brad Karp) Yunhai & Justin.

Autograph Toward Automated, Distributed Worm Signature Detection (Hyang-Ah Kim, Brad Karp) Yunhai & Justin.
On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic Worm Exploits.

On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic Worm Exploits.

Similar presentations

Ads by Google