
DoWitcher: Effective Worm Detection and Containment in the Internet Core. S. Ranjan et al., INFOCOM 2007. Presented by: Sailesh Kumar.


1 DoWitcher: Effective Worm Detection and Containment in the Internet Core
  S. Ranjan et al., INFOCOM 2007
  Presented by: Sailesh Kumar

2 Worm Detection (Sailesh Kumar - 10/15/2015)
- Two well-known approaches
  - Content filtering
    - Parse the packet payload and match it against known signatures
    - On-line => quick detection
    - Effective for known threats
    - Problem: effective only for known threats; parses the entire data stream, so not efficient
  - Anomaly detection
    - Examine the distribution of layer-4 features
    - The presence of a worm disturbs the normal statistical characteristics
    - Detect such changes by Principal Component Analysis or Residual State Analysis
    - Off-line => slow detection
    - Problem: off-line algorithms, slow
    - Paper claims that such methods are robust, which may not be true!

3 DoWitcher
- DoWitcher is a hybrid of these two approaches
- Objective
  - Avoid parsing the payload of all flows
  - Perform anomaly detection on-line
- Solution
  - First examine layer-4 traffic features to identify an anomaly
  - Generate a flow filter mask to identify the anomalous flows
  - Create a payload signature of these anomalous flows
  - Perform payload inspection of the anomalous flows only

4 DoWitcher Architecture (labels from the architecture diagram)
- Multiple DLAs deployed in the network
- Flow reconstruction
- Key feature extraction
- Send this information to the GLA
- GLA sends the policy to the DLA, which then begins complete payload extraction
- Extract histograms of the key features and compute entropies
- Group all entropies into a single PMER metric
- Profile normal traffic and generate alerts on deviation from the profile
- Compose a policy rule for the worm activity (flow filter)

5 DoWitcher Architecture
- Extract the following features
  - Source ip_address
  - Source port
  - Destination ip_address
  - Destination port
  - Flow_size
- Attack
  - Scanning: the distribution of source_ip will be skewed towards the scanning host's IP
  - Scanning: generally the destination port is also skewed
    - Sapphire worm: destination port 1434
    - Code Red worm: destination port 80
    - Welchia worm: destination port 135
  - The Flow_size histogram also gets skewed towards the flow size used by the worm

6 Per Feature Entropy Computation
- Use entropy to detect changes in a feature histogram
  - Monitor feature X of a set of flows A
  - Let M_X(x) be the frequency distribution of feature X
    - i.e. the number of times we see an element x ∈ X
    - In time window i, M_X^i(x) = {x_i}
  - Empirical probability distribution
    - P_X^i(x) = {p_X^i(x) | p_X^i(x) = x_i / m_X}, where m_X = Σ x_i
  - Information entropy
    - Low entropy indicates high probability on a few elements (concentrated usage of some port, high traffic from some source)
    - High entropy indicates more uniform usage (random scan of destination IPs, variable source ports)
    - H_X^i lies between 0 and an upper bound determined by N_X, the maximum number of distinct values of X
    - Normalize H_X^i by that bound; the result is called the Relative Uncertainty (RU) of X
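The per-feature computation on slide 6, applied to the five features listed on slide 5, as an added example (this is not code from the DoWitcher paper or from the slides). It builds the histogram M_X(x) of each feature over one window of flows, turns it into the empirical distribution p(x) = x_i / m_X, computes the Shannon entropy and normalizes it to a Relative Uncertainty in [0, 1]. The normalizing bound log2(min(N_X, m)), the value-space sizes N_X, the flow records and the scan burst are all assumptions constructed for the example:

```python
"""Per-feature entropy and Relative Uncertainty (RU) over a window of flows.

Added example, not code from the DoWitcher paper or these slides.
Assumptions: entropy in bits; RU = H_X / log2(min(N_X, m)) with N_X the size
of the feature's value space and m the number of flows in the window. The
flow records and the scan burst below are constructed.
"""
import math
from collections import Counter

FEATURES = ("src_ip", "src_port", "dst_ip", "dst_port", "flow_size")

# Assumed value-space sizes N_X: IPv4 addresses, 16-bit ports, and a nominal
# cap for flow sizes. For small windows only min(N_X, m) matters.
N_X = {"src_ip": 2 ** 32, "src_port": 2 ** 16, "dst_ip": 2 ** 32,
       "dst_port": 2 ** 16, "flow_size": 2 ** 32}


def feature_histogram(flows, feature):
    """M_X(x): number of flows in the window carrying each value x of X."""
    return Counter(flow[feature] for flow in flows)


def entropy_bits(hist):
    """Shannon entropy of the empirical distribution p(x) = count / total."""
    m = sum(hist.values())
    # "or 0.0" turns the -0.0 produced by a single-valued histogram into 0.0
    return -sum((c / m) * math.log2(c / m) for c in hist.values() if c) or 0.0


def relative_uncertainty(hist, feature):
    """RU = H_X / log2(min(N_X, m)); 0 when the window cannot vary at all."""
    m = sum(hist.values())
    bound = math.log2(min(N_X[feature], m)) if m > 1 else 0.0
    return entropy_bits(hist) / bound if bound > 0 else 0.0


def window_ru(flows):
    """RU of every monitored feature for one window of flows."""
    return {f: relative_uncertainty(feature_histogram(flows, f), f)
            for f in FEATURES}


def make_flow(src_ip, src_port, dst_ip, dst_port, flow_size):
    return dict(zip(FEATURES, (src_ip, src_port, dst_ip, dst_port, flow_size)))


def normal_window(n=20):
    """Constructed baseline: many clients talking to a few servers on common ports."""
    return [make_flow(f"10.0.0.{i}", 40000 + i, f"192.0.2.{i % 5}",
                      (80, 443, 53, 22)[i % 4], (500, 1500, 3000, 800, 12000)[i % 5])
            for i in range(n)]


def scan_window(n=20):
    """Constructed scan burst: one host probing many destinations on one port
    with one payload size (the shape slide 5 attributes to scanning worms)."""
    return [make_flow("10.0.0.7", 40000 + i, f"198.51.100.{i}", 1434, 404)
            for i in range(n)]


def concentrated_features(ru_before, ru_after):
    """Features whose RU dropped between two windows, i.e. whose histogram
    became concentrated on a few values (the cue slide 9 keys on)."""
    return sorted(f for f in FEATURES if ru_after[f] < ru_before[f])


if __name__ == "__main__":
    before, after = window_ru(normal_window()), window_ru(scan_window())
    for f in FEATURES:
        print(f"{f:10s} normal RU={before[f]:.3f}  scan RU={after[f]:.3f}")
    print("concentrated:", concentrated_features(before, after))
```

In the constructed scan window the source IP, destination port and flow size collapse to RU 0 while destination IP rises to RU 1, which is exactly the two-feature divergence slide 7 builds on; source port stays uniform, so a detector that watched one feature alone would miss half of the signal.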

7 PMER Computation
- During a worm outbreak, the Relative Uncertainties of at least two of the five features diverge [5].
- Use PMER (Pair-wise Marginal Entropy Ratio)
  - F denotes the set of features (|F| = 5)
  - (X, Y) denotes a pair of different features
  - R_XY: the instantaneous ratio between two marginal RUs
  - Average R_XY over the last N_S time windows
- PMER is the maximum over all feature pairs (X, Y) of the ratio between the marginal RUs (H_X, H_Y) and its average computed over the last N_S time windows.
  - It is the maximum divergence from normal behavior over all feature pairs

8 Profiling
- When to alert
  - Requires profiling normal traffic
  - Timeline in the slide figure: learn for T_W samples (wait for W samples); compute R_W, R_{W+1}, R_{W+2}, ... and keep computing; maintain a running average; then begin operation and report an anomaly if the alert condition (shown only in the figure) holds
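The PMER metric of slide 7 together with the learn-then-operate profile of slide 8, as one added example (not code from the DoWitcher paper or the slides). Each window is summarized by its five RU values; for every ordered pair of distinct features the ratio R_XY is compared with its average over the last N_S windows, and PMER is the largest such ratio. The alert threshold, the epsilon floor on RU values, the policy that alerting windows do not update the baseline, and the RU series itself are assumptions constructed for the example, since the slide gives the alert condition only in a figure:

```python
"""PMER scoring and the learn-then-detect profile from slides 7 and 8.

Added example, not code from the DoWitcher paper or these slides.
Assumptions: a learning phase of W windows before any alert; an alert when
PMER exceeds a fixed threshold; RU floored at a small epsilon so a feature
collapsing to RU = 0 yields a large finite ratio rather than a division
error; alerting windows do not refine the baseline. The RU series is constructed.
"""
from itertools import permutations

FEATURES = ("src_ip", "src_port", "dst_ip", "dst_port", "flow_size")
EPS = 1e-3  # floor for RU values (assumption); keeps every ratio finite


def pair_ratios(ru):
    """R_XY for every ordered pair (X, Y), X != Y. Both orders are kept so a
    falling ratio shows up as a rising one for the reversed pair."""
    return {(x, y): max(ru[x], EPS) / max(ru[y], EPS)
            for x, y in permutations(FEATURES, 2)}


def pmer(ratios, history):
    """Max over pairs of R_XY^i divided by its mean over the last N_S windows."""
    score = 0.0
    for pair, r in ratios.items():
        avg = sum(h[pair] for h in history) / len(history)
        score = max(score, r / avg)
    return score


class PmerDetector:
    def __init__(self, warmup_windows=4, n_s=4, threshold=3.0):
        self.warmup = warmup_windows  # W: windows to learn before operating
        self.n_s = n_s                # N_S: windows in the running average
        self.threshold = threshold    # alert level (assumption)
        self.history = []             # ratio dicts of the last N_S normal windows
        self.seen = 0

    def _remember(self, ratios):
        self.history.append(ratios)
        del self.history[:-self.n_s]  # keep only the last N_S windows

    def observe(self, ru):
        """Feed one window's RU vector. Returns (pmer, alert); pmer is None
        while the detector is still learning the normal profile."""
        ratios = pair_ratios(ru)
        self.seen += 1
        if self.seen <= self.warmup:
            self._remember(ratios)
            return None, False
        score = pmer(ratios, self.history)
        alert = score > self.threshold
        if not alert:
            self._remember(ratios)  # only normal windows refine the baseline
        return score, alert


def constructed_series():
    """Six near-identical normal windows, then one scan window in which the
    source-IP, destination-port and flow-size RUs collapse while the
    destination-IP RU rises (the slide-5 scanning pattern). Constructed data."""
    base = {"src_ip": 0.95, "src_port": 0.98, "dst_ip": 0.55,
            "dst_port": 0.45, "flow_size": 0.50}
    normal = [{f: v + ((i % 3) - 1) * 0.01 for f, v in base.items()}
              for i in range(6)]
    scan = {"src_ip": 0.05, "src_port": 0.98, "dst_ip": 0.95,
            "dst_port": 0.05, "flow_size": 0.05}
    return normal + [scan]


def run(series, **kwargs):
    """Feed a whole RU series through one detector; list of (pmer, alert)."""
    det = PmerDetector(**kwargs)
    return [det.observe(ru) for ru in series]


if __name__ == "__main__":
    for i, (score, alert) in enumerate(run(constructed_series())):
        shown = "learning" if score is None else f"{score:.2f}"
        print(f"window {i}: pmer={shown} alert={alert}")
```

With the constructed series the normal windows after warm-up score close to 1 and the scan window scores above 30, driven by the dst_ip/src_ip pair; the ordered pairs matter because a ratio that falls for (X, Y) rises for (Y, X), so a single max over ordered pairs captures divergence in both directions. Holding the baseline fixed during an alert is the design choice that keeps a sustained outbreak from being learned as normal.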

9 Flow Filter Mask Generation
- On an alert, what to do?
  - Which flows are misbehaving?
  - Which features are anomalous?
- The R_i will tell us which two features are involved
  - Of the two, consider only the feature whose RU has decreased
    - That feature's histogram is now concentrated around a few elements
    - How to identify these elements?
    - Apply the relative entropy technique to the feature's histogram
    - Isolate the k dominant elements of the anomalous feature
      - e.g. k source IP addresses
- Once the k dominant elements of the anomalous feature are identified
  - Identify the k dominant elements of the other features ?????
  - Intersect these and generate the filter
  - ?????
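The flow filter mask generation of slide 9, as an added example (not code from the DoWitcher paper or the slides). Given a baseline histogram and an anomalous-window histogram of the feature whose RU dropped, it ranks values by their contribution to the relative entropy D(P_anom || P_base) and keeps the k dominant ones. The slide leaves the step for the other features as question marks; the assumption made here is that the partner feature's dominant values are taken only from flows that already carry a dominant value of the anomalous feature, and that the filter is the set of (anomalous value, partner value) pairs. The pseudo-count for values missing from the baseline, the flow records and the choice of partner feature are also constructed assumptions:

```python
"""Flow filter mask generation from slide 9.

Added example, not code from the DoWitcher paper or these slides.
Assumptions: dominant elements are ranked by their term in the relative
entropy sum; values absent from the baseline receive a pseudo-count; the
partner feature's dominant values are taken from the suspect flows only; the
mask is a set of (anomalous value, partner value) pairs. Flows are constructed.
"""
import math
from collections import Counter


def histogram(flows, feature):
    return Counter(f[feature] for f in flows)


def dominant_elements(base_hist, anom_hist, k, pseudo=0.5):
    """Up to k values of the anomalous window contributing most to the relative
    entropy sum p(x) * log2(p(x) / q(x)). Only positive terms qualify: a value
    that is rarer than in the baseline cannot be "dominant", so a large k does
    not pull benign values into the filter. Pseudo-count keeps q(x) > 0."""
    m_anom = sum(anom_hist.values())
    m_base = sum(base_hist.values()) + pseudo * len(anom_hist)
    contrib = {}
    for x, c in anom_hist.items():
        p = c / m_anom
        q = (base_hist.get(x, 0) + pseudo) / m_base
        contrib[x] = p * math.log2(p / q)
    ranked = sorted(contrib, key=lambda x: (-contrib[x], str(x)))
    return [x for x in ranked if contrib[x] > 0][:k]


def flow_filter(base_flows, anom_flows, anomalous, partner, k=1):
    """Filter mask: set of (anomalous-feature value, partner-feature value)
    pairs actually observed together in the suspect flows."""
    dominant = dominant_elements(histogram(base_flows, anomalous),
                                 histogram(anom_flows, anomalous), k)
    suspects = [f for f in anom_flows if f[anomalous] in dominant]
    partner_vals = [v for v, _ in histogram(suspects, partner).most_common(k)]
    return {(a, b) for a in dominant for b in partner_vals
            if any(f[anomalous] == a and f[partner] == b for f in suspects)}


def matches(mask, flow, anomalous, partner):
    """True when a flow is selected by the mask for payload inspection."""
    return (flow[anomalous], flow[partner]) in mask


def constructed_windows():
    """Baseline window of 20 ordinary flows, and an anomalous window of 16
    scan flows from one host to port 1434 mixed with 4 ordinary flows."""
    base = [{"src_ip": f"10.0.0.{i}", "dst_ip": f"192.0.2.{i % 5}",
             "dst_port": (80, 443, 53, 22)[i % 4]} for i in range(20)]
    scan = [{"src_ip": "10.0.0.7", "dst_ip": f"198.51.100.{i}", "dst_port": 1434}
            for i in range(16)]
    return base, scan + base[:4]


if __name__ == "__main__":
    base, anom = constructed_windows()
    mask = flow_filter(base, anom, "src_ip", "dst_port", k=2)
    selected = [f for f in anom if matches(mask, f, "src_ip", "dst_port")]
    print("filter mask:", mask)
    print(f"{len(selected)} of {len(anom)} anomalous-window flows selected")
```

The host 10.0.0.7 also appears once in the baseline (talking to port 22), so the mask pairs it with the scan port rather than banning the address outright, and the four ordinary flows mixed into the anomalous window fall outside the mask: only the scan flows go on to payload extraction, which is the point of filtering before inspecting.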

10 Signature Generation
- Flow filters are deployed around the network
- Automatic filter generation
  - Identify two flows that match the flow filter
  - Extract their payloads
  - Find their Longest Common Subsequence (LCS)
  - e.g. "computer" and "housetent"
  - Signature may be o.*u.*te
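The LCS-based signature step of slide 10, as an added example (not code from the DoWitcher paper or the slides). It computes the longest common subsequence of two payloads by dynamic programming, keeps the match positions, and emits a regular expression with ".*" wherever two matched characters are not adjacent in both payloads, which reproduces the slide's "computer" / "housetent" -> "o.*u.*te". Treating payloads as str rather than bytes, and the benign samples used for the false-positive check, are assumptions constructed for the example:

```python
"""Payload signature from the Longest Common Subsequence of two flows (slide 10).

Added example, not code from the DoWitcher paper or these slides.
Assumptions: payloads handled as str for readability (real payloads are
bytes); ".*" is emitted between matched characters unless they are adjacent
in both payloads. The benign samples are constructed.
"""
import re


def lcs_alignment(a, b):
    """Return [(i, j, ch)] giving one longest common subsequence of a and b
    with the position of each matched character in both strings."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]  # dp[i][j] = LCS(a[i:], b[j:])
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            if a[i] == b[j]:
                dp[i][j] = dp[i + 1][j + 1] + 1
            else:
                dp[i][j] = max(dp[i + 1][j], dp[i][j + 1])
    i = j = 0
    align = []
    while i < n and j < m:
        if a[i] == b[j]:
            align.append((i, j, a[i]))
            i += 1
            j += 1
        elif dp[i + 1][j] >= dp[i][j + 1]:
            i += 1
        else:
            j += 1
    return align


def lcs_signature(a, b):
    """Regex built from the LCS: literal characters, with '.*' between two
    matches unless they sit next to each other in both payloads."""
    align = lcs_alignment(a, b)
    parts = []
    for idx, (i, j, ch) in enumerate(align):
        if idx:
            pi, pj, _ = align[idx - 1]
            if i - pi > 1 or j - pj > 1:
                parts.append(".*")
        parts.append(re.escape(ch))
    return "".join(parts)


def signature_matches(signature, payload):
    return re.search(signature, payload, re.DOTALL) is not None


def false_positive_rate(signature, benign_payloads):
    """Fraction of benign payloads the signature also matches: the check a
    two-sample LCS signature needs before it is pushed to filters."""
    hits = sum(1 for p in benign_payloads if signature_matches(signature, p))
    return hits / len(benign_payloads)


# Constructed benign payloads for the false-positive check.
BENIGN = ["route table", "hello world", "outer", "GET /index.html HTTP/1.1"]


if __name__ == "__main__":
    sig = lcs_signature("computer", "housetent")
    print("LCS:", "".join(ch for _, _, ch in lcs_alignment("computer", "housetent")))
    print("signature:", sig)
    print("false-positive rate on benign samples:", false_positive_rate(sig, BENIGN))
```

The slide's own example shows the weakness of an LCS over just two payloads: "o.*u.*te" is four letters with wildcards, and it matches half of the constructed benign strings. Measuring that rate against known-good traffic before deploying the signature is the check that separates a usable filter from one that blocks ordinary flows.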

11 Experiments
- Very limited

12 Questions?

