Automated Worm Fingerprinting
Authors: Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage. Published at OSDI'04. Presenter: YanYan Wang.
Introduction
Recent large-scale Internet worms pose a profound threat.
Traditional detection methods are usually expensive and slow.
This paper investigates Earlybird, a system that automatically detects and contains new worms on the network using precise content signatures.
Existing Detection Techniques
Scan detection. Example: Code Red. Network telescope: passive network monitors that observe large ranges of unused, yet routable, address space.
Assumption: worms select their target victims at random.
Limitation: not suited to worms that do not spread randomly.
Existing Detection Techniques
Honeypots: monitoring idle hosts with unpatched vulnerabilities.
Limitations: requires a significant amount of slow manual analysis, and depends on the honeypot being infected quickly.
Existing Detection Techniques
Behavioral techniques at end hosts: dynamically analyze the patterns of system calls for anomalous activity.
Limitations: expensive, and only detects attacks against a single host.
Characterization
A priori vulnerability signatures: match known exploitable vulnerabilities in deployed software.
Automated signature extraction: infect decoy programs in a controlled environment and identify invariant code strings.
Autograph: the system most closely related to Earlybird; it also derives signatures from content that is prevalent on the network.
Containment
Goal: to slow or stop the spread of an active worm.
Host quarantine: prevent an infected host from communicating with other hosts.
String matching: match network traffic against particular strings, or signatures.
Connection throttling: limit the rate of all outgoing connections made by a machine; this slows the worm but does not stop it.
Worm Behavior
Content invariance: the worm program is identical across every host it infects, though some worms have limited polymorphism.
Content prevalence: because the same invariant content is repeated on every infection, it becomes prevalent on the network; content that is not prevalent is not useful for constructing signatures.
Address dispersion: the number of infected hosts grows over time, so worm content is sent between many distinct source and destination addresses.
Finding Worm Signatures: Content Sifting
For each packet: extract the content and process its substrings. Index each substring into a prevalence table. Each table entry also records the source and destination IP addresses seen with that substring. Sort the table by prevalence and address dispersion; substrings that score high on both are candidate worm signatures.
Finding Worm Signatures: Content Sifting
Problem: a full prevalence table consumes a huge amount of memory. Solution: multistage filters.
Finding Worm Signatures: Content Sifting
Address dispersion: trade precision for dramatic reductions in memory with scaled bitmaps. Example: to count up to 64 sources using 32 bits, hash sources into a space from 0 to 63 yet only set bits for values that hash between 0 and 31, thus ignoring half of the sources and scaling the resulting estimate up accordingly.
Finding Worm Signatures: Content Sifting
Processing every payload substring requires significant CPU: value sampling selects only those substrings whose fingerprint matches a certain pattern. Example: if f is the fraction of substrings tracked (e.g. f = 1/64 if we track the substrings whose Rabin fingerprint ends in 6 zero bits), then a worm whose invariant signature is x bytes long contains x − 40 + 1 distinct 40-byte substrings, and the probability that at least one of them is tracked is 1 − (1 − f)^(x − 40 + 1).
With f = 1/64 and 40-byte substrings, the probability of tracking a worm with a signature of 100 bytes is 55%, but for a worm with a signature of 200 bytes it increases to 92%, and for 400 bytes to 99.64%.
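Added example, not code from the slides or from the paper's implementation: a rolling-fingerprint value sampler for the 40-byte substrings described above, together with the detection-probability formula. The paper uses Rabin fingerprints (polynomials over GF(2)); this example substitutes a Rabin-Karp style polynomial hash modulo the Mersenne prime 2^61 − 1 (BASE and MOD are my choices), which keeps the property that matters here: the decision to keep a substring depends only on its bytes, so every sensor samples the same substrings of a worm body wherever it sits in a packet. The window length 40, the 6-zero-bit selection pattern (f = 1/64) and the embedded test payloads are constructed for the demo.

```python
"""Value sampling of fixed-width payload substrings (added example, not the paper's code).

Assumption: a Rabin-Karp style rolling polynomial hash modulo 2**61 - 1 stands in
for the paper's GF(2) Rabin fingerprint. BASE and MOD are arbitrary choices.
"""
from __future__ import annotations
import random

BETA = 40            # substring (fingerprint window) length in bytes, from the slide
SAMPLE_BITS = 6      # track substrings whose fingerprint ends in 6 zero bits: f = 1/64
BASE = 257
MOD = (1 << 61) - 1  # Mersenne prime modulus for the rolling hash


def rolling_fingerprints(payload: bytes, beta: int = BETA):
    """Yield (offset, fingerprint) for every beta-byte window of payload.

    fingerprint = sum(b_k * BASE**(beta-1-k)) mod MOD over the window; sliding the
    window by one byte costs O(1) instead of rehashing all beta bytes.
    """
    if len(payload) < beta:
        return
    high = pow(BASE, beta - 1, MOD)       # weight of the byte that leaves the window
    h = 0
    for b in payload[:beta]:
        h = (h * BASE + b) % MOD
    yield 0, h
    for i in range(beta, len(payload)):
        h = ((h - payload[i - beta] * high) * BASE + payload[i]) % MOD
        yield i - beta + 1, h


def sampled_substrings(payload: bytes, beta: int = BETA,
                       sample_bits: int = SAMPLE_BITS) -> list[tuple[int, bytes]]:
    """Return the (offset, substring) pairs selected by value sampling.

    Selection depends only on the substring's bytes, so the same worm body is
    sampled identically wherever it appears and whichever sensor sees it.
    """
    mask = (1 << sample_bits) - 1
    return [(off, payload[off:off + beta])
            for off, fp in rolling_fingerprints(payload, beta)
            if fp & mask == 0]


def detection_probability(x: int, f: float = 1 / 64, beta: int = BETA) -> float:
    """P(at least one of the x-beta+1 substrings of an x-byte invariant string is tracked).

    Each substring is kept independently with probability f, hence 1 - (1-f)**(x-beta+1).
    """
    if x < beta:
        return 0.0
    return 1.0 - (1.0 - f) ** (x - beta + 1)


def constructed_payloads() -> tuple[bytes, bytes, bytes]:
    """Constructed test data: a 1000-byte 'worm body' embedded at two different offsets."""
    rng = random.Random(2004)
    worm = bytes(rng.getrandbits(8) for _ in range(1000))
    packet_a = b"GET /a.html " + worm + b"\r\n\r\n"
    packet_b = b"POST /cgi-bin/x " + worm
    return worm, packet_a, packet_b


def sampling_fraction(n_bytes: int = 20000) -> float:
    """Observed fraction of windows kept on random data; should be close to f = 1/64."""
    rng = random.Random(7)
    data = bytes(rng.getrandbits(8) for _ in range(n_bytes))
    return len(sampled_substrings(data)) / (n_bytes - BETA + 1)


if __name__ == "__main__":
    worm, a, b = constructed_payloads()
    kept_a = {s for _, s in sampled_substrings(a)}
    kept_b = {s for _, s in sampled_substrings(b)}
    print("worm substrings sampled in both packets:",
          len({s for _, s in sampled_substrings(worm)} & kept_a & kept_b))
    for x in (100, 200, 400):
        print(f"signature length {x}: P(tracked) = {detection_probability(x):.4f}")
```

Evaluating the formula reproduces the slide's 200-byte (92.1%) and 400-byte (99.66%) figures, but the 100-byte case comes out at about 61.7% rather than the 55% quoted, so treat that one number with caution. Value sampling only reduces per-packet work; it does not change which bytes are invariant, and a worm with only a few dozen bytes of invariant content has a real chance of never being sampled at f = 1/64.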
Practical Content Sifting: Earlybird (packet granularity)
Earlybird
As each packet arrives, its content (or substrings of its content) is hashed, and the hash is appended with the protocol identifier and destination port to produce a content hash code. Two hashing options: a 32-bit cyclic redundancy check (CRC) over the whole payload, or 40-byte Rabin fingerprints for substring hashes.
Earlybird
If the content hash is not found in the dispersion table, it is indexed into the content prevalence table, a multistage filter: 4 independent hash functions create indexes into 4 counter arrays, and each indexed counter is incremented. Only when all 4 counters exceed the prevalence threshold is an entry created in the dispersion table, which then tracks the distinct source and destination addresses for that content.
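Added example (Python; not the paper's or the slides' code) that puts the pieces of the Earlybird pipeline together for one packet stream: the content hash code (payload hash plus protocol and destination port), a multistage filter with 4 hash functions and 4 counter arrays for content prevalence, and the scaled bitmaps of the earlier address-dispersion slide (hash into 64 values, keep the 32 in the lower half, scale the linear-counting estimate by 2) for source and destination dispersion. The thresholds, array sizes, the BLAKE2b-based hashes standing in for the paper's CRC and Rabin fingerprints, and the traffic are all constructed assumptions. The traffic contrasts a worm body sent between many distinct hosts with an equally popular benign request that many clients send to one server: both are prevalent, but only the worm is dispersed in both source and destination addresses.

```python
"""Content sifting: multistage filter + scaled bitmaps (added example, not the paper's code).
Assumptions: thresholds, array sizes and the BLAKE2b-based hashes are illustrative; the paper's
sensor uses a 32-bit CRC or 40-byte Rabin fingerprints for the content hash."""
from __future__ import annotations
import hashlib
import math

STAGES, STAGE_SIZE = 4, 4096   # 4 hash functions -> 4 counter arrays (slide); array size assumed
PREVALENCE_T = 3               # repetitions before content is tracked for dispersion (assumption)
DISPERSION_T = 30              # distinct sources AND destinations needed to report (assumption)

def _h(data: bytes, salt: int) -> int:
    """Independent 64-bit hashes from one primitive: the salt selects the function."""
    return int.from_bytes(hashlib.blake2b(data, digest_size=8, salt=salt.to_bytes(16, "little")).digest(), "little")

def content_key(content: bytes, proto: int, dport: int) -> bytes:
    """Content hash code: hash(content) || protocol || destination port."""
    return hashlib.blake2b(content, digest_size=8).digest() + bytes([proto]) + dport.to_bytes(2, "big")

class MultistageFilter:
    """Prevalence table in fixed memory: one counter per stage per key, estimate = min over stages
    (collisions only over-count). Conservative update bumps only counters equal to that minimum."""
    def __init__(self, stages: int = STAGES, size: int = STAGE_SIZE):
        self.counters = [[0] * size for _ in range(stages)]
        self.size = size
    def _slots(self, key: bytes) -> list[tuple[int, int]]:
        return [(s, _h(key, s + 1) % self.size) for s in range(len(self.counters))]
    def add(self, key: bytes) -> int:
        slots = self._slots(key)
        low = min(self.counters[s][i] for s, i in slots)
        for s, i in slots:
            if self.counters[s][i] == low:
                self.counters[s][i] = low + 1
        return low + 1
    def estimate(self, key: bytes) -> int:
        return min(self.counters[s][i] for s, i in self._slots(key))

class ScaledBitmap:
    """Distinct-address counter in `bits` bits: hash into bits*scale values, set a bit only for the
    1/scale that land below `bits` (slide: 64 values, 32 bits), scale the linear-counting estimate up."""
    def __init__(self, bits: int = 32, scale: int = 2):
        self.bits, self.scale, self.bitmap = bits, scale, 0
    def add(self, addr: str) -> None:
        v = _h(addr.encode(), 0xA5) % (self.bits * self.scale)
        if v < self.bits:
            self.bitmap |= 1 << v
    def estimate(self) -> float:
        zeros = self.bits - bin(self.bitmap).count("1")
        if zeros == 0:
            return math.inf                  # saturated: more than the bitmap can express
        return self.scale * self.bits * math.log(self.bits / zeros)

class DispersionEntry:
    def __init__(self) -> None:
        self.sources, self.dests, self.reported = ScaledBitmap(), ScaledBitmap(), False

class Earlybird:
    def __init__(self) -> None:
        self.prevalence = MultistageFilter()
        self.dispersion: dict[bytes, DispersionEntry] = {}
        self.signatures: list[bytes] = []
    def process(self, src: str, dst: str, proto: int, dport: int, content: bytes) -> bool:
        """Sift one packet; True when it pushes `content` over both dispersion thresholds."""
        key = content_key(content, proto, dport)
        entry = self.dispersion.get(key)
        if entry is None:
            # Not in the dispersion table yet: count it in the prevalence filter first.
            if self.prevalence.add(key) < PREVALENCE_T:
                return False
            entry = self.dispersion[key] = DispersionEntry()
        entry.sources.add(src)
        entry.dests.add(dst)
        if (not entry.reported and entry.sources.estimate() >= DISPERSION_T
                and entry.dests.estimate() >= DISPERSION_T):
            entry.reported = True
            self.signatures.append(content)
            return True
        return False

def run_demo(hosts: int = 80) -> dict[str, bool]:
    """Constructed traffic: a worm body hopping host-to-host vs. a popular benign request."""
    eb = Earlybird()
    worm = b"\x90" * 16 + b"CONSTRUCTED-EXPLOIT-BODY-FOR-DEMO" + b"\xcc" * 16
    benign = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    worm_hit = benign_hit = False
    for i in range(hosts):
        # worm: infected host i hits a fresh victim -> many sources AND many destinations
        worm_hit |= eb.process(f"10.0.{i // 256}.{i % 256}", f"172.16.{i // 256}.{i % 256}", 6, 445, worm)
        # benign: many clients fetch one page from ONE server -> many sources, a single destination
        benign_hit |= eb.process(f"192.168.{i // 256}.{i % 256}", "203.0.113.10", 6, 80, benign)
    return {"worm_reported": worm_hit, "benign_reported": benign_hit}

if __name__ == "__main__":
    print(run_demo())
```

The benign request is seen just as often as the worm body and from just as many clients, yet it is never reported because its destination bitmap only ever holds one address; requiring dispersion on both sides is what separates a popular page from a spreading worm. Note what the sifting does not see: any content that is prevalent and dispersed in both directions gets reported regardless of what it is, which is why the improvement slide at the end asks for comparing candidate signatures against an existing traffic corpus.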
Prototype System: Earlybird
Sensor: sifts through traffic on configurable address-space "zones" of responsibility and reports anomalous signatures.
Aggregator: coordinates real-time updates from the sensors, coalesces related signatures, activates any network-level or host-level blocking services, and is responsible for administrative reporting and control.
The sensor is single-threaded, executes at user level, and captures packets using the libpcap library.
[Slides 20 to 24 contain figures only; no text was recovered.]
What is the paper's contribution?
A combination of existing and novel algorithms for content sifting.
Low memory and CPU requirements.
What are the paper's weaknesses?
Depends on invariant content: attackers can design worms whose content varies from one infection to the next.
Attackers can evade detection with polymorphic or metamorphic worms and with traditional IDS evasion techniques such as fragmentation.
Assumes worms spread within a bounded time: a worm that spreads slowly can stay below the dispersion thresholds.
Automated containment can itself be abused: attackers can craft traffic that triggers the worm defense so that it blocks legitimate content.
How to improve the paper?
Hybrid pattern matching: separate non-code strings from potential exploit code.
Investigate traffic normalization.
Maintain triggering data across multiple time scales.
Develop efficient mechanisms for comparing candidate signatures against an existing traffic corpus.