Transcript of slides: Worm Detection: Network-internal Mechanisms and Infrastructure
http://www.ist-lobster.org/
Kostas Anagnostakis, FORTH
Worm Detection: Network-internal Mechanisms and Infrastructure
Kostas Anagnostakis
Institute of Computer Science (ICS)
Foundation for Research and Technology – Hellas (FORTH)
Crete, Greece
Talk Roadmap
• Background on worms
  – A brief timeline
  – End system vs. network-level solutions
• Network-level detection mechanisms
  – Scan detection, payload scanning, polymorphic worm detection, shadow honeypots
• Infrastructure efforts
  – The LOBSTER initiative
A brief timeline
• Summer 2001: Code-Red worm
  – Infected 350,000 computers in 24 hours
  – A “proof-of-concept” worm
• January 2003: Sapphire/Slammer worm
  – Infected 75,000 computers in 30 minutes
  – Demonstrated the need for automated defense mechanisms
• March 2004: Witty worm
  – Infected 20,000 computers in 60 minutes
  – A “niche” worm targeting a system deployed on <<0.1% of the Internet
End system vs. network-level solutions
• End-system approach
  – Proactive: “secure by design” is ideal, but very expensive
  – Reactive: end-host firewall, anti-virus, intrusion detection, auto-patching
• Network-level approach
  – Good aggregation properties, centralized control
  – Less accurate
Day-zero worms: scan detection
• Observation: most worms spread by probing (scanning) random targets
• Approach: look for an unusually large number of failed connection attempts from a single source
• Advantages: relatively cheap (no content inspection), application-independent
• Disadvantages: not foolproof: stealthier (slow or low-rate) scans are possible, or no scans at all (hitlist worms); also susceptible to false positives (e.g. a legitimate client retrying against unreachable peers)
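The counting rule described above can be made precise with a sequential hypothesis test over each source's first-contact connections (the Threshold Random Walk idea). The following is an added example written for this transcript, not code from the talk or from FORTH; the success probabilities, the false-positive and detection-rate targets, and the sample connection records are all assumptions chosen for illustration.

```python
import math
from collections import defaultdict

# Constructed sample of connection attempts: (source, destination, outcome).
# Hand-written for the example, not captured traffic.
EVENTS = [
    ("10.0.0.5", "192.0.2.1", "fail"),
    ("10.0.0.5", "192.0.2.2", "fail"),
    ("10.0.0.5", "192.0.2.3", "fail"),
    ("10.0.0.5", "192.0.2.4", "fail"),
    ("10.0.0.5", "192.0.2.5", "fail"),     # random scanner: failures pile up
    ("10.0.0.7", "192.0.2.10", "ok"),
    ("10.0.0.7", "192.0.2.10", "ok"),      # repeat contact: not counted again
    ("10.0.0.7", "192.0.2.11", "ok"),
    ("10.0.0.7", "192.0.2.12", "fail"),    # one failure does not condemn a host
    ("10.0.0.7", "192.0.2.13", "ok"),
    ("10.0.0.7", "192.0.2.14", "ok"),
    ("10.0.0.7", "192.0.2.15", "ok"),
    ("10.0.0.9", "192.0.2.20", "fail"),
    ("10.0.0.9", "192.0.2.21", "ok"),      # too little evidence either way
]

# Model parameters (assumed): probability that a first contact succeeds
THETA0 = 0.8   # ... for a benign source
THETA1 = 0.2   # ... for a scanner
ALPHA = 0.01   # tolerated probability of flagging a benign source
BETA = 0.99    # desired probability of flagging a real scanner


def trw_classify(events, theta0=THETA0, theta1=THETA1, alpha=ALPHA, beta=BETA):
    """Per-source sequential test over first-contact outcomes.

    Each outcome multiplies a likelihood ratio (kept in log form) by
    P[outcome | scanner] / P[outcome | benign].  The source is declared a
    scanner once the ratio exceeds beta/alpha and benign once it drops below
    (1-beta)/(1-alpha); in between it stays undecided.
    """
    upper = math.log(beta / alpha)                  # ~ +4.6 with the defaults
    lower = math.log((1 - beta) / (1 - alpha))      # ~ -4.6
    step_fail = math.log((1 - theta1) / (1 - theta0))   # log 4
    step_ok = math.log(theta1 / theta0)                 # log 0.25
    seen = defaultdict(set)    # destinations already contacted per source
    llr = defaultdict(float)   # running log-likelihood ratio per source
    verdict = {}
    for src, dst, outcome in events:
        if src in verdict or dst in seen[src]:
            continue           # decided already, or not a first contact
        seen[src].add(dst)
        llr[src] += step_fail if outcome == "fail" else step_ok
        if llr[src] >= upper:
            verdict[src] = "scanner"
        elif llr[src] <= lower:
            verdict[src] = "benign"
    for src in seen:
        verdict.setdefault(src, "undecided")
    return verdict


if __name__ == "__main__":
    for src, v in sorted(trw_classify(EVENTS).items()):
        print(src, v)
```

With these parameters four consecutive failed first contacts are enough to flag a source, while a benign host needs a handful of successes to be cleared, which is why the slide calls the method cheap: no payload is inspected and the per-source state is a counter and a set of contacted addresses. A slow scanner that spaces its probes below the first-contact tracking horizon, or a hitlist worm that never fails, produces no evidence for the test at all.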
Day-zero worms: content fingerprinting
• Observation: when a worm starts spreading, one sees many “similar” packets, with increasing frequency over time
• Approach: keep track of packet “fingerprints”, raise an alarm on a frequency threshold
• Advantages: application-agnostic, automatically provides a worm signature for firewalls/IPS, also works for non-scanning worms
• Disadvantages: worms can change their form to evade detection (polymorphism); possible false positives with P2P traffic and flash crowds
[Several published studies, including FORTH paper at ICC’05]
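The fingerprint-and-threshold approach above, as an added example that is not code from the talk or from the cited papers. It fingerprints every k-byte substring of a payload with a rolling hash and, besides the raw frequency threshold the slide mentions, also requires the substring to have been seen from several sources and to several destinations (address dispersion), which is one standard way to keep a flash crowd (many sources, one destination) from raising an alarm. The window size, thresholds, and the packets are all constructed assumptions.

```python
from collections import defaultdict

WINDOW = 8       # bytes per fingerprinted substring (assumed; deployed systems use ~40)
PREVALENCE = 3   # a substring must have been seen at least this many times ...
DISPERSION = 3   # ... from this many distinct sources and to this many distinct destinations


def fingerprints(payload, k=WINDOW):
    """Yield a rolling hash of every k-byte substring of payload, left to right.

    A polynomial rolling hash stands in for Rabin fingerprinting; the detector
    only needs 'same bytes -> same value'.
    """
    M = (1 << 61) - 1
    B = 257
    if len(payload) < k:
        return
    h = 0
    bk = pow(B, k, M)
    for i, byte in enumerate(payload):
        h = (h * B + byte) % M
        if i >= k:
            h = (h - payload[i - k] * bk) % M   # drop the byte that left the window
        if i >= k - 1:
            yield h


class ContentFingerprintDetector:
    """Tracks prevalence and source/destination dispersion per fingerprint."""

    def __init__(self, prevalence=PREVALENCE, dispersion=DISPERSION, k=WINDOW):
        self.k, self.prevalence, self.dispersion = k, prevalence, dispersion
        self.count = defaultdict(int)
        self.srcs = defaultdict(set)
        self.dsts = defaultdict(set)
        self.alarmed = set()

    def observe(self, src, dst, payload):
        """Feed one packet; return the signatures (byte strings) that fire on it."""
        fired = []
        for i, fp in enumerate(fingerprints(payload, self.k)):
            self.count[fp] += 1
            self.srcs[fp].add(src)
            self.dsts[fp].add(dst)
            if (fp not in self.alarmed
                    and self.count[fp] >= self.prevalence
                    and len(self.srcs[fp]) >= self.dispersion
                    and len(self.dsts[fp]) >= self.dispersion):
                self.alarmed.add(fp)
                fired.append(i)
        # Adjacent firing windows cover one invariant region of the payload:
        # merge them into a contiguous byte string usable as a firewall/IPS rule.
        signatures, start, prev = [], None, None
        for i in fired:
            if start is None:
                start = prev = i
            elif i == prev + 1:
                prev = i
            else:
                signatures.append(payload[start:prev + self.k])
                start = prev = i
        if start is not None:
            signatures.append(payload[start:prev + self.k])
        return signatures


def detect(packets):
    """Run the detector over (src, dst, payload) tuples; return all signatures."""
    det = ContentFingerprintDetector()
    sigs = []
    for src, dst, payload in packets:
        sigs.extend(det.observe(src, dst, payload))
    return sigs


# Constructed traffic: a flash crowd fetching one page, then a toy worm payload.
PAGE = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
WORM = b"\x90\x90\x90\x90\x90\xeb\x10replicate-me!\x00\x00\x00\x00"
PACKETS = [
    ("10.1.1.1", "198.51.100.2", PAGE),
    ("10.1.1.2", "198.51.100.2", PAGE),
    ("10.1.1.3", "198.51.100.2", PAGE),
    ("10.1.1.4", "198.51.100.2", PAGE),   # many sources, ONE destination: no alarm
    ("10.2.0.1", "198.51.100.7", WORM),
    ("10.2.0.2", "198.51.100.8", WORM),
    ("10.2.0.3", "198.51.100.9", WORM),   # many sources AND destinations: alarm
]

if __name__ == "__main__":
    for sig in detect(PACKETS):
        print("signature:", sig)
```

On the third worm packet every window reaches the thresholds at once, so the merged signature is the whole invariant payload; a polymorphic worm that changes every byte except a short decoder would leave only that decoder to fingerprint, which is the limitation the slide lists. Deployed detectors also sample fingerprints rather than keeping one counter per substring, since the state here grows with every distinct 8-byte string seen on the link.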
Day-zero worms: polymorphic sled detection
• Observation: the control-hijacking portion of polymorphic worms (the sled) is exposed even when obfuscated: it looks like code!
• Approach: look for valid instruction sequences in the packet stream
• Advantages: relatively cheap, reasonably accurate
• Disadvantages: only applies to stack-smashing buffer overflow attacks, does not provide a signature
[see FORTH paper at IFIP Security’05]
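The "looks like code" check, as an added example that is not the detector from the cited paper. A sled has to work wherever the hijacked return address lands in it, so the test used here is that decoding from every offset of a window yields a valid instruction chain through the end of the window. The x86 decoder below is deliberately tiny: it knows only fixed-length opcodes without a ModR/M byte and treats everything else as undecodable, which is an assumption made to keep the example short; a real detector uses a full-length disassembler. The minimum sled length and the sample buffers are also assumptions.

```python
# Single-byte x86 instructions: nop, inc/dec/push/pop r32, pusha/popa, BCD
# adjusts, flag operations, cwde/cdq, pushf/popf, ret, leave, int3, cmc.
ONE_BYTE = frozenset(range(0x40, 0x60)) | frozenset(
    [0x90, 0x60, 0x61, 0x27, 0x2F, 0x37, 0x3F, 0xF8, 0xF9, 0xFC, 0xFD,
     0x98, 0x99, 0x9C, 0x9D, 0xC3, 0xC9, 0xCC, 0xF5])
# Opcode followed by one immediate byte: al,imm8 arithmetic, mov r8,imm8,
# push imm8, jmp rel8, jcc rel8.
IMM8 = frozenset([0x04, 0x0C, 0x14, 0x1C, 0x24, 0x2C, 0x34, 0x3C, 0xA8,
                  0x6A, 0xEB]) | frozenset(range(0xB0, 0xB8)) | frozenset(range(0x70, 0x80))
# Opcode followed by a 32-bit immediate: eax,imm32 arithmetic, mov r32,imm32,
# push imm32, call rel32, jmp rel32.
IMM32 = frozenset([0x05, 0x0D, 0x15, 0x1D, 0x25, 0x2D, 0x35, 0x3D, 0xA9,
                   0x68, 0xE8, 0xE9]) | frozenset(range(0xB8, 0xC0))


def insn_len(buf, pos):
    """Length of the instruction at buf[pos], or 0 if it is not decodable
    (unknown opcode in this subset, or it would run past the buffer)."""
    b = buf[pos]
    if b in ONE_BYTE:
        n = 1
    elif b in IMM8:
        n = 2
    elif b in IMM32:
        n = 5
    else:
        return 0
    return n if pos + n <= len(buf) else 0


def valid_chain(buf, start, end):
    """True if decoding from start reaches position >= end without an invalid instruction."""
    pos = start
    while pos < end:
        n = insn_len(buf, pos)
        if n == 0:
            return False
        pos += n
    return True


def find_sled(buf, min_len=16):
    """Offset of the first min_len-byte window that decodes validly from EVERY
    offset inside it (the sled property), or -1 if there is none."""
    for start in range(0, len(buf) - min_len + 1):
        end = start + min_len
        if all(valid_chain(buf, s, end) for s in range(start, end)):
            return start
    return -1


# Constructed inputs: a request line followed by a sled that mixes nops with
# a 5-byte mov (a common way to obfuscate a nop sled), and plain prose.
REQUEST_WITH_SLED = (b"GET / HTTP/1.1\r\n"
                     + b"\x90" * 4 + b"\xb8\x90\x90\x90\x90" + b"\x90" * 7)
PROSE = b"the quick brown fox jumps over it"

if __name__ == "__main__":
    print("sled at", find_sled(REQUEST_WITH_SLED))   # 16
    print("sled at", find_sled(PROSE))               # -1
    print("sled at", find_sled(b"A" * 16))           # 0: uppercase ASCII decodes too
```

The mov at offset 20 is decoded as one 5-byte instruction when entered at its opcode and as four nops when entered in the middle of its immediate, which is exactly what makes it usable as sled filler. The last call shows the accuracy caveat from the slide: bytes 0x41 to 0x5A are `inc`, `dec` and `push` instructions, so a run of upper-case ASCII satisfies the sled property and must be handled by additional rules (the paper's detector is "reasonably", not perfectly, accurate).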
Day-zero worms: shadow honeypots
• Observation: false positives are a real problem for network-level detection
• Approach: validate suspicious traffic by replaying sessions in “shadow honeypots”, instrumented copies of the protected application
• Advantages: zero false positives (an alert needs an actual exploit in the shadow), so network-level detection can be tuned to higher sensitivity
• Disadvantages: potentially huge shadow server farms to cover different types of applications and different versions
[see FORTH paper at USENIX Security’05]
Day-zero worms: shadow honeypots II
• Shadow honeypot implementation: [architecture figure, not reproduced in the transcript]
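The control flow of the two shadow-honeypot slides, as an added example that is not code from the talk or from the paper. A cheap anomaly detector decides which requests are suspicious; those go to an instrumented copy of the service, and only an actual violation there blocks the request, so a detector false positive costs shadow time but never drops traffic. The service, its fixed-size field, the non-printable-byte heuristic and the requests are all constructed assumptions; the instrumentation is modelled as an explicit bound check standing in for what a bounds-checking or memory-safe build of the real code would raise.

```python
import string

PRINTABLE = frozenset(string.printable.encode())
FIELD_LIMIT = 64   # assumed size of a fixed-length field in the protected service


class ShadowViolation(Exception):
    """Raised by the instrumented copy when an exploit is actually attempted."""


def anomaly_score(payload):
    """Network-level heuristic (assumed): fraction of non-printable bytes."""
    if not payload:
        return 0.0
    return sum(1 for b in payload if b not in PRINTABLE) / len(payload)


def extract_name(request):
    """Value of the 'name' query parameter, or empty if absent."""
    if b"name=" not in request:
        return b""
    return request.split(b"name=", 1)[1].split(b"&", 1)[0].split(b" ", 1)[0]


def production_handle(request):
    """Uninstrumented service: copies the field into a fixed-size slot without
    a bound check. Python just grows the bytearray; this stands in for a C
    strcpy() into a stack buffer, which is what the shadow exists to catch."""
    name = extract_name(request)
    slot = bytearray(FIELD_LIMIT)
    slot[:len(name)] = name
    return b"hello " + bytes(slot).rstrip(b"\x00")


def shadow_handle(request):
    """Same code path built with instrumentation (modelled as a bound check).
    It runs against a disposable copy of the service state."""
    name = extract_name(request)
    if len(name) > FIELD_LIMIT:
        raise ShadowViolation("%d bytes written into a %d-byte field"
                              % (len(name), FIELD_LIMIT))
    return production_handle(request)


def dispatch(request, threshold=0.05):
    """Route one request; returns (verdict, data).

    Lowering threshold sends more traffic through the shadow: more coverage,
    more shadow load, still no false positives in what gets blocked.
    """
    if anomaly_score(request) < threshold:
        return "production", production_handle(request)      # not suspicious
    try:
        shadow_handle(request)
    except ShadowViolation:
        # Confirmed exploit: block it. The request itself is the signature
        # that can be handed to the network-level filters.
        return "blocked", request
    # Detector false positive: the shadow ran cleanly, so serve it for real.
    return "production", production_handle(request)


# Constructed requests.
BENIGN = b"GET /?name=alice HTTP/1.0"
UPLOAD = b"POST /upload HTTP/1.0\r\n\r\n" + bytes(range(256))   # binary, harmless
NOP_ATTACK = b"GET /?name=" + b"\x90" * 80 + b" HTTP/1.0"       # overflow, non-printable
ASCII_ATTACK = b"GET /?name=" + b"A" * 100 + b" HTTP/1.0"       # overflow, all printable

if __name__ == "__main__":
    for req in (BENIGN, UPLOAD, NOP_ATTACK, ASCII_ATTACK):
        print(dispatch(req)[0], "/ at full sensitivity:", dispatch(req, threshold=0.0)[0])
```

The binary upload shows the false-positive case absorbed by the shadow, and the all-ASCII overflow shows the coverage limit: at the default threshold it never reaches the shadow and overflows in production, while at `threshold=0.0` everything is shadowed and it is blocked. That trade-off between detector sensitivity and shadow capacity is the point of the "huge shadow server farms" caveat on the previous slide.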
Infrastructure requirements
• Flexibility: deep content inspection, updateability
• High performance: operate at 1 Gbit/s and above
• Ease of use: API and/or scripting
• Scale: larger coverage improves detection
• Cooperation: different providers
• Privacy: outsider and insider threats
Infrastructure: The LOBSTER Initiative
• Project profile:
  – A “Specific Support Action”
  – Funded by the European Commission
  – Two-year effort, started late 2004
• Partners:
  – Research organizations: ICS-FORTH (GR), Vrije Universiteit (NL), TNO Telecom (NL)
  – NRNs/ISPs, associations: CESNET (CZ), UNINETT (NO), FORTHNET (GR), TERENA (NL)
  – Industrial partners: ALCATEL (FR), Endace (UK)
The LOBSTER infrastructure
• A distributed system of passive monitoring sensors
• Focus on cooperation
  – Share raw and preprocessed data
  – Correlate results
• Initially three sites
  – UNINETT, CESNET, FORTHnet
• Open participation model
  – Similar to PlanetLab
LOBSTER Engineering Challenges
• Trust: cooperating sensors may not trust each other
  – Configurable privacy and anonymization policies
  – Distinction between internal and external users
  – Audit trail for accountability
• Security: prevent attackers from gaining access to private/confidential data
  – Strong authentication
  – Tamper-proof hardware-level anonymization
• Ease of use: need a common programming environment
  – Use DiMAPI (Distributed Monitoring Application Programming Interface)
  – Extension to MAPI developed within the SCAMPI project
Who can benefit from LOBSTER?
• NRNs/ISPs
  – Better Internet traffic monitoring of their networks
  – Better understanding of their interactions with other NRNs/ISPs
• Security analysts and researchers
  – Access to anonymized data
  – Access to a “safe” testbed
  – Study trends and validate research results
• Network and security administrators
  – Access to a traffic monitoring infrastructure
  – Access to early-warning systems
  – Access to software and tools
Concluding remarks
• Network-level detection is necessary, but hard to get right
• Many promising proposals for detection mechanisms, still waiting to be field-tested and deployed
• An “arms race” between attacks and defenses is likely
• Need a large-scale, distributed, passive network monitoring infrastructure
• The EC-funded LOBSTER initiative is a first step in this direction