Summary from the Last Lecture

Looked at some research approaches to:
o Evaluate defense effectiveness
o Stop worm from spreading from a given host
o Defend a circle of friends against worms
o Detect the worm early
o Slow-down and impair worm propagation



DOMINO

The goal is to build an overlay network so that nodes cooperatively detect intrusion activity
o Cooperation reduces the number of false positives
Overlay can be used for worm detection
The main feature is active-sink nodes that detect traffic to unused IP addresses
The reaction is to build blacklists of infected nodes

V. Yegneswaran, P. Barford, S. Jha, “Global Intrusion Detection in the DOMINO Overlay System,” NDSS 2004


DOMINO Architecture


DOMINO Architecture

Axis nodes collect, aggregate and share data
o Nodes in large, trustworthy ISPs
o Each node maintains a NIDS and an active sink over a large portion of unused IP space
Access points grant access to axis nodes after thorough administrative checks
Satellite nodes form trees below an axis node, collect information and deliver it to axis nodes, and pull relevant information
Terrestrial nodes supply daily summaries of port scan data


Information Sharing

Every axis node maintains a global and local view of intrusion activity
Periodically a node receives summaries from peers which are used to update the global view
o List of worst offenders grouped per port
o Lists of top scanned ports
RSA is used to authenticate nodes and signed SHA digests are used to ensure message integrity and authenticity


How Many Nodes Do We Need?

40 for port summaries

20 for worst offender list


How Frequent Info Exchange?

Staleness doesn’t matter much but more frequent lists are better to catch worst offenders


How Long Blacklists?

About 1000 IPs are enough


How Close Monitoring Nodes?

Blacklists in the same /16 space are similar: satellites in one /16 space should be grouped under the same axis node, and sets of /16 spaces should be randomly distributed among different axis nodes


SQL Snake Experiments

Slow worm propagated in May 2002
Nodes exchange reports hourly
Alarm is raised if 20% or more nodes vote for an alarm
A node votes if all of these hold:
o 200% increase in number of scans from hourly average
o 100% increase in sources from hourly average
o Number of sources > 5


SQL Snake Reaction Time

Almost zero


SQL Slammer Experiments

Extremely fast worm: periodic information exchange will not be enough
We need spontaneous alerts issued through triggers
A trigger is issued if it holds:
o Number of sources > 5, and
o Rule 1: Number of scans is 10 times the average, or
o Rule 2: Number of sources is 10 times the average, or
o Rule 3: The duration of anomalous event (horizontal, vertical or coordinated scan) is 10 times the average
Detection is called if more than 10% (Rule 1), 20% (Rule 2) or 30% (Rule 3) of nodes issue alerts
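The two decision procedures described on the SQL Snake and SQL Slammer slides, the hourly vote and the spontaneous trigger rules, written out as an added example (this is not code from the DOMINO paper). The NodeReport fields, the baseline values and the ten per-node reports are constructed; a "200% increase" is evaluated literally as the percentage increase over the node's hourly average.

```python
"""DOMINO-style alarm voting (SQL Snake rules) and spontaneous triggers (SQL Slammer
rules). Added example, not code from the DOMINO paper. The NodeReport fields and the
sample numbers are constructed; an 'N% increase' is evaluated literally as the
percentage increase over the node's hourly average."""
from dataclasses import dataclass


@dataclass
class NodeReport:
    node: str
    scans: int                    # scans seen by this node in the current interval
    sources: int                  # distinct scanning sources in the current interval
    avg_scans: float              # hourly average of scans (baseline)
    avg_sources: float            # hourly average of distinct sources (baseline)
    event_duration: float = 0.0   # duration of the anomalous scan event (constructed unit: seconds)
    avg_duration: float = 1.0     # average duration of such events


def pct_increase(value, average):
    return (value - average) / average * 100.0


def node_votes(r: NodeReport) -> bool:
    """SQL Snake: a node votes only if all three conditions hold."""
    return (pct_increase(r.scans, r.avg_scans) >= 200
            and pct_increase(r.sources, r.avg_sources) >= 100
            and r.sources > 5)


def periodic_alarm(reports, vote_fraction=0.20) -> bool:
    """Hourly exchange: alarm if 20% or more of the nodes vote."""
    votes = sum(node_votes(r) for r in reports)
    return votes >= vote_fraction * len(reports)


def node_triggers(r: NodeReport) -> set:
    """SQL Slammer: 'sources > 5' must hold, then each rule fires on a 10x deviation
    from the average. Returns the names of the rules that fired for this node."""
    fired = set()
    if r.sources <= 5:
        return fired
    if r.scans >= 10 * r.avg_scans:
        fired.add("rule1")
    if r.sources >= 10 * r.avg_sources:
        fired.add("rule2")
    if r.event_duration >= 10 * r.avg_duration:
        fired.add("rule3")
    return fired


# fraction of nodes that must issue an alert before detection is declared
TRIGGER_THRESHOLDS = {"rule1": 0.10, "rule2": 0.20, "rule3": 0.30}


def trigger_detection(reports) -> set:
    """Detection is called for a rule when more than its share of nodes alert on it."""
    n = len(reports)
    counts = {rule: 0 for rule in TRIGGER_THRESHOLDS}
    for r in reports:
        for rule in node_triggers(r):
            counts[rule] += 1
    return {rule for rule, thr in TRIGGER_THRESHOLDS.items() if counts[rule] > thr * n}


# Constructed reports from ten axis nodes for one interval (baseline: 100 scans, 10 sources per hour)
SAMPLE_REPORTS = [
    NodeReport("axis-1", 1100, 40, 100, 10),
    NodeReport("axis-2", 350, 25, 100, 10),
    NodeReport("axis-3", 120, 12, 100, 10),
    NodeReport("axis-4", 1200, 120, 100, 10, event_duration=30, avg_duration=2),
    NodeReport("axis-5", 90, 4, 100, 10),
    NodeReport("axis-6", 100, 9, 100, 10),
    NodeReport("axis-7", 400, 30, 100, 10),
    NodeReport("axis-8", 80, 6, 100, 10),
    NodeReport("axis-9", 95, 7, 100, 10),
    NodeReport("axis-10", 110, 8, 100, 10),
]

if __name__ == "__main__":
    print("periodic alarm:", periodic_alarm(SAMPLE_REPORTS))      # True: 4 of 10 nodes vote
    print("triggered rules:", trigger_detection(SAMPLE_REPORTS))  # {'rule1'}: 2 of 10 nodes exceeds 10%
```

With these numbers four nodes vote, so the hourly scheme raises an alarm, while only two nodes exceed the 10x scan rule and one exceeds the 10x source rule, so only Rule 1 crosses its 10% share; the trigger path is what gives a sub-hour reaction for a fast worm.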


SQL Slammer Reaction Time

About 80-100 class C subnets are enough


Automatic Worm Signatures

Focus on TCP worms that propagate via scanning
Idea: vulnerability exploit is not easily mutable so worm packets should have some common signature
Step 1: Select suspicious TCP flows using heuristics
Step 2: Generate signatures using content prevalence analysis

H.-A. Kim and B. Karp, “Autograph: Toward Automated, Distributed Worm Signature Detection,” in Proceedings of the 13th USENIX Security Symposium (Security 2004), San Diego, CA, August 2004.


Suspicious Flows

Detect scanners as hosts that make many unsuccessful connection attempts (>2)
Select their successful flows as suspicious
Build suspicious flow pool
o When there are enough flows inside, trigger the signature generation step


Signature Generation

Use most frequent byte sequences across flows as the signature
Naïve techniques fail at byte insertion, deletion, reordering
Content-based payload partitioning (COPP)
o Partition if Rabin fingerprint of a sliding window matches breakmark = content blocks
o Configurable parameters: window size, breakmark
o Analyze which content blocks appear most frequently and what is the smallest set of those that covers most/all samples in suspicious flow pool
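COPP partitioning and the greedy "smallest covering set" step, as an added example (not Autograph's code). A polynomial rolling hash stands in for a true Rabin fingerprint, the window size, breakmark, modulus and the MIN_BLOCK/MAX_BLOCK bounds are small illustration values chosen here, and the suspicious pool (ten constructed worm variants around one invariant request, plus one benign flow that was misclassified into the pool) is constructed.

```python
"""Content-based payload partitioning (COPP) and greedy block selection in the style
of Autograph. Added example, not the Autograph code. A polynomial rolling hash stands in
for a true Rabin fingerprint, the parameters are small for illustration, and the
suspicious-flow pool (worm variants plus one benign flow) is constructed."""
from collections import Counter

WINDOW = 4                     # bytes in the sliding window
MODULUS, BREAKMARK = 8, 0      # boundary where fingerprint % MODULUS == BREAKMARK (avg block ~MODULUS bytes)
MIN_BLOCK, MAX_BLOCK = 4, 32   # block length bounds (assumption; Autograph also bounds block sizes)
BASE, PRIME = 257, 1_000_003


def rolling_fingerprints(data: bytes):
    """Yield (end_index, fingerprint) for every WINDOW-byte window of data, updated in O(1)."""
    if len(data) < WINDOW:
        return
    power = pow(BASE, WINDOW - 1, PRIME)
    fp = 0
    for b in data[:WINDOW]:
        fp = (fp * BASE + b) % PRIME
    yield WINDOW, fp
    for i in range(WINDOW, len(data)):
        fp = ((fp - data[i - WINDOW] * power) * BASE + data[i]) % PRIME
        yield i + 1, fp


def copp_partition(payload: bytes) -> list:
    """Cut the payload into content blocks. Boundaries depend only on the bytes in the
    window, so inserting or deleting bytes elsewhere leaves the other blocks unchanged."""
    blocks, start = [], 0
    for end, fp in rolling_fingerprints(payload):
        length = end - start
        if length >= MAX_BLOCK or (length >= MIN_BLOCK and fp % MODULUS == BREAKMARK):
            blocks.append(payload[start:end])
            start = end
    if start < len(payload):
        blocks.append(payload[start:])
    return blocks


def select_signatures(pool: list, coverage: float = 0.9) -> list:
    """Greedy set cover: repeatedly take the content block present in the most
    still-uncovered flows until the chosen blocks cover 'coverage' of the pool."""
    flow_blocks = [set(copp_partition(p)) for p in pool]
    uncovered = set(range(len(pool)))
    chosen = []
    while len(pool) - len(uncovered) < coverage * len(pool):
        prevalence = Counter(b for i in uncovered for b in flow_blocks[i])
        if not prevalence:
            break
        block = prevalence.most_common(1)[0][0]
        chosen.append(block)
        uncovered -= {i for i in uncovered if block in flow_blocks[i]}
    return chosen


# Constructed invariant request shared by all worm variants (placeholder content, no real exploit)
INVARIANT = (
    b"POST /cgi-bin/service HTTP/1.0\r\n"
    b"Host: target.example\r\n"
    b"User-Agent: constructed-worm-client/1.0\r\n"
    b"Accept: */*\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 142\r\n"
    b"X-Constructed-Invariant: the-bytes-the-payload-needs-0123456789abcdef\r\n"
    b"Connection: close\r\n\r\n"
    b"cmd=update&id=7731&sig=fedcba9876543210&blob=invariant-region-continues-here-until-the-end\r\n"
)


def worm_variant(i: int) -> bytes:
    """Constructed variant: different junk bytes before and after the invariant part."""
    prefix = bytes((i * 37 + k * 11) % 256 for k in range(5 + 3 * i))
    suffix = bytes((i * 53 + k * 7) % 256 for k in range(20 + i))
    return prefix + INVARIANT + suffix


WORM_POOL = [worm_variant(i) for i in range(10)]
BENIGN = b"220 smtp.corp.test ESMTP ready\r\nEHLO laptop\r\nMAIL FROM:<u@corp.test>\r\n"
POOL = WORM_POOL + [BENIGN]   # one benign flow wrongly classified as suspicious

if __name__ == "__main__":
    for sig in select_signatures(POOL, coverage=0.9):
        print(len(sig), "byte signature block:", sig)
```

Because the variants differ only outside the invariant region, the content-defined boundaries resynchronise inside it and every variant shares the same block there; with 90% coverage the greedy step stops after that one block and never needs a block from the benign flow, which is the effect the slide's "smallest set covering most samples" heuristic is after.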


How Well Does it Work?

Tested on traces of HTTP traffic interlaced with known worms
For large block sizes and large coverage of suspicious flow pool (90-95%) Autograph performs very well
o Small false positives and false negatives


Distributed Autograph

Would detect more scanners
Would produce more data for suspicious flow pool
o Reduce false positives and false negatives


Automatic Signatures (approach 2)

Detect content prevalence
o Some content may vary but some portion of worm remains invariant
Detect address dispersion
o Same content will be sent from many hosts to many destinations
Challenge: how to detect these efficiently (low cost = fast operation)

S. Singh, C. Estan, G. Varghese and S. Savage, “Automated Worm Fingerprinting,” OSDI 2004


Content Prevalence Detection

Hash content + port + proto and use this as key to a table where counters are kept
o Content hash is calculated over overlapping blocks of fixed size
o Use Rabin fingerprint as hash function
o Autograph calculates Rabin fingerprint over variable-length blocks that are non-overlapping


Address Dispersion Detection

Remembering sources and destinations for each content would require too much memory
Scaled bitmap:
o Sample down input space, e.g., hash into values 0-63 but only remember those values that hash into 0-31
o Set the bit for the output value (out of 32 bits)
o Increase sampling-down factor each time bitmap is full = constant space, flexible counting
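The content-prevalence table and the scaled bitmap from the two preceding slides, combined into one detector as an added example (not the Earlybird code). It goes one step beyond the slides by joining the two tests into a single alert condition. Assumptions: 8-byte overlapping blocks (the paper uses longer ones), blake2b as the per-block hash instead of a rolling Rabin fingerprint, a bit-reversal "address hash" used only so the bucket numbers can be followed by hand, a simplified carry-over when the bitmap fills, and a constructed traffic sample.

```python
"""Earlybird-style detection (Singh et al.): content prevalence over overlapping
fixed-size blocks plus address dispersion estimated with scaled bitmaps. Added
illustration, not the Earlybird code. Assumptions: 8-byte blocks (the paper uses
longer ones), blake2b as the block hash instead of a rolling Rabin fingerprint, a
bit-reversal 'address hash' chosen only so the numbers can be followed by hand
(use a real hash in practice), and a constructed traffic sample."""
import hashlib
import ipaddress
import math

BLOCK = 8     # bytes per overlapping content block
BITS = 32     # width of each bitmap


def addr_hash16(addr: str) -> int:
    """Stand-in hash: the low 16 bits of the IPv4 address, bit-reversed (assumption)."""
    low = int(ipaddress.ip_address(addr)) & 0xFFFF
    return int(f"{low:016b}"[::-1], 2)


class ScaledBitmap:
    """Constant-space estimate of distinct addresses. At level 'scale' only hashes
    below 2**(16-scale) are remembered (sampling factor 2**scale); each sets one of
    BITS bits. When the map fills, the level is raised and the bits of the half that
    stays sampled are carried over to even positions (a simplification of the paper's
    multi-resolution bitmap; it under-counts a little right after a rescale)."""

    def __init__(self):
        self.scale, self.map = 0, 0

    def add(self, addr: str):
        h = addr_hash16(addr)
        if h >= (1 << 16) >> self.scale:       # sampled away at this level
            return
        self.map |= 1 << ((h * BITS) >> (16 - self.scale))
        if self.map == (1 << BITS) - 1:        # full: double the sampling-down factor
            kept = self.map & ((1 << (BITS // 2)) - 1)
            self.map = 0
            for b in range(BITS // 2):
                if kept >> b & 1:
                    self.map |= 1 << (2 * b)
            self.scale += 1

    def estimate(self) -> float:
        """Linear-counting estimate on the sampled map, scaled back up."""
        zero = BITS - bin(self.map).count("1")
        return -BITS * math.log(zero / BITS) * (1 << self.scale)


class Entry:
    def __init__(self, block: bytes):
        self.block, self.count = block, 0
        self.src, self.dst = ScaledBitmap(), ScaledBitmap()


class EarlybirdTable:
    def __init__(self, prevalence=5, dispersion=5):
        self.table, self.prevalence, self.dispersion = {}, prevalence, dispersion

    def observe(self, src, dst, port, proto, payload: bytes):
        """Key every overlapping block by (content hash, port, proto) and update counters."""
        for i in range(len(payload) - BLOCK + 1):
            block = payload[i:i + BLOCK]
            key = (hashlib.blake2b(block, digest_size=8).digest(), port, proto)
            if key not in self.table:
                self.table[key] = Entry(block)
            e = self.table[key]
            e.count += 1
            e.src.add(src)
            e.dst.add(dst)

    def alerts(self) -> set:
        """Blocks that are prevalent AND come from many sources AND go to many destinations."""
        return {e.block for e in self.table.values()
                if e.count >= self.prevalence
                and e.src.estimate() >= self.dispersion
                and e.dst.estimate() >= self.dispersion}


WORM = b"constructed-worm-payload-with-invariant-bytes"
WEBPAGE = b"<html>same popular page served by one host</html>"


def run_sample() -> set:
    t = EarlybirdTable()
    for k in range(1, 9):   # eight infected hosts each attack a different victim
        t.observe(f"10.0.0.{k}", f"10.0.1.{k}", 80, "tcp", WORM)
    for k in range(1, 9):   # one web server sends the same page to eight clients
        t.observe("10.9.9.9", f"10.0.2.{k}", 80, "tcp", WEBPAGE)
    return t.alerts()


if __name__ == "__main__":
    print(sorted(run_sample()))
```

The popular web page is just as prevalent as the worm content, but it has one source, so its source bitmap estimates about one address and it never alerts; the worm's blocks pass all three tests. Adding 40 sequential addresses to one bitmap fills it at the 32nd and forces a rescale, after which the estimate is still in the right range while the structure stays at 32 bits.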


How Well Does This Work?

Implemented and deployed at UCSD network


How Well Does This Work?

Some false positives
o Spam, common HTTP protocol headers ... (easily whitelisted)
o Popular BitTorrent files (not easily whitelisted)
No false negatives
o Detected each worm outbreak reported in news
o Cross-checked with Snort’s signature detection


Polymorphic Worm Signatures

Insight: multiple invariant substrings must be present in all variants of the worm for the exploit to work
o Protocol framing (force the vulnerable code down the path where the vulnerability exists)
o Return address
Substrings not enough = too short
Signature: multiple disjoint byte strings
o Conjunction of byte strings
o Token subsequences (must appear in order)
o Bayes-scored substrings (score + threshold)

J. Newsome, B. Karp and D. Song, “Polygraph: Automatically Generating Signatures for Polymorphic Worms,” IEEE Security and Privacy Symposium, 2005


Worm Code Structure

Invariant bytes: any change makes the worm fail
Wildcard bytes: any change has no effect
Code bytes: can be changed using some polymorphic technique and worm will still work
o E.g., encryption


Polygraph Architecture

All traffic is seen, some is identified as part of suspicious flows and sent to suspicious traffic pool
o May contain some good traffic
o May contain multiple worms
Rest of traffic is sent to good traffic pool
Algorithm makes a single pass over pools and generates signatures


Signature Detection

Extract tokens (variable length) that occur in at least K samples
o Conjunction signature is this set of tokens
o To find token-subsequence signatures, samples in the pool are aligned in different ways (shifted left or right) so that the maximum-length subsequences are identified
o Contiguous tokens are preferred
o For Bayes signatures, for each token a probability is computed that it is contained by a good or a suspicious flow – use this as a score
o Set high value of threshold to avoid false positives
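The three signature types on the Polymorphic Worm Signatures and Signature Detection slides, generated from a suspicious pool and a good pool, as an added example (not the Polygraph implementation). Token extraction here is brute-force substring counting rather than Polygraph's suffix tree, the subsequence ordering is read off the first sample and checked against the rest instead of being found by pairwise alignment, the threshold is set just above the highest score any good sample reaches, and both pools are constructed.

```python
"""Polygraph-style signature generation: conjunction, token-subsequence and Bayes
signatures over a suspicious pool and a good pool. Added example, not the Polygraph
implementation; token extraction is brute-force substring counting (Polygraph uses a
suffix tree), ordering is a stand-in for alignment, and the pools are constructed."""
import math

MIN_TOKEN = 4   # shortest substring considered a token (assumption)


def extract_tokens(pool, k):
    """Maximal substrings (len >= MIN_TOKEN) that occur in at least k samples of the pool."""
    support = {}
    for s in pool:
        for i in range(len(s)):
            for j in range(i + MIN_TOKEN, len(s) + 1):
                t = s[i:j]
                if t not in support:
                    support[t] = frozenset(n for n, x in enumerate(pool) if t in x)
    cands = [t for t, sup in support.items() if len(sup) >= k]
    # drop a token that sits inside a longer token with exactly the same support
    return sorted(t for t in cands
                  if not any(t != u and t in u and support[t] == support[u] for u in cands))


def matches_conjunction(tokens, s):
    return all(t in s for t in tokens)


def matches_subsequence(tokens, s):
    """Tokens must appear in the given order, without overlapping."""
    pos = 0
    for t in tokens:
        pos = s.find(t, pos)
        if pos < 0:
            return False
        pos += len(t)
    return True


def subsequence_signature(tokens, pool):
    """Order tokens as they appear in the first sample; keep the order only if every
    sample honours it (stand-in for Polygraph's pairwise alignment)."""
    order = sorted(tokens, key=lambda t: pool[0].find(t))
    return order if all(matches_subsequence(order, s) for s in pool) else None


def bayes_score(scores, s):
    return sum(v for t, v in scores.items() if t in s)


def bayes_signature(tokens, suspicious, good):
    """Per-token score log(P(token|worm) / P(token|good)) with add-one smoothing; the
    threshold is set to the highest score any good sample rea\u0063hes, so the good pool
    produces no false positives (the slide's 'high threshold')."""
    scores = {}
    for t in tokens:
        p_w = (sum(t in s for s in suspicious) + 1) / (len(suspicious) + 2)
        p_g = (sum(t in s for s in good) + 1) / (len(good) + 2)
        scores[t] = math.log(p_w / p_g)
    threshold = max(bayes_score(scores, s) for s in good)
    return scores, threshold


def matches_bayes(scores, threshold, s):
    return bayes_score(scores, s) > threshold


# Constructed pools: invariant framing (INV1, INV2) around per-variant wildcard bytes
INV1, INV2 = b"SEARCH /index.cgi?q=", b"&mode=raw HTTP/1.1\r\n"


def variant(i):
    return INV1 + bytes([65 + i]) * (6 + i) + INV2 + bytes([97 + i]) * (3 + i)


SUSPICIOUS = [variant(i) for i in range(5)]
GOOD = [b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n",
        b"GET /about.cgi?q=hello HTTP/1.1\r\nHost: www.example\r\n\r\n",
        b"POST /login HTTP/1.1\r\nContent-Length: 0\r\n\r\n"]

if __name__ == "__main__":
    toks = extract_tokens(SUSPICIOUS, len(SUSPICIOUS))
    print("conjunction tokens:", toks)
    print("token subsequence:", subsequence_signature(toks, SUSPICIOUS))
    print("bayes scores, threshold:", bayes_signature(toks, SUSPICIOUS, GOOD))
```

The three matchers differ exactly where the slides say they do: a sample that carries both tokens in swapped order still satisfies the conjunction signature but fails the token-subsequence signature, and the Bayes signature tolerates a missing low-scoring token as long as the total stays above the threshold.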


How Well Does This Work?

Legitimate traffic traces: HTTP and DNS
o Good traffic pool
o Some of this traffic mixed with worm traffic to model imperfect separation
Worm traffic: ideally-polymorphic worms generated from 3 known exploits
Various tests conducted


How Well Does This Work?

When compared with single signature (longest substring) detection, all proposed signatures result in lower false positive rates
o False negative rate is always zero if the suspicious pool has at least three samples
If some good traffic ends up in suspicious pool
o False negative rate is still low
o False positive rate is low until noise gets too big
If there are multiple worms in suspicious pool and noise
o False positives and false negatives are still low