Automated Worm Fingerprinting [Singh, Estan et al]
Internet Quarantine: Requirements for Self-Propagating Code [Moore, Shannon et al]
David W. Hill, CSCI 297, 6.28.2005
What is a worm?
- Self-replicating/self-propagating code.
- Spreads across a network by exploiting flaws in open services.
  - As opposed to viruses, which require user action to quicken/spread.
- Not new --- Morris Worm, Nov. 1988
  - 6-10% of all Internet hosts infected
- Many more since, but none on that scale... until Code Red
Internet Worm History
- Xerox PARC, Schoch and Hupp, 1982
- Morris Worm <DEC VAX, sendmail, fingerd>, 1988
- Code Red (V1, V2, II) <IIS>, 2001
- NIMDA <various exploits>, 2001
- Slammer Worm <SQL>, 2003
- Blaster Worm <DCOM>, 2003
- Sasser Worm <LSASS>, 2004
Code Red V1
- Initial version released July 13, 2001.
- Exploited known bug in Microsoft IIS Web servers.
- 1st through 20th of each month: spread. 20th through end of each month: attack.
- Payload: web site defacement.
- Spread: via random scanning of 32-bit IP address space.
- But: failure to seed random number generator meant linear growth.
Code Red V2
- Revision released July 19, 2001.
- Payload: flooding attack on www.whitehouse.gov.
- But: this time random number generator correctly seeded. Bingo!
- Resident in memory, reboot clears the infection
- Web defacement
Code Red V2 - Spread

Code Red II
- New worm released August 4, 2001.
- Intelligent Replication Engine
- Installed backdoors
- Used more threads

Life Just Before Slammer

Life Just After Slammer
Worm Detection – Current Methods
- Network telescoping – passive monitors that monitor unused address space (Downfalls – non-random, only provide IP not signature)
- Honeypots – slow manual analysis
- Host-based behavioral detection – dynamically analyze anomalous activity, no inference of large scale attack
- IDS, IPS – Snort
  - Labor-intensive, human-mediated
Worm Containment
- Host Quarantine – IP ACL, router, firewall (blacklist)
- String-matching containment
- Connection throttling – Slow the spread
Earlybird – Content Sifting
- Content in existing worms is invariant
- Dynamics for worm to spread are atypical
- The Earlybird system can extract signatures from traffic to detect worms and automatically react
Signatures
- Worm Signature: Content-based blocking [Moore et al., 2003]
- Signature: A Payload Content String Specific To A Worm
- Signature for CodeRed II:

```
05:45:31.912454 90.196.22.196.1716 > 209.78.235.128.80: . 0:1460(1460) ack 1 win 8760 (DF)
0x0000 4500 05dc 84af 4000 6f06 5315 5ac4 16c4 E.....@.o.S.Z...
0x0010 d14e eb80 06b4 0050 5e86 fe57 440b 7c3b .N.....P^..WD.|;
0x0020 5010 2238 6c8f 0000 4745 5420 2f64 6566 P."8l...GET./def
0x0030 6175 6c74 2e69 6461 3f58 5858 5858 5858 ault.ida?XXXXXXX
0x0040 5858 5858 5858 5858 5858 5858 5858 5858 XXXXXXXXXXXXXXXX
. . . . .
0x00e0 5858 5858 5858 5858 5858 5858 5858 5858 XXXXXXXXXXXXXXXX
0x00f0 5858 5858 5858 5858 5858 5858 5858 5858 XXXXXXXXXXXXXXXX
0x0100 5858 5858 5858 5858 5858 5858 5858 5858 XXXXXXXXXXXXXXXX
0x0110 5858 5858 5858 5858 5858 5858 5825 7539 3039 3025 XXXXXXXXX%u9090%
0x01a0 303d 6120 4854 5450 2f31 2e30 0d0a 436f 0=a.HTTP/1.0..Co
```
Worm Behavior - Earlybird
- Content Invariance
- Content Prevalence
- Address Dispersion
Earlybird Implementation
- Each network packet is scanned for invariant content
- Maintain a count of unique source and destination IPs
- Sort based on substring count and size of address list to determine worm traffic
- Use substrings to automatically create signatures to filter the worm
Earlybird Cont.

Earlybird Cont.
- System consists of sensors and aggregator
- Aggregator – pulls data from sensors, activates network or host level blocking, reporting and control
Earlybird – Memory & CPU
- Memory and CPU cycle constraints
- Index content table by using a fixed size hash of the packet payload
- Scaled bitmaps are used to reduce memory consumption on address dispersion counts
Earlybird Cont.
- Sensor – 1.6 GHz AMD Opteron 242, Linux 2.6 kernel
- Captures using libpcap
- Can sift 1 TB of traffic per day and is able to sift 200 Mbps of continuous traffic
- Cisco router configured for mirroring
Thresholds
- Content Prevalence = 3
- 97 percent of signatures repeat two or fewer times

Thresholds
- Address Dispersion = 30 src and 30 dst
- Lower dispersion threshold will produce more false positives
- Garbage collection – several hours

Earlybird False Positives
- 99% of FPs are from SMTP header strings and HTTP user agents – whitelist
- SPAM e-mails – distributed mailers and relays
- BitTorrent file striping creates many-to-many download profile
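The content-sifting loop from the Earlybird Implementation slide, with the prevalence and dispersion thresholds from the two Thresholds slides and the header whitelist from the false-positives slide, as an added Python simulation over constructed traffic; this is not code from the slides or from the Earlybird project. The SHA-1 window hashes, plain sets, sample payloads and all addresses are assumptions standing in for Earlybird's Rabin fingerprints, scaled bitmaps and real captures.

```python
import hashlib
from collections import defaultdict

WINDOW = 40                # fingerprint every 40-byte payload substring
PREVALENCE_THRESHOLD = 3   # thresholds slide: content must repeat at least 3 times
DISPERSION_THRESHOLD = 30  # thresholds slide: 30 unique sources and 30 unique destinations

class ContentSifter:
    """Toy content sifter. Earlybird uses Rabin fingerprints, value sampling
    and scaled bitmaps; SHA-1 window hashes and plain sets stand in here."""
    def __init__(self, whitelist=frozenset()):
        self.whitelist = whitelist  # header strings never fingerprinted (false-positives slide)
        # window hash -> [prevalence, unique sources, unique destinations, substring]
        self.table = defaultdict(lambda: [0, set(), set(), b""])
    def observe(self, src, dst, payload):
        spans = [(i, i + len(w)) for w in self.whitelist if (i := payload.find(w)) >= 0]
        for i in range(len(payload) - WINDOW + 1):
            if any(i < end and i + WINDOW > start for start, end in spans):
                continue  # window overlaps a whitelisted header
            chunk = payload[i:i + WINDOW]
            entry = self.table[hashlib.sha1(chunk).digest()]
            entry[0] += 1
            entry[1].add(src)
            entry[2].add(dst)
            entry[3] = chunk
    def signatures(self):
        """Substrings that are both prevalent and dispersed, most suspicious first."""
        hits = [e for e in self.table.values() if e[0] >= PREVALENCE_THRESHOLD
                and min(len(e[1]), len(e[2])) >= DISPERSION_THRESHOLD]
        hits.sort(key=lambda e: (e[0], len(e[1]) + len(e[2])), reverse=True)
        return [e[3] for e in hits]

# Constructed traffic, not real captures; all addresses are documentation ranges.
UA = b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)"
WORM = b"GET /default.ida?" + b"X" * 120 + b" HTTP/1.0\r\n"
def sample_traffic():
    worm = [(f"10.0.{n}.1", f"198.51.100.{n}", WORM) for n in range(35)]  # 35 src, 35 dst
    mail = [(f"192.0.2.{n % 2}", f"203.0.113.{n}",  # same header, but only 2 relays send it
             b"Received: from mx1.example.net by relay.example.org with ESMTP id %d" % n)
            for n in range(50)]
    web = [(f"172.16.{n}.2", f"198.18.{n}.1",  # 40 clients, 40 servers, identical UA header
            b"GET /index.html HTTP/1.1\r\n" + UA + b"\r\nHost: www%d.example\r\n\r\n" % n)
           for n in range(40)]
    return worm + mail + web

def run(whitelist=frozenset({UA})):
    sifter = ContentSifter(whitelist)
    for src, dst, payload in sample_traffic():
        sifter.observe(src, dst, payload)
    return sifter.signatures()
```

Run with an empty whitelist and the shared User-Agent header is reported as a signature, which is the false positive the whitelist exists to suppress.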
Earlybird – Issues of Concern
- SSH, SSL, IPSEC, VPNs
- Polymorphism
- IP spoofing source address
- Packet injection

Earlybird – Current State
- UCSD
- NetSift
- Cisco
Internet Quarantine – Requirements for containing self-propagated code

Modeling Containment

Blacklisting vs. Content Filtering

Blacklisting vs. Content Filtering - Aggressiveness

Deployment Scenarios
References
- The Threat of Internet Worms, Vern Paxson. http://www.icir.org/vern/talks/vp-worms-ucla-Feb05.pdf
- Cooperative Association for Internet Data Analysis (CAIDA). http://www.caida.org
- Autograph: Toward Automated, Distributed Worm Signature Detection. USENIX Security 2004
- Wikipedia: computer worms, hashing.
- Code Carrying Proofs, Aytekin Vargun, Rensselaer Polytechnic Institute
Thank You!
Discussion...