1 / 42

Autograph Toward Automated, Distributed Worm Signature Detection (Hyang-Ah Kim, Brad Karp)

Autograph Toward Automated, Distributed Worm Signature Detection (Hyang-Ah Kim, Brad Karp). Yunhai & Justin. Agenda. Autograph Overview Introduction & Motivation Design Goals Autograph System Design Selecting Suspicious Traffic Content-Based Signature Generation Evaluation

anika
Download Presentation

Autograph Toward Automated, Distributed Worm Signature Detection (Hyang-Ah Kim, Brad Karp)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. AutographToward Automated, Distributed Worm Signature Detection (Hyang-Ah Kim, Brad Karp) Yunhai & Justin

  2. Agenda • Autograph Overview • Introduction & Motivation • Design Goals • Autograph System Design • Selecting Suspicious Traffic • Content-Based Signature Generation • Evaluation • Local Signature Detection • Distributed Signature Detection • Attacks & Limitations • Conclusion & Future Work • Questions & Answers

  3. Autograph Overview • What is Autograph • A system that automatically generates signatures for novel Internet worms that propagate using TCP transport • How does it work • Generates signatures by analyzing the prevalence of portions of flow payloads • What is the main feature • Designed to produce signatures that exhibit high sensitivity and high specificity

  4. Introduction • Self-replicating Worm • Remotely exploits a software vulnerability • Severity goes far beyond mere inconvenience • High cost in lost productivity • Code Red: $2.6 billion • Researches • Worm Quarantine • Worm Origin Identification Using Random Moonwalks • Assumes attack flows do not use spoofed source IP address • Assumes worm propagation occurs in a tree-like structure

  5. Methods for Containing • Internet Worm Quarantine Techniques • Destination port blocking • Discovering ports on which worms appear to be spreading, and filtering all traffic destined for those ports • Infected source host IP blocking • Discovering source addresses of infected hosts and filtering all traffic from those source addresses • Content-based blocking • Discovering the payload content string that a worm uses in its infection attempts, and filtering all flows contain it

  6. Motivation • Motivation • How should one obtain worm content signatures for use in content-based filtering accurately and quickly? • Worm Signature 05:45:31.912454 90.196.22.196.1716 > 209.78.235.128.80: . 0:1460(1460) ack 1 win 8760 (DF) 0x0000 4500 05dc 84af 4000 6f06 5315 5ac4 16c4 E.....@.o.S.Z... 0x0010 d14e eb80 06b4 0050 5e86 fe57 440b 7c3b .N.....P^..WD.|; 0x0020 5010 2238 6c8f 0000 4745 5420 2f64 6566 P."8l...GET./def 0x0030 6175 6c74 2e69 6461 3f58 5858 5858 5858ault.ida?XXXXXXX 0x0040 5858 5858 5858 5858 5858 5858 5858 5858 XXXXXXXXXXXXXXXX . . . . . 0x00e0 5858 5858 5858 5858 5858 5858 5858 5858 XXXXXXXXXXXXXXXX 0x00f0 5858 5858 5858 5858 5858 5858 5858 5858 XXXXXXXXXXXXXXXX 0x0100 5858 5858 5858 5858 5858 5858 5858 5858 XXXXXXXXXXXXXXXX 0x0110 5858 5858 5858 5858 5825 7539 3039 3025 XXXXXXXXX%u9090% 0x01a0 303d 6120 4854 5450 2f31 2e30 0d0a 436f 0=a.HTTP/1.0..Co . Signature for CodeRed II Signature: A Payload Content String Specific To A Worm

  7. Content-based Blocking Signature for CodeRed II Traffic Filtering Internet Our network X • Can be used by Bro, Snort, Cisco’s NBAR, ...

  8. Signature derivation is too slow • Current Signature Derivation Process • New worm outbreak • Report of anomalies from people via phone/email/newsgroup • Worm trace is captured • Manual analysis by security experts • Signature generation • Labor-intensive, Human-mediated

  9. Design Assumptions • Focus on TCP worms that propagate via scanning Actually, any transport • in which spoofed sources cannot communicate successfully • in which transport framing is known to monitor • Worm’s payloads share a common substring • Vulnerability exploit part is not easily mutable • Not polymorphic

  10. Agenda • Autograph Overview • Introduction & Motivation • Design Goals • Autograph System Design • Selecting Suspicious Traffic • Content-Based Signature Generation • Evaluation • Local Signature Detection • Distributed Signature Detection • Attacks & Limitations • Conclusion & Future Work • Questions & Answers

  11. Design Goals • Automation: Minimal manual intervention • Signature quality: Sensitive & specific • Sensitive: match all worms  low false negative rate • Specific: match onlyworms  low false positive rate • Timeliness: Early detection • Application neutrality • Broad applicability • Bandwidth Efficiency • Signature Quantity & Length

  12. Agenda • Autograph Overview • Introduction & Motivation • Design Goals • Autograph System Design • Selecting Suspicious Traffic • Content-Based Signature Generation • Evaluation • Local Signature Detection • Distributed Signature Detection • Attacks & Limitations • Conclusion & Future Work • Questions & Answers

  13. Automated Signature Generation • Step 1: Select suspicious flows using heuristics • Step 2: Generate signature using content-prevalence analysis Internet Traffic Filtering Autograph Monitor Our network X Signature Signature Signature

  14. Reduce the work by filtering out vast amount of innocuous flows S1: Suspicious Flow Selection • Heuristic: Flows from scanners are suspicious • Focus on the successful flows from IPs who made unsuccessful connections to more than s destinations for last 24hours • Suitable heuristic for TCP worm that scans network • Suspicious Flow Pool • Holds reassembled, suspicious flows captured during the last time period t • Triggers signature generation if there are more than  flows Autograph (s = 2)  Non-existent Non-existent This flow will be selected

  15. Reduce the work by filtering out vast amount of innocuous flows S1: Suspicious Flow Selection • Heuristic: Flows from scanners are suspicious • Focus on the successful flows from IPs who made unsuccessful connections to more than sdestinations for last 24hours • Suitable heuristic for TCP worm that scans network • Suspicious Flow Pool • Holds reassembled, suspicious flows captured during the last time period t • Triggers signature generation if there are more than  flows

  16. Use the most frequent byte sequences across suspicious flows as signatures S2: Signature Generation All instances of a worm have a common byte pattern specific to the worm Rationale • Worms propagate by duplicating themselves • Worms propagate using vulnerability of a service How to find the most frequent byte sequences?

  17. Divide Payloads into Content Block • Use the entire payload • Brittle to byte insertion, deletion, reordering Flow 1 GARBAGEEABCDEFGHIJKABCDXXXX GARBAGEABCDEFGHIJKABCDXXXXX Flow 2

  18. Divide Payloads into Content Block Partition flows into non-overlapping small blocks and count the number of occurrences • Fixed-length Partition • Still brittle to byte insertion, deletion, reordering Flow 1 GARBAGEEABCDEFGHIJKABCDXXXX GARBAGEABCDEFGHIJKABCDXXXXX Flow 2

  19. Divide Payloads into Content Block • Content-based Payload Partitioning (COPP) • Partition if Rabin fingerprint of a sliding window matches Breakmark • Configurable parameters: content block size (minimum, average, maximum), breakmark, sliding window  Content Blocks Flow 1 GARBAGEEABCDEFGHIJKABCDXXXX GARBAGEABCDEFGHIJKABCDXXXXX Flow 2 Breakmark = last 8 bits of fingerprint (ABCD)

  20. Definition • Prevalence • The number of suspicious flows in which each content block occurs

  21. Nimda CodeRed2 Nimda (16 different payloads) WebDAV exploit Innocuous, misclassified Why Prevalence? Prevalence Distribution in Suspicious Flow Pool • Worm flows dominate in the suspicious flow pool • Content-blocks from worms are highly ranked - From 24-hr http traffic trace

  22. Select Most Frequent Content Block f0 C F C D G f1 f2 A B D f3 A C E f4 A B E A B D f5 H I J f6 I H J f7 G I J f8

  23. f0 C f0 C F f1 C D G C f1 f2 A B D f2 A f3 A C E f3 A E f4 A B E f5 A B D f4 A B E f6 H I J A B f5 f7 I H J f8 G I J H I I J B C D J f6 I J E G H B C D I H J f7 I G H B C D J E I J f8 Select Most Frequent Content Block F D G B D C D A A A A F G

  24. f0 C F f1 C D G f2 A B D f3 A C E f4 A B E f5 A B D f6 H I J A f7 I H J f8 G I J I A B C D J I J E G H A B C D I G H A B C D J E F Select Most Frequent Content Block Signature: W≥90% W: target coverage in suspicious flow pool P: minimum occurrence to be selected P≥3

  25. f0 C F f1 C D G f2 A B D f3 A C E f4 A B E f5 A B D f6 H I J A f7 I H J f8 G I J I A B C D J I J E G H A B C D I G H A B C D J E F Select Most Frequent Content Block Signature: A W≥90% W: target coverage in suspicious flow pool P: minimum occurrence to be selected P≥3

  26. f0 C F f1 C D G f2 A B D f3 A C E f4 A B E f5 A B D f6 H I J f7 I H J f8 G I J A C E A C A E Select Most Frequent Content Block Signature: A W≥90% W: target coverage in suspicious flow pool P: minimum occurrence to be selected A I P≥3 B D J I J G H B D I G H B C D J F

  27. f0 C F f1 C D G f2 A B D f3 A C E f4 A B E f5 A B D f6 H I J f7 I H J f8 G I J I J C I J H C I G H J Select Most Frequent Content Block Signature: A I W≥90% W: target coverage in suspicious flow pool P: minimum occurrence to be selected P≥3 G D F

  28. f0 C F f1 C D G f2 A B D f3 A C E f4 A B E f5 A B D f6 H I J f7 I H J f8 G I J C C Select Most Frequent Content Block Signature: Signature: A I W≥90% W: target coverage in suspicious flow pool P: minimum occurrence to be selected P≥3 G D F

  29. Agenda • Autograph Overview • Introduction & Motivation • Design Goals • Autograph System Design • Selecting Suspicious Traffic • Content-Based Signature Generation • Evaluation • Local Signature Detection • Distributed Signature Detection • Attacks & Limitations • Conclusion & Future Work • Questions & Answers

  30. Evaluation - Local • Objectives • Effect of COPP parameters on signature quality • Metrics • Sensitivity = # of true alarms / total # of worm flows false negatives • Efficiency = # of true alarms / # of alarms  false positives • Trace • Contains 24-hour http traffic • Includes 17 different types of worm payloads

  31. Signature Quality • Larger block sizes generate more specific signatures • A range of w (90-95%, workload dependent) produces a good signature

  32. Number of Signatures • Smaller block sizes generate small # of signatures

  33. Agenda • Autograph Overview • Introduction & Motivation • Design Goals • Autograph System Design • Selecting Suspicious Traffic • Content-Based Signature Generation • Evaluation • Local Signature Detection • Distributed Signature Detection • Attacks & Limitations • Conclusion & Future Work • Questions & Answers

  34. A A A A A A A Signature Generation Speed • Bounded by worm payload accumulation speed • Aggressiveness of scanner detection heuristic s: # of failed connection peers to detect a scanner • # of payloads enough for content analysis : suspicious flow pool size to trigger signature generation • Single Autograph • Worm payload accumulation is slow • Distributed Autograph • Share scanner IP list • Tattler: limit bandwidth consumption within a predefined cap Internet tattler

  35. Many innocuous misclassified flows Benefit from tattler • Worm payload accumulation (time to catch 5 worms) • Signature generation • More aggressive scanner detection (s) and signature generation trigger ()  faster signature generation, more false positives • With s=2 and =15, Autograph generates the good worm signature before < 2% hosts get infected

  36. tattler • A modified RTCP (RTP Control Protocol) • Limit the total bandwidth of announcements sent to the group within a predetermined cap

  37. Agenda • Autograph Overview • Introduction & Motivation • Design Goals • Autograph System Design • Selecting Suspicious Traffic • Content-Based Signature Generation • Evaluation • Local Signature Detection • Distributed Signature Detection • Attacks & Limitations • Conclusion & Future Work • Questions & Answers

  38. Attacks & Limitation • Overload due to flow reassembly Solutions Multiple instances of Autograph on separate HW (port-disjoint)  Suspicious flow sampling under heavy load • Abuse Autograph for DoS: pollute suspicious flow pool • Port scan and then send innocuous traffic Solution Distributed verification of signatures at many monitors • Source-address-spoofed port scan Solution Reply with SYN/ACK on behalf of non-existent hosts/services

  39. Agenda • Autograph Overview • Introduction & Motivation • Design Goals • Autograph System Design • Selecting Suspicious Traffic • Content-Based Signature Generation • Evaluation • Local Signature Detection • Distributed Signature Detection • Attacks & Limitations • Conclusion & Future Work • Questions & Answers

  40. Future Work • Attacks • Online evaluation with diverse traces & deployment on distributed sites • Broader set of suspicious flow selection heuristics • Non-scanning worms (ex. hit-list worms, topological worms, email worms) • UDP worms • Egress detection • Distributed agreement for signature quality testing • Trusted aggregation

  41. Conclusion • Stopping spread of novel worms requires early generation of signatures • Autograph: automated signature detection system • Automated suspicious flow selection→ Automated content prevalence analysis • COPP: robustness against payload variability • Distributed monitoring: faster signature generation • Autograph finds sensitive & specific signatures early in real network traces

  42. Questions & Answers

More Related