Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms
Zhichun Li (1), Lanjia Wang (2), Yan Chen (1) and Judy Fu (3)

(1) Lab for Internet and Security Technology (LIST), Northwestern Univ.

(2) Tsinghua University, China

(3) Motorola Labs, USA


The Spread of Sapphire/Slammer Worms


Limitations of Exploit Based Signature

[Figure: exploit-based traffic filtering between the Internet and our network. Packet payloads 1010101, 10111101, 11111100 and 00010111 are matched against the signature 10.*01; matching payloads are blocked (X).]

Polymorphism! A polymorphic worm might not have an exact exploit-based signature.


Vulnerability Signature

  • Works for polymorphic worms

  • Works for all the worms which target the same vulnerability

[Figure: vulnerability-signature traffic filtering between the Internet and our network; every worm flow targeting the same, still unknown vulnerability is blocked (X). Better!]


Benefits of Network Based Detection

  • At the early stage of a worm outbreak there are only limited worm samples.

  • Host-based sensors can only cover a limited IP space, which might raise scalability issues.

[Figure: gateway routers between the Internet and our network, contrasted with host-based detection inside the network. Early detection!]


Design Space and Related Work

[Figure: 2x2 design space, Network Based vs. Host Based against Exploit Based vs. Vulnerability Based]

  • Most host-based approaches depend on a lot of host information, such as the source/binary code of the vulnerable program, the vulnerability condition, execution traces, etc.


Outline

Motivation and Related Work

Design of LESG

Problem Statement

Three Stage Algorithm

Attack Resilience Analysis

Evaluation

Conclusions


Basic Ideas

  • At least 75% of vulnerabilities are due to buffer overflow

  • The length of the overflowing field is intrinsic to the buffer overflow vulnerability and hard to evade

  • However, there could be thousands of fields, so selecting the optimal field set is hard

[Figure: a protocol message whose field overflows the vulnerable buffer. Overflow!]


Framework

[Framework diagram, citing ICDCS06, INFOCOM06 and TON]


LESG Signature Generator



Field Hierarchies

[Figure: field hierarchy of a DNS PDU]


Length-based Signature Definition

A length signature is a pair (field, length); a message matches it when the named field is longer than the given length. For the DNS PDU fields Name, Type, Class, TTL, RDlength and RDATA, the example on the slide is:

Length Signature: (Name, 100)

A signature set is a set of such pairs combined with an "OR" relationship, e.g.

{(Name,100), (Class,50), (RDATA,300)}

The ground truth signature is the one on the vulnerable field whose threshold is the length of the overflowed buffer, here:

(RDATA,315), the buffer length!
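The matching side of this definition, as an added example that is not part of the slides or of the LESG implementation: a minimal parser measures the wire length of each field of one DNS resource record (Name, Type, Class, TTL, RDlength, RDATA) and checks the lengths against an OR-set of length signatures. The sample records are constructed here, not captured traffic; since only Name and RDATA vary in length in real DNS, the (Class,50) entry from the slide can never fire with this parser and is kept for illustration only.

```python
import struct
from typing import Dict, List, Tuple

LengthSignature = Tuple[str, int]   # (field, l): fires when the field is longer than l bytes

# OR-set of length signatures from the slide. With a real DNS parser only Name
# and RDATA vary in length, so the (Class, 50) entry is kept only for illustration.
SIGNATURE_SET: List[LengthSignature] = [("Name", 100), ("Class", 50), ("RDATA", 300)]


def parse_dns_rr(msg: bytes, offset: int = 0) -> Dict[str, int]:
    """Wire length in bytes of each field of one DNS resource record at `offset`.

    Raises ValueError on truncated or malformed input instead of reading past
    the buffer, which is exactly the kind of input the signatures are after.
    """
    fields: Dict[str, int] = {}
    start = offset
    while True:                               # Name: length-prefixed labels
        if offset >= len(msg):
            raise ValueError("truncated name")
        ln = msg[offset]
        if ln == 0:                           # root label terminates the name
            offset += 1
            break
        if ln & 0xC0 == 0xC0:                 # compression pointer: 2 bytes, ends the name
            offset += 2
            break
        if ln > 63:
            raise ValueError("label longer than 63 bytes")
        offset += 1 + ln
    fields["Name"] = offset - start
    if offset + 10 > len(msg):                # TYPE(2) CLASS(2) TTL(4) RDLENGTH(2)
        raise ValueError("truncated RR header")
    _rtype, _rclass, _ttl, rdlength = struct.unpack_from("!HHIH", msg, offset)
    fields["Type"], fields["Class"], fields["TTL"], fields["RDlength"] = 2, 2, 4, 2
    offset += 10
    if offset + rdlength > len(msg):          # RDLENGTH must not promise more than is there
        raise ValueError("RDLENGTH exceeds message")
    fields["RDATA"] = rdlength
    return fields


def matches(fields: Dict[str, int], sigset: List[LengthSignature]) -> List[LengthSignature]:
    """Signatures of the OR-set that the parsed record triggers (empty list = clean)."""
    return [(f, l) for f, l in sigset if fields.get(f, 0) > l]


def classify(rr: bytes) -> List[LengthSignature]:
    return matches(parse_dns_rr(rr), SIGNATURE_SET)


def is_well_formed(rr: bytes) -> bool:
    try:
        parse_dns_rr(rr)
        return True
    except ValueError:
        return False


def build_rr(labels: List[bytes], rdata: bytes, rtype: int = 16, rclass: int = 1, ttl: int = 300) -> bytes:
    """Constructed test input: encode one (TXT by default) RR in wire format."""
    name = b"".join(bytes([len(lb)]) + lb for lb in labels) + b"\x00"
    return name + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


# Constructed sample records (not captured traffic).
BENIGN_RR = build_rr([b"www", b"example", b"com"], b"\x05hello")
ATTACK_RR = build_rr([b"evil", b"test"], b"\x90" * 400)          # RDATA overruns a 315-byte buffer
LONG_NAME_RR = build_rr([b"a" * 60, b"b" * 55], b"x")             # 118-byte name on the wire

if __name__ == "__main__":
    for tag, rr in (("benign", BENIGN_RR), ("attack", ATTACK_RR), ("long-name", LONG_NAME_RR)):
        print(tag, parse_dns_rr(rr), "->", classify(rr) or "no match")
```

The parser rejects records whose RDLENGTH promises more bytes than the message carries rather than trusting the declared length, so a malformed record raises instead of being silently scored; the signature check itself is a single comparison per (field, length) pair, which is what makes this kind of signature cheap to apply at a gateway.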


Problem Formulation

[Figure: the suspicious pool and the normal pool are fed to LESG, which outputs the signature]

  • Worms which are not covered in the suspicious pool are at most

  • Minimize the false positives in the normal pool

  • The suspicious pool may contain noise

  • NP-hard!



Stages I and II

  • Trade-off between specificity and sensitivity: score function Score(COV, FP)

  • Thresholds: COV ≥ 1%, FP ≤ 0.1%

  • Stage I: Field Filtering

  • Stage II: Length Optimization


Stage III

  • Find the optimal set of fields as the signature, with high coverage and low false positives

  • Separate the fields into two sets, FP = 0 and FP > 0

    • Opportunistic step (FP = 0)

    • Attack resilience step (FP > 0)

  • The same greedy algorithm is used in each step


Stage III (cont.)

Worked example on the DNS fields Name, Type, Class, TTL, Comments and RDATA. Stage I keeps fields with COV0 ≥ 1% and FP0 ≤ 0.1%; Stage III keeps adding a field while its residual coverage γ ≥ 5%. Each candidate is listed as [coverage in the suspicious pool, false positives in the normal pool].

Candidates after Stages I and II:

(RDATA,300) [50%, 0.05%]

(Name,100) [40%, 0.03%]

(Class,50) [35%, 0.09%]

(Comments,2000) [10%, 0.1%]

Iteration 1: pick (RDATA,300). Signature set {(RDATA,300)}, coverage 50%, FP 0.05%. Residual values of the remaining candidates, computed over the suspicious flows not yet covered:

(Class,50) [25%, 0.02%]

(Name,100) [3%, 0.08%]

(Comments,2000) [1%, 0.05%]

Iteration 2: pick (Class,50). Signature set {(RDATA,300), (Class,50)}, coverage (50+25)%, FP (0.05+0.02)%. The residual coverage of (Name,100) and (Comments,2000) is below 5%, so neither is added.
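The three stages carried through end to end, as an added example that is not the authors' code: Stages I and II try every observed length of a field as the threshold, drop (field, length) pairs that miss COV ≥ 1% or exceed FP ≤ 0.1%, and keep the best scoring one; Stage III then runs the greedy residual-coverage selection, first over FP = 0 candidates and then over FP > 0 ones, stopping when no candidate adds 5% of the pool. The score function Score(COV, FP), the cumulative FP budget in Stage III, the 5% residual-coverage cut-off applied per step, and the two pools (25 suspicious flows including noise, 2000 normal flows with a few long but legitimate records) are assumptions constructed for this example; Comments is the slides' illustrative field, not a real DNS field.

```python
from typing import Dict, List, Optional, Tuple

Flow = Dict[str, int]          # field name -> length of that field in one flow
Signature = Tuple[str, int]    # (field, l): matches a flow whose field is longer than l

# Thresholds quoted on the slides.
COV_MIN = 0.01        # Stage I keeps a field only if some length gives COV >= 1% ...
FP_MAX = 0.001        # ... with FP <= 0.1%; also used as the cumulative FP budget (assumption)
RESIDUAL_MIN = 0.05   # Stage III stops when no candidate adds >= 5% residual coverage


def cov_fp(sig: Signature, suspicious: List[Flow], normal: List[Flow]) -> Tuple[float, float]:
    """Coverage over the suspicious pool and false-positive rate over the normal pool."""
    f, l = sig
    cov = sum(1 for x in suspicious if x.get(f, 0) > l) / len(suspicious)
    fp = sum(1 for x in normal if x.get(f, 0) > l) / len(normal)
    return cov, fp


def score(cov: float, fp: float) -> float:
    """Assumed Score(COV, FP): the slides name it but do not define it. The weight
    makes one percent of false positives cost ten percent of coverage."""
    return cov - 10.0 * fp


def stage_i_ii(field: str, suspicious: List[Flow], normal: List[Flow]) -> Optional[Signature]:
    """Stage I (field filtering) and Stage II (length optimization) for one field."""
    lengths = sorted({x.get(field, 0) for x in suspicious + normal})
    best = None
    for l in lengths:
        cov, fp = cov_fp((field, l), suspicious, normal)
        if cov < COV_MIN or fp > FP_MAX:
            continue                      # Stage I: this (field, length) fails the test
        key = (score(cov, fp), cov, -l)   # tie-break: more coverage, then shorter threshold
        if best is None or key > best[0]:
            best = (key, l)
    return None if best is None else (field, best[1])


def stage_iii(candidates: List[Signature], suspicious: List[Flow], normal: List[Flow]) -> List[Signature]:
    """Greedy selection by residual coverage: opportunistic step over FP = 0
    candidates, then attack-resilience step over FP > 0 candidates."""
    chosen: List[Signature] = []
    covered = [False] * len(suspicious)
    total_fp = 0.0
    zero_fp = [s for s in candidates if cov_fp(s, suspicious, normal)[1] == 0.0]
    positive_fp = [s for s in candidates if cov_fp(s, suspicious, normal)[1] > 0.0]
    for remaining in (zero_fp, positive_fp):
        while remaining:
            best, best_res = None, 0.0
            for f, l in remaining:        # residual coverage = share of the whole pool still uncovered
                res = sum(1 for i, x in enumerate(suspicious)
                          if not covered[i] and x.get(f, 0) > l) / len(suspicious)
                if res > best_res:
                    best, best_res = (f, l), res
            if best is None or best_res < RESIDUAL_MIN:
                break                     # nothing left adds >= 5% of the pool
            remaining.remove(best)
            fp = cov_fp(best, suspicious, normal)[1]
            if total_fp + fp > FP_MAX:    # assumed cumulative FP budget
                continue
            chosen.append(best)
            total_fp += fp
            for i, x in enumerate(suspicious):
                if x.get(best[0], 0) > best[1]:
                    covered[i] = True
    return chosen


def generate_signatures(fields: List[str], suspicious: List[Flow], normal: List[Flow]) -> List[Signature]:
    cands = [s for s in (stage_i_ii(f, suspicious, normal) for f in fields) if s is not None]
    return stage_iii(cands, suspicious, normal)


def evaluate(sigs: List[Signature], suspicious: List[Flow], normal: List[Flow]) -> Tuple[float, float]:
    """COV and FP of the OR-combination of a signature set."""
    hit = lambda x: any(x.get(f, 0) > l for f, l in sigs)
    return sum(map(hit, suspicious)) / len(suspicious), sum(map(hit, normal)) / len(normal)


FIELDS = ["Name", "Class", "RDATA", "Comments"]   # Comments is the slides' illustrative field


def make_normal_pool(n: int = 2000) -> List[Flow]:
    """Constructed normal pool: deterministic benign lengths plus a few long but
    legitimate records, so that zero-FP thresholds are not free."""
    pool = [{"Name": 10 + i % 50, "Class": 2, "RDATA": 4 + i % 197, "Comments": (i % 40) * 50}
            for i in range(n)]
    pool[0]["RDATA"] = 320
    pool[1]["Name"] = 110
    pool[2]["Comments"] = 2500
    pool[3]["Comments"] = 2500
    return pool


def make_suspicious_pool() -> List[Flow]:
    """Constructed suspicious pool of 25 flows: three worm variants plus noise."""
    base = {"Name": 20, "Class": 2, "RDATA": 100, "Comments": 0}
    pool = [dict(base, RDATA=400) for _ in range(12)]      # overflow via RDATA
    pool += [dict(base, Class=80) for _ in range(6)]       # overflow via Class (illustrative)
    pool += [dict(base, Name=150)]                         # a single flow overflowing Name
    pool += [dict(base, Comments=2500) for _ in range(2)]  # noise with long Comments
    pool += [dict(base) for _ in range(4)]                 # noise that looks normal
    return pool


NORMAL_POOL = make_normal_pool()
SUSPICIOUS_POOL = make_suspicious_pool()

if __name__ == "__main__":
    sigs = generate_signatures(FIELDS, SUSPICIOUS_POOL, NORMAL_POOL)
    print("signature set:", sigs, "-> COV, FP =", evaluate(sigs, SUSPICIOUS_POOL, NORMAL_POOL))
```

On these pools Stage II settles on (RDATA,320) rather than the 300-byte threshold of the slide because the normal pool carries one legitimate 320-byte record; the single Name-overflowing flow survives Stage I but contributes only 4% residual coverage, so Stage III never adds it, while the two noisy Comments flows are picked up in the attack-resilience step at the cost of the whole 0.1% FP budget.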


Attack Resilience Bounds

  • Depending on whether a deliberate noise injection (DNI) attack exists, we get different bounds

  • With 50% noise in the suspicious pool, the worst-case bound is FN < 2% and FP < 1%

  • In practice, the DNI attack can only achieve FP < 0.2%

  • Resilient to most of the attacks proposed in other papers



Methodology

  • Protocol parsing with Bro and BINPAC (IMC2006)

  • Worm workload

    • Eight polymorphic worms created based on real-world vulnerabilities, including the CodeRed II and Lion worms

    • Protocols: DNS, SNMP, FTP, SMTP

  • Normal traffic data

    • 27GB from a university gateway and a 123GB email log


Results

  • Single/multiple worms with noise

    • Noise ratio: 0 to 80%

    • False negatives: 0 to 1% (mostly 0)

    • False positives: 0 to 0.01% (mostly 0)

  • Pool size requirement

    • 10 or 20 flows are enough, even with 20% noise

  • Speed results

    • With 500 samples in the suspicious pool and 320K samples in the normal pool, for DNS: parsing 58 secs, LESG 18 secs


Conclusions

A novel network-based automated worm signature generation approach

  • Works for zero-day polymorphic worms with unknown vulnerabilities

  • First work that is both vulnerability-based and network-based, using length signatures for buffer overflow vulnerabilities

  • Provable attack resilience

  • Fast and accurate in experiments

