
Presented by: Sailesh Kumar

DoWitcher: Effective Worm Detection and Containment in the Internet Core. S. Ranjan et al., INFOCOM 2007.





Presentation Transcript


  1. DoWitcher: Effective Worm Detection and Containment in the Internet Core. S. Ranjan et al., INFOCOM 2007. Presented by: Sailesh Kumar

  2. Worm Detection
  • Two well known approaches
    • Content filtering
      • Parse the packet payload and match it against known signatures
      • On-line => quick detection
      • Effective for known threats
      • Problem: effective only for known threats; parses the entire data stream, which is not efficient
    • Anomaly detection
      • Examine the distribution of layer-4 features
      • The presence of a worm disturbs the normal statistical characteristics
      • Detect such changes by Principal Component Analysis or Residual State Analysis
      • Off-line => slow detection
      • Problem: off-line algorithms are slow
    • The paper claims that such methods are robust, which may not be true!

  3. DoWitcher
  • DoWitcher is a hybrid of these two approaches
  • Objective
    • Avoid parsing the payload of all flows
    • Perform anomaly detection on-line
  • Solution
    • First examine layer-4 traffic features to identify an anomaly
    • Generate a flow filter mask to identify the anomalous flows
    • Create a payload signature from these anomalous flows
    • Perform payload inspection of the anomalous flows only

  4. DoWitcher Architecture
  • Multiple DLAs are deployed in the network; each DLA
    • Reconstructs flows
    • Extracts the key features
    • Sends this information to the GLA
  • The GLA
    • Extracts histograms of the key features and computes their entropies
    • Groups all entropies into a single PMER metric
    • Profiles normal traffic and generates an alert in case of deviation
    • Composes a policy rule for the worm activity (the flow filter)
    • Sends the policy to the DLAs, which then begin complete payload extraction for the matching flows

  5. DoWitcher Architecture
  • Extract the following features
    • Source ip_address
    • Source port
    • Destination ip_address
    • Destination port
    • Flow_size
  • Attack
    • Scanning – the distribution of source_ip will be skewed towards the scanning host's IP
    • Scanning – generally the destination port is also skewed
      • Sapphire worm – destination port 1434
      • Code Red worm – destination port 80
      • Welchia worm – destination port 135
    • The Flow_size histogram also gets skewed towards the flow size used by the worm

  6. Per Feature Entropy Computation
  • Use entropy to detect changes in a feature histogram
  • Monitor feature X of a set of flows A
    • M_X(x) is the frequency distribution of feature X, i.e. the number of times we see an element x ∈ X
    • In time window i, M^i_X(x) = {x_i}
    • Empirical probability distribution: P^i_X(x) = {p^i_X(x) | p^i_X(x) = x_i / m_X}, where m_X = ∑ x_i
    • Information entropy H^i_X
      • Low entropy indicates that the probability is concentrated in a few elements (concentrated usage of some port, high traffic from some source)
      • High entropy indicates more uniform usage (random scan of destination IPs, variable source ports)
    • H^i_X lies between 0 and an upper bound set by N_X, the maximum number of distinct values of X
    • Normalise H^i_X; the result is called the Relative Uncertainty (RU), H_X

  7. PMER Computation
  • During a worm outbreak, the Relative Uncertainties of at least two of the five features diverge [5].
  • Use PMER (Pair-wise Marginal Entropy Ratio)
    • F denotes the set of features (|F| = 5)
    • (X, Y) denotes a pair of different features
    • R_XY: the instantaneous ratio between the two marginal RUs (H_X, H_Y)
    • Average R_XY over the last N_S time windows
  • PMER is the maximum, over all feature pairs (X, Y), of the ratio between the marginal RUs (H_X, H_Y) and its average computed over the last N_S time windows
  • It is the maximum divergence from normal behaviour over all feature pairs

  8. Profiling
  • When to alert?
  • Requires profiling normal traffic
    • Learn for W samples (written T_W on the slide): compute R_W and maintain a running average R_{W+1}, R_{W+2}, ...
    • Then begin operation and keep computing the average
    • Report an anomaly if the threshold condition on the slide holds (the expression did not survive the transcript)
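The entropy, Relative Uncertainty and PMER computations of slides 6 to 8, carried through on constructed five-tuple flow records, as an added worked example (this is not code from the paper or from the talk). Assumptions: RU is normalised by log2(N_X) with toy N_X values, R_XY is taken as RU_X / RU_Y over every ordered pair of features, the profile is the running average over the last N_S windows, and the alert threshold of 2.0 is an invented value since the slide's condition is missing. Four identical benign windows give PMER = 1; a window in which one host scans many destinations on one port pushes the (dst_ip, src_ip) ratio far above its profile.

```python
import math
from collections import Counter, deque
from itertools import permutations

FEATURES = ("src_ip", "src_port", "dst_ip", "dst_port", "flow_size")
# Assumed maximum number of distinct values N_X per feature (toy sizes, constructed;
# a real deployment would use e.g. 2**16 for ports).
N_MAX = {"src_ip": 256, "src_port": 1024, "dst_ip": 256, "dst_port": 1024, "flow_size": 64}


def histogram(flows, feature):
    """M_X(x): number of flows in the window whose feature X takes the value x."""
    return Counter(flow[feature] for flow in flows)


def entropy(hist):
    """Information entropy H_X (bits) of p_X(x) = M_X(x) / m_X, with m_X the sum of counts."""
    m_x = sum(hist.values())
    return -sum(c / m_x * math.log2(c / m_x) for c in hist.values() if c)


def relative_uncertainty(hist, n_max):
    """RU = H_X / log2(N_X): entropy scaled into [0, 1] by its maximum for N_X values."""
    return entropy(hist) / math.log2(n_max) if n_max > 1 else 0.0


def window_ratios(flows):
    """R_XY = RU_X / RU_Y for every ordered pair of distinct features in one window."""
    ru = {f: relative_uncertainty(histogram(flows, f), N_MAX[f]) for f in FEATURES}
    return {(x, y): ru[x] / ru[y] for x, y in permutations(FEATURES, 2) if ru[y] > 0}


class PmerDetector:
    """Keeps R_XY of the last N_S windows (the profile) and scores each new window by PMER."""

    def __init__(self, n_s=4, threshold=2.0):
        self.n_s = n_s
        self.threshold = threshold          # alert threshold: an assumption, not from the paper
        self.history = deque(maxlen=n_s)    # R_XY of the last N_S windows

    def observe(self, flows):
        """Return None while still learning, else (PMER, worst pair, alert?) for this window."""
        ratios = window_ratios(flows)
        if len(self.history) < self.n_s:
            self.history.append(ratios)     # profiling phase: need N_S windows first
            return None
        pmer, worst = 0.0, None
        for pair, r in ratios.items():
            past = [h[pair] for h in self.history if pair in h]
            if not past:
                continue
            avg = sum(past) / len(past)     # running average of R_XY over the last N_S windows
            if avg > 0 and r / avg > pmer:
                pmer, worst = r / avg, pair  # PMER = max over pairs of R_XY / avg(R_XY)
        self.history.append(ratios)
        return pmer, worst, pmer > self.threshold


def normal_window(n=64):
    """Constructed benign traffic: many sources and ports, a few services and sizes."""
    return [{"src_ip": f"10.0.0.{i}", "src_port": 1024 + i, "dst_ip": f"192.0.2.{i % 8}",
             "dst_port": (80, 443, 25, 53)[i % 4], "flow_size": 64 << (i % 8)} for i in range(n)]


def worm_window(n_scan=48, n_benign=16):
    """Constructed outbreak: one host scans many destinations on one port with one flow size."""
    scan = [{"src_ip": "10.0.0.7", "src_port": 1024 + i, "dst_ip": f"203.0.113.{i}",
             "dst_port": 1434, "flow_size": 404} for i in range(n_scan)]
    return scan + normal_window(n_benign)


def run_demo():
    """Profile on four benign windows, then score one benign and one outbreak window."""
    det = PmerDetector(n_s=4, threshold=2.0)
    learning = [det.observe(normal_window()) for _ in range(4)]
    quiet = det.observe(normal_window())
    outbreak = det.observe(worm_window())
    return learning, quiet, outbreak


if __name__ == "__main__":
    _, quiet, outbreak = run_demo()
    print("benign window:", quiet)
    print("outbreak window:", outbreak)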

  9. Flow Filter Mask Generation
  • On an alert, what to do?
    • Which flows are misbehaving?
    • Which features are anomalous?
  • The R_i will tell us which two features are involved
    • Of the two, consider only the feature whose RU has decreased
    • That feature's histogram is now concentrated around a few elements
  • How to identify these elements?
    • Relative entropy technique applied to the feature's histogram
    • Isolate the k dominant elements of the anomalous feature, e.g. k source IP addresses
  • Once the k dominant elements of the anomalous feature are identified
    • Identify the k dominant elements of the other features ?????
    • Intersect these and generate the filter ?????
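A flow filter mask built along the lines of slide 9, as an added example (not the paper's or the talk's code). The slide names a "relative entropy technique" without spelling it out, so the ranking here is an assumed variant: each value x of a feature is scored by its term p(x) log2(p(x)/q(x)) in the relative entropy of the window's histogram p against the profiled histogram q (unseen values get add-half smoothing), and the values that carry the divergence are the dominant elements. Only features whose RU fell below 80% of its profiled value (an assumed tolerance) contribute, and the per-feature dominant sets are intersected into a conjunctive filter, which is one reading of the slide's open "?????" steps. The traffic windows are constructed.

```python
import math
from collections import Counter

FEATURES = ("src_ip", "src_port", "dst_ip", "dst_port", "flow_size")
# Assumed maximum number of distinct values N_X per feature (toy sizes, constructed).
N_MAX = {"src_ip": 256, "src_port": 1024, "dst_ip": 256, "dst_port": 1024, "flow_size": 64}


def normal_window(n=64):
    """Constructed benign traffic: many sources and source ports, a few services and sizes."""
    return [{"src_ip": f"10.0.0.{i}", "src_port": 1024 + i, "dst_ip": f"192.0.2.{i % 8}",
             "dst_port": (80, 443, 25, 53)[i % 4], "flow_size": 64 << (i % 8)} for i in range(n)]


def worm_window(n_scan=48, n_benign=16):
    """Constructed outbreak: one host scans many destinations on one port with one flow size."""
    scan = [{"src_ip": "10.0.0.7", "src_port": 1024 + i, "dst_ip": f"203.0.113.{i}",
             "dst_port": 1434, "flow_size": 404} for i in range(n_scan)]
    return scan + normal_window(n_benign)


def relative_uncertainty(hist, n_max):
    """RU = H_X / log2(N_X) for a histogram of feature values."""
    m = sum(hist.values())
    h = -sum(c / m * math.log2(c / m) for c in hist.values())
    return h / math.log2(n_max)


def dominant_elements(window_hist, profile_hist, k=3, min_share=0.25):
    """Assumed relative-entropy ranking: score value x by p(x) * log2(p(x) / q(x)), its term
    in D(P_window || Q_profile). Values absent from the profile get q = 1 / (2 * m_q)
    (add-half smoothing, an assumption). Keep up to k values with a positive score that is
    at least min_share of the top score, so benign values with p ~ q are never selected."""
    m_p, m_q = sum(window_hist.values()), sum(profile_hist.values())
    scores = {}
    for x, c in window_hist.items():
        p = c / m_p
        q = profile_hist[x] / m_q if profile_hist[x] else 1.0 / (2 * m_q)
        scores[x] = p * math.log2(p / q)
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    top = ranked[0][1] if ranked else 0.0
    return [x for x, s in ranked[:k] if s > 0 and s >= min_share * top]


def build_flow_filter(window, profile, drop=0.8):
    """Keep only features whose RU fell below `drop` x their profiled RU (assumed tolerance),
    take their dominant values and intersect them into a conjunctive mask
    (feature -> set of allowed values)."""
    mask = {}
    for feat in FEATURES:
        win_h = Counter(f[feat] for f in window)
        prof_h = Counter(f[feat] for f in profile)
        if relative_uncertainty(win_h, N_MAX[feat]) < drop * relative_uncertainty(prof_h, N_MAX[feat]):
            dom = dominant_elements(win_h, prof_h)
            if dom:
                mask[feat] = set(dom)
    return mask


def select_flows(window, mask):
    """Flows whose every masked feature takes one of the mask's dominant values."""
    return [f for f in window if all(f[feat] in vals for feat, vals in mask.items())]


if __name__ == "__main__":
    mask = build_flow_filter(worm_window(), normal_window())
    print("flow filter mask:", mask)
    print("flows selected for payload extraction:", len(select_flows(worm_window(), mask)))
```

On the constructed outbreak window the mask singles out the scanning source, the scanned port and the worm's flow size, and the conjunction selects exactly the scan flows while the scanner's own benign flow to port 53 is left out; the features whose RU rose (destination IP) or barely moved (source port) are ignored, as the slide prescribes.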

  10. Signature Generation
  • Flow filters are deployed around the network
  • Automatic filter generation
    • Identify two flows that match the flow filter
    • Extract their payloads
    • Find their Longest Common Subsequence (LCS)
      • e.g. "computer" and "housetent"
      • Signature may be o.*u.*te
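The LCS-based signature step of slide 10, as an added example that is not part of the talk or the paper. The dynamic-programming LCS returns the matched index pairs; runs that are contiguous in both payloads become literal regex tokens and the gaps become ".*", which on the slide's own inputs "computer" and "housetent" yields exactly "o.*u.*te". The min_token knob is an assumption added here: the slide's example shows how little two payloads need to share for a signature to emerge, and dropping single-character tokens is the obvious first guard against a filter that matches nearly all traffic.

```python
import re
from typing import List, Tuple


def lcs_pairs(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Index pairs (i, j) of one longest common subsequence of a and b, by DP + backtrack."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n):
        for j in range(m):
            dp[i + 1][j + 1] = dp[i][j] + 1 if a[i] == b[j] else max(dp[i][j + 1], dp[i + 1][j])
    pairs, i, j = [], n, m
    while i and j:
        if a[i - 1] == b[j - 1]:
            pairs.append((i - 1, j - 1))
            i, j = i - 1, j - 1
        elif dp[i - 1][j] >= dp[i][j - 1]:
            i -= 1
        else:
            j -= 1
    return pairs[::-1]


def lcs(a: bytes, b: bytes) -> bytes:
    """The LCS itself, e.g. b"oute" for b"computer" and b"housetent"."""
    return bytes(a[i] for i, _ in lcs_pairs(a, b))


def signature(a: bytes, b: bytes, min_token: int = 1) -> str:
    """Build a regex from the LCS: characters adjacent in both payloads form a literal token,
    every break becomes '.*'. Tokens shorter than min_token are dropped (assumed knob)."""
    tokens, run, prev = [], bytearray(), None
    for i, j in lcs_pairs(a, b):
        if prev is not None and (i, j) != (prev[0] + 1, prev[1] + 1):
            tokens.append(bytes(run))
            run = bytearray()
        run.append(a[i])
        prev = (i, j)
    if run:
        tokens.append(bytes(run))
    kept = [re.escape(t.decode("latin-1")) for t in tokens if len(t) >= min_token]
    return ".*".join(kept)


def matches(sig: str, payload: bytes) -> bool:
    """True if the payload matches the generated signature anywhere."""
    return re.search(sig, payload.decode("latin-1"), re.DOTALL) is not None


if __name__ == "__main__":
    sig = signature(b"computer", b"housetent")
    print("LCS:", lcs(b"computer", b"housetent"), "signature:", sig)
    print("with min_token=2:", signature(b"computer", b"housetent", min_token=2))
    # Constructed probe payloads sharing a fixed framing around variable fields.
    p1, p2 = b"scan:id=17;key=abc;go", b"scan:id=4;key=zz;go"
    sig2 = signature(p1, p2, min_token=2)
    print("constructed probes:", sig2, matches(sig2, p1), matches(sig2, p2))
```

By construction every generated signature matches both source payloads, so the test of a signature is not that it fires on the flows it was built from but how much benign traffic it also matches; that is what the minimum token length and, in practice, more than two sample payloads are for.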

  11. Experiments
  • Very limited

  12. Questions?
