1 / 25

Vigilante: End-to-End Containment of Internet Worms

CS-558. Vigilante: End-to-End Containment of Internet Worms. Manuel Costa, Jon  Crowcroft , Miguel Castro, Antony  Rowstron ,  Lidong  Zhou,  Lintao  Zhang, Paul  Barham. Smyrnaki Ourania. Problems with Worm Containment. Worms spread too fast for humans to respond.

arav
Download Presentation

Vigilante: End-to-End Containment of Internet Worms

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CS-558 Vigilante: End-to-End Containment of Internet Worms Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang, Paul Barham SmyrnakiOurania

  2. Problems with Worm Containment • Worms spread too fast for humans to respond. • Recent network-level techniques have limitations: No information about the vulnerabilities exploited by worms at the network level.

  3. Introduction-Proposal • Propose a new system called Vigilante used for automatic Worm Containment. • Detector hosts distributed all over the network. Hard for worms to avoid detection Hard to disable them with denial-of-service attacks.

  4. Vigilante • End-to-end approach that contains worms automatically • Collaborative worm detection at end hosts, does not require hosts to trust each other. • Hosts detect worms and broadcast SCAs upon worm detection

  5. Components in Vigilante • Detection of Worms • Generation of SCAs • Verification Process • Distribution Process • Protection Process by generating filters to protect themselves

  6. Network Network Network Network Vigilante Vulnerable Application Generation of SCAs Filter Detection Engine Protection SCA Verification Network SCA Verification SCA Distribution SCA Distribution Vulnerable host Detector host

  7. Self-Certifying Alert (SCA) • Three different types of SCAs (describe vulerability) • Arbitrary Execution Control Alert: • Identifies vulnerabilities that allow worms to redirect execution to arbitrary pieces of code. • Arbitrary Code Execution Alert: • Describes code-injection vulnerabilities • Arbitrary Function argument: • Identify data-injection vulnerabilities that allow worms to to change the values of arguments to critical functions

  8. Self-Certifying Alert (SCA) for Slammer Worm • All three types of SCAs have a common format

  9. Alert cerification • Reproduce the infection process in a Virtual Machine. • Each host runs a VM with a verification manager. Step 2:Verification manager uses the data in the SCA to identify the vulnerable service Step 4:If Verified is executed, the Verification Manager signals SUCCESS to the SCA Verifier. Otherwise the SCA Verifier declares failure after timeout.

  10. Alert generation 2 Detection engines • Non-executable pages • Dynamic DataFlow Analysis

  11. Non-executable pages • Non-execute protection on stack and heap pages. • When a worm attempts to execute code in a protected page  exception is thrown. • Detector catches exception and tries to generate a SCA. • Traverses the message logs searching for the code to be executed or for the address of the faulting instructions  Generates a SCA

  12. Dynamic-Dataflow Analysis • Dynamic information flow tracking is a hardware mechanism to protect programs against malicious attacks by identifying spurious information flows and restricting the usage of spurious information • Track flow data received in certain network/input operations. • Instrument every control transfer instruction RET,CALL,JPM and every push instruction MOV,PUSH

  13. Dynamic-Dataflow Analysis • Simple algorithm: • Whenever an instruction moves data from a source to a destination, the Destinations becomes dirty if the source is dirty, or clean otherwise • .

  14. Distribution of SCAs Race Worm propagation Vs SCA Distribution

  15. Distribution process Secure Overlay network called Pastry with super peers in order to broadcast the alerts • Flooding in order to broadcast alerts to ALL the hosts in the overlay. • Each hosts maintains 15log16N neighbors and the expected length is log16N • Vigilante overlay extremely effective  once a detector is probed, it takes 2.5 secs to reach almost all the vulnerable hosts

  16. Evaluation • Evaluated Vigilante with Real Worms • Slammer: • Infected approximately 75,000 Microsoft SQL Servers. • Fastest computer worm in History • During its outbreak, the number of infected machines doubled every 8.5 seconds

  17. Evaluation CodeRed: • Infected approximately 360,000 Microsoft IIS Servers. • Speads much slower than Slammer. • Took 37 minutes to double the infected population

  18. Evaluation Blaster: • Infected the RPC service on Microsoft Windows machines. • Infected 500,000 hosts • Spread rate similar to CodeRed’s.

  19. Evaluation- Alert Generation Detectors generate arbritaryexecution control alert for Slammer and Blaster and arbritary code execution alert for CodeRed. Both detectors generate SCAs fast. Generation is higher in CodeRed since the number of instructions executed is larger. NX detector performs best: Instrumentation is less intrusive and less general. SCA generation time in milliseconds for real worms using two detectors

  20. Evaluation- Alert Generation Size of SCAs is small Mostly determined by the size of the worm probe messages SCAsizes in bytes for real worms

  21. Evaluation- Alert Verification Verification is fast. Keep a VM running, ready to verify SCAs when they arrive Starting VMs on demand resulted in additional delay SCAverification time in ms for real worms

  22. Modeling of Worm propagation/Infection • S: Susceptible hosts • Fraction p for detectors • β : infection rate • It total number of infected hosts at time t • Pt number of distinct susceptible hosts that have been probed by worm at time t

  23. Evaluation- Containment Infected percentage of vulnerable hosts with different fractions of p detectors. A small fraction of detectors p=0.001 is enough to contain the worm infection to less than 5% of the vulnerable population, even under DoS attacks.

  24. Evaluation- Filter generation Filter generation for CodeRed more expensive Number of instructions analysed is larger Filter generation time for real worms

  25. Evaluation- Containment Effect of SCA Verification time, infection rate and number of initially infected hosts. • When is ffectiveness of Vigilante reduced ? • Verification time is 1000 ms • Infection rate is 8β • 10000 initially infected nodes

More Related