Post on 21-Dec-2015
Page 1
Automated Worm Fingerprinting
Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage
Manan Sanghi
Page 2
The menace
Page 3
Context
Worm detection:
Scan detection
Honeypots
Host-based behavioral detection
Payload-based ???
Page 4
Context
Characterization:
A priori vulnerability signatures: generally manual, host-based
Honeycomb: longest common subsequences
Autograph: network-level automatic signature generation
Page 5
Context
Containment:
Host quarantine
String matching
Connection throttling
Address blacklisting
Content filtering
Internet quarantine
Page 6
Worm behavior
Content invariance: limited polymorphism (e.g. the encryption key varies), but portions are invariant (e.g. the decryption routine)
Content prevalence: the invariant portion appears frequently
Address dispersion: the number of infected distinct hosts grows over time, reflecting different source and destination addresses
Page 7
Key Idea
Detect unknown worms on the basis of:
a common exploit sequence
a range of unique sources and destinations
Page 8
Content Sifting
For each string w, maintain:
prevalence(w): number of times it is found in the network traffic
sources(w): number of unique sources corresponding to it
destinations(w): number of unique destinations corresponding to it
If thresholds exceeded, then block(w)
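The sifting rule on this slide, as an added example (my code, not the paper's EarlyBird implementation): exact counting of prevalence(w), sources(w) and destinations(w) over overlapping b-byte substrings, with block(w) fired when all three thresholds are met. The substring length, the thresholds and the seven-packet trace are constructed assumptions chosen so that the trace trips the rule; the benign "popular object" packets show why prevalence alone is not enough and dispersion is checked as well.

```python
from collections import defaultdict

# Constructed parameters. The deck's deployment used prevalence 3 and an
# address-dispersion threshold of 30; these are kept small so the short trace
# below trips them.
B = 8                      # length of the fixed-size substrings w (bytes)
PREVALENCE_THRESHOLD = 3   # prevalence(w) must reach this ...
SOURCE_THRESHOLD = 3       # ... and sources(w) this ...
DEST_THRESHOLD = 3         # ... and destinations(w) this, before block(w)


class ContentSifter:
    """Exact (unsampled) content sifting: per-substring prevalence plus
    distinct source and destination counts, with a threshold block rule."""

    def __init__(self, b=B, prevalence=PREVALENCE_THRESHOLD,
                 sources=SOURCE_THRESHOLD, dests=DEST_THRESHOLD):
        self.b = b
        self.thresholds = (prevalence, sources, dests)
        self.prevalence = defaultdict(int)     # prevalence(w)
        self.sources = defaultdict(set)        # sources(w)
        self.destinations = defaultdict(set)   # destinations(w)
        self.blocked = set()

    def exceeds(self, w):
        p, s, d = self.thresholds
        return (self.prevalence[w] >= p
                and len(self.sources[w]) >= s
                and len(self.destinations[w]) >= d)

    def process(self, src, dst, payload):
        """Feed one packet; return the substrings newly blocked by it."""
        newly_blocked = []
        seen = set()   # design choice here: count a substring once per packet
        for i in range(len(payload) - self.b + 1):
            w = payload[i:i + self.b]
            if w in seen:
                continue
            seen.add(w)
            self.prevalence[w] += 1
            self.sources[w].add(src)
            self.destinations[w].add(dst)
            if w not in self.blocked and self.exceeds(w):
                self.blocked.add(w)
                newly_blocked.append(w)
        return newly_blocked


# Constructed trace. WORM_CORE stands in for a worm's invariant bytes and is
# carried by three different sources to three different destinations; POPULAR
# is a benign object served by one host to many clients: high prevalence but
# no source dispersion, so it must not be blocked.
WORM_CORE = b"DECODER-STUB-0123"
POPULAR = b"HTTP/1.1 200 OK\r\nServer: x\r\n"
TRACE = [
    ("10.0.0.1", "10.0.1.1", b"XX" + WORM_CORE + b"aa"),
    ("10.0.0.2", "10.0.1.2", b"YYYY" + WORM_CORE),
    ("10.0.2.9", "10.0.3.1", POPULAR),
    ("10.0.2.9", "10.0.3.2", POPULAR),
    ("10.0.2.9", "10.0.3.3", POPULAR),
    ("10.0.2.9", "10.0.3.4", POPULAR),
    ("10.0.0.3", "10.0.1.3", WORM_CORE + b"zz"),
]


def run_trace(trace=TRACE):
    """Sift the whole trace; return the sifter and every substring it blocked,
    in the order the block decisions were made."""
    sifter = ContentSifter()
    blocked = []
    for src, dst, payload in trace:
        blocked.extend(sifter.process(src, dst, payload))
    return sifter, blocked


if __name__ == "__main__":
    sifter, blocked = run_trace()
    print(f"blocked {len(blocked)} substrings, e.g. {blocked[0]!r}")
    w = POPULAR[:B]
    print(f"POPULAR window prevalence={sifter.prevalence[w]} "
          f"sources={len(sifter.sources[w])} -> blocked={w in sifter.blocked}")
```

All ten 8-byte windows of WORM_CORE are blocked by the third worm packet, while every window of POPULAR reaches prevalence 4 but stays unblocked because it was only ever seen from one source.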
Page 9
Issues
How to compute prevalence(w), sources(w) and destinations(w) efficiently?
Scalable: low memory and CPU requirements
Real-time deployment over a Gigabit-scale link
Page 10
prevalence(w)
w = entire packet: use multi-stage filters (k-ary sketches?)
w = small fixed length b: Rabin fingerprints, value sampling
Page 11
Value Sampling
The problem: a packet of s bytes has s-b+1 substrings of length b
Solution: sample
But: random sampling is not good enough (the same worm substring must be picked wherever it appears)
Trick: sample only those substrings for which the fingerprint matches a certain pattern
Since Rabin fingerprints are randomly distributed, the probability of tracking a worm with x bytes of invariant content when a fraction f of the fingerprints is sampled is
$P_{track}(x) = 1 - e^{-f(x-b+1)}$
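Value sampling as an added example, not code from the paper: a polynomial rolling hash stands in for the Rabin fingerprint (it has the same O(1)-per-window rolling property, but uses modular rather than GF(2) polynomial arithmetic), a window is tracked only when the low four bits of its fingerprint are zero (f = 1/16), and the slide's P_track(x) is compared with an empirical estimate over random content. The window length, the mask, the modulus and the sample payload are constructed assumptions.

```python
import math
import random

# Constructed parameters: b-byte windows, and a window is tracked only when the
# low 4 bits of its fingerprint are zero, i.e. a sampling fraction f = 1/16.
B = 40
MASK = 0xF
F = 1.0 / (MASK + 1)
MOD = (1 << 61) - 1   # modulus of the polynomial rolling hash (a Mersenne prime)
RADIX = 257


def fingerprint(window):
    """Polynomial hash of one window, computed from scratch (reference)."""
    h = 0
    for byte in window:
        h = (h * RADIX + byte) % MOD
    return h


def rolling_fingerprints(payload, b=B):
    """Yield (offset, fingerprint) for every b-byte window of payload; each
    step costs O(1), so a packet costs O(len(payload)) instead of O(len * b)."""
    if len(payload) < b:
        return
    top = pow(RADIX, b - 1, MOD)     # weight of the byte leaving the window
    h = fingerprint(payload[:b])
    yield 0, h
    for i in range(b, len(payload)):
        h = (h - payload[i - b] * top) % MOD   # drop the outgoing byte
        h = (h * RADIX + payload[i]) % MOD     # shift in the incoming byte
        yield i - b + 1, h


def sampled_windows(payload, b=B, mask=MASK):
    """Value sampling: keep only the windows whose fingerprint matches the
    pattern. The decision depends on the bytes alone, so the same substring is
    sampled (or not) wherever it appears in any packet."""
    return {payload[i:i + b] for i, h in rolling_fingerprints(payload, b)
            if h & mask == 0}


def p_track_formula(x, b=B, f=F):
    """The slide's P_track(x) = 1 - e^{-f(x-b+1)}: the probability that at
    least one of the x-b+1 windows of an x-byte invariant region is sampled."""
    return 1.0 - math.exp(-f * (x - b + 1))


def p_track_empirical(x, trials=2000, b=B, mask=MASK, seed=1):
    """Fraction of random x-byte regions with at least one sampled window."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        region = bytes(rng.getrandbits(8) for _ in range(x))
        if sampled_windows(region, b, mask):
            hits += 1
    return hits / trials


# Constructed payload used below.
PAYLOAD = b"constructed payload: " + bytes(range(100))


if __name__ == "__main__":
    sampled = sampled_windows(PAYLOAD)
    print(f"{len(PAYLOAD) - B + 1} windows, {len(sampled)} sampled at f={F}")
    shifted = sampled_windows(bytes(7) + PAYLOAD)   # same bytes, 7 bytes later
    print(f"offset-invariant: {sampled <= shifted}")
    for x in (48, 64, 96):
        print(f"x={x}: formula {p_track_formula(x):.3f} "
              f"empirical {p_track_empirical(x):.3f}")
```

The offset-invariance check is the point of the trick: every window sampled from PAYLOAD is also sampled when the same bytes sit seven positions later in another packet, which random sampling of positions would not guarantee. For x = 64 and b = 40 the formula gives about 0.79, and the empirical rate over random regions lands within a few hundredths of it.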
Page 12
sources(w) & destinations(w)
Address dispersion: counting distinct elements vs. repeating elements
A simple list or hash table is too expensive
Key idea: bitmaps
Trick: scaled bitmaps
Page 13
Direct Bitmap
Each content source is hashed into a bitmap, the corresponding bit is set, and an alarm is raised when the number of bits set exceeds a threshold.
Drawback: loses the estimate of the actual value of each counter
Page 14
Scaled Bitmap
Idea: subsample the range of the hash space
How it works: multiple bitmaps, each mapped to a progressively smaller portion of the hash space; a bitmap is recycled if necessary
Result: roughly 5 times less memory, plus an actual estimate of address dispersion
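The direct and scaled bitmaps of the last two slides as one added example (my code, not the paper's implementation). The direct bitmap carries the slide's threshold rule plus a linear-counting estimate; the scaled bitmap is a simplified version in which level i only records addresses whose hash falls in the first 1/2^i of the hash space, so the same-sized bitmap covers 2^i times as many distinct addresses before it saturates, and the estimate is read from the first level that is not saturated. Bitmap size, number of levels, the 70% saturation cutoff and the source addresses are assumptions; the paper's bitmap recycling and its 5x memory figure are not reproduced.

```python
import hashlib
import math

# Constructed parameters: each bitmap is 1024 bits; the scaled bitmap keeps 6
# of them, level i seeing only the first 1/2^i of the hash space.
BITS = 1024
LEVELS = 6


def h64(item):
    """64-bit hash of a source/destination identifier (an address string here)."""
    return int.from_bytes(hashlib.blake2b(item.encode(), digest_size=8).digest(), "big")


class DirectBitmap:
    """Slide 13: hash each address to one bit and set it. Repeats of the same
    address hit the same bit, so the bitmap counts distinct addresses."""

    def __init__(self, bits=BITS):
        self.bits = bits
        self.bitmap = bytearray(bits // 8)
        self.set_bits = 0

    def add(self, h):
        idx = h % self.bits
        byte, bit = divmod(idx, 8)
        if not self.bitmap[byte] & (1 << bit):
            self.bitmap[byte] |= 1 << bit
            self.set_bits += 1

    def alarm(self, threshold):
        """The slide's rule: alarm when the number of set bits exceeds a threshold."""
        return self.set_bits > threshold

    def estimate(self):
        """Linear-counting estimate n ~ -bits * ln(zero_bits / bits): the usual
        collision correction, added here; the slide itself shows no estimate."""
        zeros = self.bits - self.set_bits
        return math.inf if zeros == 0 else -self.bits * math.log(zeros / self.bits)


class ScaledBitmap:
    """Simplified scaled bitmap (assumption: no recycling of bitmaps)."""

    def __init__(self, bits=BITS, levels=LEVELS):
        self.bits = bits
        self.levels = [DirectBitmap(bits) for _ in range(levels)]

    def add(self, h):
        selector = h >> 32          # high 32 bits decide which levels see the item
        index = h & 0xFFFFFFFF      # low 32 bits pick the bit inside a level
        for i, level in enumerate(self.levels):
            if selector >= (1 << 32) >> i:
                break               # nested ranges: out of level i, out of all finer ones
            level.add(index)

    def estimate(self):
        """Estimate from the first level that is not saturated, scaled up by
        the fraction of the hash space that level covers."""
        for i, level in enumerate(self.levels):
            if level.set_bits <= 0.7 * self.bits:
                return (1 << i) * level.estimate()
        last = len(self.levels) - 1
        return (1 << last) * self.levels[last].estimate()

    def memory_bytes(self):
        return sum(len(level.bitmap) for level in self.levels)


def count_sources(n, sketch):
    """Feed n distinct constructed source addresses (each twice, to show that
    repeats do not inflate the count) and return the sketch's estimate."""
    for k in range(n):
        addr = f"10.{(k >> 16) & 255}.{(k >> 8) & 255}.{k & 255}"
        sketch.add(h64(addr))
        sketch.add(h64(addr))
    return sketch.estimate()


if __name__ == "__main__":
    for n in (500, 5000, 50000):
        print(f"{n:6d} distinct sources: direct ~{count_sources(n, DirectBitmap()):.0f}, "
              f"scaled ~{count_sources(n, ScaledBitmap()):.0f}")
```

With 1024-bit bitmaps, 5000 distinct sources saturate the direct bitmap's resolution, while the scaled bitmap reads its estimate from the level that sees one eighth or one quarter of them and scales it back up, staying within a few percent of the true count.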
Page 15
Putting it together
Page 16
Experience
System design: sensors and aggregators
Sensor: sifts through traffic on configurable address-space zones of responsibility
Aggregator: coordinates real-time updates from the sensors, coalesces related signatures, and so on
Parameters:
content prevalence: 3
address dispersion threshold: 30
garbage collection time: several hours
Page 17
prevalence(w) threshold
Page 18
Address Dispersion threshold
Page 19
Garbage Collection threshold
Page 20
Trace-based False Positives
Page 21
Performance
Processing time:
Memory consumption: 4M bytes
Page 22
Live Experience
Detect known worms: CodeRed,
Detect new worms: MyDoom, Sasser, Kibvu.B
Page 23
Limitation & Extension
Variant content
Network evasion
Extension: Dealing with slow worms
Page 24
Comparison: Earlybird vs. Autograph
Infect the system with network data (real traces)
Rabin fingerprint
White-list/blacklist
No prefiltering (Earlybird) vs. flow reassembly (Autograph)
Single-sensor algorithmics + centralized aggregators (Earlybird) vs. distributed deployment + active cooperation between multiple sensors (Autograph)
On-line (Earlybird) vs. off-line (Autograph)
Overlapping, fixed-length chunks (Earlybird) vs. non-overlapping, variable-length chunks (Autograph)
Qinghua Zhang
Page 25
Breather
Page 26
Polygraph: Automatically Generating Signatures For Polymorphic Worms
James Newsome, Brad Karp, Dawn Song
Page 27
The case for polymorphic worms
A single substring is insufficient:
Sensitive: it should exist in all payloads of the worm
Specific: it should be long enough not to exist in any non-worm payload
Page 28
Examples
Page 29
Signature Classes
Signature – set of tokens
Conjunction Signatures
Token-subsequence Signatures
Bayes Signatures
Page 30
Problem Formulation
Page 31
Algorithms
Preprocessing: distinct substrings of a minimum length l that occur in at least k samples in the suspicious pool
Generating signatures:
Conjunction signatures
Token-subsequence signatures
Bayes signatures
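The preprocessing step and the three signature classes from the Polygraph slides, as one added example (my code, not Polygraph's; it also serves the earlier "single substring is insufficient" slide). The suspicious pool holds three constructed "polymorphic" samples that share invariant pieces in a fixed order around different filler; the innocuous pool carries each piece on its own, so any single token is sensitive but not specific, while a conjunction over all tokens is both. Assumptions: l = 4, k = 3, the maximality rule (a substring of a longer token with identical support is dropped), ordering tokens by first occurrence for the subsequence signature, Laplace-smoothed log-likelihood ratios for the Bayes scores, and a Bayes threshold set to the lowest total a suspicious sample reaches.

```python
import math

# Constructed parameters: tokens are substrings of at least l bytes that occur
# in at least k samples of the suspicious pool.
L_MIN = 4
K_MIN = 3

# Constructed pools. The three suspicious samples are "polymorphic": the same
# invariant pieces T1, T2, T3 in the same order, with different filler between
# them. Each piece also shows up on its own in benign traffic.
T1, T2, T3 = b"HDR-V1 ", b" RET=\x10\x7f", b" STUB!"
SUSPICIOUS = [
    T1 + b"aaaa" + T2 + b"bb" + T3,
    T1 + b"cdef0123" + T2 + b"g" + T3 + b"hh",
    b"pre" + T1 + b"xy" + T2 + b"wxyz" + T3,
]
INNOCUOUS = [b"HDR-V1 hello world", b"ack RET=\x10\x7f done", b"keepalive STUB! ok"]


def extract_tokens(pool, l=L_MIN, k=K_MIN):
    """Preprocessing: distinct substrings of length >= l found in >= k samples,
    reduced to maximal ones (a substring of a longer token that occurs in
    exactly the same samples carries no extra information and is dropped)."""
    support = {}
    for idx, sample in enumerate(pool):
        for i in range(len(sample)):
            for j in range(i + l, len(sample) + 1):
                support.setdefault(sample[i:j], set()).add(idx)
    candidates = sorted((t for t, s in support.items() if len(s) >= k),
                        key=len, reverse=True)
    tokens = []
    for t in candidates:
        if not any(t in u and support[u] == support[t] for u in tokens):
            tokens.append(t)
    return tokens


def conjunction_match(tokens, payload):
    """Conjunction signature: every token present, in any order."""
    return all(t in payload for t in tokens)


def order_tokens(tokens, pool):
    """Token-subsequence signature: the tokens in the order they appear in the
    samples; None if the samples disagree on the order."""
    orders = {tuple(sorted(tokens, key=s.find))
              for s in pool if all(t in s for t in tokens)}
    return list(orders.pop()) if len(orders) == 1 else None


def subsequence_match(ordered, payload):
    """Match if the tokens occur in order (like the regex t1.*t2.*t3)."""
    pos = 0
    for t in ordered:
        i = payload.find(t, pos)
        if i < 0:
            return False
        pos = i + len(t)
    return True


def bayes_scores(tokens, suspicious, innocuous):
    """Bayes signature: each token scores the log ratio of how often it occurs
    in the suspicious versus the innocuous pool (Laplace smoothed). The
    threshold is the lowest total any suspicious sample reaches."""
    def present(t, pool):
        return (sum(t in s for s in pool) + 1) / (len(pool) + 2)
    scores = {t: math.log(present(t, suspicious) / present(t, innocuous))
              for t in tokens}
    threshold = min(sum(scores[t] for t in tokens if t in s) for s in suspicious)
    return scores, threshold


def bayes_match(scores, threshold, payload):
    return sum(v for t, v in scores.items() if t in payload) >= threshold


if __name__ == "__main__":
    tokens = extract_tokens(SUSPICIOUS)
    ordered = order_tokens(tokens, SUSPICIOUS)
    scores, threshold = bayes_scores(tokens, SUSPICIOUS, INNOCUOUS)
    print("tokens:", tokens, "order:", ordered)
    for label, pool in (("suspicious", SUSPICIOUS), ("innocuous", INNOCUOUS)):
        for s in pool:
            print(f"{label:10s} conj={conjunction_match(tokens, s)} "
                  f"subseq={subsequence_match(ordered, s)} "
                  f"bayes={bayes_match(scores, threshold, s)} {s!r}")
```

The preprocessing recovers exactly T1, T2 and T3 as tokens. A payload that carries all three tokens out of order separates the classes: the conjunction and Bayes signatures still match it, the token-subsequence signature does not; none of the three classes matches the innocuous samples, whereas a signature built from T1 alone would.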
Page 32
Wrap Up
Automated Worm Fingerprinting (OSDI 2004)
Polygraph: Automatically Generating Signatures For Polymorphic Worms
(IEEE Security Symposium 2005)
Manan Sanghi