IEEE Communications Surveys & Tutorials, 1st Quarter 2008
TRANSCRIPT
Outline
Terminology
Internet Worms
Defending Against Internet Worms
Containment
Terminology
Activation: Activation is when a worm starts performing its malicious activities. Activation might be triggered on a specific date or under certain conditions.
False alarm: A false alarm is an incorrect alert generated by a worm detection system.
False positive: A false positive is a false alarm where an alert is generated when there is no actual attack or threat.
False negative: A false negative means the detection system missed an attack. It is a false negative if no alert is generated while the system is under attack.
Infection: Infection is the result of the worm performing its malicious activities on the host.
Target finding: Target finding is the first step in a worm's life, in which it discovers victims (vulnerable hosts).
Terminology (cont'd)
Threshold: A threshold is a predefined condition that, if met, indicates the existence of suspicious traffic or a worm attack.
Transfer: Transfer refers to sending a copy of the worm to the target after the victim (target) is discovered.
Virus: A virus is a malicious piece of code that attaches to other programs to propagate. It cannot propagate by itself, and normally depends on some user intervention, such as opening an email attachment or running an executable file, to be activated.
Worm: A worm is a malicious piece of code that self-propagates, often via network connections, exploiting security flaws in computers on the network.
Internet Worms
Definition: a piece of malicious code that duplicates and propagates by itself. Usually, it does not require any human interaction and spreads via network connections.
Life of a worm
Phase 1: target finding
Phase 2: worm transfer
Phase 3: worm activation
Phase 4: infection
Can be caught by a NIDS
Categorization of worm characteristics
Worm target finding scheme
Blind target finding
1. Sequential
2. Random
3. Permutation
High failed-connection rate; many anomaly-based detection systems are designed to capture this type of worm.
Hit list
Prescanned stealthily; more accurate, and may cause more damage.
Worm target finding scheme (cont'd)
Topological
Many hosts on the Internet store information about other hosts on the network. Worms use this information to gain knowledge of the network topology and use that as the path of infection. Spread very fast.
Passive
Require certain host behavior or human intervention to propagate.
Use search engines.
Worm Propagation Scheme
Self-carried worms
Through a second channel
Embedded propagation
Botnet: a group of compromised hosts under the control of a botmaster.
Worm Payload Format
Monomorphic worm: worms send the payload in a straightforward, unchanged fashion.
Polymorphic worm: worms change their payload dynamically by scrambling the program.
Metamorphic worm: worms change not only their appearance but also their behavior.
Internet Worm Defense
Worm Detection
Signature Based
traditional technique used in intrusion detection systems (IDSs)
looks at the payload and identifies whether or not it contains a worm
requires an entry in the signature database
Anomaly Based
detects abnormal behaviors and generates alarms
requires a definition of normal network behavior
Traffic Rate/Connection Count: TCP SYN
If the number of SYN packets sent from a certain host exceeds a threshold value within a period of time, the host is considered to be scanning.
Pro's
able to catch most active scanning worms
Con's
easy to cause false alarms
not efficient
useless against UDP worms
Failed Connection Counts: TCP RST and ICMP
Failed connection: an attempt to connect to a nonexisting IP address, or to an existing IP address with the target port closed.
Failed Connection Counts: TCP RST and ICMP (cont'd)
Detects active scanning worms based on their failed connections.
Pro's
more efficient and accurate
useful for both TCP and UDP worms
Con's
not effective against hit list, topological, or passive scanning worms
ICMP error messages may be blocked or dropped by some border routers or gateway systems
not suitable for large networks
Ratio of Successful and Failed Connections
Instead of counting the failed or successful connection attempts, some believe it is the ratio or correlation of successful and failed connections that matters.
Counting the number of connections, whether successful or not, depends on the Internet usage and the network size to be effective. If the network being monitored is large, this can be very resource consuming.
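The count-based and ratio-based schemes above, side by side over a constructed connection log (an added example, not code from the survey). The addresses, outcomes and thresholds are made up; "rst" stands for a TCP RST and "icmp_unreach" for an ICMP unreachable, the two failure signals the text names.

```python
from collections import defaultdict

# Constructed connection-attempt log: (t_seconds, src, dst, outcome).
# outcome "ok" = SYN/ACK seen; "rst" = port closed; "icmp_unreach" = no such host/port.
def _attempts(src, outcomes):
    return [(i, src, "10.0.1.%d" % (10 + i), o) for i, o in enumerate(outcomes)]

RECORDS = (
    _attempts("10.0.0.5", ["ok"] * 10 + ["rst"])                          # busy relay
    + _attempts("10.0.0.9", ["icmp_unreach"] * 3 + ["rst"] * 2 + ["ok"])  # scanner
    + _attempts("10.0.0.7", ["ok", "ok"])                                 # ordinary client
)

def per_host_stats(records, window_s):
    """Count attempts, failures and successes per source host inside the window."""
    stats = defaultdict(lambda: {"attempts": 0, "failed": 0, "ok": 0})
    for t, src, _dst, outcome in records:
        if t >= window_s:
            continue
        s = stats[src]
        s["attempts"] += 1
        s["failed" if outcome in ("rst", "icmp_unreach") else "ok"] += 1
    return stats

def detect(records, window_s=60, attempt_threshold=8,
           failure_ratio=0.5, min_attempts=4):
    """Flag hosts by raw attempt count (SYN-count scheme) and/or by the share of
    failed connections (ratio scheme). Returns {src: [reasons]}."""
    flagged = {}
    for src, s in per_host_stats(records, window_s).items():
        reasons = []
        if s["attempts"] > attempt_threshold:            # count alone: busy relay trips it
            reasons.append("attempt_count")
        if (s["attempts"] >= min_attempts
                and s["failed"] / s["attempts"] > failure_ratio):  # ratio: only the scanner
            reasons.append("failure_ratio")
        if reasons:
            flagged[src] = reasons
    return flagged

if __name__ == "__main__":
    for host, why in detect(RECORDS).items():
        print(host, why)
```

The busy relay is flagged only by the count scheme, the false alarm the Con's list warns about, while the scanner with few but mostly failed attempts is caught only by the ratio.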
Destination-Source Correlation
Based on the correlation between incoming and outgoing traffic.
Pro's
able to detect almost all types of scans on the same port
works for both TCP and UDP worms
Con's
only captures scans from worms targeting the same port
Figure: Illustration of a destination-source correlation scheme
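A minimal destination-source correlation check over constructed flow records (an added example, not the survey's own scheme or code): a host that first receives a connection on a port and then fans out to several other hosts on that same port is flagged. Addresses, ports and the fan-out threshold are assumptions.

```python
from collections import defaultdict

# Constructed flow records: (t_seconds, src, dst, dport). Everything here is made up.
FLOWS = [
    (0, "10.0.2.3", "10.0.0.4", 445),    # inbound to 10.0.0.4 on 445 ...
    (5, "10.0.0.4", "10.0.1.20", 445),   # ... then 10.0.0.4 reaches out on 445
    (6, "10.0.0.4", "10.0.1.21", 445),
    (7, "10.0.0.4", "10.0.1.22", 445),
    (8, "10.0.0.4", "10.0.1.23", 445),
    (1, "10.0.3.1", "10.0.0.6", 80),     # web server receives on 80
    (2, "10.0.0.6", "10.0.4.1", 443),    # and calls out on a different port
    (3, "10.0.0.6", "10.0.4.2", 443),
    (4, "10.0.0.6", "10.0.4.3", 443),
    (9, "10.0.0.8", "10.0.1.30", 445),   # outbound on 445 with no prior inbound
    (10, "10.0.0.8", "10.0.1.31", 445),
    (11, "10.0.0.8", "10.0.1.32", 445),
]

def correlate(flows, fanout_threshold=3):
    """Return {host: port} for hosts that were a destination on a port and afterwards
    became a source to >= fanout_threshold distinct hosts on that same port."""
    first_inbound = {}                       # (host, port) -> earliest arrival time
    for t, _src, dst, port in flows:
        key = (dst, port)
        if key not in first_inbound or t < first_inbound[key]:
            first_inbound[key] = t
    outbound = defaultdict(set)              # (host, port) -> targets seen after inbound
    for t, src, dst, port in flows:
        key = (src, port)
        if key in first_inbound and t > first_inbound[key]:
            outbound[key].add(dst)
    return {host: port for (host, port), targets in outbound.items()
            if len(targets) >= fanout_threshold}

if __name__ == "__main__":
    print(correlate(FLOWS))
```

The web server that receives on 80 but calls out on 443 is ignored, which is the "same port only" limitation listed under Con's, and so is the host with outbound 445 traffic but no matching inbound connection.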
DarkNet/Unused Address Space
Monitor unused address space instead of used addresses; scanning or connection attempts toward nonexisting addresses are abnormal behaviors for a regular network.
Pro's
requires significantly fewer resources
works for both TCP and UDP worms
Con's
not very useful against hit list, topological, or passive scans
Honeypots
A honeypot is a vulnerable system on the network that does not provide any real services: a security resource whose value lies in being probed, attacked, or compromised. In a normal situation, no traffic is supposed to come toward the honeypot.
Pro's
able to detect both TCP and UDP worms
gathers less but higher quality data
able to detect hit list and topological worms
Con's
not useful against passive worms
Figure: Honeypot used in worm detection and containment
Unknown Signature Detection Systems
Signature-based detection systems are vulnerable to unknown attacks. To remedy this issue, some algorithms have been proposed to detect unknown attacks by generating signatures in real time; these are considered anomaly-based.
E.g. 1: Honeycomb, a honeypot-based IDS capable of generating signatures for unknown worms.
E.g. 2: Autograph, which relies on unsuccessful scans and automatically generates signatures for TCP worms by analyzing the contents of the payload, based on the most frequently occurring byte sequence in the suspicious flows.
Detecting Polymorphic Worms
Most payload detection algorithms target monomorphic worm payloads only and have no defense against polymorphic worms.
Karp and Song proposed Polygraph: certain payload contents are not changed:
protocol framing bytes
value used for the return address
pointer to overwrite a jump target
Divide signatures into tokens; generate tokens automatically and detect worms based on these tokens.
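The two signature styles contrasted on the Autograph and Polygraph slides, worked on constructed payloads (an added example, not code from the survey or from either system): a single most-prevalent byte sequence versus a conjunction of invariant tokens. The framing string, the return-address bytes and the scrambled bodies are all made up.

```python
# Constructed payloads (not real worm traffic). Each suspicious flow keeps the two
# invariants the text lists, protocol framing bytes and a fixed return address,
# around a body that differs in every copy, as a polymorphic worm would arrange.
FRAMING = b"GET /cgi-bin/"
RET_ADDR = b"\x90\xfe\xff\xbf"            # arbitrary bytes standing in for the return address
SUSPICIOUS = [FRAMING + body + RET_ADDR for body in
              (b"A" * 8 + b"\x01\x02", b"B" * 8 + b"\x03\x04", b"C" * 8 + b"\x05\x06")]

def longest_prevalent_sequence(flows, min_frac=1.0):
    """Single-substring signature: the longest byte string present in at least
    min_frac of the suspicious flows (candidates are taken from the first flow)."""
    base, need = flows[0], min_frac * len(flows)
    for length in range(len(base), 0, -1):
        for i in range(len(base) - length + 1):
            cand = base[i:i + length]
            if sum(cand in f for f in flows) >= need:
                return cand
    return b""

def invariant_tokens(flows, min_len=3):
    """Token signature: maximal byte strings of >= min_len bytes shared by every
    flow, returned in the order they occur in the first flow."""
    base = flows[0]
    shared = {base[i:j] for i in range(len(base))
              for j in range(i + min_len, len(base) + 1)
              if all(base[i:j] in f for f in flows[1:])}
    maximal = [t for t in shared if not any(t != u and t in u for u in shared)]
    return sorted(maximal, key=base.find)

def matches_tokens(payload, tokens):
    """Conjunction match: every token must appear in the payload, in order."""
    pos = 0
    for t in tokens:
        pos = payload.find(t, pos)
        if pos < 0:
            return False
        pos += len(t)
    return True

if __name__ == "__main__":
    toks = invariant_tokens(SUSPICIOUS)
    print("single-sequence signature:", longest_prevalent_sequence(SUSPICIOUS))
    print("token signature:", toks)
    print("benign CGI request matches tokens?",
          matches_tokens(b"GET /cgi-bin/printenv", toks))
```

The single longest common sequence collapses to the framing bytes alone, which also appear in an ordinary CGI request, whereas the token conjunction (framing and return address together) matches every scrambled copy and not the benign request.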
Combined usage of detection schemes
Unknown signature-based detection system: takes time to generate signatures, even for worms whose signatures are already defined.
Known signature-based detection system: can't detect unknown worms.
Merge them!
Figure: Anomaly detection methods vs. worm characteristics
Containment
Slowing Down Infection: rate limiting techniques
Blocking
Address Blocking: when a host is identified as a scanner or victim, any traffic from that host address is dropped.
Content Blocking: if the packet content matches a worm signature, the packet is dropped automatically.
Honeypot: trap worms into infecting a simulated machine (the honeypot).
Comments
No perfect solution to deal with all existing and future worms.
Efficiency issue