DOCSLIB.ORG

Detecting Early Worm Propagation Through Packet Matching

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Detecting Early Worm Propagation Through Packet Matching Detecting Early Worm Propagation through Packet Matching Xuan Chen and John Heidemann ∗ ISI-TR-2004-585 February 2004 Abstract detection system, it needs to monitor and react to worm traffic within a small time interval (in seconds) In this paper, we present DEWP, a router-based in order to quarantine worm propagation quickly. system designed to automatically detect and quar- Signature-based intrusion detection systems (IDS) antine Internet worm propagation. DEWP detects can not respond to these 0-day attacks at this speed worm probing traffic by matching destination port due to the time-consuming worm packet content anal- numbers between incoming and outgoing connec- ysis. Anomaly-based IDS improves detection speed tions. This approach does not require knowledge by monitoring traffic changes but usually have high of worm packet contents or profiles of normal traf- false alarm rate. In this work, we believe that routers fic conditions; it can automatically detect and sup- should apply simple but essential worm detection press worms due to their unusual traffic patterns. techniques for fast reaction. These techniques should We describe how DEWP works and evaluate its per- capture key characteristics of worm traffic but are not formance with simulations. We study the speed of computational consuming. detection and the effectiveness of vulnerable host Second, a worm defense system needs to create protection relative to factors including worm scan- worm signatures without human interference in order ning techniques, DEWP deployment coverage and to react and quarantine worm propagation rapidly. A detection intervals. We also investigate false detec- signature identifies common characteristics of a spe- tions with network trace playback. We show that cific worm suitable for detection and suppression. For DEWP detects worm propagation within about 4 sec- example, it could be the destination port number in onds. By blocking worm probing traffic automati- worm packet headers, or substrings of worm packet cally, DEWP can protect more than 99% hosts from payload. Although signatures based on packet data random-scanning worms. contents can unambiguously detect a worm, it is chal- lenging for an worm detection system to generate 1 Introduction such signatures automatically because of the large computational overhead. On the other hand, we will Since the widespread outbreak of the Code-Red show that simple signatures based on destination port worm in July 2001 [1, 2] worm intrusion has become numbers can effectively detect and contain worm traf- an increasingly severe threat to the Internet. Code- fic. Red II [3], Nimda [4], Slammer [5], and SoBig [6] worms have all led to considerable cost to our soci- Third, it is important to reduce the false alarm rate ety [7, 8]. Prior work [7, 9] has suggested that an of worm detection because false positives potentially automatic worm detection and containment system lead to denial-of-service to legitimate traffic. There- is important to protect the Internet from worm at- fore, we need to carefully consider the trade-off be- tacks. We identify three essential requirements for tween fast detection and low false-alarm rate when such a system. designing an automatic worm detection and quaran- tine system. First, this system must detect worm propagation at a very early stage to suppress the worm before In this paper, we present a router-based worm de- it gets out of control [7, 8, 9]. For a router-based tection and containment system called DEWP (De- tector for Early Worm Propagation). As observed ∗Xuan Chen and John Heidemann are with University of below, DEWP detects worm intrusions, creates worm Southern California, Information Sciences Institute. This ma- signatures, and contains worm propagation automat- terial is based upon work supported by DARPA via the Space ically, without human interference. We believe it will and Naval Warfare Systems Center San Diego under Contract No. N66001-00-C-8066 (\SAMAN"), and by the CONSER be especially important against worms that propa- project supported by NSF. gate rapidly [9], such as the Slammer worm. 1 This work has three major contributions. First, traffic measurement and its normal condition (usually DEWP applies a novel worm detection algorithm by in a profile). Since it is difficult to create a \proper" matching destination port numbers between incom- profile to cover all representative aspects of normal ing and outgoing connections. This idea is from the traffic condition, anomaly-based IDS have high false following two observations on worm traffic. First, alarm rate. a worm usually exploits particular security vulner- DEWP does not need signatures with worm packet ability corresponding to specific network port num- contents or traffic profiles. By matching destina- bers. Second, the nature of worms is that an infected tion port numbers between incoming and outgoing host will probe other vulnerable hosts exploiting the connections, it automatically detects worm intrusion same vulnerability. Therefore, routers seeing unusu- within seconds. DEWP also has lower false alarm ally high levels of bi-directional probing traffic with rate since it captures common characteristics of worm the same destination port number can infer a new traffic directly. worm has arisen. In addition, since matching des- Early Bird System (EBS) [10] is proposed to au- tination port numbers consumes low computational tomatically detect worm propagation. Similar to our power, DEWP is more applicable to real networks work, EBS also discovers worm by observing com- than systems based on packet content analysis such mon patterns in network traffic. Unlike the simple as the Early Bird System [10]. technique of destination port matching, EBS needs Second, we evaluate DEWP performance by sim- per-packet content analysis and complicated hash- ulating an outbreak of the Slammer worm, which ing function to identify suspicious worm traffic ag- is known for the extremely fast spreading (infected gregates. Therefore, its applicability to real networks about a total of 75,000 hosts in about 15 minutes). is questionable. Our results show that DEWP detects worm propa- Honey-pots [14, 15] and its variations (through ag- gation in about 4 seconds. With automatic desti- gregation and virtulization) monitor un-used address nation port discovery and packet blocking, DEWP space (that is, dark space) and capture traffic inter- protects most hosts from infection: less than 1% action with dark space as worm intrusions. Honey- hosts are compromised by random-scanning worm, pot is a flexible technique to detect unknown threats. and about 9% hosts are infected by local-scannning However, it only detects worm propagation when be- worm. We further investigate several important fac- ing directly probed. Also, honey-pots by themselves tors that affect DEWP performance including worm could be compromised by worms. probing techniques, deployment coverage, and detec- Since worm is a threat to the Internet globally, tion intervals. We also study issues on false detections some proposals [9] call for a nation-wide Internet with network trace playback. worm control authority to coordinate worm detection The final contribution is that we introduce a new and immunization efforts. Other intrusion detection hybrid simulation model of worm propagation. This system [16] also proposed to deploy sensors around model allows detailed packet-level simulations within the Internet, collect traffic statistics, and send them one particular network while representing the rest In- to a data processing center. We agree that global co- ternet analytically. We present the detailed descrip- ordination is necessary to protect the Internet from tion of our model in Section 5. worm intrusions. However, there are some difficulties for these proposals to realize in near future, such as 2 Related Work resource constraint and administrative issues. So, we take another approach of designing a distributed sys- In this section, we first briefly describe techniques tem that detects worm probing traffic through local to detect worm attacks. We also review different ap- traffic observations. proaches to quarantine worm propagation. NetBait [17] is a distributed system that provides Intrusion detection systems (IDS) are deployed to detailed information about network intrusions. It discover DDoS attacks and worm intrusions. There collects data from geographically located machines, are two different kinds of IDS, namely signature- and which use traditional intrusion detection systems anomaly-based. Signature-based IDS [11, 12] cap- (such as Snort [11]) to discover worm attacks. The ture worm attacks based on pre-compiled signatures goal of NetBait is to provide accurate information stored in database. Although they identify threats to identify infected hosts and expedite the process accurately, signature-based IDS have little effect on of worm containment and cleanup. It is complemen- unknown worms. On the other hand, anomaly-based tary to DEWP which aims at fast detection of worm IDS [13] detect new threats by observing unusual traf- propagation. fic changes, that is the difference between current Current schemes to contain worm propagation is by 2 Incoming DEWP 3.1 Detecting Worm Propagation with traffic Destination Port Matching packet filter DEWP applies a two-step detection algorithm, Outgoing first port-matching, then address-counting. It first traffic identifies suspicious traffic by matching destination d_port d_addr worm d_port port numbers between incoming and outgoing con- num nections. This simple technique
Load more

Recommended publications
  • A the Hacker
    A The Hacker Madame Curie once said “En science, nous devons nous int´eresser aux choses, non aux personnes [In science, we should be interested in things, not in people].” Things, however, have since changed, and today we have to be interested not just in the facts of computer security and crime, but in the people who perpetrate these acts. Hence this discussion of hackers. Over the centuries, the term “hacker” has referred to various activities. We are familiar with usages such as “a carpenter hacking wood with an ax” and “a butcher hacking meat with a cleaver,” but it seems that the modern, computer-related form of this term originated in the many pranks and practi- cal jokes perpetrated by students at MIT in the 1960s. As an example of the many meanings assigned to this term, see [Schneier 04] which, among much other information, explains why Galileo was a hacker but Aristotle wasn’t. A hack is a person lacking talent or ability, as in a “hack writer.” Hack as a verb is used in contexts such as “hack the media,” “hack your brain,” and “hack your reputation.” Recently, it has also come to mean either a kludge, or the opposite of a kludge, as in a clever or elegant solution to a difficult problem. A hack also means a simple but often inelegant solution or technique. The following tentative definitions are quoted from the jargon file ([jargon 04], edited by Eric S. Raymond): 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
    [Show full text]
  • Undergraduate Report
    UNDERGRADUATE REPORT Attack Evolution: Identifying Attack Evolution Characteristics to Predict Future Attacks by MaryTheresa Monahan-Pendergast Advisor: UG 2006-6 IINSTITUTE FOR SYSTEMSR RESEARCH ISR develops, applies and teaches advanced methodologies of design and analysis to solve complex, hierarchical, heterogeneous and dynamic problems of engineering technology and systems for industry and government. ISR is a permanent institute of the University of Maryland, within the Glenn L. Martin Institute of Technol- ogy/A. James Clark School of Engineering. It is a National Science Foundation Engineering Research Center. Web site http://www.isr.umd.edu Attack Evolution 1 Attack Evolution: Identifying Attack Evolution Characteristics To Predict Future Attacks MaryTheresa Monahan-Pendergast Dr. Michel Cukier Dr. Linda C. Schmidt Dr. Paige Smith Institute of Systems Research University of Maryland Attack Evolution 2 ABSTRACT Several approaches can be considered to predict the evolution of computer security attacks, such as statistical approaches and “Red Teams.” This research proposes a third and completely novel approach for predicting the evolution of an attack threat. Our goal is to move from the destructive nature and malicious intent associated with an attack to the root of what an attack creation is: having successfully solved a complex problem. By approaching attacks from the perspective of the creator, we will chart the way in which attacks are developed over time and attempt to extract evolutionary patterns. These patterns will eventually
    [Show full text]
  • Flow-Level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone
    Flow-Level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone Thomas Dübendorfer, Arno Wagner, Theus Hossmann, Bernhard Plattner ETH Zurich, Switzerland [email protected] DIMVA 2005, Wien, Austria Agenda 1) Introduction 2) Flow-Level Backbone Traffic 3) Network Worm Blaster.A 4) E-Mail Worm Sobig.F 5) Conclusions and Outlook © T. Dübendorfer (2005), TIK/CSG, ETH Zurich -2- 1) Introduction Authors Prof. Dr. Bernhard Plattner Professor, ETH Zurich (since 1988) Head of the Communication Systems Group at the Computer Engineering and Networks Laboratory TIK Prorector of education at ETH Zurich (since 2005) Thomas Dübendorfer Dipl. Informatik-Ing., ETH Zurich, Switzerland (2001) ISC2 CISSP (Certified Information System Security Professional) (2003) PhD student at TIK, ETH Zurich (since 2001) Network security research in the context of the DDoSVax project at ETH Further authors: Arno Wagner, Theus Hossmann © T. Dübendorfer (2005), TIK/CSG, ETH Zurich -3- 1) Introduction Worm Analysis Why analyse Internet worms? • basis for research and development of: • worm detection methods • effective countermeasures • understand network impact of worms Wasn‘t this already done by anti-virus software vendors? • Anti-virus software works with host-centric signatures Research method used 1. Execute worm code in an Internet-like testbed and observe infections 2. Measure packet-level traffic and determine network-centric worm signatures on flow-level 3. Extensive analysis of flow-level traffic of the actual worm outbreaks captured in a Swiss backbone © T. Dübendorfer (2005), TIK/CSG, ETH Zurich -4- 1) Introduction Related Work Internet backbone worm analyses: • Many theoretical worm spreading models and simulations exist (e.g.
    [Show full text]
  • Wannacry Ransomware
    KNOW THE UNKNOWN® Success Story: WannaCry Ransomware WHITE PAPER Challenge Stopping a Worm & Saving Millions Worms like WannaCry and Petya operate as essentially Even the most recent of these attacks like WannaCry and zero-day attacks: they can lie dormant on our networks Petya still echo the basic principles of past-worms, and as and then rapidly spread between devices upon waking up. such, they are both preventable and stoppable. During The consequences of being hit by one is dramatic: precious the Code Red, Nimda, and ILOVEYOU attacks of the early- data is either ransom-locked or wiped and thus often 2000s, businesses that had invested in a NIKSUN-like irrecoverable. This means millions in lost data, restoration solution were able to run a rapid report to get a list of fees, public relations, and stock-holder confidence. all infected devices and cut them off from their network. Instead of thousands of machines being affected, they When FedEx was hit by Petya, for example, their subsidiary were able to resolve the incident with minor losses of TNT Express experienced “widespread service delays” and hundreds or less. This process takes a mere few minutes were unable to “fully restore all of the affected systems and thus could have saved Reckitt Benckiser from their and recover all of the critical business data that was hour-long attack. encrypted by the virus.”1 Shares in the company dropped 3.4% in the wake of the attack.2 Total, 100% visibility is simply the only way to stop these worms from becoming too damaging.
    [Show full text]
  • Nimda Worm Shows You Can't Always Patch Fast Enough
    Research Publication Date: 19 September 2001 ID Number: FT-14-5524 Nimda Worm Shows You Can't Always Patch Fast Enough John Pescatore Nimda bundles several known exploits against Internet Information Server and other Microsoft software. Enterprises with Web applications should start to investigate less- vulnerable Web server products. © 2001 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice. NEWS ANALYSIS Event On 18 September 2001, a new mass-mailing computer worm began infecting computers worldwide, damaging local files as well as remote network files. The w32.Nimda.A @ mm worm can spread through e-mail, file sharing and Web site downloads. For more information, visit: http://www.microsoft.com/technet/security/topics/Nimda.asp or http://www.sarc.com/avcenter/venc/data/[email protected]. Analysis As a "rollup worm," Nimda bundles several known exploits against Microsoft's Internet Information Server (IIS), Internet Explorer (IE) browser, and operating systems such as Windows 2000 and Windows XP, which have IIS and IE embedded in their code. To protect against Nimda, Microsoft recommends installing numerous patches and service packs on virtually every PC and server running IE, IIS Web servers or the Outlook Express e-mail client.
    [Show full text]
  • Computer Viruses, in Order to Detect Them
    Behaviour-based Virus Analysis and Detection PhD Thesis Sulaiman Amro Al amro This thesis is submitted in partial fulfilment of the requirements for the degree of Doctor of Philosophy Software Technology Research Laboratory Faculty of Technology De Montfort University May 2013 DEDICATION To my beloved parents This thesis is dedicated to my Father who has been my supportive, motivated, inspired guide throughout my life, and who has spent every minute of his life teaching and guiding me and my brothers and sisters how to live and be successful. To my Mother for her support and endless love, daily prayers, and for her encouragement and everything she has sacrificed for us. To my Sisters and Brothers for their support, prayers and encouragements throughout my entire life. To my beloved Family, My Wife for her support and patience throughout my PhD, and my little boy Amro who has changed my life and relieves my tiredness and stress every single day. I | P a g e ABSTRACT Every day, the growing number of viruses causes major damage to computer systems, which many antivirus products have been developed to protect. Regrettably, existing antivirus products do not provide a full solution to the problems associated with viruses. One of the main reasons for this is that these products typically use signature-based detection, so that the rapid growth in the number of viruses means that many signatures have to be added to their signature databases each day. These signatures then have to be stored in the computer system, where they consume increasing memory space. Moreover, the large database will also affect the speed of searching for signatures, and, hence, affect the performance of the system.
    [Show full text]
  • Code Red Worm Propagation Modeling and Analysis ∗
    Code Red Worm Propagation Modeling and Analysis ∗ Cliff Changchun Zou Weibo Gong Don Towsley Dept. Electrical & Dept. Electrical & Dept. Computer Science Computer Engineering Computer Engineering Univ. Massachusetts Univ. Massachusetts Univ. Massachusetts Amherst, MA Amherst, MA Amherst, MA [email protected] [email protected] [email protected] ABSTRACT the Internet has become a powerful mechanism for propa- The Code Red worm incident of July 2001 has stimulated gating malicious software programs. Worms, defined as au- activities to model and analyze Internet worm propagation. tonomous programs that spread through computer networks In this paper we provide a careful analysis of Code Red prop- by searching, attacking, and infecting remote computers au- agation by accounting for two factors: one is the dynamic tomatically, have been developed for more than 10 years countermeasures taken by ISPs and users; the other is the since the first Morris worm [30]. Today, our computing in- slowed down worm infection rate because Code Red rampant frastructure is more vulnerable than ever before [28]. The propagation caused congestion and troubles to some routers. Code Red worm and Nimda worm incidents of 2001 have Based on the classical epidemic Kermack-Mckendrick model, shown us how vulnerable our networks are and how fast we derive a general Internet worm model called the two- a virulent worm can spread; furthermore, Weaver presented factor worm model. Simulations and numerical solutions some design principles for worms such that they could spread of the two-factor worm model match the observed data of even faster [34]. In order to defend against future worms, we Code Red worm better than previous models do.
    [Show full text]
  • Chapter 3: Viruses, Worms, and Blended Threats
    Chapter 3 Chapter 3: Viruses, Worms, and Blended Threats.........................................................................46 Evolution of Viruses and Countermeasures...................................................................................46 The Early Days of Viruses.................................................................................................47 Beyond Annoyance: The Proliferation of Destructive Viruses .........................................48 Wiping Out Hard Drives—CIH Virus ...................................................................48 Virus Programming for the Masses 1: Macro Viruses...........................................48 Virus Programming for the Masses 2: Virus Generators.......................................50 Evolving Threats, Evolving Countermeasures ..................................................................51 Detecting Viruses...................................................................................................51 Radical Evolution—Polymorphic and Metamorphic Viruses ...............................53 Detecting Complex Viruses ...................................................................................55 State of Virus Detection.........................................................................................55 Trends in Virus Evolution..................................................................................................56 Worms and Vulnerabilities ............................................................................................................57
    [Show full text]
  • Combating Spyware in the Enterprise.Pdf
    www.dbebooks.com - Free Books & magazines Visit us at www.syngress.com Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our cus- tomers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site. SOLUTIONS WEB SITE To register your book, visit www.syngress.com/solutions. Once registered, you can access our [email protected] Web pages. There you will find an assortment of value-added features such as free e-booklets related to the topic of this book, URLs of related Web site, FAQs from the book, corrections, and any updates from the author(s). ULTIMATE CDs Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of exper- tise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few. DOWNLOADABLE EBOOKS For readers who can’t wait for hard copy, we offer most of our titles in download- able Adobe PDF form. These eBooks are often available weeks before hard copies, and are priced affordably. SYNGRESS OUTLET Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings. SITE LICENSING Syngress has a well-established program for site licensing our ebooks onto servers in corporations, educational institutions, and large organizations.
    [Show full text]
  • Symantec Internet Security Threat Report
    Symantec Internet EXECUTIVE SUMMARY Symantec Internet Security Threat Report September 2003 EXECUTIVE EDITOR Executive Summary Linda McCarthy Symantec Office of the CTO The Symantec Internet Security Threat Report provides a six-month update about Internet threat MANAGER, DEVELOPMENT activity1. It includes analysis of network-based attacks, a review of known vulnerabilities, and David Ahmad Symantec Security Response highlights of malicious code. This summary of that report can alert executives to impending threats and current trends. SENIOR THREAT ANALYST Cori Lynn Arnold Symantec Managed Security With over 20,000 sensors monitoring network activity in over 180 countries, Symantec has Services established one of the most comprehensive sources of Internet threat data in the world, giving SENIOR MANAGER, ANALYSIS Symantec's analysts a superior source of attack data from which to spot important trends. OPERATIONS These trends educate executives about potential threats and exposures, and using the data Brian Dunphy Symantec Managed Security can help them identify weaknesses in their own security architecture or policies. Services In August 2003, the Win32.Blaster blended threat rapidly spread worldwide, and several other SENIOR MANAGER, DEVELOPMENT Oliver Friedrichs highly severe worms followed. In only eight days the pace and frequency of these threats created Symantec Security Response havoc for systems administrators as well as for PC home users, with an estimated cost of damages 2 RESEARCH FELLOW running up to $2 billion . This report
    [Show full text]
  • Ethical Hacking
    Official Certified Ethical Hacker Review Guide Steven DeFino Intense School, Senior Security Instructor and Consultant Contributing Authors Barry Kaufman, Director of Intense School Nick Valenteen, Intense School, Senior Security Instructor Larry Greenblatt, Intense School, Senior Security Instructor Australia • Brazil • Japan • Korea • Mexico • Singapore • Spain • United Kingdom • United States Official Certified Ethical Hacker © 2010 Course Technology, Cengage Learning Review Guide ALL RIGHTS RESERVED. No part of this work covered by the copyright herein Steven DeFino may be reproduced, transmitted, stored or used in any form or by any means Barry Kaufman graphic, electronic, or mechanical, including but not limited to photocopying, Nick Valenteen recording, scanning, digitizing, taping, Web distribution, information networks, Larry Greenblatt or information storage and retrieval systems, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without the prior Vice President, Career and written permission of the publisher. Professional Editorial: Dave Garza Executive Editor: Stephen Helba For product information and technology assistance, contact us at Managing Editor: Marah Bellegarde Cengage Learning Customer & Sales Support, 1-800-354-9706 For permission to use material from this text or product, Senior Product Manager: submit all requests online at www.cengage.com/permissions Michelle Ruelos Cannistraci Further permissions questions can be e-mailed to Editorial Assistant: Meghan Orvis [email protected]
    [Show full text]
  • Email Worm Modeling and Defense
    Email Worm Modeling and Defense CliffC.Zou∗,DonTowsley†, Weibo Gong∗ ∗Department of Electrical & Computer Engineering †Department of Computer Science University of Massachusetts, Amherst, MA 01003 {czou, gong}@ecs.umass.edu, [email protected] Abstract— Email worms constitute one of the major Internet little differences in terms of the propagation dynamics of email security problems. In this paper, we present an email worm worms. model that accounts for the behaviors of email users by con- Based on the above email worm model, we study the ef- sidering email checking time and the probability of opening email attachments. Email worms spread over a logical network fectiveness of “selective immunization defense”, i.e., selecting defined by email address relationship, which plays an important some most connected email users’ computers to make them role in determining the spreading dynamics of an email worm. immune to an email worm. The results explain why selective Our observations suggest that the node degrees of an email immunization defense against email worm propagation is quite network are heavy-tailed distributed. We compare email worm effective for a power law topology but not so good for the other propagation on three topologies: power law, small world and random graph topologies; and then study how the topology two topologies. affects immunization defense on email worms. The impact of The rest of the paper is organized as follows. Section II the power law topology on the spread of email worms is mixed: surveys related work. Section III presents the email worm email worms spread more quickly on a power law topology than propagation model.
    [Show full text]