Title: Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms
Slide 1: Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms
- Zhichun Li (1), Lanjia Wang (2), Yan Chen (1) and Judy Fu (3)
(1) Lab for Internet and Security Technology (LIST), Northwestern Univ.
(2) Tsinghua University, China
(3) Motorola Labs, USA
Slide 2: The Spread of Sapphire/Slammer Worms
Slide 3: Limitations of Exploit-based Signatures
[Figure: traffic filtering with an exploit-based signature at the gateway between the Internet and our network]
- Polymorphism! A polymorphic worm might not have an exact exploit-based signature.
Slide 4: Vulnerability Signature
[Figure: traffic filtering with a vulnerability signature at the gateway between the Internet and our network; label: Unknown Vulnerability]
Better!
- Works for polymorphic worms
- Works for all the worms which target the same vulnerability
Slide 5: Benefits of Network-based Detection
[Figure: gateway routers between the Internet and our network, contrasted with host-based detection]
Early Detection!
- At the early stage of the worm, there are only limited worm samples.
- Host-based sensors can only cover a limited IP space, which might raise scalability issues.
Slide 6: Design Space and Related Work
[Figure: design space on two axes, network-based vs. host-based and exploit-based vs. vulnerability-based]
- Most host-based approaches depend on lots of host information, such as the source/binary code of the vulnerable program, the vulnerability condition, execution traces, etc.
Slide 7: Outline
- Motivation and Related Work
- Design of LESG
  - Problem Statement
  - Three Stage Algorithm
  - Attack Resilience Analysis
- Evaluation
- Conclusions
Slide 8: Basic Ideas
- At least 75% of vulnerabilities are due to buffer overflow
- The field length is intrinsic to a buffer overflow vulnerability and hard to evade
- However, there could be thousands of fields, so selecting the optimal field set is hard
[Figure: a protocol message whose field overflows the vulnerable buffer (Overflow!)]
Slide 9: Framework
Slide 10: LESG Signature Generator
Slide 11: Outline
- Motivation and Related Work
- Design of LESG
  - Problem Statement
  - Three Stage Algorithm
  - Attack Resilience Analysis
- Evaluation
- Conclusions
Slide 12: Field Hierarchies
[Figure: field hierarchy of a DNS PDU]
Slide 13: Length-based Signature Definition
[Figure: a length signature on the RDATA field of a DNS message, with RDATA marked as the vulnerable field]
- Signature set: (Name,100), (Class,50), (RDATA,300), combined with an OR relationship
- Ground truth signature: (RDATA,315), i.e. the buffer length!
Slide 14: Problem Formulation
[Figure: LESG takes a suspicious pool and a normal pool as input and outputs a signature]
- Worms which are not covered in the suspicious pool are at most ?
- Minimize the false positives in the normal pool
- With noise
- NP-Hard!
Slide 15: Outline
- Motivation and Related Work
- Design of LESG
  - Problem Statement
  - Three Stage Algorithm
  - Attack Resilience Analysis
- Evaluation
- Conclusions
Slide 16: Stages I and II
- Trade-off between specificity and sensitivity: score function Score(COV, FP)
- Stage I: Field Filtering, with thresholds COV0 = 1% and FP0 = 0.1%
- Stage II: Length Optimization
Slide 17: Stage III
- Find the optimal set of fields as the signature, with high coverage and low false positives
- Separate the fields into two sets, FP = 0 and FP > 0
  - Opportunistic step (FP = 0)
  - Attack resilience step (FP > 0)
- A similar greedy algorithm is used for each step
Slide 18: Stage III (cont.)
Stage I thresholds: COV0 = 1%, FP0 = 0.1%; residual coverage threshold: 5%
Current signature: (RDATA,300), coverage 50%, FP 0.05%
Candidate          Coverage (suspicious pool)   FP (normal pool)
(RDATA,300)        50%                          0.05%
(Name,100)         40%                          0.03%
(Class,50)         35%                          0.09%
(Comments,2000)    10%                          0.1%
Slide 19: Stage III (cont.)
Stage I thresholds: COV0 = 1%, FP0 = 0.1%; residual coverage threshold: 5%
Current signature: (RDATA,300), coverage 50%, FP 0.05%
Remaining candidate   Residual coverage (suspicious pool)   Residual FP (normal pool)
(Class,50)            25%                                   0.02%
(Name,100)            3%                                    0.08%
(Comments,2000)       1%                                    0.05%
Slide 20: Stage III (cont.)
Stage I thresholds: COV0 = 1%, FP0 = 0.1%; residual coverage threshold: 5%
Current signature: (RDATA,300), (Class,50), coverage (50 + 25)%, FP (0.05 + 0.02)%
Remaining candidate   Residual coverage (suspicious pool)   Residual FP (normal pool)
(Class,50)            25%                                   0.02%
(Name,100)            3%                                    0.08%
(Comments,2000)       1%                                    0.05%
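A runnable toy version of the three stages (Slides 16 to 20), added here as an illustration; it is not the authors' LESG code. The suspicious and normal pools are constructed, and the matching rule (a flow matches (field, L) when its parsed field is at least L long), the score function (COV minus a weighted FP), the stop rule (no remaining field adds 5% residual coverage) and the tie-breaking order are assumptions. Only the thresholds COV0 = 1% and FP0 = 0.1% come from the slides. It goes beyond the slides in one way: residual coverage is computed from the actual overlap of matched flows rather than read from a table, and the second worm in the pool is only caught by the FP > 0 (attack resilience) step.

```python
"""Toy reconstruction of LESG's three-stage length-signature generation.

Added illustration, not the authors' code. Assumptions: a flow matches a
signature (field, L) when its parsed field is at least L bytes long; the score
function is COV minus a weighted FP; Stage III stops when no field adds 5% new
coverage; the pools below are constructed.
"""
from dataclasses import dataclass

COV0 = 0.01          # Stage I: minimum coverage in the suspicious pool (1%, slide value)
FP0 = 0.001          # Stage I: maximum false-positive rate in the normal pool (0.1%, slide value)
RESIDUAL_MIN = 0.05  # Stage III: stop when no field adds >= 5% residual coverage (assumed rule)
FP_PENALTY = 10.0    # weight of FP in the assumed score function Score(COV, FP)

# Constructed pools of parsed flows: field name -> observed field length (bytes).
SUSPICIOUS = [
    {"Name": 120, "Class": 60, "RDATA": 320},  # worm A: long RDATA and Class
    {"Name": 130, "Class": 55, "RDATA": 350},
    {"Name": 110, "Class": 4,  "RDATA": 400},  # worm A variant with a normal Class
    {"Name": 125, "Class": 65, "RDATA": 330},
    {"Name": 115, "Class": 80, "RDATA": 360},
    {"Name": 300, "Class": 4,  "RDATA": 64},   # worm B: only Name is long
    {"Name": 280, "Class": 4,  "RDATA": 70},
    {"Name": 20,  "Class": 4,  "RDATA": 64},   # noise: benign flows in the suspicious pool
    {"Name": 30,  "Class": 4,  "RDATA": 80},
    {"Name": 25,  "Class": 4,  "RDATA": 48},
]
# 2000 benign flows with short fields, plus one benign outlier with a long Name.
NORMAL = [{"Name": 10 + i % 50, "Class": 4, "RDATA": 16 + i % 180} for i in range(2000)]
NORMAL.append({"Name": 150, "Class": 4, "RDATA": 100})


@dataclass(frozen=True)
class LengthSig:
    field: str
    length: int
    cov: float  # fraction of the suspicious pool matched
    fp: float   # fraction of the normal pool matched

    def matches(self, flow):
        return flow.get(self.field, 0) >= self.length


def match_rate(field, length, pool):
    return sum(1 for f in pool if f.get(field, 0) >= length) / len(pool)


def score(cov, fp):
    """Assumed score trading sensitivity (COV) against specificity (FP)."""
    return cov - FP_PENALTY * fp


def stage1_stage2(suspicious, normal):
    """Stage I drops (field, length) pairs below COV0 or above FP0;
    Stage II keeps the best-scoring length for each surviving field."""
    best = {}
    for field in sorted({k for f in suspicious for k in f}):
        for length in sorted({f[field] for f in suspicious if field in f}):
            sig = LengthSig(field, length, match_rate(field, length, suspicious),
                            match_rate(field, length, normal))
            if sig.cov < COV0 or sig.fp > FP0:
                continue
            if field not in best or score(sig.cov, sig.fp) > score(best[field].cov, best[field].fp):
                best[field] = sig
    return list(best.values())


def residual(sig, suspicious, covered):
    """Fraction of suspicious flows matched by sig that no chosen signature covers yet."""
    return sum(1 for i, f in enumerate(suspicious)
               if i not in covered and sig.matches(f)) / len(suspicious)


def greedy_select(candidates, suspicious, covered):
    """Greedy pass: repeatedly take the signature adding the most residual coverage."""
    chosen, remaining = [], list(candidates)
    while remaining:
        remaining.sort(key=lambda s: (-residual(s, suspicious, covered), s.fp, s.field))
        sig = remaining.pop(0)
        if residual(sig, suspicious, covered) < RESIDUAL_MIN:
            break
        chosen.append(sig)
        covered.update(i for i, f in enumerate(suspicious) if sig.matches(f))
    return chosen


def stage3(sigs, suspicious):
    """Stage III: opportunistic step over FP = 0 fields, then the
    attack-resilience step over FP > 0 fields, sharing the covered set."""
    covered = set()
    zero_fp = [s for s in sigs if s.fp == 0]
    pos_fp = [s for s in sigs if s.fp > 0]
    return greedy_select(zero_fp, suspicious, covered) + greedy_select(pos_fp, suspicious, covered)


def generate(suspicious=SUSPICIOUS, normal=NORMAL):
    """Run all three stages; return the OR-ed signature set with its COV and FP."""
    sigs = stage3(stage1_stage2(suspicious, normal), suspicious)
    cov = sum(1 for f in suspicious if any(s.matches(f) for s in sigs)) / len(suspicious)
    fp = sum(1 for f in normal if any(s.matches(f) for s in sigs)) / len(normal)
    return sigs, cov, fp


if __name__ == "__main__":
    sigs, cov, fp = generate()
    print(" OR ".join(f"({s.field},{s.length})" for s in sigs), f"COV={cov:.2f} FP={fp:.4f}")
```

On these pools Stage I rejects every short length (they match most of the normal pool), Stage II keeps (Class,55), (RDATA,320) and (Name,110), and Stage III first takes (RDATA,320) in the opportunistic step, finds that (Class,55) adds no residual coverage, and then takes (Name,110) in the attack-resilience step because it is the only field covering the second worm. The three noise flows are never matched, which is the point of the coverage threshold.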
Slide 21: Attack Resilience Bounds
- Depending on whether deliberate noise injection (DNI) exists, we get different bounds
- With 50% noise in the suspicious pool, we get the worst-case bound FN < 2% and FP < 1%
- In practice, the DNI attack can only achieve FP < 0.2%
- Resilient to most proposed attacks (proposed in other papers)
Slide 22: Outline
- Motivation and Related Work
- Design of LESG
  - Problem Statement
  - Three Stage Algorithm
  - Attack Resilience Analysis
- Evaluation
- Conclusions
Slide 23: Methodology
- Protocol parsing with Bro and BINPAC (IMC 2006)
- Worm workload
  - Eight polymorphic worms created based on real-world vulnerabilities, including the CodeRed II and Lion worms
  - DNS, SNMP, FTP, SMTP
- Normal traffic data
  - 27 GB from a university gateway and 123 GB of email log
Slide 24: Results
- Single/multiple worms with noise
  - Noise ratio 0-80%
  - False negative 0-1% (mostly 0)
  - False positive 0-0.01% (mostly 0)
- Pool size requirement
  - 10 or 20 flows are enough, even with 20% noise
- Speed results
  - With 500 samples in the suspicious pool and 320K samples in the normal pool, for DNS: parsing 58 secs, LESG 18 secs
Slide 25: Conclusions
- A novel network-based automated worm signature generation approach
- Works for zero-day polymorphic worms with unknown vulnerabilities
- First work which is both vulnerability-based and network-based, using length signatures for buffer overflow vulnerabilities
- Provable attack resilience
- Fast and accurate through experiments