Automated Worm Fingerprinting - PowerPoint PPT Presentation

Slides: 28
Provided by: Sibra

Transcript and Presenter's Notes

1
Automated Worm Fingerprinting
  • Ming Chen
  • 3/3/2005

2
Outline
  • Introduction
  • Defining Worm Behavior
  • Finding Worm Signatures
  • Practical Content Sifting
  • Selective Experiences
  • Limitation and Conclusion

3
Introduction
  • Worms
  • CodeRed (mid-2001): 360,000 victims in 14 hours
  • Slammer (January 2003): about 75,000 victims in
    10 minutes
  • Nimda: 2,000,000 victims
  • MyDoom: notorious for the backdoor it installs

4
Introduction (cont.)
  • Why so vulnerable?
    • Buggy software (Windows, and plenty of others)
    • Widespread software homogeneity: one bug, millions
      of identical targets
    • The Internet's unrestricted any-to-any
      communication

5
Introduction (cont.)
  • Conventional fight-back
    • Course of a response: detecting, isolating,
      decompiling, characterizing, testing, updating
      (new signatures pushed out to every host)
    • Insufficient, expensive and slow: takes hours,
      even days, to complete
  • Reaction time limit for containment: about 60
    seconds! (Slammer needed only 10 minutes to
    saturate its vulnerable population.)

6
Outline
  • Introduction
  • Defining Worm Behavior
  • Finding Worm Signatures
  • Practical Content Sifting
  • Selective experiences
  • Limitation and Conclusion

7
Worm Behaviors
  • Content invariance
  • Content prevalence
  • Address dispersion

8
Content invariance
  • Limited polymorphism
  • Encrypting each worm instance independently
    and/or randomizing filler text
  • Much of the worm body is variable, but key
    portions are still invariant (such as decryption
    routing)

9
Content prevalence
  • The invariant portion of a worms content will
    appear frequently on the network as its spreads
    or attempts to spread.

10
Address dispersion
  • Packets containing a live worm will tend to
    reflect a variety of different source and
    destination addresses.
  • Legitimate repeated content, by contrast, shows
    significant clustering around a few source and
    destination pairs.

11
Finding Worm Signatures
12
Outline
  • Introduction
  • Defining Worm Behavior
  • Finding Worm Signatures
  • Practical Content Sifting
  • Selective experiences
  • Limitation and Conclusion

13
Practical Content Sifting
  • Target: high-speed links
    • Small processing requirements
    • Small memory footprint
  • Approximation techniques
    • Estimating content prevalence
    • Estimating address dispersion
    • CPU scaling

14
Estimating content prevalence
  • Identifying common content involves finding the
    packet payloads that appear at least x times
    among the N packets sent during a given interval.
  • Improvement
  • Short hash
  • Heavy hitters amended by append the destination
    port protocol to the content before hashing
  • Rabin fingerprints for intra-packet substrings
    with a small fixed length ß

15
Estimating address dispersion
  • Why consider address dispersion?
  • Without it, a system could not distinguish a worm
    from a piece of content that frequently occurs
    between two computers, such as a mail client
    sending the same user name repeatedly as it
    checks for new mail on the mail server at
    regular intervals.

16
Estimating address dispersion (cont.)
  • Intuitive method: directly count the distinct
    source and destination addresses (needs a set of
    addresses per content item; too much memory at
    line rate)
  • Refinements
    • Direct bitmap: each source of the content is
      hashed to a bit position in a small bitmap, the
      corresponding bit is set, and an alarm is raised
      when the number of bits set exceeds a threshold
      (destinations get a bitmap of their own).
    • Scaled bitmap: counts well beyond the bitmap's
      size by tracking only addresses whose hash falls
      in a shrinking fraction of the hash space and
      scaling the estimate up accordingly.

17
Example of direct bitmap
  • If the dispersion threshold T is 30, each source
    address is hashed into a bitmap of 32 bits and an
    alarm is raised when the number of bits set
    crosses 20 (20 rather than 30 because the value is
    calculated analytically to account for hash
    collisions).
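
Where the 20 comes from (added worked calculation; it is not on the original slide and assumes, as is standard for a direct bitmap, that the alarm level is the expected bitmap occupancy for $T$ distinct addresses): hashing $T$ distinct addresses uniformly into $b$ bits leaves any given bit clear with probability $(1-1/b)^T$, so the expected number of set bits is

$$E[z] = b\left(1-(1-1/b)^T\right) \approx b\left(1-e^{-T/b}\right).$$

With $b = 32$ and $T = 30$ this is $32\,(1-(31/32)^{30}) \approx 32 \times 0.614 \approx 19.7$, so an alarm at 20 set bits corresponds to about 30 distinct addresses, not 20. Read the other way, $z$ set bits estimate $\hat{T} = b \ln\frac{b}{b-z}$ distinct addresses; for $z = 20$ that is $32 \ln(32/12) \approx 31$. The estimate degrades quickly as the bitmap fills, which is why the scaled bitmap of slide 16 is needed for larger counts.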

18
CPU scaling
  • Computing and tracking a fingerprint for every
    substring of every payload requires significant
    processing.
  • Value sampling: select only those substrings
    whose fingerprint matches a fixed pattern (e.g.
    the last 6 bits of the fingerprint are 0, about
    1 in 64). Because the choice depends only on the
    content, every sensor samples the same substrings
    of a given worm.
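
The mechanics of slides 14 to 18 put together, as an added example (this is not the paper's EarlyBird code nor the presenter's): a small content sifter that computes a rolling polynomial fingerprint over every length-ß substring (a stand-in for Rabin's GF(2) fingerprint), keeps only fingerprints whose low bits are zero (value sampling), counts prevalence per (fingerprint, protocol, destination port) in an exact table that stands in for the paper's multistage filters, and tracks source and destination dispersion with 32-bit direct bitmaps alarmed at the analytic threshold. The packet trace is constructed, not captured: a single-packet worm whose filler prefix changes per instance while its body is invariant, plus a mail client repeating the same USER line to one server. The constants, names and payload bytes are all assumptions.

```python
"""Content sifting in the style of EarlyBird, run over a constructed trace.
Added example: not the paper's or the presenter's code."""
import hashlib
import math
from collections import namedtuple

BETA = 16             # substring length; EarlyBird used 40 bytes, shortened for the short sample payloads
SAMPLE_ZERO_BITS = 3  # value sampling: keep fingerprints whose low 3 bits are 0 (about 1 in 8)
PREVALENCE_THRESHOLD = 3
BITMAP_BITS = 32      # direct bitmap width (slide 17)
DISPERSION_T = 30     # distinct sources/destinations we want to see before alarming (slide 17)

MOD = (1 << 61) - 1   # Mersenne prime for the polynomial rolling hash (stand-in for Rabin's GF(2) fingerprint)
BASE = 257

Packet = namedtuple("Packet", "src dst proto dport payload")
Signature = namedtuple("Signature", "fingerprint proto dport substring")


def bitmap_threshold(bits, t):
    """Alarm level for a direct bitmap: the expected number of bits set after hashing t
    distinct addresses into `bits` bits, bits*(1-(1-1/bits)**t). 32 bits and T=30 give 20."""
    return math.ceil(bits * (1 - (1 - 1 / bits) ** t))


def rolling_fingerprints(payload, beta=BETA):
    """Yield (offset, fingerprint) for every length-beta substring of payload in O(1) per byte."""
    if len(payload) < beta:
        return
    h = 0
    for b in payload[:beta]:
        h = (h * BASE + b) % MOD
    yield 0, h
    high = pow(BASE, beta - 1, MOD)           # weight of the byte that rolls out of the window
    for i in range(beta, len(payload)):
        h = (h - payload[i - beta] * high) % MOD
        h = (h * BASE + payload[i]) % MOD
        yield i - beta + 1, h


def sampled(fp):
    """Value sampling (slide 18): depends only on content, so every sensor picks the same substrings."""
    return fp & ((1 << SAMPLE_ZERO_BITS) - 1) == 0


def addr_bit(addr):
    """Hash an address to one bit of a BITMAP_BITS-wide direct bitmap."""
    digest = hashlib.blake2b(addr.encode(), digest_size=4).digest()
    return 1 << (int.from_bytes(digest, "big") % BITMAP_BITS)


def sift(packets):
    """Return the signatures whose content is both prevalent and dispersed in src and dst."""
    alarm = bitmap_threshold(BITMAP_BITS, DISPERSION_T)
    prevalence = {}   # key -> number of packets carrying the sampled substring
    dispersion = {}   # key -> [src_bitmap, dst_bitmap]; created once the content is prevalent
    first_seen = {}   # key -> the substring bytes, so a reported signature is readable
    reported = {}
    for pkt in packets:
        seen_in_pkt = set()                       # count each substring once per packet
        for off, fp in rolling_fingerprints(pkt.payload):
            if not sampled(fp):
                continue
            key = (fp, pkt.proto, pkt.dport)      # port and protocol form part of the key (slide 14)
            if key in seen_in_pkt:
                continue
            seen_in_pkt.add(key)
            first_seen.setdefault(key, pkt.payload[off:off + BETA])
            prevalence[key] = prevalence.get(key, 0) + 1
            if prevalence[key] < PREVALENCE_THRESHOLD:
                continue
            bm = dispersion.setdefault(key, [0, 0])
            bm[0] |= addr_bit(pkt.src)
            bm[1] |= addr_bit(pkt.dst)
            if key not in reported and min(bin(bm[0]).count("1"), bin(bm[1]).count("1")) >= alarm:
                reported[key] = Signature(fp, pkt.proto, pkt.dport, first_seen[key])
    return list(reported.values())


# Constructed trace (not a real capture). The "worm" is a single UDP packet whose filler prefix
# differs per instance while the body is invariant; the mail client repeats one USER line to
# a single server, which is prevalent content with no address dispersion (slide 15).
INVARIANT = (b"SYNTHETIC WORM BODY: decryptor stub " + bytes(range(32, 127))
             + b" end of invariant section " + bytes(range(126, 31, -1)))
MAIL_PAYLOAD = b"USER alice@example.com\r\nPASS hunter2\r\nSTAT\r\n"


def constructed_trace():
    pkts = []
    for i in range(100):
        filler = (b"filler%03d" % i) * 3       # per-instance variable prefix, ends in a digit
        pkts.append(Packet("10.0.%d.7" % i, "192.168.0.%d" % (i + 1), "udp", 1434, filler + INVARIANT))
        if i % 2 == 0:
            pkts.append(Packet("10.0.0.5", "10.0.0.25", "tcp", 110, MAIL_PAYLOAD))
    return pkts


if __name__ == "__main__":
    for sig in sift(constructed_trace()):
        print("%s/%d fingerprint %#x: %r" % (sig.proto, sig.dport, sig.fingerprint, sig.substring))
```

Running it prints one signature per sampled substring of the invariant body, all on udp/1434; the mail client's USER line is prevalent (50 packets) but never reported because its source and destination bitmaps each have a single bit set. A deployment would merge the overlapping substrings into one signature before exporting it, and would replace the exact prevalence dict with the fixed-memory structures the slides call for.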

19
Outline
  • Introduction
  • Defining Worm Behavior
  • Finding Worm Signatures
  • Practical Content Sifting
  • Selective experiences
  • Limitation and Conclusion

20
Selective experiences: trace-based
21
Selective experiences: trace-based (cont.)
22
Selective experiences: live
  • Sasser: detected on the morning of Saturday
    May 1st, 2004, before signatures were made
    available by the various anti-virus vendors.
  • Kibvu.B: detected on Friday May 14th, 2004 at
    3:08 AM PDT; signatures were reported long before
    there were public reports of the worm's spread,
    and were used to assist network operations staff
    in tracking down infected hosts.

23
Outline
  • Introduction
  • Defining Worm Behavior
  • Finding Worm Signatures
  • Practical Content Sifting
  • Selective Experiences
  • Limitation and Conclusion

24
Limitation
  • Variant content
    • Metamorphic viruses
    • Compression
    • IPSEC and VPN (encrypted payloads carry no
      invariant plaintext to fingerprint)
  • Network evasion
    • Overlapping IP fragments
    • If a worm requires only a single packet for
      transmission, the attacker can spoof the source
      address

25
Limitation (cont.)
  • Parameter tuning?
    • Autotuning of content sifting parameters
  • Slow worms?
  • Could content sifting be trained (misled) by smart
    worms?
  • Containment
    • Manual vs. automatic

26
Conclusion
  • Novel work, but it needs further practical
    examination.

27
Q & A
  • Thanks