Defending Against Internet Worms: A Signature-Based Approach - PowerPoint PPT Presentation

About This Presentation
Title:

Defending Against Internet Worms: A Signature-Based Approach

Description:

Inexact, Flexible Signatures. Identify significant region from embedded background ... Worm polymorphism. Inexact, flexible signatures. PADS signature ... – PowerPoint PPT presentation

Slides: 17
Provided by: yong70
Transcript and Presenter's Notes

1
Defending Against Internet Worms: A Signature-Based Approach
2
Worm Defense
  • Worm Early Warning
    • Chen et al., Zou et al., Gu et al.
    • New requirements
      • local deployment without a large address space
      • detect before local systems are compromised
  • Worm Detection
    • Anomaly-based defense
    • Misuse-based defense
      • Signature
      • Inexact signature
  • Worm Mitigation

3
Automatic Defense System
  • Detect the existence of a new (polymorphic) worm
  • Isolate enough samples
  • Extract a signature
  • Deploy the signature
  • Automatic, with minimal assistance from human experts

4
Worm Warning
  • Honeypot system
    • A monitored system that attracts and traps attack traffic
    • High-interaction and low-interaction honeypots
  • Nature of a worm
    • An infected host makes outbound connections to infect other similar systems
  • Honeypot-based detection systems

5
Double-Honeypot System
Automatically separate attack traffic from the background of normal traffic
6
Detect before Being Compromised
  • N: size of the local address space
  • h: number of publicly accessible servers on a particular port
  • (N-h)/N: probability of compromising a honeypot first
  • h/N: probability of compromising a server first
  • (N-h)/h: ratio
  • When N >> h, it is almost certain that a honeypot will be compromised first.

7
Polymorphism of Internet Worms
  • Self-encryption
  • Garbage-code insertion
  • Instruction substitution
  • Code transposition
  • Register reassignment
  • Embedding in a lengthy normal traffic stream
  • Executable analysis technique by Christodorescu and Jha
  • Cure-all solution unlikely

8
Inexact, Flexible Signatures
  • Identify the significant region from the embedded background
  • Tolerate extensive, local changes
  • Capture static elements, as well as the likely values for variable elements

9
Position-Aware Distribution Signature (PADS)
  • Each position in the signature string is not a byte but a byte-frequency distribution
  • Matching score of a sample variant against the PADS signature
  • Significant region: the substring of a sample variant that maximizes the matching score

10
Calculating PADS Signature
  • Consider a set of sample variants
  • Given the PADS, we can find the significant regions
  • Given the significant regions, we can estimate the PADS
  • We don't know either, but want to know both
  • Iterative approaches

11
Expectation-Maximization (EM) Algorithm
  • Initialization
    • Guess significant regions randomly and estimate the PADS signature
  • Expectation
    • Use the estimated signature to refine the guess of the significant regions
  • Maximization
    • Obtain a new maximum-likelihood estimate of the PADS signature from the significant regions
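
The following Python sketch is an added worked example, not code from the slides or the authors: it builds a PADS (one smoothed byte-frequency distribution per position) from constructed worm variants with the EM loop of slides 10-11, scores windows as the log-likelihood ratio against a uniform byte background, and takes the best-scoring window as the significant region. The signature width W=8, the pseudo-count smoothing, the detection threshold of 0 and the "worm core" bytes are all assumptions made for the demo.

```python
import math, random
from collections import Counter

W = 8          # assumed signature width = length of the significant region
ALPHA = 1.0    # pseudo-count so bytes never seen at a position keep nonzero probability
# Constructed stand-in for an invariant exploit core with one variable byte (not real worm bytes).
CORES = [b"GET /x\x90\x90", b"GET /x\x90\x91"]

def rand_bytes(k):
    return bytes(random.randrange(256) for _ in range(k))

def make_variant(length=40):
    """Constructed polymorphic variant: a core embedded at a random offset in random background."""
    off = random.randrange(length - W + 1)
    return rand_bytes(off) + random.choice(CORES) + rand_bytes(length - W - off)

def estimate_pads(samples, offsets):
    """Maximization: per-position byte counts over the current significant regions."""
    return [Counter(s[o + i] for s, o in zip(samples, offsets)) for i in range(W)]

def match_score(pads, n, window):
    """Log-likelihood ratio of a W-byte window under the PADS vs a uniform byte background."""
    return sum(math.log((pads[i][b] + ALPHA / 256) / (n + ALPHA) * 256)
               for i, b in enumerate(window))

def significant_region(pads, n, sample):
    """Expectation: offset of the window in `sample` with the maximal matching score."""
    return max(range(len(sample) - W + 1), key=lambda o: match_score(pads, n, sample[o:o + W]))

def em_pads(samples, iters=15):
    """EM: random region guesses -> PADS -> refined regions -> new PADS, repeated."""
    n = len(samples)
    offsets = [random.randrange(len(s) - W + 1) for s in samples]    # Initialization
    for _ in range(iters):
        pads = estimate_pads(samples, offsets)                        # Maximization
        offsets = [significant_region(pads, n, s) for s in samples]   # Expectation
    return estimate_pads(samples, offsets), n

def classify(pads, n, stream, threshold=0.0):
    """Flag a stream as a worm variant if its best window scores above the threshold."""
    best = max(match_score(pads, n, stream[o:o + W]) for o in range(len(stream) - W + 1))
    return best > threshold

def run_demo(seed=7):
    """Train on 100 constructed variants; test on 100 fresh variants and 100 random streams."""
    random.seed(seed)
    pads, n = em_pads([make_variant() for _ in range(100)])
    detected = sum(classify(pads, n, make_variant()) for _ in range(100))
    false_alarms = sum(classify(pads, n, rand_bytes(40)) for _ in range(100))
    return detected, false_alarms
```

Because the variable last byte of the core takes two values, the learned distribution at that position splits between them, which is the "likely values for variable elements" property of slide 8; a fixed byte signature would have to pick one.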

12
Gibbs Sampling Algorithm
  • Initialization
    • Guess significant regions randomly
  • Predictive update
    • Randomly select one sample variant. Estimate the PADS signature from the significant regions of the remaining sample variants.
  • Sampling step
    • Guess the significant region of the selected worm variant with a probability distribution based on the matching scores

13
Experiment Setup
  • MS Blaster worm, 1.8KB, exploiting the DCOM RPC interface
  • Instruction substitution
  • Garbage-code insertion
  • Embedded in a normal traffic stream of 2-20KB
  • 100 sample variants to produce the signature
  • 100 sample variants and 100 normal streams as test data

14
Calculating PADS signature
15
Separating Attack Traffic from Normal Traffic
16
Conclusion
  • Double-honeypot systems
    • automatically detect ongoing worm attacks and capture sample variants of a worm
  • Worm polymorphism
  • Inexact, flexible signatures
  • PADS signature