

http://www.ist-lobster.org/

Kostas Anagnostakis, FORTH

Worm Detection: Network-internal Mechanisms and Infrastructure

Kostas Anagnostakis
Institute of Computer Science (ICS)
Foundation for Research and Technology – Hellas (FORTH)
Crete, Greece


Talk Roadmap

• Background on worms
  – A brief timeline
  – End system vs. network-level solutions

• Network-level detection mechanisms
  – Scan detection, payload scanning, polymorphic worm detection, shadow honeypots

• Infrastructure efforts
  – The LOBSTER initiative


A brief timeline

• Summer 2001: Code-Red worm
  – Infected 350,000 computers in 24 hours
  – A “proof-of-concept” worm

• January 2003: Sapphire/Slammer worm
  – Infected 75,000 computers in 30 minutes
  – Demonstrated the need for automated defense mechanisms

• March 2004: Witty worm
  – Infected 20,000 computers in 60 minutes
  – A “niche” worm targeting a system deployed in <<0.1% of the Internet


End system vs. network-level solutions

• End-system approach
  – Proactive: “secure by design”; ideal, but very expensive
  – Reactive: end-host firewall, anti-virus, intrusion detection, auto-patching

• Network-level approach
  – Good aggregation properties, centralized control
  – Less accurate


Day-zero worms: scan detection

• Observation: most worms spread by probing (scanning) random targets

• Approach: look for an unusually large number of failed connection attempts

• Advantages: relatively cheap (no content inspection), application-independent

• Disadvantages: not entirely foolproof -- stealthier scans possible, or no scans at all (hitlist worms); also susceptible to false positives
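The failed-connection heuristic on this slide, as an added example (not code from the talk or the LOBSTER project): a per-source sliding window over constructed connection-attempt records, with a switch that shows why counting distinct targets rather than raw failures matters for the false-positive problem the slide mentions. The record layout, thresholds and sample hosts are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed sample connection attempts: (time_s, src, dst, dport, outcome).
# "fail" stands for a SYN answered by RST or ICMP unreachable, or not at all.
def _attempts(src, start, step, n, dst_fmt, outcome="fail"):
    return [(start + i * step, src, dst_fmt.format(i + 1), 445, outcome) for i in range(n)]

SAMPLE = (
    _attempts("10.0.0.7", 5.0, 1.5, 12, "192.0.2.{}")      # fast scanner: 12 targets in 18 s
    + _attempts("10.0.0.5", 0.0, 4.0, 12, "198.51.100.9")   # client retrying one dead server
    + _attempts("10.0.0.9", 0.0, 30.0, 12, "203.0.113.{}")  # slow scanner: 12 targets in 330 s
    + [(2.0, "10.0.0.5", "192.0.2.10", 80, "ok")]           # ordinary successful connection
)

def detect_scanners(records, threshold=10, window=60.0, distinct_targets=True):
    """Flag a source once it accumulates `threshold` failed attempts within any
    `window` seconds. With distinct_targets=True only distinct (dst, dport) pairs
    count, which is what separates a scanner from a host retrying one server.
    Returns {src: time of first alert}."""
    recent = defaultdict(deque)          # src -> time-ordered (time, target) failures
    alerts = {}
    for t, src, dst, dport, outcome in sorted(records):
        if outcome != "fail":
            continue
        q = recent[src]
        q.append((t, (dst, dport)))
        while q[0][0] < t - window:      # expire failures that fell out of the window
            q.popleft()
        hits = len({tgt for _, tgt in q}) if distinct_targets else len(q)
        if hits >= threshold and src not in alerts:
            alerts[src] = t
    return alerts

if __name__ == "__main__":
    print("distinct-target rule:", detect_scanners(SAMPLE))
    print("raw-count rule:      ", detect_scanners(SAMPLE, distinct_targets=False))
```

With the default 60 s window the slow scanner never trips the detector, which is the "stealthier scans possible" caveat from the slide; widening the window catches it at the cost of more state per source.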


Day-zero worms: content fingerprinting

• Observation: when a worm starts spreading, one could see many “similar” packets, with increasing frequency over time

• Approach: keep track of packet “fingerprints”, raise an alarm on a frequency threshold

• Advantages: application-agnostic, automatically provides a worm signature for firewalls/IPS, also works for non-scanning worms

• Disadvantages: worms can change their form to evade detection (polymorphism), possible false positives with P2P, flash crowds

[Several published studies, including FORTH paper at ICC’05]
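Content fingerprinting as described on this slide, as an added example (not the ICC’05 paper's code): every fixed-length block of a payload is hashed, prevalence per block is tracked, and an alarm also hands back the block bytes as a signature. The source/destination spread requirement is one way to keep a flash crowd on a single server from alarming; block size, thresholds and the sample payloads are assumptions made for the example.

```python
import hashlib
from collections import defaultdict

BLOCK = 20   # bytes per content block; the block window slides one byte at a time

def fingerprints(payload, block=BLOCK):
    """Map fingerprint -> block bytes for every block-length substring of payload."""
    return {hashlib.blake2b(payload[i:i + block], digest_size=8).digest(): payload[i:i + block]
            for i in range(len(payload) - block + 1)}

class ContentPrevalence:
    """Alarm when one content block has been seen `threshold` times, from at least
    `min_srcs` sources and towards at least `min_dsts` destinations."""
    def __init__(self, threshold=6, min_srcs=3, min_dsts=3):
        self.threshold, self.min_srcs, self.min_dsts = threshold, min_srcs, min_dsts
        self.stats = defaultdict(lambda: [0, set(), set()])  # fp -> [count, srcs, dsts]
        self.signatures = {}                                  # fp -> block already alarmed

    def observe(self, src, dst, payload):
        """Feed one packet; return the content blocks that crossed the alarm threshold."""
        new = []
        for fp, block in fingerprints(payload).items():
            entry = self.stats[fp]
            entry[0] += 1
            entry[1].add(src)
            entry[2].add(dst)
            if (fp not in self.signatures and entry[0] >= self.threshold
                    and len(entry[1]) >= self.min_srcs and len(entry[2]) >= self.min_dsts):
                self.signatures[fp] = block   # remember it so each signature alarms once
                new.append(block)
        return new

# Constructed traffic: a 48-byte worm payload fanning out from several infected hosts,
# then a flash crowd of identical requests from many clients to one web server.
WORM = b"\x90" * 8 + b"EXPLOIT-BLOCK-ONE-TWO-THREE-FOUR" + b"\xcc" * 8
FLASH = b"GET /index.html HTTP/1.0\r\nHost: www.example.org\r\n\r\n"

def run_demo():
    """Return (packet index of first worm alarm, worm signature blocks, flash-crowd alarms)."""
    det, first_alarm, worm_sigs, flash_sigs = ContentPrevalence(), None, [], []
    for i in range(8):
        sigs = det.observe(f"10.0.{i}.1", f"192.0.2.{i + 1}", WORM)
        if sigs and first_alarm is None:
            first_alarm = i + 1
        worm_sigs += sigs
    for i in range(20):
        flash_sigs += det.observe(f"10.1.{i}.2", "198.51.100.80", FLASH)
    return first_alarm, worm_sigs, flash_sigs
```

The alarm fires on the sixth worm packet and returns all 29 overlapping blocks of the payload; a deployment would keep only a sampled subset of block fingerprints to bound memory, which this example omits.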


Day-zero worms: polymorphic sled detection

• Observation: the control-hijacking portion of polymorphic worms (the sled) is exposed, even when obfuscated: it looks like code!

• Approach: look for valid instruction sequences in the packet stream

• Advantages: relatively cheap, reasonably accurate

• Disadvantages: only applies to stack-smashing buffer overflow attacks, does not provide a signature

[see FORTH paper at IFIP Security’05]


Day-zero worms: shadow honeypots

• Observation: false positives are a real problem for network-level detection

• Approach: validate suspicious traffic by replaying sessions in “shadow honeypots”

• Advantages: zero false positives, can tune network-level detection to higher sensitivity

• Disadvantages: potentially huge shadow server farms to cover different types of applications, and different versions

[see FORTH paper at USENIX Security’05]


Day-zero worms: shadow honeypots II

• Shadow honeypot implementation:


Infrastructure requirements

• Flexibility: deep content inspection, updateability
• High performance: operate at 1 Gbit/s +
• Ease of use: API and/or scripting
• Scale: larger coverage improves detection
• Cooperation: different providers
• Privacy: outsider and insider threats


Infrastructure: The LOBSTER Initiative

• Project profile:
  – A “Specific Support Action”
  – Funded by the European Commission
  – Two-year effort, started late 2004

• Partners:
  – Research organizations: ICS-FORTH (GR), Vrije Universiteit (NL), TNO Telecom (NL)
  – NRNs/ISPs, associations: CESNET (CZ), UNINETT (NO), FORTHNET (GR), TERENA (NL)
  – Industrial partners: ALCATEL (FR), Endace (UK)


The LOBSTER infrastructure

• A distributed system of passive monitoring sensors

• Focus on cooperation
  – Share raw and preprocessed data
  – Correlate results

• Initially three sites
  – UNINETT, CESNET, FORTHnet

• Open participation model
  – Similar to PlanetLab


LOBSTER Engineering Challenges

• Trust: cooperating sensors may not trust each other
  – Configurable privacy and anonymization policies
  – Distinction between internal and external users
  – Audit trail for accountability

• Security: prevent attackers from gaining access to private/confidential data
  – Strong authentication
  – Tamper-proof hardware-level anonymization

• Ease of use: need a common programming environment
  – Use DiMAPI (Distributed Monitoring Application Programming Interface)
  – Extension to MAPI developed within the SCAMPI project


Who can benefit from LOBSTER?

• NRNs/ISPs
  – Better Internet traffic monitoring of their networks
  – Better understanding of their interactions with other NRNs/ISPs

• Security analysts and researchers
  – Access to anonymized data
  – Access to a “safe” testbed
  – Study trends and validate research results

• Network and security administrators
  – Access to a traffic monitoring infrastructure
  – Access to early-warning systems
  – Access to software and tools


Concluding remarks

• Network-level detection is necessary, but hard to get right
• Many promising proposals for detection mechanisms, still waiting to be field-tested and deployed
• “Arms race” between attacks + defenses likely
• Need large-scale, distributed, passive network monitoring infrastructure
• EC-funded LOBSTER initiative a first step in this direction


Worm Detection: Network-internal Mechanisms and Infrastructure

Kostas Anagnostakis