Review Study on Techniques for Network worm Signatures Automation




1 Mohammed Anbar, 2 Sureswaran Ramadass, 3 Selvakumar Manickam, 4 Syazwina Binti Alias, 5 Alhamza Alalousi, and 6 Mohammed Elhalabi

1,2,3,4,6 National Advanced IPv6 Centre (NAv6), Universiti Sains Malaysia, {anbar,sures,selva,syazwina}@nav6.org
5 School of Computer and Communication Engineering, Universiti Malaysia Perlis, Perlis, Malaysia, g1340811014@studentmail.unimap.edu.my

Abstract

A network worm signature is a specific byte string that occurs in the packet payload. Signature-based IDSs such as Snort compare this string against the signatures stored in their database: if a match is found the worm is detected, otherwise it goes undetected. This paper presents a review study of techniques for automating network worm signatures. It first defines the network worm and the worm signature, then discusses the severity of a worm's presence in the network, and describes worm propagation and activation schemes. Finally, it surveys the current techniques for automating network worm signature generation.

Keywords: Network worm, Worm signature, Intrusion Detection System (IDS)

1. Introduction

A network worm is self-propagating, self-duplicating malicious code that spreads through computer networks without human intervention and attacks vulnerable hosts and services. Network worms are typically classified by two attributes: the method used to spread and the technique used to exploit vulnerabilities. Network worms have destructive effects on network topology, resources and services [1-7], which is why many researchers have proposed techniques to automate the generation of network worm signatures.
According to Li, Salour and Su [8], the life cycle of a network worm after its release typically includes four phases: target finding (scanning), worm transfer, worm activation, and infection. The worm is active on the network during target finding and transfer, and can be detected there by network-based intrusion detection systems (NIDSs). The activities of the last two phases (activation and infection) are confined to local machines and are harder for a NIDS to detect, because they are focused on individual computers rather than on the network as a whole. In contrast, the activities of the first two phases (scanning and transfer) are easier to detect because they are centred on the network, for example the abnormal traffic generated by scanning. Figure 1 shows the typical location of a NIDS in the network.

Figure 1. The typical location of NIDS in the network

Advances in Information Sciences and Service Sciences (AISS), Volume 5, Number 17, December 2013

Like a computer virus or other malicious code, a network worm has a signature that an IDS can use in the detection phase. Automated signature generation for new attacks is extremely difficult for three reasons. First, in order to create an attack signature, attack traffic must be identified and isolated from legitimate traffic; automatic identification of new worms is critical, since it is the foundation of all other defence measures. Second, the generated signature must be general enough to capture all attack traffic of a given type while at the same time being specific enough not to overlap with the content of normal traffic, so that false positives are kept low. So far this problem has been handled in an ad hoc way based on human judgement. Third, the defence system must be flexible enough to deal with polymorphism in the attack traffic; otherwise worms may be programmed to deliberately modify themselves each time they replicate and thus fool the defence system [9]. The packets used to transfer malicious code from the sender to the destination have specific patterns and noticeable behaviours, and after the malicious code infects the destination host, that host will act in the same manner as the host that infected it.

2. The Severity of Worms

The severity of network worms depends on the propagation process, in which network scanning is initiated to find vulnerable hosts and services. Network scanning degrades network performance and consumes bandwidth and resources (CPU and memory), because the scanned machines are kept busy receiving and responding to the scanner's requests. Once a network worm infects a network it automatically begins to propagate, causing great disruption throughout the network through congestion: it creates unnecessary traffic that serves only worm propagation. Figure 2 shows the worm propagation process.

Figure 2. Worm propagation

3. Network Worm Propagation Schemes

As reported by Weaver et al. [5], there are three network worm propagation schemes: (1) self-carried, (2) embedded, and (3) second channel. A self-carried network worm actively transmits itself to the target host; the worm is fully transmitted to the target during the initial connection. A second-channel network worm needs a second communication channel: the worm communicates with the victim machine over the original channel, then the victim machine connects back to the infecting machine over another channel to download the worm payload. The embedded propagation scheme is very stealthy; the worm appends its payload to, or replaces, legitimate traffic in order to hide itself. No anomalous events are triggered, so it is hard for anomaly-based detection systems to detect. In addition to the three propagation schemes discussed, botnets have been used to propagate network worms, spam and spyware, and to launch distributed denial-of-service (DDoS) attacks [8]. A botnet is a group of compromised hosts under the control of a botmaster. The communication channel through which the botmaster issues commands can be implemented with different protocols, such as HTTP or peer-to-peer (P2P) protocols; however, the majority of botnets use the Internet Relay Chat (IRC) protocol for this purpose [14].

4. Network Worm Activation Schemes

Network worm activation means running the network worm under a certain condition or schedule. Weaver et al. [15] classified network worm activation as follows:
1. Human activated: this type of activation requires human intervention to execute the network worm.
2. Activated by a specific user activity, such as opening a CD or bin drive.
3. Activated by scheduled processes: the network worm is activated by a legitimate automated process that has not been properly secured, such as a legitimate program that automatically updates itself from an infected web server.
4. Self-activated: this kind of network worm can activate without human intervention and is considered the most dangerous; this study focuses on detecting this kind of network worm.

5. Techniques for Automating Network Worm Signatures

Snort, an open source network-based intrusion detection system (NIDS), can perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching and content matching. It can be configured in three main modes: sniffer, packet logger, and network intrusion detection. In sniffer mode the program reads network packets and displays them on the console; in packet logger mode it logs packets to disk [16].
In intrusion detection mode, Snort can detect different types of malicious code, including network worms. For network worms, Snort is a signature-based network worm detector (SBWD): it detects the presence of a network worm by checking the payload of incoming packets and system log files against the worm signatures already stored in the IDS database, and raises an alert when a match is found [16].

Kreibich and Crowcroft [17] developed Honeycomb, which aims to generate signatures for malicious network traffic automatically, using pattern-detection techniques and packet header similarity tests on traffic captured by honeypots. Traffic reaching the honeypot is written to a log file consisting of the IP, TCP and UDP headers as well as the payload data. After protocol analysis, Honeycomb proceeds to analyse the reassembled flow content. It applies the longest common substring (LCS) algorithm to the binary strings built from the exchanged messages, in two different ways: horizontal detection and vertical detection. The contents of the signature pool are periodically reported to an output module, which performs the actual logging of the signature records. At present there are modules that convert the signature records into Bro [18] or pseudo-Snort format, and a module that dumps the signature strings to a file. Figure 3 shows the Honeycomb architecture.
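To make the LCS step concrete, the following is an added example (not Honeycomb's own code) of horizontal and vertical LCS detection over a handful of constructed honeypot flows, followed by a pseudo-Snort rendering of the resulting signature records. The flow records, the WORM marker string, the minimum signature length and the rule format are all assumptions of the example; a quadratic dynamic-programming LCS is used for clarity rather than an efficient implementation.

```python
"""Honeycomb-style signature generation from honeypot flows: longest common
substring (LCS) over message contents, horizontally (the k-th message of one
connection against the k-th message of another) and vertically (the whole
reassembled stream of one connection against that of another).

Added illustration, not Honeycomb's own code. The flow records and the WORM
marker string are constructed sample data, and the rule text is a simplified
pseudo-Snort rendering (Honeycomb's own output modules are not reproduced)."""

from itertools import combinations

WORM = b"\xeb\x10WORM-SAMPLE-EXPLOIT-BODY\x90\x90"   # constructed marker, not real code

# Constructed honeypot flows: each is the client-to-server side of one
# connection, split into the messages as they were logged. Two HTTP flows carry
# the same WORM bytes after different request lines; the others are ordinary.
FLOWS = [
    {"dst_port": 80, "messages": [b"GET /a.html HTTP/1.0\r\n" + WORM, b"Host: one\r\n"]},
    {"dst_port": 80, "messages": [b"GET /b.cgi HTTP/1.0\r\n" + WORM, b"Host: two\r\n"]},
    {"dst_port": 25, "messages": [b"HELO mail\r\n", b"MAIL FROM:<x@example>\r\n"]},
    {"dst_port": 80, "messages": [b"GET /index.php HTTP/1.1\r\n", b"Host: three\r\n"]},
]


def longest_common_substring(a, b):
    """Quadratic dynamic-programming LCS on byte strings (kept simple here)."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def horizontal_lcs(flows, min_len):
    """Horizontal detection: compare message k of one connection with message k
    of every other connection to the same port; keep LCSs of at least min_len."""
    found = set()
    for fa, fb in combinations(flows, 2):
        if fa["dst_port"] != fb["dst_port"]:
            continue
        for ma, mb in zip(fa["messages"], fb["messages"]):
            s = longest_common_substring(ma, mb)
            if len(s) >= min_len:
                found.add((fa["dst_port"], s))
    return found


def vertical_lcs(flows, min_len):
    """Vertical detection: concatenate all messages of each connection and
    compare the reassembled streams, which can join content that spans
    message boundaries."""
    found = set()
    streams = [(f["dst_port"], b"".join(f["messages"])) for f in flows]
    for (pa, sa), (pb, sb) in combinations(streams, 2):
        if pa != pb:
            continue
        s = longest_common_substring(sa, sb)
        if len(s) >= min_len:
            found.add((pa, s))
    return found


def generate_signatures(flows, min_len=16):
    """Signature pool from both detection modes, longest signature first."""
    pool = horizontal_lcs(flows, min_len) | vertical_lcs(flows, min_len)
    return sorted(pool, key=lambda ps: (-len(ps[1]), ps[0], ps[1]))


def to_pseudo_snort(port, content):
    """Render one signature record as a simplified Snort-like rule."""
    hexstr = " ".join(f"{byte:02X}" for byte in content)
    return (f'alert tcp any any -> any {port} '
            f'(msg:"Honeycomb auto-signature"; content:"|{hexstr}|";)')


if __name__ == "__main__":
    for port, content in generate_signatures(FLOWS):
        print(to_pseudo_snort(port, content))
```

On the constructed flows the vertical pass yields a longer signature than the horizontal one, because the common bytes continue across the message boundary into the "Host: " header; the minimum length keeps short protocol fragments such as "GET /" out of the pool, which is the specificity concern raised in the introduction.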

Figure 3. Honeycomb architecture (Kreibich & Crowcroft, 2004)

Autograph, proposed by Kim and Karp [19], is a distributed system for automatically generating network worm signatures for Bro [18] and Snort [16]. Autograph aims to generate signatures automatically for unknown network worms that propagate over TCP. It generates signatures by analysing the prevalence of portions of flow payloads, and thus uses no knowledge of protocol semantics above the TCP level. It is designed to produce signatures with high sensitivity (high true positives) and high specificity (low false positives). Unlike Honeycomb, Autograph's inputs are packet traces from a demilitarized zone (DMZ) that include benign traffic. Content blocks that match enough suspicious flows are used as input to COPP, an algorithm based on Rabin fingerprints that searches for repeated byte sequences by partitioning the payload into content blocks. Like Honeycomb, Autograph generates signatures consisting of a single contiguous substring of a network worm's payload intended to match all instances of the worm. Such signatures unfortunately fail to match all instances of a polymorphic network worm with low false positives and low false negatives.

Earlybird is a system proposed by Singh et al. [20] for generating signatures to detect network worms, based on the assumption that network worms must generate significant traffic in order to propagate. This traffic will contain a common substring that is transferred from the source (attacker) to the destinations. Based on this assumption the authors believe that identifying this traffic pattern is sufficient to detect network worms. To identify the traffic pattern, content sifting is proposed, which works as follows: (A) for each network packet, the content is extracted and all substrings processed, and (B) each substring is indexed into a log table that increments a count field for that substring each time it is found.
In effect, this table implements a histogram of all observed substrings. To maintain a count of unique source and destination addresses, each table entry also maintains two lists of IP addresses, which are searched and potentially updated each time a substring count is incremented. Sorting this table by substring count and by the size of the address lists produces the set of likely network worm traffic. Earlybird, like Honeycomb and Autograph, generates signatures consisting of a single contiguous substring of a network worm's payload intended to match all instances of the worm; such signatures likewise fail to match all instances of a polymorphic network worm with low false positives and low false negatives.

A double-honeynet is another system that aims to detect new network worms automatically. The proposed system consists of two honeynets, Honeynet 1 and Honeynet 2. A gate translator deployed at the edge router between the local network and the Internet detects unwanted inbound connections and forwards them to Honeynet 1. Once Honeynet 1 is compromised, the network worm will attempt to make outbound connections. Each honeynet is associated with an internal translator, implemented in a router that separates the honeynet from the rest of the network. Internal translator 1 intercepts all outbound connections from Honeynet 1 and redirects them to Honeynet 2. Honeynet 2 captures the packets that make outbound connections, so the double-honeynet forwards only packets that make outbound connections. Once Honeynet 2 has captured enough instances of network worm payloads, internal translator 2 automatically forwards them to the signature generator, which receives the packet payloads captured by the double-honeynet. These packets are checked by the protocol classifier, which classifies packets by protocol (TCP/UDP) and port number. The known-worms filter component then filters out known network worm samples and passes the remaining samples (unknown network worms) to the signature generation algorithms component, which extracts all the distinct tokens in the samples and clusters them according to their similarity. The set of tokens in each cluster is used as the signature for that cluster, so the total number of signatures equals the total number of clusters [21]. Figure 4 shows the double-honeynet system architecture. Table 1 summarises the techniques for automating network worm signatures.

Figure 4. Double Honeynet system architecture

Table 1: A summary of techniques for automating network worm signatures.

Approach | Description | Disadvantage
Honeycomb (Kreibich & Crowcroft, 2004) | Aims to generate signatures for malicious network traffic automatically; uses pattern-detection techniques and packet header similarity tests on traffic captured from honeypots | Fails to match all polymorphic network worm instances
Autograph (Kim & Karp, 2004) | Aims to automatically generate signatures for unknown network worms that propagate over TCP; generates signatures by analysing the prevalence of portions of flow payloads, using no knowledge of protocol semantics above the TCP level | Fails to match all polymorphic network worm instances
Earlybird (Singh, Estan, Varghese & Savage, 2004) | Generates signatures to detect network worms based on the assumption that worms must generate significant traffic to propagate; this traffic will contain a common substring transferred from the source (attacker) to the destinations | Fails to match all polymorphic network worm instances
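The COPP step described above for Autograph, as an added example that is not Autograph's own code: a rolling hash partitions each payload into content-defined blocks, and block prevalence across suspicious flows selects the candidate signature material. The hash (a Rabin-Karp style polynomial hash rather than Autograph's true Rabin fingerprint), the block-size parameters and the flows are all assumptions of the example; the shared body is generated deterministically and labelled as constructed.

```python
"""Autograph-style signature generation: content-based payload partitioning
(COPP) with a rolling hash, then counting how many suspicious flows each
content block appears in (prevalence).

Added illustration, not Autograph's own code. A Rabin-Karp style polynomial
rolling hash stands in for Autograph's Rabin fingerprint, and the flow
payloads are constructed sample data (a seeded generator produces a
pseudo-random "shared body" playing the role of the worm's invariant part)."""

from collections import Counter

BASE = 257
MOD = (1 << 31) - 1


def rolling_hashes(data, k):
    """Yield (end, h) where h hashes data[end-k:end], for every k-byte window."""
    if len(data) < k:
        return
    high = pow(BASE, k - 1, MOD)      # weight of the byte that leaves the window
    h = 0
    for i in range(k):
        h = (h * BASE + data[i]) % MOD
    yield k, h
    for i in range(k, len(data)):
        h = ((h - data[i - k] * high) * BASE + data[i]) % MOD
        yield i + 1, h


def copp_partition(data, k=8, avg=32, brk=7, min_block=16, max_block=128):
    """Split data into content-defined blocks: a block ends at a window whose
    hash satisfies h % avg == brk, never earlier than min_block bytes after the
    previous boundary and never later than max_block bytes after it. Because
    boundaries depend on content rather than on offsets, two payloads that
    share a long region resynchronise onto the same blocks inside it."""
    blocks, start = [], 0
    for end, h in rolling_hashes(data, k):
        length = end - start
        if length < min_block:
            continue
        if h % avg == brk or length >= max_block:
            blocks.append(data[start:end])
            start = end
    if start < len(data):
        blocks.append(data[start:])     # trailing block, may be shorter than min_block
    return blocks


def prevalent_blocks(payloads, min_flows, **copp):
    """Count, per distinct block, the number of suspicious flows containing it
    and keep blocks seen in at least min_flows flows (Autograph's prevalence
    test). Most prevalent first, then longest."""
    counts = Counter()
    for payload in payloads:
        for block in set(copp_partition(payload, **copp)):
            counts[block] += 1
    hits = [(b, c) for b, c in counts.items() if c >= min_flows]
    return sorted(hits, key=lambda bc: (-bc[1], -len(bc[0]), bc[0]))


def pseudo_random_bytes(seed, n):
    """Deterministic filler (LCG) used only to build the constructed sample."""
    out, x = bytearray(), seed
    for _ in range(n):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


SHARED_BODY = pseudo_random_bytes(20131217, 600)   # constructed invariant payload
SUSPICIOUS_FLOWS = [                                # constructed: differing prefixes
    b"GET /x HTTP/1.0\r\n" + SHARED_BODY,
    b"GET /yyyy HTTP/1.0\r\n" + SHARED_BODY,
    b"POST /z HTTP/1.1\r\n" + SHARED_BODY,
    b"GET /index.html HTTP/1.0\r\nHost: example\r\n",   # benign flow caught in the trace
]

if __name__ == "__main__":
    for block, seen_in in prevalent_blocks(SUSPICIOUS_FLOWS, 3):
        print(f"{seen_in} flows share a {len(block)}-byte block: {block[:8].hex()}...")
```

The partition functions take their parameters explicitly so that the resynchronisation property can be checked on a tiny hand-traceable input (a one-byte window with a break on odd bytes): payloads that differ only in a short prefix produce different first blocks and then fall back onto identical blocks, which is what lets a prevalence count find the invariant part regardless of where it sits in each flow.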
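Earlybird's content sifting, as an added example (not Earlybird's own code) that also shows the polymorphism limitation noted in the introduction and in the disadvantage column of Table 1: a substring histogram whose entries carry source and destination address sets, thresholding on count and dispersion, and a merge step that chains overlapping substrings back into one contiguous signature. The substring length, the thresholds, the packets and the XOR-varied instances are assumptions of the example, constructed here; Earlybird itself uses 40-byte substrings with value sampling and scaled bitmaps for its address lists.

```python
"""Earlybird-style content sifting: every fixed-length substring of each
packet payload is counted in a table that also tracks the distinct source and
destination addresses seen with it; substrings that are both prevalent and
widely dispersed are the likely worm content, and overlapping ones are chained
back into one contiguous signature.

Added illustration, not Earlybird's own code. Earlybird hashes 40-byte
substrings with value sampling and keeps scaled bitmaps for the address lists;
this example uses exact 16-byte substrings, no sampling and Python sets. The
packets, BODY and the XOR-varied "polymorphic" instances are constructed."""

from collections import defaultdict

SUBSTR_LEN = 16

BODY = b"\xeb\x10SAMPLE-WORM-BODY-CONSTRUCTED\x90\x90"   # constructed marker, 32 bytes

# Constructed packets: (src, dst, payload). Three instances of the same static
# payload from two sources to three destinations, plus two ordinary requests.
WORM_PACKETS = [
    ("10.0.0.5", "10.0.1.7", b"GET /x HTTP/1.0\r\n" + BODY),
    ("10.0.0.5", "10.0.2.9", b"GET /y HTTP/1.0\r\n" + BODY),
    ("10.0.3.3", "10.0.4.4", b"GET /zz HTTP/1.0\r\n" + BODY),
]
BENIGN_PACKETS = [
    ("10.0.9.9", "10.0.1.7", b"GET /index.html HTTP/1.0\r\nHost: a\r\n"),
    ("10.0.8.8", "10.0.1.7", b"GET /about.html HTTP/1.0\r\nHost: b\r\n"),
]
# Polymorphic stand-ins (constructed): each instance carries BODY XORed with a
# different key, so the instances share no 16-byte substring with each other.
POLY_PACKETS = [
    (src, dst, payload[:-len(BODY)] + bytes(b ^ key for b in BODY))
    for (src, dst, payload), key in zip(WORM_PACKETS, (0x41, 0x7E, 0xC3))
]


class SiftTable:
    """Histogram of substrings with per-entry source/destination address sets."""

    def __init__(self, n=SUBSTR_LEN):
        self.n = n
        self.entries = defaultdict(lambda: {"count": 0, "srcs": set(), "dsts": set()})

    def sift(self, src, dst, payload):
        """Steps (A) and (B): extract every n-byte substring and update its entry."""
        for i in range(len(payload) - self.n + 1):
            e = self.entries[payload[i:i + self.n]]
            e["count"] += 1
            e["srcs"].add(src)
            e["dsts"].add(dst)

    def candidates(self, count_t, src_t, dst_t):
        """Substrings whose count and address-list sizes all pass the thresholds,
        most prevalent and most dispersed first."""
        hits = [(s, e["count"], len(e["srcs"]), len(e["dsts"]))
                for s, e in self.entries.items()
                if e["count"] >= count_t and len(e["srcs"]) >= src_t and len(e["dsts"]) >= dst_t]
        return sorted(hits, key=lambda h: (-h[1], -h[2], -h[3], h[0]))


def merge_windows(windows):
    """Chain candidate substrings that overlap by n-1 bytes (consecutive windows
    of the same payload) into contiguous signature strings."""
    by_prefix = {w[:-1]: w for w in windows}
    suffixes = {w[1:] for w in windows}
    signatures = []
    for w in sorted(windows):
        if w[:-1] in suffixes:
            continue                    # another candidate precedes it: not a chain start
        sig, cur, seen = w, w, {w}
        while cur[1:] in by_prefix and by_prefix[cur[1:]] not in seen:
            cur = by_prefix[cur[1:]]
            seen.add(cur)
            sig += cur[-1:]
        signatures.append(sig)
    return signatures


def detect(packets, n=SUBSTR_LEN, count_t=3, src_t=2, dst_t=2):
    """Run content sifting over packets and return the merged signatures."""
    table = SiftTable(n)
    for src, dst, payload in packets:
        table.sift(src, dst, payload)
    return merge_windows([h[0] for h in table.candidates(count_t, src_t, dst_t)])


if __name__ == "__main__":
    print("static worm:", detect(WORM_PACKETS + BENIGN_PACKETS))
    print("polymorphic:", detect(POLY_PACKETS + BENIGN_PACKETS))
```

For the static instances the merged signature is the invariant tail " HTTP/1.0\r\n" plus BODY; the two benign requests share ".html HTTP/1.0\r\nHost: " but reach only two sightings and one destination, so the thresholds exclude them. For the XOR-varied instances the shared request-line fragment is shorter than one substring window and the bodies differ, so no entry reaches the count threshold and nothing is emitted, which is exactly the failure the table's disadvantage column records.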

6. Conclusion

This paper has highlighted the severity of a network worm's presence in the network. The existing approaches to worm signature automation were then explored, and the advantages and drawbacks of each approach highlighted. The existing approaches used to generate network worm signatures unfortunately fail to match all polymorphic network worm instances, because the signature of a polymorphic network worm keeps changing every time it is sent from source to destination, whereas the proposed approaches are based on generating a static signature for the detected worm [22].

7. Acknowledgment

This research is supported by the National Advanced IPv6 Centre of Excellence (NAv6), Universiti Sains Malaysia (USM).

8. References

[1] S. Staniford, V. Paxson, and N. Weaver, "How to Own the Internet in Your Spare Time," in USENIX Security Symposium, 2002, pp. 149-167.
[2] D. Moore, C. Shannon, G. M. Voelker, and S. Savage, "Internet quarantine: Requirements for containing self-propagating code," in INFOCOM 2003, Twenty-Second Annual Joint Conference of the IEEE Computer and Communications Societies, 2003, pp. 1901-1910.
[3] S. Chen and Y. Tang, "Slowing down Internet worms," in Proceedings of the 24th International Conference on Distributed Computing Systems, 2004, pp. 312-319.
[4] C. Kruegel and G. Vigna, "Anomaly detection of web-based attacks," in Proceedings of the 10th ACM Conference on Computer and Communications Security, 2003, pp. 251-261.
[5] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver, "Inside the Slammer worm," IEEE Security & Privacy, vol. 1, pp. 33-39, 2003.
[6] C. Cowan, C. Pu, D. Maier, H. Hinton, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang, "StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks," in Proceedings of the 7th USENIX Security Symposium, 1998, pp. 346-355.
[7] M. W. Eichin and J. A. Rochlis, "With microscope and tweezers: An analysis of the Internet virus of November 1988," in Proceedings of the 1989 IEEE Symposium on Security and Privacy, 1989, pp. 326-343.
[8] P. Li, M. Salour, and X. Su, "A survey of Internet worm detection and containment," IEEE Communications Surveys & Tutorials, vol. 10, pp. 20-35, 2008.
[9] Y. Tang and S. Chen, "Defending against Internet worms: A signature-based approach," in INFOCOM 2005, 24th Annual Joint Conference of the IEEE Computer and Communications Societies, 2005, pp. 1384-1394.
[10] C. C. Zou, W. Gong, and D. Towsley, "Code Red worm propagation modeling and analysis," in Proceedings of the 9th ACM Conference on Computer and Communications Security, 2002, pp. 138-147.
[11] Z. Chen, L. Gao, and K. Kwiat, "Modeling the spread of active worms," in INFOCOM 2003, Twenty-Second Annual Joint Conference of the IEEE Computer and Communications Societies, 2003, pp. 1890-1900.
[12] D. Moore and C. Shannon, "Code-Red: a case study on the spread and victims of an Internet worm," in Proceedings of the 2nd ACM SIGCOMM Workshop on Internet Measurement, 2002, pp. 273-284.
[13] J. O. Kephart and S. R. White, "Directed-graph epidemiological models of computer viruses," in Proceedings of the 1991 IEEE Computer Society Symposium on Research in Security and Privacy, 1991, pp. 343-359.
[14] G. Gu, R. Perdisci, J. Zhang, and W. Lee, "BotMiner: Clustering analysis of network traffic for protocol- and structure-independent botnet detection," 2008, pp. 139-154.
[15] N. Weaver, V. Paxson, S. Staniford, and R. Cunningham, "A taxonomy of computer worms," in Proceedings of the 2003 ACM Workshop on Rapid Malcode, 2003, pp. 11-18.
[16] Snort, "A free lightweight network intrusion detection system for UNIX and Windows," 2010.
[17] C. Kreibich and J. Crowcroft, "Honeycomb: creating intrusion detection signatures using honeypots," ACM SIGCOMM Computer Communication Review, vol. 34, pp. 51-56, 2004.
[18] V. Paxson, "Bro: a system for detecting network intruders in real-time," Computer Networks, vol. 31, pp. 2435-2463, 1999.
[19] H. Kim and B. Karp, "Autograph: Toward automated, distributed worm signature detection," in USENIX Security Symposium, 2004, p. 19.
[20] S. Singh, C. Estan, G. Varghese, and S. Savage, "The EarlyBird system for real-time detection of unknown worms," Citeseer, 2003.
[21] M. Mohammed, H. Chan, and N. Ventura, "Honeycyber: Automated signature generation for zero-day polymorphic worms," in Military Communications Conference (MILCOM 2008), IEEE, 2008, pp. 1-6.
[22] S. Stafford and J. Li, "Behavior-based worm detectors compared," in Recent Advances in Intrusion Detection, 2010, pp. 38-57.