Worm Detection: Network-internal Mechanisms and Infrastructure




Worm Detection: Network-internal Mechanisms and Infrastructure
Kostas Anagnostakis
Institute of Computer Science (ICS), Foundation for Research and Technology Hellas (FORTH), Crete, Greece

Talk Roadmap
- Background on worms: a brief timeline
- End system vs. network-level solutions
- Network-level detection mechanisms: scan detection, payload scanning, polymorphic worm detection, shadow honeypots
- Infrastructure efforts: the LOBSTER initiative

A brief timeline
- Summer 2001: Code-Red worm. Infected 350,000 computers in 24 hours. A proof-of-concept worm.
- January 2003: Sapphire/Slammer worm. Infected 75,000 computers in 30 minutes. Demonstrated the need for automated defense mechanisms.
- March 2004: Witty worm. Infected 20,000 computers in 60 minutes. A niche worm targeting a system deployed on <<0.1% of the Internet.

End system vs. network-level solutions
- End-system approach
  - Proactive: secure by design (ideal, but very expensive)
  - Reactive: end-host firewall, anti-virus, intrusion detection, auto-patching
- Network-level approach
  - Good aggregation properties, centralized control
  - Less accurate

Day-zero worms: scan detection
- Observation: most worms spread by probing (scanning) random targets
- Approach: look for an unusually large number of failed connection attempts
- Advantages: relatively cheap (no content inspection), application-independent
- Disadvantages: not entirely foolproof -- stealthier scans are possible, or no scans at all (hitlist worms); also susceptible to false positives
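A minimal version of the failed-connection check described on this slide, added here as an example and not part of the talk. The connection records, the 10-second window and the threshold of 8 distinct destinations are constructed for the demo; counting distinct destinations rather than raw failures is one common refinement against the false-positive problem the slide mentions.

```python
from collections import defaultdict

def build_sample_records():
    """Constructed connection-attempt records (time_s, src, dst, outcome).
    'fail' models a SYN answered by a RST or by nothing; 'ok' a completed handshake."""
    recs = [(0.0, "10.0.0.9", "192.0.2.10", "ok"),      # normal client: a few failures
            (0.5, "10.0.0.9", "192.0.2.11", "fail"),
            (2.0, "10.0.0.9", "192.0.2.12", "fail")]
    for i in range(12):                                   # worm-like: a new random target each time
        recs.append((1.0 + 0.5 * i, "10.0.0.5", f"203.0.113.{i + 1}", "fail"))
    for i in range(12):                                   # client retrying one dead server
        recs.append((1.0 + 0.5 * i, "10.0.0.7", "198.51.100.7", "fail"))
    return recs

def detect_scanners(records, window_s=10.0, max_failed_dsts=8):
    """Flag a source once its failed attempts to *distinct* destinations within a
    sliding window of window_s seconds exceed max_failed_dsts. Counting distinct
    destinations (not raw failures) keeps a client retrying one dead host from
    tripping the detector. Returns {src: time_first_flagged}."""
    recent = defaultdict(list)   # src -> [(time, dst)] failed attempts still inside the window
    flagged = {}
    for t, src, dst, outcome in sorted(records):
        if outcome != "fail" or src in flagged:
            continue
        events = [(ts, d) for ts, d in recent[src] if t - ts <= window_s]  # expire old attempts
        events.append((t, dst))
        recent[src] = events
        if len({d for _, d in events}) > max_failed_dsts:
            flagged[src] = t
    return flagged
```

A scan slow enough to stay under the per-window threshold, or a hitlist worm whose connections never fail, passes this check unnoticed, which is exactly the slide's caveat.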

Day-zero worms: content fingerprinting
- Observation: when a worm starts spreading, one sees many similar packets, with increasing frequency over time
- Approach: keep track of packet fingerprints, raise an alarm on a frequency threshold
- Advantages: application-agnostic, automatically provides a worm signature for firewalls/IPS, also works for non-scanning worms
- Disadvantages: worms can change their form to evade detection (polymorphism); possible false positives with P2P and flash crowds
[Several published studies, including the FORTH paper at ICC 05]
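A small content-prevalence detector in the spirit of this slide, added as an example and not code from the talk or from FORTH. Fingerprints are plain SHA-1 over 16-byte payload windows (a rolling hash and sampling would be used at line rate), and the traffic, thresholds and the "worm" bytes are all constructed; the point the code adds is that requiring both prevalence and address dispersion lets a flash crowd through while the spreading payload still produces a candidate signature.

```python
import hashlib
from collections import defaultdict

WINDOW = 16  # payload bytes per fingerprint; a constructed choice for this demo

def fingerprints(payload, window=WINDOW):
    """Map a fingerprint to each window-byte substring of the payload. A real
    sensor would use a rolling (Rabin) hash and sample; here every one is kept."""
    return {hashlib.sha1(payload[i:i + window]).digest()[:8]: payload[i:i + window]
            for i in range(len(payload) - window + 1)}

class ContentPrevalenceDetector:
    """Per fingerprint, count occurrences and the distinct sources and destinations
    carrying it. Alarm only when prevalence AND address dispersion both cross
    their thresholds: a flash crowd (many sources, one destination) or a single
    chatty pair repeats content without spreading it."""
    def __init__(self, min_count=5, min_srcs=3, min_dsts=3):
        self.min_count, self.min_srcs, self.min_dsts = min_count, min_srcs, min_dsts
        self.count, self.srcs, self.dsts = defaultdict(int), defaultdict(set), defaultdict(set)
        self.alarmed = {}  # fingerprint -> substring, recorded once the thresholds were met

    def observe(self, src, dst, payload):
        """Feed one packet; return the substrings that became suspicious on it
        (candidate content signatures to hand to a firewall or IPS)."""
        new = []
        for fp, substr in fingerprints(payload).items():
            if fp in self.alarmed:
                continue
            self.count[fp] += 1
            self.srcs[fp].add(src)
            self.dsts[fp].add(dst)
            if (self.count[fp] >= self.min_count and len(self.srcs[fp]) >= self.min_srcs
                    and len(self.dsts[fp]) >= self.min_dsts):
                self.alarmed[fp] = substr
                new.append(substr)
        return new

def run_demo():
    """Constructed traffic: a flash crowd of identical requests, then a spreading payload."""
    det = ContentPrevalenceDetector()
    crowd = b"GET /index.html HTTP/1.0\r\nHost: example.invalid\r\n\r\n"
    worm = b"CONSTRUCTED-DEMO-PAYLOAD " + bytes(range(40, 80))  # placeholder bytes, not a real worm
    crowd_alarms, worm_alarms = [], []
    for i in range(6):  # six clients fetch the same page from one server
        crowd_alarms += det.observe(f"198.51.100.{i}", "192.0.2.80", crowd)
    for i in range(6):  # six infected hosts each send the payload to a new victim
        worm_alarms += det.observe(f"203.0.113.{i}", f"192.0.2.{100 + i}", worm)
    return worm_alarms, crowd_alarms
```

A polymorphic worm that rewrites its payload per copy shares no 16-byte window between instances and never reaches the count threshold, which is the evasion the slide lists.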

Day-zero worms: polymorphic sled detection
- Observation: the control-hijacking portion of polymorphic worms (the sled) is exposed, even when obfuscated: it looks like code!
- Approach: look for valid instruction sequences in the packet stream
- Advantages: relatively cheap, reasonably accurate
- Disadvantages: only applies to stack-smashing buffer overflow attacks, does not provide a signature
[see the FORTH paper at IFIP Security 05]

Day-zero worms: shadow honeypots
- Observation: false positives are a real problem for network-level detection
- Approach: validate suspicious traffic by replaying sessions in shadow honeypots
- Advantages: zero false positives; network-level detection can be tuned to higher sensitivity
- Disadvantages: potentially huge shadow server farms to cover different types of applications and different versions
[see the FORTH paper at USENIX Security 05]

Day-zero worms: shadow honeypots II
Shadow honeypot implementation: [figure]

Infrastructure requirements
- Flexibility: deep content inspection, updateability
- High performance: operate at 1 Gbit/s and above
- Ease of use: API and/or scripting
- Scale: larger coverage improves detection
- Cooperation: different providers
- Privacy: outsider and insider threats

Infrastructure: The LOBSTER Initiative
Project profile:
- A Specific Support Action funded by the European Commission
- Two-year effort, started late 2004
Partners:
- Research organizations: ICS-FORTH (GR), Vrije Universiteit (NL), TNO Telecom (NL)
- NRNs/ISPs, associations: CESNET (CZ), UNINETT (NO), FORTHNET (GR), TERENA (NL)
- Industrial partners: ALCATEL (FR), Endace (UK)

The LOBSTER infrastructure
- A distributed system of passive monitoring sensors
- Focus on cooperation: share raw and preprocessed data, correlate results
- Initially three sites: UNINETT, CESNET, FORTHnet
- Open participation model, similar to PlanetLab

LOBSTER Engineering Challenges
- Trust: cooperating sensors may not trust each other
  - Configurable privacy and anonymization policies
  - Distinction between internal and external users
  - Audit trail for accountability
- Security: prevent attackers from gaining access to private/confidential data
  - Strong authentication
  - Tamper-proof hardware-level anonymization
- Ease of use: need a common programming environment
  - Use DiMAPI (Distributed Monitoring Application Programming Interface)
  - An extension to MAPI, developed within the SCAMPI project

Who can benefit from LOBSTER?
- NRNs/ISPs
  - Better Internet traffic monitoring of their networks
  - Better understanding of their interactions with other NRNs/ISPs
- Security analysts and researchers
  - Access to anonymized data
  - Access to a safe testbed
  - Study trends and validate research results
- Network and security administrators
  - Access to a traffic monitoring infrastructure
  - Access to early-warning systems
  - Access to software and tools

Concluding remarks
- Network-level detection is necessary, but hard to get right
- Many promising proposals for detection mechanisms, still waiting to be field-tested and deployed
- An arms race between attacks and defenses is likely
- Need for a large-scale, distributed, passive network monitoring infrastructure
- The EC-funded LOBSTER initiative is a first step in this direction
