Worm Detection: Network-internal Mechanisms and Infrastructure
Kostas Anagnostakis
Institute of Computer Science (ICS), Foundation for Research and Technology Hellas (FORTH), Crete, Greece

Talk Roadmap
- Background on worms
  - A brief timeline
  - End system vs. network-level solutions
- Network-level detection mechanisms
  - Scan detection, payload scanning, polymorphic worm detection, shadow honeypots
- Infrastructure efforts: the LOBSTER initiative

A brief timeline
- Summer 2001: Code-Red worm
  - Infected 350,000 computers in 24 hours
  - A proof-of-concept worm
- January 2003: Sapphire/Slammer worm
  - Infected 75,000 computers in 30 minutes
  - Demonstrated the need for automated defense mechanisms
- March 2004: Witty worm
  - Infected 20,000 computers in 60 minutes
  - A niche worm targeting a system deployed in <<0.1% of the Internet

End system vs. network-level solutions
- End-system approach
  - Proactive: secure by design; ideal, but very expensive
  - Reactive: end-host firewall, anti-virus, intrusion detection, auto-patching
- Network-level approach
  - Good aggregation properties, centralized control
  - Less accurate
Day-zero worms: scan detection
- Observation: most worms spread by probing (scanning) random targets
- Approach: look for an unusually large number of failed connection attempts
- Advantages: relatively cheap (no content inspection), application-independent
- Disadvantages: not entirely foolproof -- stealthier scans are possible, or no scans at all (hitlist worms); also susceptible to false positives
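As an added illustration of the failed-connection heuristic on this slide (example code written for this page, not the talk's or FORTH's implementation), the detector below counts, per source, how many distinct destinations it has failed to reach inside a sliding window and raises one alert when that count crosses a threshold. The connection records, addresses, threshold and window are constructed for the demo; counting distinct failed targets rather than raw failures is what keeps a normal client retrying one dead server quiet, while a hitlist worm that never probes (the slide's caveat) produces no failures and is not seen at all.

```python
from collections import defaultdict, deque

# Constructed connection-attempt records for the demo, in time order:
# (time_s, src_ip, dst_ip, dst_port, outcome), outcome "ok" = handshake
# completed, "fail" = RST or timeout. Addresses are documentation ranges.
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5",  "198.51.100.10", 80,  "ok"),
    (0.5, "10.0.0.77", "203.0.113.1",   445, "fail"),
    (0.6, "10.0.0.77", "203.0.113.9",   445, "fail"),
    (0.7, "10.0.0.77", "203.0.113.17",  445, "fail"),
    (0.8, "10.0.0.77", "203.0.113.30",  445, "ok"),    # one live host answers
    (0.9, "10.0.0.77", "203.0.113.44",  445, "fail"),
    (1.0, "10.0.0.5",  "198.51.100.20", 443, "fail"),  # a down server...
    (1.0, "10.0.0.77", "203.0.113.51",  445, "fail"),  # 5th distinct failed target
    (1.1, "10.0.0.77", "203.0.113.60",  445, "fail"),
    (2.0, "10.0.0.5",  "198.51.100.20", 443, "fail"),  # ...retried by a normal client
    (3.0, "10.0.0.5",  "198.51.100.20", 443, "fail"),
    (4.0, "10.0.0.5",  "198.51.100.20", 443, "fail"),
    (5.0, "10.0.0.5",  "198.51.100.20", 443, "fail"),
    (6.0, "10.0.0.5",  "198.51.100.20", 443, "fail"),  # 6 failures, 1 distinct target
]


class FailedConnectionDetector:
    """Flag a source once it has failed connections to `threshold` distinct
    destinations inside a sliding window of `window_s` seconds.

    Counting distinct destinations rather than raw failures keeps a
    legitimate client that retries one dead server below the threshold."""

    def __init__(self, threshold=5, window_s=60.0):
        self.threshold = threshold
        self.window_s = window_s
        self.failures = defaultdict(deque)   # src -> deque of (time, dst)
        self.alerted = set()

    def observe(self, t, src, dst, dport, outcome):
        """Feed one record (records must arrive in time order); return an alert dict or None."""
        if outcome != "fail":
            return None
        q = self.failures[src]
        q.append((t, dst))
        # drop failures that have aged out of the window
        while q and t - q[0][0] > self.window_s:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= self.threshold and src not in self.alerted:
            self.alerted.add(src)
            return {"src": src, "time": t, "distinct_failed_targets": len(distinct)}
        return None


def run(events, **kwargs):
    """Replay records through a fresh detector and collect the alerts."""
    det = FailedConnectionDetector(**kwargs)
    alerts = []
    for event in events:
        alert = det.observe(*event)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

With the default threshold of five distinct targets, only 10.0.0.77 is reported; shrinking the window to a fraction of a second (faster than the constructed scan) makes the same scan invisible, which is the trade-off the slide's "stealthier scans possible" point refers to.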
Day-zero worms: content fingerprinting
- Observation: when a worm starts spreading, one sees many similar packets, with increasing frequency over time
- Approach: keep track of packet fingerprints; raise an alarm when a fingerprint's frequency crosses a threshold
- Advantages: application-agnostic, automatically provides a worm signature for firewalls/IPS, also works for non-scanning worms
- Disadvantages: worms can change their form to evade detection (polymorphism); possible false positives with P2P and flash crowds
- [Several published studies, including the FORTH paper at ICC 05]
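To make the fingerprinting approach concrete, here is an added example (written for this page; not the ICC 05 paper's system) that hashes every 16-byte substring of each packet, counts how often each substring recurs, and alarms when a substring is both prevalent and seen between enough distinct sources and destinations. The packets, addresses, window size and thresholds are constructed for the demo. The address-dispersion conditions are the usual way to keep a flash crowd (many clients, one server) quiet; they do not help against P2P traffic, where the same content legitimately flows between many pairs of hosts, which is exactly the false-positive case the slide names.

```python
import hashlib
from collections import defaultdict

WINDOW = 16   # bytes per fingerprinted substring (assumed demo value)

# Constructed packets for the demo: (src_ip, dst_ip, payload). Six "infected"
# hosts send the same worm-like blob to six different victims; twenty normal
# clients fetch the same popular page from one server (a flash crowd).
WORM_BLOB = b"\x90\x90\x90\x90CONSTRUCTED-WORM-BODY-PLACEHOLDER\x00"
HOT_PAGE_REQUEST = b"GET /hot-page HTTP/1.1\r\nHost: example.com\r\n\r\n"
SAMPLE_PACKETS = (
    [(f"203.0.113.{i}", f"198.51.100.{i + 40}", WORM_BLOB) for i in range(1, 7)]
    + [(f"192.0.2.{i}", "198.51.100.5", HOT_PAGE_REQUEST) for i in range(1, 21)]
)


def fingerprints(payload, window=WINDOW):
    """Yield (hash, substring) for every window-byte substring of the payload."""
    for i in range(len(payload) - window + 1):
        chunk = payload[i:i + window]
        yield hashlib.blake2b(chunk, digest_size=8).digest(), chunk


class ContentPrevalenceDetector:
    """Alarm on content seen at least `prevalence` times, from at least
    `min_srcs` sources, to at least `min_dsts` destinations."""

    def __init__(self, prevalence=5, min_srcs=3, min_dsts=3):
        self.prevalence, self.min_srcs, self.min_dsts = prevalence, min_srcs, min_dsts
        self.count = defaultdict(int)
        self.srcs = defaultdict(set)
        self.dsts = defaultdict(set)
        self.reported = set()

    def observe(self, src, dst, payload):
        """Feed one packet; return the list of newly alarmed substrings (candidate signatures)."""
        seen = {}
        for fp, chunk in fingerprints(payload):
            seen[fp] = chunk          # count each substring once per packet
        alarms = []
        for fp, chunk in seen.items():
            self.count[fp] += 1
            self.srcs[fp].add(src)
            self.dsts[fp].add(dst)
            if (fp not in self.reported
                    and self.count[fp] >= self.prevalence
                    and len(self.srcs[fp]) >= self.min_srcs
                    and len(self.dsts[fp]) >= self.min_dsts):
                self.reported.add(fp)
                alarms.append(chunk)
        return alarms


def run(packets, **kwargs):
    """Replay packets; return {substring: (count, n_srcs, n_dsts)} for alarmed content."""
    det = ContentPrevalenceDetector(**kwargs)
    result = {}
    for src, dst, payload in packets:
        for chunk in det.observe(src, dst, payload):
            fp = hashlib.blake2b(chunk, digest_size=8).digest()
            result[chunk] = (det.count[fp], len(det.srcs[fp]), len(det.dsts[fp]))
    return result


if __name__ == "__main__":
    for chunk, stats in run(SAMPLE_PACKETS).items():
        print(stats, chunk)
```

Every alarmed substring comes from the worm blob and none from the flash-crowd request, because the requests all share one destination. A production system would sample fingerprints (for example by hash value) rather than keeping every window, and would merge overlapping alarmed substrings into one longer signature before handing it to a firewall or IPS.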
Day-zero worms: polymorphic sled detection
- Observation: the control-hijacking portion of polymorphic worms (the sled) is exposed even when obfuscated: it looks like code!
- Approach: look for valid instruction sequences in the packet stream
- Advantages: relatively cheap, reasonably accurate
- Disadvantages: only applies to stack-smashing buffer overflow attacks; does not provide a signature
- [see the FORTH paper at IFIP Security 05]
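The following added example (written for this page; not the IFIP Security 05 paper's detector) shows the "looks like code" heuristic in its simplest form: starting from every byte offset, count how many consecutive instructions decode cleanly, and flag the packet if some offset yields a long enough run. The decoder is an assumption of the demo, a small table covering only one-, two- and five-byte 32-bit x86 instructions; anything else is treated as undecodable, which is the conservative choice. The test packet is a constructed 16-byte run of harmless register and flag shuffles wrapped in undecodable bytes, and the benign input is an ordinary HTTP request.

```python
# Subset of 32-bit x86 opcodes that form a complete instruction on their own
# (one byte), with one immediate byte (two bytes), or with a 4-byte immediate
# (five bytes). This table is an assumption of the demo, not a full decoder.
ONE_BYTE = {0x90, 0x98, 0x99, 0x9C, 0x9D, 0x60, 0x61, 0xF8, 0xF9, 0xFC, 0xFD}
ONE_BYTE |= set(range(0x40, 0x60))   # inc/dec r32, push/pop r32
ONE_BYTE |= set(range(0x91, 0x98))   # xchg eax, r32
TWO_BYTE = set(range(0xB0, 0xB8)) | {0xEB, 0x6A, 0x04, 0x0C, 0x24, 0x2C, 0x34, 0x3C}
FIVE_BYTE = set(range(0xB8, 0xC0)) | {0xE8, 0xE9, 0x68, 0x05, 0x0D, 0x25, 0x2D, 0x35, 0x3D}

BENIGN_REQUEST = b"GET /index.html HTTP/1.0\r\nHost: example.com\r\n\r\n"
# Constructed test vector: 14 instructions in 16 bytes that only shuffle
# registers and flags, wrapped in two undecodable bytes on each side.
SLED_PACKET = bytes([0x00, 0x11,
                     0x90, 0x40, 0x41, 0x48, 0xB0, 0x41, 0x50, 0x58,
                     0x91, 0x97, 0x98, 0xEB, 0x00, 0x99, 0xF8, 0xFC,
                     0x0F, 0x0F])


def insn_len(buf, i):
    """Length of the instruction starting at buf[i], or 0 if not decodable here."""
    op = buf[i]
    if op in ONE_BYTE:
        return 1
    if op in TWO_BYTE and i + 2 <= len(buf):
        return 2
    if op in FIVE_BYTE and i + 5 <= len(buf):
        return 5
    return 0


def decodable_runs(buf):
    """runs[i] = number of consecutive instructions decodable from offset i.
    Computed right to left so each offset is visited once."""
    runs = [0] * (len(buf) + 1)
    for i in range(len(buf) - 1, -1, -1):
        length = insn_len(buf, i)
        runs[i] = 1 + runs[i + length] if length else 0
    return runs


def longest_sequence(buf):
    """(offset, instruction count) of the longest decodable run at any offset."""
    if not buf:
        return (0, 0)
    runs = decodable_runs(buf)
    start = max(range(len(buf)), key=lambda i: runs[i])
    return (start, runs[start])


def looks_like_sled(buf, threshold=8):
    """Sled heuristic: some offset decodes into at least `threshold` instructions."""
    return longest_sequence(buf)[1] >= threshold


if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_REQUEST), ("sled", SLED_PACKET)):
        print(name, longest_sequence(pkt), looks_like_sled(pkt))
```

The benign request is instructive: plain ASCII decodes surprisingly well (in this table "html " is a five-byte push immediate followed by "HTTP" as four register increments and a push, a run of five), so the threshold cannot be tiny, and real detectors add semantic checks beyond "it decodes" to stay accurate on text protocols.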
Day-zero worms: shadow honeypots
- Observation: false positives are a real problem for network-level detection
- Approach: validate suspicious traffic by replaying sessions in shadow honeypots
- Advantages: zero false positives; network-level detection can be tuned to higher sensitivity
- Disadvantages: potentially huge shadow server farms to cover different types of applications and different versions
- [see the FORTH paper at USENIX Security 05]

Day-zero worms: shadow honeypots II
Shadow honeypot implementation:

Infrastructure requirements
- Flexibility: deep content inspection, updateability
- High performance: operate at 1 Gbit/s and above
- Ease of use: API and/or scripting
- Scale: larger coverage improves detection
- Cooperation: different providers
- Privacy: outsider and insider threats

Infrastructure: The LOBSTER Initiative
- Project profile
  - A Specific Support Action funded by the European Commission
  - Two-year effort, started late 2004
- Partners
  - Research organizations: ICS-FORTH (GR), Vrije Universiteit (NL), TNO Telecom (NL)
  - NRNs/ISPs, associations: CESNET (CZ), UNINETT (NO), FORTHNET (GR), TERENA (NL)
  - Industrial partners: ALCATEL (FR), Endace (UK)

The LOBSTER infrastructure
- A distributed system of passive monitoring sensors
- Focus on cooperation
  - Share raw and preprocessed data
  - Correlate results
- Initially three sites: UNINETT, CESNET, FORTHnet
- Open participation model similar to PlanetLab

LOBSTER Engineering Challenges
- Trust: cooperating sensors may not trust each other
  - Configurable privacy and anonymization policies
  - Distinction between internal and external users
  - Audit trail for accountability
- Security: prevent attackers from gaining access to private/confidential data
  - Strong authentication
  - Tamper-proof hardware-level anonymization
- Ease of use: need a common programming environment
  - Use DiMAPI (Distributed Monitoring Application Programming Interface)
  - Extension to MAPI developed within the SCAMPI project

Who can benefit from LOBSTER?
- NRNs/ISPs
  - Better Internet traffic monitoring of their networks
  - Better understanding of their interactions with other NRNs/ISPs
- Security analysts and researchers
  - Access to anonymized data
  - Access to a safe testbed
  - Study trends and validate research results
- Network and security administrators
  - Access to a traffic monitoring infrastructure
  - Access to early-warning systems
  - Access to software and tools

Concluding remarks
- Network-level detection is necessary, but hard to get right
- Many promising proposals for detection mechanisms, still waiting to be field-tested and deployed
- Arms race between attacks and defenses likely
- Need large-scale, distributed, passive network monitoring infrastructure
- EC-funded LOBSTER initiative a first step in this direction