IEEE Communications Surveys & Tutorials 1st Quarter 2008.
Transcript of IEEE Communications Surveys & Tutorials 1st Quarter 2008.
![Page 1: IEEE Communications Surveys & Tutorials 1st Quarter 2008.](https://reader036.fdocuments.net/reader036/viewer/2022062408/56649efa5503460f94c0c0cb/html5/thumbnails/1.jpg)
IEEE Communications Surveys & Tutorials • 1st Quarter 2008
![Page 2: IEEE Communications Surveys & Tutorials 1st Quarter 2008.](https://reader036.fdocuments.net/reader036/viewer/2022062408/56649efa5503460f94c0c0cb/html5/thumbnails/2.jpg)
Outline
- Terminology
- Internet Worms
- Defending Against Internet Worms
- Containment
![Page 3: IEEE Communications Surveys & Tutorials 1st Quarter 2008.](https://reader036.fdocuments.net/reader036/viewer/2022062408/56649efa5503460f94c0c0cb/html5/thumbnails/3.jpg)
Terminology
Activation: when a worm starts performing its malicious activities. Activation might be triggered on a specific date or under certain conditions.
False alarm: an incorrect alert generated by a worm detection system.
False positive: a false alarm in which an alert is generated although there is no actual attack or threat.
False negative: the detection system missed an attack; no alert is generated while the system is under attack.
Infection: the result of the worm performing its malicious activities on the host.
Target finding: the first step in a worm's life, discovering victims (vulnerable hosts).
![Page 4: IEEE Communications Surveys & Tutorials 1st Quarter 2008.](https://reader036.fdocuments.net/reader036/viewer/2022062408/56649efa5503460f94c0c0cb/html5/thumbnails/4.jpg)
Terminology
Threshold: a predefined condition that, if met, indicates the existence of suspicious traffic or a worm attack.
Transfer: sending a copy of the worm to the target after the victim (target) is discovered.
Virus: a malicious piece of code that attaches to other programs to propagate. It cannot propagate by itself and normally depends on some user intervention, such as opening an email attachment or running an executable file, to be activated.
Worm: a malicious piece of code that self-propagates, often via network connections, exploiting security flaws in computers on the network.
![Page 5: IEEE Communications Surveys & Tutorials 1st Quarter 2008.](https://reader036.fdocuments.net/reader036/viewer/2022062408/56649efa5503460f94c0c0cb/html5/thumbnails/5.jpg)
Internet Worms
Definition: a piece of malicious code that duplicates and propagates by itself. Usually it does not require any human interaction and spreads via network connections.
Life of a worm
- Phase 1: target finding
- Phase 2: worm transfer
- Phase 3: worm activation
- Phase 4: infection
The target-finding and transfer phases are visible on the network and can be caught by a NIDS.
![Page 6: IEEE Communications Surveys & Tutorials 1st Quarter 2008.](https://reader036.fdocuments.net/reader036/viewer/2022062408/56649efa5503460f94c0c0cb/html5/thumbnails/6.jpg)
Categorization of worm characteristics
![Page 7: IEEE Communications Surveys & Tutorials 1st Quarter 2008.](https://reader036.fdocuments.net/reader036/viewer/2022062408/56649efa5503460f94c0c0cb/html5/thumbnails/7.jpg)
Worm target finding scheme
Blind target finding
- 1. Sequential  2. Random  3. Permutation
- High failed-connection rate
- Many anomaly-based detection systems are designed to capture this type of worm.
Hit list
- Targets are prescanned stealthily beforehand
- More accurate and may cause more damage
![Page 8: IEEE Communications Surveys & Tutorials 1st Quarter 2008.](https://reader036.fdocuments.net/reader036/viewer/2022062408/56649efa5503460f94c0c0cb/html5/thumbnails/8.jpg)
Worm target finding scheme
Topological
- Many hosts on the Internet store information about other hosts on the network.
- Worms use this information to learn the topology of the network and use it as the path of infection.
- Spread very fast.
Passive
- Require certain host behavior or human intervention to propagate
- Use search engines
![Page 9: IEEE Communications Surveys & Tutorials 1st Quarter 2008.](https://reader036.fdocuments.net/reader036/viewer/2022062408/56649efa5503460f94c0c0cb/html5/thumbnails/9.jpg)
Worm Propagation Scheme
- Self-carried worms
- Through a second channel
- Embedded propagation
- Botnet: a group of compromised hosts under the control of a botmaster.
![Page 10: IEEE Communications Surveys & Tutorials 1st Quarter 2008.](https://reader036.fdocuments.net/reader036/viewer/2022062408/56649efa5503460f94c0c0cb/html5/thumbnails/10.jpg)
Worm Payload Format
Monomorphic worm: sends the payload in a straightforward, unchanged fashion.
Polymorphic worm: changes its payload dynamically by scrambling the program.
Metamorphic worm: changes not only its appearance but also its behavior.
![Page 11: IEEE Communications Surveys & Tutorials 1st Quarter 2008.](https://reader036.fdocuments.net/reader036/viewer/2022062408/56649efa5503460f94c0c0cb/html5/thumbnails/11.jpg)
Internet Worm Defense
![Page 12: IEEE Communications Surveys & Tutorials 1st Quarter 2008.](https://reader036.fdocuments.net/reader036/viewer/2022062408/56649efa5503460f94c0c0cb/html5/thumbnails/12.jpg)
Worm Detection
Signature based
- Traditional technique used for intrusion detection systems (IDSs)
- Looks at the payload and identifies whether or not it contains a worm
- Requires an entry in the signature database
Anomaly based
- Detects abnormal behaviors and generates alarms
- Requires a definition of normal network behavior
![Page 13: IEEE Communications Surveys & Tutorials 1st Quarter 2008.](https://reader036.fdocuments.net/reader036/viewer/2022062408/56649efa5503460f94c0c0cb/html5/thumbnails/13.jpg)
Traffic Rate/Connection Count: TCP SYN
If the number of SYN packets sent from a certain host exceeds a threshold value within a period of time, the host is considered to be scanning.
Pros
- Able to catch most active scanning worms
Cons
- Easy to cause false alarms
- Not efficient
- Useless against UDP worms
![Page 14: IEEE Communications Surveys & Tutorials 1st Quarter 2008.](https://reader036.fdocuments.net/reader036/viewer/2022062408/56649efa5503460f94c0c0cb/html5/thumbnails/14.jpg)
Failed Connection Counts: TCP RST and ICMP
Failed connection: an attempt to connect to a nonexistent IP address, or to an existing IP address whose target port is closed; the sender sees a TCP RST or an ICMP error message instead of a reply.
![Page 15: IEEE Communications Surveys & Tutorials 1st Quarter 2008.](https://reader036.fdocuments.net/reader036/viewer/2022062408/56649efa5503460f94c0c0cb/html5/thumbnails/15.jpg)
Failed Connection Counts: TCP RST and ICMP (cont'd)
Detects active scanning worms by counting their failed connections.
Pros
- More efficient and accurate
- Useful for both TCP and UDP worms
Cons
- Not effective against hit-list, topological, or passive worms
- ICMP error messages may be blocked or dropped by some border routers or gateway systems
- Not suitable for large networks
![Page 16: IEEE Communications Surveys & Tutorials 1st Quarter 2008.](https://reader036.fdocuments.net/reader036/viewer/2022062408/56649efa5503460f94c0c0cb/html5/thumbnails/16.jpg)
Ratio of Successful and Failed Connections
Instead of counting failed or successful connection attempts, some believe it is the ratio or correlation of successful and failed connections that matters.
Counting the number of connections, whether successful or not, depends on Internet usage and network size to be effective.
If the network being monitored is large, this can be very resource consuming.
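The three connection-count detectors from the slides above (TCP SYN rate, failed-connection count, and success/failure ratio), run over one constructed connection log, as an added example that is not part of the original slides or the surveyed paper. The event format, the thresholds and the sample hosts are assumptions chosen for illustration; the point is that the UDP scanner is invisible to the SYN counter but not to the other two, and that a low SYN threshold flags the ordinary workstation too.

```python
"""Three connection-count anomaly detectors over one constructed event log.

Added example, not code from the slides or the surveyed paper. The event
format, the thresholds and the hosts are assumptions for illustration.
"""
from collections import defaultdict

# Constructed sample log: (time_s, src, dst, proto, dport, outcome)
# outcome: "synack" = TCP handshake completed, "rst" = target port closed,
#          "icmp_unreach" = host/port unreachable, "udp_ok" = UDP reply seen
EVENTS = [
    # a normal workstation: a few connections, mostly successful
    (0.5, "10.0.0.5", "10.0.0.20", "tcp", 80, "synack"),
    (1.2, "10.0.0.5", "10.0.0.21", "tcp", 443, "synack"),
    (3.0, "10.0.0.5", "10.0.0.22", "tcp", 445, "rst"),
    (4.1, "10.0.0.5", "10.0.0.23", "tcp", 80, "synack"),
    # a TCP scanning host: many SYNs in a few seconds, all of them failing
    *[(0.1 * i, "10.0.0.9", f"10.0.1.{i}", "tcp", 445,
       "rst" if i % 3 else "icmp_unreach") for i in range(1, 41)],
    # a UDP scanning host: no SYNs at all, but many ICMP port-unreachables
    *[(0.2 * i, "10.0.0.13", f"10.0.2.{i}", "udp", 1434, "icmp_unreach")
      for i in range(1, 31)],
]

SUCCESS = {"synack", "udp_ok"}
FAILURE = {"rst", "icmp_unreach"}


def syn_rate_scanners(events, threshold=20, window=5.0):
    """Slide 13: flag hosts sending more than `threshold` TCP SYNs within any
    `window` seconds. Only TCP attempts count, so a UDP scanner is invisible."""
    syn_times = defaultdict(list)
    for t, src, _dst, proto, _dport, _out in events:
        if proto == "tcp":
            syn_times[src].append(t)
    flagged = set()
    for src, times in syn_times.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:      # slide the window forward
                lo += 1
            if hi - lo + 1 > threshold:
                flagged.add(src)
                break
    return flagged


def failed_connection_scanners(events, threshold=20):
    """Slides 14-15: count RST and ICMP-unreachable outcomes per source,
    regardless of protocol, and flag sources above `threshold`."""
    fails = defaultdict(int)
    for _t, src, _dst, _proto, _dport, out in events:
        if out in FAILURE:
            fails[src] += 1
    return {src for src, n in fails.items() if n > threshold}


def failure_ratio_scanners(events, max_ratio=0.5, min_attempts=10):
    """Slide 16: flag by the fraction of failed attempts, which does not depend
    on network size; `min_attempts` keeps one unlucky connection from counting."""
    counts = defaultdict(lambda: [0, 0])       # src -> [failures, attempts]
    for _t, src, _dst, _proto, _dport, out in events:
        c = counts[src]
        c[1] += 1
        if out in FAILURE:
            c[0] += 1
    return {src for src, (f, n) in counts.items()
            if n >= min_attempts and f / n > max_ratio}


if __name__ == "__main__":
    for name, fn in [("SYN rate", syn_rate_scanners),
                     ("failed connections", failed_connection_scanners),
                     ("failure ratio", failure_ratio_scanners)]:
        print(f"{name:20s}: {sorted(fn(EVENTS))}")
```

With the defaults, only 10.0.0.9 is caught by the SYN counter, while both scanners are caught by the failed-connection count and by the ratio test; lowering the SYN threshold to 3 also flags the workstation 10.0.0.5, which is the false-alarm problem the slide lists as a con.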
![Page 17: IEEE Communications Surveys & Tutorials 1st Quarter 2008.](https://reader036.fdocuments.net/reader036/viewer/2022062408/56649efa5503460f94c0c0cb/html5/thumbnails/17.jpg)
Destination-Source Correlation
Based on the correlation between incoming and outgoing traffic: a host that receives traffic on a port and shortly afterwards starts sending to that same port on many other hosts looks like a victim that has turned into a scanner.
Pros
- Able to detect almost all types of scans on the same port
- Works for both TCP and UDP worms
Cons
- Only captures scans from worms that target the same port they infected through
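A destination-source correlation detector over a constructed packet log, added here as an example; it is not the scheme's original implementation and not code from the slides or the paper. The event format, the window and the threshold are assumptions. The last host in the sample shows the con stated above: a host hit on one port that then scans a different port is not correlated.

```python
"""Destination-source correlation (DSC) over a constructed packet log.

Added example, not code from the slides or the surveyed paper; the event
format, the window and the threshold are assumptions for illustration.
"""
from collections import defaultdict

# Constructed sample: (time_s, src, dst, proto, dport)
PACKETS = [
    # 10.0.0.7 is a file server: it receives on 445 and makes one outbound 445 connection
    (1.0, "10.0.0.30", "10.0.0.7", "tcp", 445),
    (2.0, "10.0.0.31", "10.0.0.7", "tcp", 445),
    (3.0, "10.0.0.7", "10.0.0.40", "tcp", 445),
    # 10.0.0.8 is hit on 445 at t=10 and then fans out on 445: victim turned scanner
    (10.0, "10.0.0.9", "10.0.0.8", "tcp", 445),
    *[(10.5 + 0.1 * i, "10.0.0.8", f"10.0.3.{i}", "tcp", 445) for i in range(1, 16)],
    (12.0, "10.0.0.8", "10.0.0.50", "tcp", 80),    # ordinary browsing on another port
    # 10.0.0.11 is hit on UDP 1434 and then fans out on UDP 1434
    (20.0, "10.0.0.99", "10.0.0.11", "udp", 1434),
    *[(20.2 + 0.1 * i, "10.0.0.11", f"10.0.4.{i}", "udp", 1434) for i in range(1, 16)],
    # 10.0.0.12 is hit on 445 but scans 139: DSC does not correlate across ports
    (30.0, "10.0.0.9", "10.0.0.12", "tcp", 445),
    *[(30.5 + 0.1 * i, "10.0.0.12", f"10.0.5.{i}", "tcp", 139) for i in range(1, 16)],
]


def dsc_detect(packets, threshold=10, window=30.0):
    """Alarm on (host, proto, port) when a host that has received traffic on a
    port contacts at least `threshold` distinct hosts on that same port within
    `window` seconds afterwards."""
    first_inbound = {}                # (host, proto, port) -> time first contacted there
    outbound = defaultdict(list)      # (host, proto, port) -> [(t, dst)] after first inbound
    alarms = set()
    for t, src, dst, proto, dport in sorted(packets):
        first_inbound.setdefault((dst, proto, dport), t)
        key = (src, proto, dport)
        t0 = first_inbound.get(key)
        if t0 is None or t < t0:
            continue                  # never contacted on this port: nothing to correlate
        recent = outbound[key]
        recent.append((t, dst))
        while recent and t - recent[0][0] > window:
            recent.pop(0)             # keep only attempts inside the window
        if len({d for _, d in recent}) >= threshold:
            alarms.add(key)
    return alarms


if __name__ == "__main__":
    for host, proto, port in sorted(dsc_detect(PACKETS)):
        print(f"alarm: {host} received on {proto}/{port} and is now scanning {proto}/{port}")
```

The server 10.0.0.7 is not flagged because one outbound connection on the same port is far below the threshold; the detector works equally for TCP and UDP because it only looks at ports and directions, not handshakes.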
![Page 18: IEEE Communications Surveys & Tutorials 1st Quarter 2008.](https://reader036.fdocuments.net/reader036/viewer/2022062408/56649efa5503460f94c0c0cb/html5/thumbnails/18.jpg)
Illustration of a destination-source correlation scheme
![Page 19: IEEE Communications Surveys & Tutorials 1st Quarter 2008.](https://reader036.fdocuments.net/reader036/viewer/2022062408/56649efa5503460f94c0c0cb/html5/thumbnails/19.jpg)
DarkNet/Unused Address Space
Monitor unused address space instead of used addresses: scanning or connection attempts toward nonexistent addresses are abnormal behavior in a regular network.
Pros
- Requires significantly fewer resources
- Works for both TCP and UDP worms
Cons
- Not very useful against hit-list, topological, or passive worms
![Page 20: IEEE Communications Surveys & Tutorials 1st Quarter 2008.](https://reader036.fdocuments.net/reader036/viewer/2022062408/56649efa5503460f94c0c0cb/html5/thumbnails/20.jpg)
Honeypots
A honeypot is a vulnerable system on the network that does not provide any real services: a security resource whose value lies in being probed, attacked, or compromised.
In a normal situation, no traffic is supposed to come toward the honeypot.
Pros
- Able to detect both TCP and UDP worms
- Gathers less but higher quality data
- Able to detect hit-list and topological worms
Cons
- Not useful against passive worms
![Page 21: IEEE Communications Surveys & Tutorials 1st Quarter 2008.](https://reader036.fdocuments.net/reader036/viewer/2022062408/56649efa5503460f94c0c0cb/html5/thumbnails/21.jpg)
Honeypot used in worm detection and containment
![Page 22: IEEE Communications Surveys & Tutorials 1st Quarter 2008.](https://reader036.fdocuments.net/reader036/viewer/2022062408/56649efa5503460f94c0c0cb/html5/thumbnails/22.jpg)
Unknown Signature Detection Systems
Signature-based detection systems are vulnerable to unknown attacks. To remedy this, some algorithms have been proposed to detect unknown attacks by generating signatures in real time; these are considered anomaly based.
E.g. 1: Honeycomb, a honeypot-based IDS capable of generating signatures for unknown worms.
E.g. 2: Autograph, which relies on unsuccessful scans to select suspicious flows and automatically generates signatures for TCP worms by analyzing payload contents, based on the most frequently occurring byte sequences in the suspicious flows.
![Page 23: IEEE Communications Surveys & Tutorials 1st Quarter 2008.](https://reader036.fdocuments.net/reader036/viewer/2022062408/56649efa5503460f94c0c0cb/html5/thumbnails/23.jpg)
Detecting Polymorphic Worms
Most payload detection algorithms target monomorphic worm payloads only and have no defense against polymorphic worms.
Newsome, Karp, and Song proposed Polygraph: certain payload contents do not change between instances of a polymorphic worm
- Protocol framing bytes
- Value used for the return address
- Pointer to overwrite a jump target
Divide signatures into tokens; generate tokens automatically and detect worms based on these tokens.
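An added example serving both the Autograph passage (most frequent byte sequence in suspicious flows) and the Polygraph passage (conjunction of invariant tokens) above. It is not the Autograph or Polygraph implementation and not code from the slides or the paper: the real systems use content-based partitioning and richer signature classes, while this simplification uses fixed-length blocks and a conjunction signature only. The payloads, the benign pool and the RET bytes standing in for an overwritten return address are constructed for the example.

```python
"""Signature generation from suspicious flows: an Autograph-style single content
block versus a Polygraph-style conjunction of invariant tokens.

Added example, not the Autograph or Polygraph implementations and not code
from the surveyed paper. All payloads below are constructed; RET stands in
for the invariant return-address bytes an exploit must carry.
"""
import random
from collections import Counter

RET = b"\x7e\xcd\xab\x0f"          # constructed invariant: the overwritten return address
rng = random.Random(7)             # seeded so the example is reproducible


def filler(n):
    """Random bytes standing in for a polymorphic decoder/NOP region."""
    return bytes(rng.getrandbits(8) for _ in range(n))


# Benign traffic pool (constructed); the POST framing occurs here as well.
NORMAL = [
    b"GET /index.html HTTP/1.0\r\n\r\n",
    b"POST /upload HTTP/1.0\r\n\r\nname=alice&file=report.pdf",
    b"GET /cgi-bin/viewer?id=42 HTTP/1.0\r\n\r\n",
]

# Monomorphic worm: the identical payload from every infected source.
MONO = [b"GET /cgi-bin/viewer?id=" + b"A" * 32 + RET + b" HTTP/1.0\r\n\r\n"] * 5

# Polymorphic worm: only the protocol framing and RET survive from sample to sample.
POLY = [b"POST /upload HTTP/1.0\r\n\r\n" + filler(24 + 3 * i) + RET + filler(12)
        for i in range(5)]


def kgrams(flow, k):
    return {flow[i:i + k] for i in range(len(flow) - k + 1)}


def autograph_block(suspicious, normal, k=8):
    """Autograph-style: the k-byte block most prevalent across suspicious flows
    that never occurs in the benign pool. Returns (block, number of flows it covers)."""
    benign = set().union(*(kgrams(f, k) for f in normal))
    counts = Counter()
    for f in suspicious:
        for g in kgrams(f, k) - benign:
            counts[g] += 1                       # once per flow, not per occurrence
    if not counts:
        return None, 0
    block = min(counts, key=lambda g: (-counts[g], g))   # deterministic tie-break
    return block, counts[block]


def polygraph_tokens(samples, min_len=4):
    """Polygraph-style token extraction: maximal substrings of the first sample
    (at least `min_len` bytes) that occur in every other sample, found greedily."""
    base, tokens, i = samples[0], [], 0
    while i < len(base):
        for length in range(len(base) - i, min_len - 1, -1):
            sub = base[i:i + length]
            if all(sub in s for s in samples[1:]):
                tokens.append(sub)
                i += length
                break
        else:
            i += 1
    return tokens


def matches_all(tokens, flow):
    """Conjunction signature: every token must be present (order ignored)."""
    return all(t in flow for t in tokens)


def coverage(pred, flows):
    return sum(1 for f in flows if pred(f))


if __name__ == "__main__":
    blk, n = autograph_block(MONO, NORMAL)
    print(f"mono: block {blk!r} covers {n}/{len(MONO)} samples")
    blk, n = autograph_block(POLY, NORMAL)
    print(f"poly: best single block covers only {n}/{len(POLY)} samples")
    toks = polygraph_tokens(POLY)
    print(f"poly tokens: {toks}")
    print("conjunction covers", coverage(lambda f: matches_all(toks, f), POLY),
          "worm flows and", coverage(lambda f: matches_all(toks, f), NORMAL), "benign flows")
```

The single-block signature covers every monomorphic sample but only a fraction of the polymorphic ones, because no 8-byte block survives the random filler. The token set extracted from the polymorphic samples is the framing plus RET; the framing token on its own also matches a benign POST, which is why the tokens are used as a conjunction rather than individually.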
![Page 24: IEEE Communications Surveys & Tutorials 1st Quarter 2008.](https://reader036.fdocuments.net/reader036/viewer/2022062408/56649efa5503460f94c0c0cb/html5/thumbnails/24.jpg)
Combined usage of detection schemes
Unknown-signature detection systems take time to generate a signature, even for worms whose signatures are already defined.
Known-signature detection systems can't detect unknown worms.
Merge them!
![Page 25: IEEE Communications Surveys & Tutorials 1st Quarter 2008.](https://reader036.fdocuments.net/reader036/viewer/2022062408/56649efa5503460f94c0c0cb/html5/thumbnails/25.jpg)
Anomaly detection methods vs. worm characteristics.
![Page 26: IEEE Communications Surveys & Tutorials 1st Quarter 2008.](https://reader036.fdocuments.net/reader036/viewer/2022062408/56649efa5503460f94c0c0cb/html5/thumbnails/26.jpg)
Containment
Slowing down infection
- Rate limiting techniques
Blocking
- Address blocking: when a host is identified as a scanner or victim, any traffic from that host address is dropped.
- Content blocking: if packet content matches a worm signature, the packet is dropped automatically.
Honeypot
- Trap worms into infecting a simulated machine provided by the honeypot
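A per-host new-destination throttle with address blocking on overflow, as an added example of the rate-limiting and address-blocking containment techniques above; it is not code from the slides or the paper, and the working-set size, the one-per-second release rate, the queue limit and the traffic are assumptions. It shows why rate limiting slows a scanner without noticeably affecting a host that keeps talking to the same few servers.

```python
"""Per-host new-destination throttle with address blocking on overflow.

Added example, not code from the slides or the surveyed paper. Working-set
size, release rate, queue limit and the sample traffic are assumptions.
"""
from collections import OrderedDict, deque


class NewDestinationThrottle:
    """Rate limiting: contacts to recently used destinations pass at once; first
    contacts to new destinations are queued and released one per second. A queue
    that overflows marks the host as a scanner and triggers address blocking."""

    def __init__(self, working_set_size=5, queue_limit=20):
        self.working_set_size = working_set_size
        self.queue_limit = queue_limit
        self.working = OrderedDict()   # LRU of recently contacted destinations
        self.queue = deque()           # delayed first contacts
        self.blocked = False
        self.sent = 0
        self.dropped = 0

    def request(self, dst):
        if self.blocked:
            self.dropped += 1          # address blocking: everything from this host is dropped
            return "dropped"
        if dst in self.working:
            self.working.move_to_end(dst)
            self.sent += 1
            return "sent"
        self.queue.append(dst)
        if len(self.queue) > self.queue_limit:
            self.dropped += len(self.queue)
            self.queue.clear()
            self.blocked = True        # too many new destinations at once: scanner
            return "blocked"
        return "queued"

    def tick(self):
        """Called once per second: release one queued destination."""
        if self.blocked or not self.queue:
            return None
        dst = self.queue.popleft()
        self.working[dst] = True
        if len(self.working) > self.working_set_size:
            self.working.popitem(last=False)   # evict the least recently used destination
        self.sent += 1
        return dst


def simulate(attempts, seconds):
    """Run (second, src, dst) connection attempts through one throttle per source."""
    throttles = {}
    for now in range(seconds):
        for t, src, dst in attempts:
            if t == now:
                throttles.setdefault(src, NewDestinationThrottle()).request(dst)
        for th in throttles.values():
            th.tick()
    return {src: {"sent": th.sent, "dropped": th.dropped, "blocked": th.blocked}
            for src, th in throttles.items()}


# Constructed traffic: a workstation revisiting three servers, and a scanner that
# tries 50 new destinations in its first second and one more in the next.
NORMAL_HOST = [(t, "10.0.0.5", dst) for t, dst in enumerate(
    ["10.0.0.20", "10.0.0.21", "10.0.0.20", "10.0.0.22",
     "10.0.0.20", "10.0.0.21", "10.0.0.22", "10.0.0.20"])]
SCANNER = [(0, "10.0.0.9", f"10.0.1.{i}") for i in range(1, 51)] + [(1, "10.0.0.9", "10.0.1.60")]
ATTEMPTS = NORMAL_HOST + SCANNER


if __name__ == "__main__":
    for src, summary in simulate(ATTEMPTS, seconds=8).items():
        print(src, summary)
```

The workstation's first contact to each server waits at most one second and every attempt gets through; the scanner overflows the queue inside its first second, is marked as a scanner, and from then on has all of its traffic dropped, which is the address-blocking step of the slide.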
![Page 27: IEEE Communications Surveys & Tutorials 1st Quarter 2008.](https://reader036.fdocuments.net/reader036/viewer/2022062408/56649efa5503460f94c0c0cb/html5/thumbnails/27.jpg)
Comments
- No perfect solution to deal with all existing and future worms.
- Efficiency issue