Defending Against Internet Worms: A Signature-Based Approach (PowerPoint presentation transcript)

1
Defending Against Internet Worms: A Signature-Based Approach
  • Authors: Yong Tang and Shigang Chen
  • Publication: IEEE INFOCOM'05
  • Presenter: Richard Bares

2
What is an Internet Worm?
  • A self-propagating program that automatically
    replicates itself to vulnerable systems and
    spreads across the Internet

3
Current ways to detect worms
  • Address blacklisting / content filtering
  • Anomaly-based detection
  • Signature-based detection

4
Drawbacks of these systems
  • Address blacklisting and content filtering need
    widespread deployment across the Internet to be
    effective
  • Anomaly-based systems have high false-positive rates
  • Signature-based systems find only known worms, and
    signature generation is not automated

5
Solution
  • Double-honeypot system for automatic detection
  • New type of signature, the position-aware
    distribution signature (PADS), to detect
    polymorphic worms

6
Double HoneyPot
  • Two independent honeypot arrays with two address
    translators
  • Inbound honeypot: attracts attackers
  • Outbound honeypot: captures the attack traffic

7
Double HoneyPot (figure slide; no transcript text)
8
Inbound HoneyPot
  • All requests for invalid (unused) services are
    forwarded to the inbound honeypot by the gate
    translator
  • High-interaction honeypot, so that hosts can be
    fully compromised
  • Traffic from infected hosts is forwarded to the
    outbound honeypot by the internal translator

9
Invalid service requests (figure slide; no transcript text)
10
Outbound HoneyPot
  • Collects the attack traffic sent by infected
    inbound honeypots
  • This captured traffic is used to build
    position-aware distribution signatures (PADS)
    that detect polymorphic worms

11
Polymorphic Techniques
  • Encryption with random keys
  • Random encryption routines
  • Garbage code insertion
  • Instruction substitution
  • Code transposition
  • Register reassignment

12
PADS
  • Combines aspects of signature-based and
    anomaly-based systems
  • Each signature position holds a byte frequency
    distribution instead of a fixed byte value
  • Captures the generic pattern of the worm, so some
    variation between variants is tolerated

13
PADS
  • Builds a signature from the worm variants captured
    by the honeypots
  • Two algorithms align the variants' byte sequences
    against each other to compute the signature
    (expectation-maximization and Gibbs sampling in
    the paper)

14
PADS (figure slide; no transcript text)
15
Testing
  • Created 200 variants of the MS Blaster worm
  • Used 100 variants to build the PADS signature
  • Remaining 100 held out to test the signature
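The following is an added worked example, written for this transcript and not code from the paper or the presentation. It implements the PADS idea the slides describe end to end: each signature position holds a byte distribution rather than a fixed byte, a signature is learned from captured variants by iterative realignment (in the spirit of the paper's expectation-maximization step, with random restarts added here), and the slides' protocol of 100 training variants, 100 held-out variants and benign traffic is mirrored. Everything specific is assumed or constructed: the signature width W = 8, a uniform background byte distribution as the denominator of the match score (a simplification), the "core" bytes that stand in for a decoder with two varying positions (not real Blaster bytes), the constructed benign samples, and the rule that the detection threshold is half the mean training match score.

```python
"""Toy position-aware distribution signature (PADS). Added example, not the paper's code."""
import math
import random
from collections import Counter

W = 8                      # signature width in bytes (assumed parameter)
ALPHABET = 256
BG = 1.0 / ALPHABET        # assumed uniform background p0(b) (simplification)

# Constructed stand-in for an invariant decoder core; NOT real worm bytes.
CORE = [0xEB, 0x0E, 0x5E, 0x31, 0xC9, 0xB1, 0x40, 0x80]
# Positions that vary between variants (mimicking instruction substitution
# and register reassignment); all other core positions are fixed.
VARIABLE = {3: [0x31, 0x29, 0x33], 6: [0x40, 0x41, 0x42, 0x43]}


def rand_bytes(seed, n):
    """Deterministic pseudo-random bytes (stands in for encrypted payload/garbage)."""
    rng = random.Random(seed)
    return bytes(rng.randrange(ALPHABET) for _ in range(n))


def make_variant(seed, length=64):
    """One constructed 'polymorphic' variant: random bytes with the partly
    varying core embedded at a random offset."""
    rng = random.Random(seed)
    body = bytearray(rand_bytes(seed + 1, length))
    start = rng.randrange(length - W + 1)
    for i in range(W):
        body[start + i] = rng.choice(VARIABLE[i]) if i in VARIABLE else CORE[i]
    return bytes(body)


def build_signature(samples, offsets):
    """Signature = per-position table of log(p_i(b) / p0(b)), where p_i is the
    add-one-smoothed distribution of the byte at position i of the W-byte
    segment starting at offsets[k] in samples[k]."""
    sig = []
    for i in range(W):
        counts = Counter(s[o + i] for s, o in zip(samples, offsets))
        total = len(samples) + ALPHABET
        sig.append([math.log(((counts[b] + 1) / total) / BG) for b in range(ALPHABET)])
    return sig


def segment_score(sig, seg):
    """Log-likelihood ratio of one W-byte segment: signature vs background."""
    return sum(sig[i][b] for i, b in enumerate(seg))


def best_match(sig, data):
    """Slide the signature over the data; return (max score, offset).
    This is the matching step: a flow is flagged if the max score passes a threshold."""
    best = (-math.inf, 0)
    for o in range(len(data) - W + 1):
        score = segment_score(sig, data[o:o + W])
        if score > best[0]:
            best = (score, o)
    return best


def learn_signature(samples, restarts=5, rounds=30, seed=0):
    """Iterative alignment: random offsets -> build signature -> realign every
    sample to its best-scoring offset -> repeat until stable. Random restarts
    are my addition; the alignment with the highest total score is kept."""
    rng = random.Random(seed)
    best_sig, best_total = None, -math.inf
    for _ in range(restarts):
        offsets = [rng.randrange(len(s) - W + 1) for s in samples]
        for _ in range(rounds):
            sig = build_signature(samples, offsets)
            new_offsets = [best_match(sig, s)[1] for s in samples]
            if new_offsets == offsets:
                break
            offsets = new_offsets
        sig = build_signature(samples, offsets)
        total = sum(best_match(sig, s)[0] for s in samples)
        if total > best_total:
            best_sig, best_total = sig, total
    return best_sig


def choose_threshold(sig, samples, fraction=0.5):
    """Assumed rule: threshold = fraction of the mean training match score."""
    return fraction * sum(best_match(sig, s)[0] for s in samples) / len(samples)


def experiment(n_train=100, n_test=100):
    """Mirror the slides: 100 variants to build the signature, 100 held-out
    variants plus constructed benign data to evaluate. Returns (detected, false positives)."""
    train = [make_variant(1000 + 2 * k) for k in range(n_train)]
    test = [make_variant(5000 + 2 * k) for k in range(n_test)]
    benign = [b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
              b"220 mail.example.com ESMTP ready\r\nEHLO client.example.org\r\n",
              b"Just some plain text that happens to cross the honeypot."]
    benign += [rand_bytes(9000 + k, 64) for k in range(50)]   # constructed binary noise
    sig = learn_signature(train)
    thr = choose_threshold(sig, train)
    detected = sum(best_match(sig, s)[0] >= thr for s in test)
    false_pos = sum(best_match(sig, s)[0] >= thr for s in benign)
    return detected, false_pos


if __name__ == "__main__":
    det, fp = experiment()
    print(f"detected {det}/100 held-out variants, {fp} false positives on benign data")
```

The varying positions are where a fixed-byte signature would break: a classic signature would have to pick one of the three or four substituted bytes, while the per-position distribution gives every observed value a high score and still penalizes bytes never seen at that position. The uniform background and the threshold rule are the two places where a real deployment would substitute measured normal-traffic statistics.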

16
Conclusion
  • Detected all 100 held-out MS Blaster variants
  • No false positives on legitimate network traffic
  • More testing needed in a live environment

17
Contributions
  • Design of the double honeypot, which can detect and
    block attack traffic
  • The position-aware distribution signature, which
    takes the best features of signature-based and
    anomaly-based systems

18
Weaknesses
  • Honeypots hold no genuine data, and the system is
    not able to block local traffic
  • One of the algorithms used in PADS contained a
    serious bug
  • All testing was done on variants of the same worm
  • Not tested in a live environment