Digging For Worms, Fishing For Answers - PowerPoint PPT Presentation

About This Presentation
Title:

Digging For Worms, Fishing For Answers

Description:

'Malicious programs like worms also need to do some probing ... Digging for Worms, Fishing for Answers. ... Overview of Worms and Defence Strategies, 2003. ...' – PowerPoint PPT presentation

Slides: 31
Provided by: isc

Transcript and Presenter's Notes

1
Digging For Worms, Fishing For Answers
  • Speaker: Lim Ka Tiong
  • Based on the original paper by [CER]

2
Objective
  • Malicious programs like worms also need to do
    some probing (like port scans) in order to select
    potential victims to attack.
  • So can we make use of this behaviour to help us
    detect a worm's presence?

3
Outline
  • Background Information
  • Modelling Worms Behaviour
  • Detection Techniques
  • Current Techniques
  • Proposed Technique
  • Final Remarks

4
Background Information
  • Definition of worm [SAN]
  • A computer program that can run independently,
    can propagate a complete working version of
    itself onto other hosts on a network, and may
    consume computer resources destructively.

5
Background Information
  • Characteristics of worms [MIG]
  • Propagation nature
  • Exploited vulnerability
  • Impact on infected host
  • Attack rate dynamics
  • IP address scanning

6
Background Information
  • A few recent worms
  • w32.beagle.o@mm
  • w32.bizex.worm
  • Refer to Symantec

7
Modelling Worms Behaviour
  • The four-stage life-cycle

8
Modelling Worms Behaviour
  • Phase 1: Target Selection
  • Performs reconnaissance.
  • Simply probes a potential victim to see if it is
    running a service on a particular port.
  • If service is running,
  • go to phase 2

9
Modelling Worms Behaviour
  • Phase 2: Exploitation
  • Compromises the target by exploiting a particular
    vulnerability.
  • Often uses well-known vulnerabilities and
    published exploits.
  • If successful,
  • go to phase 3

10
Modelling Worms Behaviour
  • Phase 3: Infection
  • Sets up shop on the newly infected machine.
  • Activities can be anything.
  • e.g. do nothing, open back doors, change system
    files, etc.
  • Okies, let's spread!

11
Modelling Worms Behaviour
  • Phase 4: Propagation
  • Attempts to spread by choosing new targets.
  • Difference from Target Selection: the point of
    view from which the actions take place.
  • The infected local host chooses new targets using
    probes that go out in its outbound network traffic.

12
Modelling Worms Behaviour
13
Detection Techniques
  • Current Techniques
  • Focus on detecting Target Selection,
    Exploitation, Infection.
  • Proposed Technique
  • Focus on detecting Propagation by watching
    outbound network traffic from an infected host.

14
Current Techniques
  • Detecting Target Selection
  • Involves an inbound network probe: firewall.
  • Involves probes on public services: testing for
    X events of interest across a Y-sized time
    window. [SDJ]
  • Limitation
  • What if the infected host sends only one probe into
    our network? (e.g. we receive only one inbound request)

15
Current Techniques
  • Detecting Exploitation
  • Keep servers up-to-date with the latest patches!
  • Use signature-based filters: NIDS.
  • Limitation
  • What if it is a new vulnerability and the exploit
    has never been seen in the wild?

16
Current Techniques
  • Detecting Infection
  • Modifies system files: file integrity program.
  • Opens a backdoor: netstat / network scanner.
  • Limitation
  • How do we know the exact actions of a worm?
  • What if there are few noticeable footprints?

17
Proposed Technique
  • Idea: to detect Propagation by watching outbound
    network traffic from an infected host.
  • Prior work in detecting scans
  • GrIDS (Graph Based IDS)
  • Bro IDS
  • Using the X Events in Y Period of Time Technique.

18
Proposed Technique
  • Prior work: Graph Based IDS [SSR]
  • Building activity graphs of network traffic.
  • e.g. look for tree-like connection graph.

19
Proposed Technique
  • Prior work: Bro IDS [VPA]
  • Has outbound scan detection built in, using a rule
    description language.
  • e.g. looks for the number of connections to
    cross a particular threshold, but no timing
    mechanism is used.

20
Proposed Technique
  • X Events in Y Period of Time Technique in
    Outbound Scan Detection
  • Can see all of the scans leaving a scanning
    (infected) host.
  • Attempt to distinguish a horizontal scan.

21
Huh? Explanation
  • Horizontal Scan?
  • Horizontal scan occurs when a worm is only
    probing a particular port on a set of different
    hosts.
  • e.g. probing of port 53 on randomly selected IP
    addresses.
  • Vertical scan occurs when a scanning host probes
    several ports on the same target.

22
Proposed Technique
  • X Events in Y Period of Time Technique in
    Outbound Scan Detection
  • Can see all of the scans leaving a scanning
    (infected) host.
  • Attempt to distinguish a horizontal scan.
  • Detection will be performed at a network sensor
    that can see all traffic, not on the infected
    host.

23
Huh? Explanation
  • Why at the network sensor?
  • So that detection will not be altered or switched
    off (by the worm or the user).
  • Detection will be performed at a network sensor
    that can see all traffic,
  • Then determine a fixed count for outbound packets
    (Threshold) over a fixed period of time (Quantum).

24
Proposed Technique
  • X Events in Y Period of Time Technique in
    Outbound Scan Detection
  • Can see all of the scans leaving a scanning
    (infected) host.
  • Attempt to distinguish a horizontal scan.
  • Detection will be performed at a network sensor
    that can see all traffic, not on the infected
    host.
  • Sound alert when Threshold is exceeded.
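The X-events-in-Y-period outbound scan detector described on slides 20 to 24, together with the horizontal/vertical distinction from slide 21, as an added worked example. This is my own code, not the presentation's or the CERIAS paper's implementation. It assumes a sensor that feeds one record per outbound connection attempt, and the Threshold and Quantum values are assumed (the slides leave them to be determined on a production network). It goes slightly beyond the slides by also flagging vertical scans and by including a slow scanner that stays under the threshold, the same window logic a firewall would apply to inbound probes on slide 14.

```python
"""Outbound scan detection with an "X events in Y period of time" window.

Added example (not code from the presentation or the CERIAS paper).
Assumed input: one record per outbound connection attempt, as a network
sensor would see it: (timestamp_seconds, src_ip, dst_ip, dst_port).
"""
from collections import defaultdict, deque

THRESHOLD = 5   # X: distinct targets within one quantum before alerting (assumed)
QUANTUM = 10.0  # Y: window length in seconds (assumed)


class OutboundScanDetector:
    """Per source host, keep the probes seen inside the last QUANTUM seconds
    and classify a burst as a horizontal scan (one port, many hosts) or a
    vertical scan (one host, many ports)."""

    def __init__(self, threshold=THRESHOLD, quantum=QUANTUM):
        self.threshold = threshold
        self.quantum = quantum
        # src_ip -> deque of (ts, dst_ip, dst_port), oldest on the left
        self.window = defaultdict(deque)

    def observe(self, ts, src, dst, port):
        """Feed one outbound probe (records must arrive in time order).
        Returns an alert dict, or None if the source is under threshold."""
        q = self.window[src]
        while q and ts - q[0][0] > self.quantum:   # drop probes older than Quantum
            q.popleft()
        q.append((ts, dst, port))

        # Horizontal scan: distinct destination hosts contacted on this port.
        hosts_on_port = {d for _, d, p in q if p == port}
        if len(hosts_on_port) >= self.threshold:
            return {"src": src, "type": "horizontal", "port": port,
                    "targets": len(hosts_on_port), "ts": ts}

        # Vertical scan: distinct destination ports tried on this host.
        ports_on_host = {p for _, d, p in q if d == dst}
        if len(ports_on_host) >= self.threshold:
            return {"src": src, "type": "vertical", "host": dst,
                    "targets": len(ports_on_host), "ts": ts}
        return None


def run(records, threshold=THRESHOLD, quantum=QUANTUM):
    """Run the detector over connection records and return the alerts raised,
    reporting each (source, scan type) once so a long scan cannot flood the
    operator with repeats."""
    det = OutboundScanDetector(threshold, quantum)
    alerts, reported = [], set()
    for ts, src, dst, port in sorted(records):
        alert = det.observe(ts, src, dst, port)
        if alert and (src, alert["type"]) not in reported:
            reported.add((src, alert["type"]))
            alerts.append(alert)
    return alerts


# Constructed sample traffic (not a real capture).
SAMPLE = [
    # 10.0.0.5: one port-80 connection roughly every 15 s to 5 different hosts.
    # Under a 10 s quantum this is invisible, whether it is a user browsing
    # or a worm content to spread slowly (the limitation on slide 26).
    (0.0, "10.0.0.5", "203.0.113.10", 80),
    (15.0, "10.0.0.5", "203.0.113.11", 80),
    (31.0, "10.0.0.5", "203.0.113.12", 80),
    (47.0, "10.0.0.5", "203.0.113.13", 80),
    (62.0, "10.0.0.5", "203.0.113.14", 80),
    # 10.0.0.9: port 53 probed on six random hosts within 2.5 s (horizontal).
    (100.0, "10.0.0.9", "198.51.100.1", 53),
    (100.5, "10.0.0.9", "198.51.100.2", 53),
    (101.0, "10.0.0.9", "198.51.100.3", 53),
    (101.5, "10.0.0.9", "198.51.100.4", 53),
    (102.0, "10.0.0.9", "198.51.100.5", 53),
    (102.5, "10.0.0.9", "198.51.100.6", 53),
    # 10.0.0.7: five ports tried on one host within 4 s (vertical).
    (200.0, "10.0.0.7", "198.51.100.50", 21),
    (201.0, "10.0.0.7", "198.51.100.50", 22),
    (202.0, "10.0.0.7", "198.51.100.50", 23),
    (203.0, "10.0.0.7", "198.51.100.50", 25),
    (204.0, "10.0.0.7", "198.51.100.50", 80),
]

if __name__ == "__main__":
    for a in run(SAMPLE):
        print(a)
```

With the assumed Threshold of 5 and Quantum of 10 s, only the fast port-53 sweep and the single-host port sweep raise alerts; the slow source is reported only if the quantum is stretched to cover its whole spread, which is the tuning trade-off slide 27 defers to production measurements.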

25
Proposed Technique
  • X Events in Y Period of Time Technique

26
Proposed Technique
  • Limitations
  • What if the worm is content to spread slowly?
  • What if the worm evolves to employ other
    techniques to spread?

27
Final Remarks
  • Current Implementation and Future Work
  • Preliminary tests on an isolated network can detect
    rapid horizontal scans.
  • Next is to deploy it on a production network to
    determine the values of Threshold and Quantum.
  • Investigate techniques to detect other types
    of outbound scans.

28
Other Related Works
  • Twycross & Williamson [TW]
  • Focus on the network behaviour of viruses:
    the attempt to create a large number of outgoing
    connections per second.
  • Restrict the rate of connections to new hosts
    such that most normal traffic is unaffected.
  • Toth & Kruegel [TK]
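The connection-rate throttle of Twycross & Williamson [TW] from the slide above, as an added simulation. This is my own code, not HP's implementation: a small working set of recently contacted hosts, a delay queue for connections to any other host, one queued connection released per one-second tick, and a flag once the queue grows past a limit. The working-set size, release rate and queue limit are assumed values, and the constructed traffic is not a real capture.

```python
"""Connection-rate throttle in the style of the Twycross & Williamson virus
throttle [TW]. Added example, not HP's implementation.

Idea: a host normally talks to a small set of hosts repeatedly, while a
worm tries many new hosts per second. Connections to recently contacted
hosts pass at once; connections to new hosts wait in a queue that drains at
a fixed rate, so the worm is slowed and the queue length exposes it.
All parameter values below are assumed.
"""
from collections import deque

WORKING_SET_SIZE = 4   # recently contacted hosts that pass without delay
RELEASE_PER_TICK = 1   # new-host connections released each tick (1 tick = 1 s)
QUEUE_ALERT_LEN = 10   # queue length at which the host is flagged


class VirusThrottle:
    def __init__(self, ws_size=WORKING_SET_SIZE, per_tick=RELEASE_PER_TICK,
                 alert_len=QUEUE_ALERT_LEN):
        self.ws_size, self.per_tick, self.alert_len = ws_size, per_tick, alert_len
        self.working_set = deque()   # least recently used host on the left
        self.queue = deque()         # pending connections to hosts outside the set
        self.passed = 0              # connections allowed through immediately
        self.delayed = 0             # connections that had to wait
        self.alerted = False

    def request(self, dst):
        """Outbound connection request to dst; returns 'pass' or 'queued'."""
        if dst in self.working_set:
            self.working_set.remove(dst)
            self.working_set.append(dst)   # refresh recency
            self.passed += 1
            return "pass"
        self.queue.append(dst)
        self.delayed += 1
        if len(self.queue) >= self.alert_len:
            self.alerted = True
        return "queued"

    def tick(self):
        """One timer tick: release up to per_tick queued hosts. A released host
        enters the working set (evicting the least recently used entry when
        the set is full), and any other queued requests to the same host are
        released with it. Returns the list of destinations released."""
        released = []
        for _ in range(self.per_tick):
            if not self.queue:
                break
            dst = self.queue.popleft()
            riders = sum(1 for d in self.queue if d == dst)
            self.queue = deque(d for d in self.queue if d != dst)
            if len(self.working_set) >= self.ws_size:
                self.working_set.popleft()
            self.working_set.append(dst)
            released.extend([dst] * (1 + riders))
        return released


def simulate(per_second, **kw):
    """per_second: list of per-tick lists of destinations one host tries to
    contact. Returns a summary of how the throttle treated the traffic."""
    throttle = VirusThrottle(**kw)
    alert_tick = None
    for tick_no, dsts in enumerate(per_second):
        for dst in dsts:
            throttle.request(dst)
        if throttle.alerted and alert_tick is None:
            alert_tick = tick_no
        throttle.tick()
    return {"alerted": throttle.alerted, "alert_tick": alert_tick,
            "passed": throttle.passed, "delayed": throttle.delayed}


# Constructed traffic (not real captures): a user revisiting a few servers,
# and a host trying 20 fresh destinations per second.
NORMAL = [["web1", "web1", "mail"], ["web1"], ["web2"], [], ["web1", "mail"], ["dns"]]
WORM = [[f"victim{i}" for i in range(20)], [f"victim{i}" for i in range(20, 40)]]

if __name__ == "__main__":
    print("normal:", simulate(NORMAL))
    print("worm:  ", simulate(WORM))
```

The normal host only pays a delay of at most one tick on its first contact with each server and is never flagged, while the scanning host fills the queue inside the first second, which is the behavioural signal the throttle turns into both a slowdown and an alert.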

29
Discussion
  • Contact: limkatio@comp.nus.edu.sg

30
References
  • [CER] The CERIAS Intrusion Detection Research
    Group. Digging for Worms, Fishing for Answers. In
    Proceedings of the Annual Computer Security
    Applications Conference (ACSAC'02), 2002.
    http://www.acsac.org/2002/abstracts/68.html
  • [SAN] SANS Glossary of Terms Used in Security
    and Intrusion Detection, updated May 2003.
    http://www.sans.org/resources/glossary.php
  • [MIG] Miguel Vargas Martin. Overview of Worms
    and Defence Strategies, 2003.
    http://www.scs.carleton.ca/mvargas/lecture95.4108-v1.0.pdf
  • [SDJ] S. Northcutt, D. McLachlan, and J. Novak.
    Network Intrusion Detection: An Analyst's
    Handbook. New Riders, Sep 2000.
  • [SSR] S. Staniford-Chen, S. Cheung, R. Crawford,
    M. Dilger, J. Frank, J. Hoagland, K. Levitt, C.
    Wee, R. Yip, D. Zerkle. GrIDS - A Graph Based
    Intrusion Detection System for Large Networks.
    http://seclab.cs.ucdavis.edu/arpa/grids/welcome.html
  • [VPA] V. Paxson. Bro: A System for Detecting
    Network Intruders in Real-Time.
    http://www.icir.org/vern/bro-info.html
  • [TW] Twycross & Williamson. Implementing and
    testing a virus throttle. In 12th Usenix Security
    Symposium, 2003.
    http://www.hpl.hp.com/techreports/2003/HPL-2003-103.pdf
  • [TK] Toth & Kruegel. Evaluating the impact of
    automated intrusion response mechanisms. In
    Proceedings of the Annual Computer Security
    Applications Conference (ACSAC'02), 2002.
    http://www.acsac.org/2002/papers/78.pdf