Title: Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms
- Zhichun Li (1), Lanjia Wang (2), Yan Chen (1) and Judy Fu (3)
(1) Lab for Internet and Security Technology (LIST), Northwestern Univ.
(2) Tsinghua University, China
(3) Motorola Labs, USA
The Spread of Sapphire/Slammer Worms
Limitations of Content Based Signature
[Figure: content-based signature traffic filtering between the Internet and our network]
Polymorphism! A polymorphic worm might not have an exact content-based signature.
Vulnerability Signature
[Figure: vulnerability-signature traffic filtering between the Internet and our network]
- Works for polymorphic worms
- Works for all the worms which target the same vulnerability
Network Based Detection
[Figure: gateway routers between the Internet and our network]
Host based detection:
- At the early stage of the worm, there are only limited worm samples.
- Host based sensors can only cover limited IP space, which might have scalability issues. Thus they might not be able to detect the worm in its early stage.
Design Space and Related Work
- Axes: Network Based vs. Host Based; Exploit Based vs. Vulnerability Based
- Exploit based: Polygraph (SSP05), Hamsa (SSP06), PADS (INFOCOM05), CFG (RAID05), Nemean (Security05), DOCODA (CCS05), TaintCheck (NDSS05)
- Vulnerability based: LESG (this paper), Vulsig (SSP06), Vigilante (SOSP05), COVERS (CCS05), ShieldGen (SSP07)
- Most host approaches depend on lots of host information, such as source/binary code of the vulnerable program, vulnerability condition, execution traces, etc.
Outline
- Motivation and Related Work
- Design of LESG
  - Problem Statement
  - Three Stage Algorithm
  - Attack Resilience Analysis
- Evaluation
- Discussions and Conclusions
Key Ideas
- At least 75% of vulnerabilities are due to buffer overflow
- Some protocol fields might map to the vulnerable buffer to trigger the vulnerability
- The length of such a protocol field has to be longer than the buffer length
- This is intrinsic to the buffer overflow vulnerability and hard to evade
- However, there could be thousands of fields, so selecting the optimal field set is hard
Framework
- Sniff network traffic from network gateways
- Filter out known worms
- Existing flow classifiers separate traffic into a suspicious traffic pool and a normal traffic pool
  - E.g. port scan detector, honeynets
- LESG Signature Generator
LESG Signature Generator
Field Hierarchies
[Figure: field hierarchy of a DNS PDU]
Length-based Signature Definition
- A signature is a signature length for a field
- Matching for a flow: if , flow X is labeled as a worm flow
- Signature set: worm flows match at least one signature
- The ground truth signature is the vulnerable buffer length
2018/6/18
Problem Formulation
[Figure: suspicious pool and normal pool fed into the LESG signature generator]
- Coverage in the suspicious pool is bounded by 1-? (coverage bound)
- Minimize the false positives in the normal pool
- With noise: NP-Hard!
Stage I and II
[Figure: trade-off score function Score(COV, FP); figure labels COV 1, FP 0.1]
- Stage I: Field Filtering
- Stage II: Length Optimization
Stage III
- Find the optimal set of fields as the signature, approximately
- Separate the fields into two sets, FP=0 and FP>0
  - Opportunistic step (FP=0)
  - Attack Resilience step (FP>0)
- A similar greedy algorithm is used for each step
  - Every time, find the field with maximum residual coverage, where that coverage is no less than a threshold.
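As an added illustration (not the authors' code), a simplified re-implementation of the three-stage idea from the signature definition, Stage I/II and Stage III slides above, run on constructed DNS field-length pools. The matching rule (field length at least the signature length), the score function Score(COV, FP) = COV - 10·FP, and the thresholds are assumptions.

```python
from typing import Dict, List, Tuple
Flow = Dict[str, int]        # parsed protocol field name -> field length in bytes
Signature = Tuple[str, int]  # (field, length): a flow matches if that field is at least this long
def matches(flow: Flow, sig: Signature) -> bool:
    return flow.get(sig[0], 0) >= sig[1]
def cov_fp(sig: Signature, suspicious: List[Flow], normal: List[Flow]) -> Tuple[float, float]:
    # Coverage in the suspicious pool and false-positive rate in the normal pool.
    return (sum(matches(f, sig) for f in suspicious) / len(suspicious),
            sum(matches(f, sig) for f in normal) / len(normal))
def score(cov: float, fp: float, weight: float = 10.0) -> float:
    # Assumed trade-off Score(COV, FP); the slides do not give the authors' exact function.
    return cov - weight * fp
def stage1_2(suspicious, normal, min_cov=0.1, max_fp=0.01) -> Dict[str, Tuple[int, float, float]]:
    # Stage I (field filtering) and Stage II (length optimisation): per field, keep only
    # lengths meeting the coverage and FP bounds, then pick the best-scoring length.
    best_per_field = {}
    for field in {k for f in suspicious for k in f}:
        best = None
        for length in sorted({f.get(field, 0) for f in suspicious}):
            cov, fp = cov_fp((field, length), suspicious, normal)
            if cov >= min_cov and fp <= max_fp and (best is None or score(cov, fp) > score(*best[1:])):
                best = (length, cov, fp)
        if best is not None:
            best_per_field[field] = best
    return best_per_field

def stage3(suspicious, candidates, min_residual=0.05) -> List[Signature]:
    # Stage III: greedy selection, first over FP=0 fields (opportunistic step), then over
    # FP>0 fields (attack-resilience step), taking the largest residual coverage each time.
    chosen: List[Signature] = []
    uncovered = list(suspicious)
    for allow_fp in (False, True):
        while True:
            pool = [(fld, ln) for fld, (ln, _, fp) in candidates.items()
                    if (fp > 0) == allow_fp and (fld, ln) not in chosen]
            gains = [(sum(matches(f, s) for f in uncovered) / len(suspicious), s) for s in pool]
            best_gain, best = max(gains) if gains else (0.0, None)
            if best_gain < min_residual:
                break
            chosen.append(best)
            uncovered = [f for f in uncovered if not matches(f, best)]
    return chosen

def generate(suspicious: List[Flow], normal: List[Flow]) -> List[Signature]:
    return stage3(suspicious, stage1_2(suspicious, normal))

# Constructed sample pools (not real traffic): 8 worm flows whose DNS qname field overruns a
# 256-byte buffer, 2 benign noise flows in the suspicious pool, 51 benign flows in the normal pool.
SUSPICIOUS = [{"qname": 300 + i, "txt": 20} for i in range(8)] + [{"qname": 30, "txt": 10}, {"qname": 40, "txt": 200}]
NORMAL = [{"qname": 20 + i, "txt": 10 + i} for i in range(50)] + [{"qname": 60, "txt": 250}]
```

On the sample pools, `generate(SUSPICIOUS, NORMAL)` yields the single signature `("qname", 300)`: the `txt` field is filtered out in Stage I because every length that covers worm flows also matches benign flows, and the two noise flows stay uncovered rather than pulling in a false-positive-prone field.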
Attack Resilience Bounds
[Figure: accuracy scale from High to Low: Ground Truth Signature (b0), Know the vulnerable field (b1), Multiple field Optimal, LESG Signature]
- With different assumptions on b0 and on whether deliberate noise injection (DNI) exists, we get the bound b1
  - DNI: Theorems 2 and 3
  - No DNI: Theorems 4 and 5
- With 90% noise in the suspicious pool, we can get FN < 10% and FP < 1.8%
- Resilient to most proposed attacks
Methodology
- Protocol parsing with Bro and BINPAC
- Worm workload
  - Eight polymorphic worms created based on real world vulnerabilities: DNS, SNMP, FTP, SMTP
- Normal traffic data
  - 27GB from a university gateway and 123GB email log
- Experiment Settings
Results
- Single/Multiple worms with noise
  - Noise ratio 0 to 80%
  - False negative 0 to 1% (mostly 0)
  - False positive 0 to 0.01% (mostly 0)
- Speed and memory consumption
  - For DNS, parsing 58 secs, LESG 18 secs for (500, 320K)
- Pool size requirement
  - 10 or 20 is enough
Results: Attack Resilience
- The worm not only spreads itself but also spreads worst-case faked noise to mislead the signature generation
- DNS Lion worm, noise ratio 892, suspicious pool size 200
Conclusions
- A novel network-based automated worm signature generation approach
  - Works for zero-day polymorphic worms with unknown vulnerabilities
  - Vulnerability based and network based
- Length-based signatures for buffer overflow worms
- Provable attack resilience
- Fast and accurate through experiments
Backup Slides
Discussions of Practical Issues
- Speed of signature matching
  - Major overhead: protocol parsing
  - Software (Bro with Binpac): 50 to 200 Mbps
  - Optimized Binpac: 600 Mbps
  - Hardware: 3 Gbps
- Relationship between fields and buffers
  - Mostly direct mapping between fields and buffers
  - Analyzed 19 vulnerabilities, 1 exception
LEngth-based Signature Generator (LESG)
[Figure: LESG summary diagram with the following labels]
- Thwarts zero-day polymorphic worms
- Targets buffer overflow worms: 75% of vulnerabilities are based on buffer overflow
- Only uses network level info: network-based
- Attack resilient and noise tolerant
- Can detect zero-day worms in real-time
- Vulnerability-based
- Efficient signature matching