Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms
  • Zhichun Li1, Lanjia Wang2, Yan Chen1 and Judy Fu3

1 Lab for Internet and Security Technology (LIST), Northwestern Univ.
2 Tsinghua University, China
3 Motorola Labs, USA
2
The Spread of Sapphire/Slammer Worms
3
Limitations of Content Based Signature
[Figure: content signature "10.01" used for traffic filtering between the Internet and our network]
Polymorphism!
A polymorphic worm might not have an exact content-based signature.
4
Vulnerability Signature
[Figure: vulnerability signature traffic filtering between the Internet and our network]
Vulnerability
  • Works for polymorphic worms
  • Works for all the worms which target the same vulnerability

5
Network Based Detection
[Figure: gateway routers between the Internet and our network]
Host based detection
  • At the early stage of the worm, there are only limited worm samples.
  • Host based sensors can only cover limited IP space, which might have scalability issues. Thus they might not be able to detect the worm in its early stage.

6
Design Space and Related Work
[Table: columns Network Based / Host Based; rows Exploit Based / Vulnerability Based]
Exploit Based: Polygraph (SSP05), Hamsa (SSP06), PADS (INFOCOM05), CFG (RAID05), Nemean (Security05), DOCODA (CCS05), TaintCheck (NDSS05)
Vulnerability Based: LESG (this paper), Vulsig (SSP06), Vigilante (SOSP05), COVERS (CCS05), ShieldGen (SSP07)
  • Most host approaches depend on lots of host information, such as source/binary code of the vulnerable program, vulnerability condition, execution traces, etc.

7
Outline
  • Motivation and Related Work
  • Design of LESG
  • Problem Statement
  • Three Stage Algorithm
  • Attack Resilience Analysis
  • Evaluation
  • Discussions and Conclusions

8
Key Ideas
  • At least 75% of vulnerabilities are due to buffer overflow
  • Some protocol fields might map to the vulnerable buffer to trigger the vulnerability
  • The length of some protocol field has to be longer than the buffer length
  • Intrinsic to the buffer overflow vulnerability and hard to evade
  • However, there could be thousands of fields, so selecting the optimal field set is hard

9
Framework
  • Sniff network traffic from network gateways
  • Filter out known worms
    • Existing flow classifiers
  • Separate traffic into a suspicious traffic pool and a normal traffic pool
    • E.g. port scan detector, honeynets
  • LESG Signature Generator

10
LESG Signature Generator
11
Outline
  • Motivation and Related Work
  • Design of LESG
  • Problem Statement
  • Three Stage Algorithm
  • Attack Resilience Analysis
  • Evaluation
  • Discussions and Conclusions

12
Field Hierarchies
DNS PDU
13
Length-based Signature Definition
  • Signature is
    signature length for field
  • Matching for flow
  • if , flow X is labeled as a worm flow
  • Signature Set
  • worm flows match at least one signature
  • Ground truth signature is the
    vulnerable buffer length

2018/6/18
14
Problem Formulation
[Figure: suspicious pool and normal pool are fed to LESG, which outputs the signature]
Coverage in the suspicious pool is bounded by 1-? (with noise)
Minimize the false positives in the normal pool
NP-Hard!
15
Outline
  • Motivation and Related Work
  • Design of LESG
  • Problem Statement
  • Three Stage Algorithm
  • Attack Resilience Analysis
  • Evaluation
  • Discussions and Conclusions

16
Stage I and II
[Figure: trade-off score function Score(COV, FP), example point COV=1, FP=0.1]
Stage I: Field Filtering
Stage II: Length Optimization
17
Stage III
  • Approximately find the optimal set of fields as the signature
  • Separate the fields into two sets, FP = 0 and FP > 0
    • Opportunistic step (FP = 0)
    • Attack resilience step (FP > 0)
  • A similar greedy algorithm for each step
    • Each time, find the field with the maximum residual coverage, where that coverage is no less than a threshold.

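The length-based signature definition (slide 13: a signature is a length for a field, a flow matches when the field exceeds it, and a flow is a worm flow if it matches at least one signature in the set) and the three-stage generation procedure (slides 16 and 17) are shown end to end in the following added example. It is not the authors' LESG code; the DNS-like field names, both traffic pools, the linear Score(COV, FP) penalty and the coverage threshold are constructed assumptions for the illustration, and the three noise flows deliberately stay uncovered, which is the coverage bound from slide 14 in miniature.

```python
"""Toy LESG-style length-signature generator (added example, not the authors' code).

Flows are already parsed: each is a dict of protocol field name -> field length
in bytes.  A signature (field, L) matches a flow when that field is longer than L.
Field names, pool contents, the score function and the thresholds are all
constructed assumptions for this illustration.
"""
from typing import Dict, List, Optional, Set, Tuple

Flow = Dict[str, int]
Signature = Tuple[str, int]                  # (field, L): match iff len(field) > L
Candidate = Tuple[Signature, float, float]   # (signature, COV, FP)

# Constructed pools with hypothetical DNS-like field names (not real captures).
SUSPICIOUS_POOL: List[Flow] = (
    [{"qname": 420, "txid": 2, "rdata": 16}] * 8    # worm variant A: oversized qname
    + [{"qname": 25, "txid": 2, "rdata": 600}] * 4  # worm variant B: oversized rdata
    + [{"qname": 30, "txid": 2, "rdata": 20}] * 3   # noise: benign flows that leaked into the pool
)
NORMAL_POOL: List[Flow] = [
    {"qname": 10 + 3 * i, "txid": 2, "rdata": 12 + i} for i in range(40)
]

FP_WEIGHT = 5.0     # assumed trade-off: Score(COV, FP) = COV - FP_WEIGHT * FP
MIN_COVERAGE = 0.1  # assumed minimum (residual) coverage a field must contribute


def matches(sig: Signature, flow: Flow) -> bool:
    """Length-based signature matching: flag the flow if the field is longer than L."""
    field, length = sig
    return flow.get(field, 0) > length


def coverage(sig: Signature, pool: List[Flow]) -> float:
    """Fraction of the pool matched by one signature (COV on suspicious, FP on normal)."""
    return sum(matches(sig, f) for f in pool) / len(pool)


def score(cov: float, fp: float) -> float:
    return cov - FP_WEIGHT * fp


def optimize_length(field: str, suspicious: List[Flow], normal: List[Flow]) -> Candidate:
    """Stage II: choose the length L for one field that maximizes Score(COV, FP).
    Only observed lengths need to be tried, since COV and FP change only there."""
    best: Optional[Candidate] = None
    for length in sorted({f.get(field, 0) for f in suspicious + normal}):
        sig = (field, length)
        cov, fp = coverage(sig, suspicious), coverage(sig, normal)
        if best is None or score(cov, fp) > score(best[1], best[2]):
            best = (sig, cov, fp)
    return best


def filter_fields(suspicious: List[Flow], normal: List[Flow]) -> List[Candidate]:
    """Stage I: drop fields that cannot separate the pools (non-positive score
    or too little coverage even at their best length)."""
    fields = sorted({name for f in suspicious + normal for name in f})
    kept = []
    for field in fields:
        cand = optimize_length(field, suspicious, normal)
        if cand[1] >= MIN_COVERAGE and score(cand[1], cand[2]) > 0:
            kept.append(cand)
    return kept


def greedy_select(cands: List[Candidate], suspicious: List[Flow],
                  covered: Set[int]) -> List[Signature]:
    """Greedy step shared by both Stage III sub-steps: repeatedly take the field
    with the largest residual coverage (suspicious flows not yet covered) and
    stop once the best residual coverage falls below the threshold."""
    def residual(c: Candidate) -> float:
        hits = sum(1 for i, f in enumerate(suspicious)
                   if i not in covered and matches(c[0], f))
        return hits / len(suspicious)

    chosen, remaining = [], list(cands)
    while remaining:
        best = max(remaining, key=residual)
        if residual(best) < MIN_COVERAGE:
            break
        chosen.append(best[0])
        remaining.remove(best)
        covered.update(i for i, f in enumerate(suspicious) if matches(best[0], f))
    return chosen


def generate_signatures(suspicious: List[Flow] = SUSPICIOUS_POOL,
                        normal: List[Flow] = NORMAL_POOL) -> List[Signature]:
    """Stage III: opportunistic step over FP = 0 fields first, then the
    attack-resilience step over FP > 0 fields, both greedy on residual coverage."""
    kept = filter_fields(suspicious, normal)
    fp_zero = [c for c in kept if c[2] == 0.0]
    fp_pos = [c for c in kept if c[2] > 0.0]
    covered: Set[int] = set()
    return greedy_select(fp_zero, suspicious, covered) + greedy_select(fp_pos, suspicious, covered)


def set_coverage(sigs: List[Signature], pool: List[Flow]) -> float:
    """A flow is labeled a worm flow if it matches at least one signature in the set."""
    return sum(any(matches(s, f) for s in sigs) for f in pool) / len(pool)


if __name__ == "__main__":
    sigs = generate_signatures()
    print("signature set:", sigs)
    print("coverage of suspicious pool:", round(set_coverage(sigs, SUSPICIOUS_POOL), 3))
    print("false positives on normal pool:", set_coverage(sigs, NORMAL_POOL))
```

On the constructed pools the generator picks (qname, 127) and then (rdata, 51): each threshold sits just above the longest benign value, so the normal pool produces no false positives, and the second field is kept only because it covers suspicious flows the first one does not. The three noise flows match neither signature, which is the intended behaviour: a greedy step that chased them would have to lower a threshold into the benign length range and pay for it in FP.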
18
Attack Resilience Bounds
[Figure: accuracy axis from high to low: ground truth signature; bound b0; knowing the vulnerable field; bound b1; multiple-field optimal; LESG signature]
  • With different assumptions on b0 and on whether deliberate noise injection (DNI) exists, we get the bound b1
    • DNI: Theorems 2 and 3
    • No DNI: Theorems 4 and 5
  • With 90% noise in the suspicious pool, we can get FN < 10% and FP < 1.8%
  • Resilient to most proposed attacks

19
Outline
  • Motivation and Related Work
  • Design of LESG
  • Problem Statement
  • Three Stage Algorithm
  • Attack Resilience Analysis
  • Evaluation
  • Discussions and Conclusions

20
Methodology
  • Protocol parsing with Bro and BINPAC
  • Worm workload
    • Eight polymorphic worms created based on real-world vulnerabilities
    • DNS, SNMP, FTP, SMTP
  • Normal traffic data
    • 27GB from a university gateway and 123GB email log
  • Experiment Settings

21
Results
  • Single/multiple worms with noise
    • Noise ratio 0-80%
    • False negative 0-1% (mostly 0)
    • False positive 0-0.01% (mostly 0)
  • Speed and memory consumption
    • For DNS, parsing 58 secs, LESG 18 secs for (500, 320K)
  • Pool size requirement
    • 10 or 20 is enough

22
Results: Attack Resilience
  • The worm not only spreads itself but also spreads worst-case fake noise to mislead the signature generation
  • DNS Lion worm, noise ratio 892, suspicious pool size 200

23
Conclusions
  • A novel network-based automated worm signature generation approach
  • Works for zero-day polymorphic worms with unknown vulnerabilities
  • Vulnerability based and network based
  • Length-based signatures for buffer overflow worms
  • Provable attack resilience
  • Fast and accurate in experiments

24
Backup Slides
25
Discussions of Practical Issues
  • Speed of signature matching
    • Major overhead: protocol parsing
    • Software (Bro with Binpac): 50-200 Mbps
    • Optimized Binpac: 600 Mbps
    • Hardware: 3 Gbps
  • Relationship between fields and buffers
    • Mostly direct mapping between fields and buffers
    • Analyzed 19 vulnerabilities, 1 exception

26
LEngth-based Signature Generator (LESG)
[Figure: LESG concept map]
  • Thwart zero-day polymorphic worms
  • Target buffer overflow worms
  • Only use network level info
  • Attack resilient
  • Network-based
  • Noise tolerant
  • Can detect zero-day worms in real-time
  • Vulnerability-based
  • 75% of vulnerabilities based on buffer overflow
  • Efficient signature matching