
worm papers at RAID04

the two abstracts below are from RAID04 and come via kamal, who is one of the hack in the box guys:

The need for a global monitoring system for Internet worm detection is clear. Likewise, the need for local detection and response is also obvious. In this study, we used a large data set to review some of the worm monitoring and detection strategies proposed for large networks, and found them difficult to apply to local networks. In particular, the Kalman filter and victim number-based approaches proved unsuitable for smaller networks. They are of course appropriate for large systems, but what works well for local networks?

We propose two algorithms tailored for local network monitoring needs. First, the Destination Source Correlation (DSC) algorithm focuses on the infection relation, and tracks real infected hosts (and not merely scans) to provide an accurate response. Second, the HoneyStat system provides a way to track the short-term infection behavior used by worms. Potentially, this provides a basis for statistical inference about a worm's behavior on a network.

source: HoneyStat: Local Worm Detection Using Honeypots, David Dagon, Xinzhou Qin, Guofei Gu, Julian Grizzard, John Levine, Wenke Lee, Henry Owen, Georgia Institute of Technology, USA
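the DSC idea from the abstract above, as an added worked example written for this page (a simplified reimplementation from the abstract's description, not the georgia tech authors' code; the flow records, addresses, ports and the fan-out threshold are all constructed):

```python
"""Destination Source Correlation (DSC), simplified from the abstract above.

An infected host is one that first *received* traffic on some port and then
started *sending* to that same port at many new destinations.  Tracking this
infection relation (rather than scanning alone) is what lets DSC point at real
victims and even at who infected them.  Hypothetical reimplementation; all
addresses, ports and thresholds below are constructed for illustration."""

from collections import defaultdict

# Constructed flow records: (timestamp, src, dst, dst_port)
SAMPLE_FLOWS = [
    (0, "10.0.0.9", "10.0.1.5", 135),    # attacker probes the victim on 135/tcp
    (1, "10.0.0.9", "10.0.1.5", 135),    # attacker delivers the exploit
    (3, "10.0.3.7", "10.0.1.5", 80),     # unrelated web client talks to the victim
    (4, "10.0.1.5", "10.0.3.7", 80),     # victim answers one peer: not a scan
    (5, "10.0.1.5", "10.0.2.1", 135),    # victim now hunts for new hosts on 135/tcp
    (5, "10.0.1.5", "10.0.2.2", 135),
    (6, "10.0.1.5", "10.0.2.3", 135),
    (6, "10.0.1.5", "10.0.2.4", 135),
    (7, "10.0.1.5", "10.0.2.5", 135),
    (8, "10.0.4.4", "10.0.2.9", 135),    # scans 135/tcp but was never hit on it first
    (8, "10.0.4.4", "10.0.2.8", 135),
    (9, "10.0.4.4", "10.0.2.7", 135),
    (9, "10.0.4.4", "10.0.2.6", 135),
    (9, "10.0.4.4", "10.0.2.5", 135),
]


def dsc_detect(flows, threshold=5):
    """Return {infected_host: (port, inferred_infector)}.

    threshold: distinct new destinations a host must contact on a port, after
    having been contacted on that port itself, before it is declared infected."""
    first_hit = {}                 # (host, port) -> (ts, src that first hit it)
    fan_out = defaultdict(set)     # (host, port) -> destinations contacted afterwards
    infected = {}
    for ts, src, dst, port in sorted(flows):
        key = (src, port)
        if key in first_hit and ts > first_hit[key][0]:
            fan_out[key].add(dst)
            if len(fan_out[key]) >= threshold and src not in infected:
                infected[src] = (port, first_hit[key][1])
        # record the *first* time each host was a destination on this port
        first_hit.setdefault((dst, port), (ts, src))
    return infected


if __name__ == "__main__":
    for host, (port, infector) in dsc_detect(SAMPLE_FLOWS).items():
        print(f"{host} infected via port {port}, most likely by {infector}")
```

the host at 10.0.4.4 scans just as hard as the victim but is never flagged: it was never a destination on that port first, so there is no infection relation to correlate. that is exactly the "real infected hosts, not merely scans" distinction the abstract draws.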


Worm detection and response systems must act quickly to identify and quarantine scanning worms, as when left unchecked such worms have been able to infect the majority of vulnerable hosts on the Internet in a matter of minutes. We present a hybrid approach to detecting scanning worms that integrates significant improvements we have made to two existing techniques: sequential hypothesis testing and connection rate limiting. Our results show that this two-pronged approach successfully restricts the number of scans that a worm can complete, is highly effective, and has a low false alarm rate.

source: Fast Detection of Scanning Worm Infections, Jaeyeon Jung, Stuart E. Schechter, Arthur W. Berger, MIT, Harvard, USA.
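the two techniques the abstract combines, sequential hypothesis testing and credit-based connection rate limiting, as an added example written for this page (a simplified reimplementation, not the authors' code). the decision bounds are the standard sequential probability ratio test bounds; the failure probabilities, error rates, credit amounts and the connection events are assumed values chosen for illustration:

```python
"""Sequential hypothesis testing + credit-based connection rate limiting,
simplified from the abstract above (hypothetical reimplementation, not the
authors' code).  Each *first contact* a local host makes to a new destination
is one observation: did the destination answer or not?  Failures push a
likelihood ratio toward "scanner", successes toward "benign"; the test stops
as soon as either bound is crossed.  Independently, first contacts spend
credits that only successful ones earn back, so even an undecided host cannot
fire off unlimited probes.  All parameters below are assumed values."""

import math
from collections import defaultdict

THETA0 = 0.2          # P(first contact fails | benign host)      (assumed)
THETA1 = 0.8          # P(first contact fails | scanning host)    (assumed)
ALPHA = 0.01          # acceptable false-positive probability     (assumed)
BETA = 0.01           # acceptable false-negative probability     (assumed)
START_CREDITS = 10    # first contacts a host may have outstanding (assumed)

LOG_ETA1 = math.log((1 - BETA) / ALPHA)            # cross upward   -> "scanner"
LOG_ETA0 = math.log(BETA / (1 - ALPHA))            # cross downward -> "benign"
LOG_FAIL = math.log(THETA1 / THETA0)               # evidence from a failed contact
LOG_SUCC = math.log((1 - THETA1) / (1 - THETA0))   # evidence from a successful one


class HostState:
    def __init__(self):
        self.llr = 0.0             # running log-likelihood ratio
        self.contacted = set()     # destinations already tried (repeats carry no evidence)
        self.credits = START_CREDITS
        self.verdict = "undecided"
        self.completed = 0         # first contacts that were allowed out
        self.blocked = 0           # first contacts dropped (quarantine or no credit)


def process(events):
    """events: (src, dst, success) per outbound connection attempt, in time order;
    success=True if dst answered (SYN/ACK), False on RST or timeout.
    Returns per-host {"verdict", "completed", "blocked", "credits"}."""
    hosts = defaultdict(HostState)
    for src, dst, success in events:
        h = hosts[src]
        if dst in h.contacted:
            continue
        if h.verdict == "scanner" or h.credits == 0:
            h.blocked += 1
            continue
        h.contacted.add(dst)
        h.credits -= 1
        h.completed += 1
        if success:
            h.credits = min(START_CREDITS, h.credits + 2)   # successes earn credit back
            h.llr += LOG_SUCC
        else:
            h.llr += LOG_FAIL
        if h.llr >= LOG_ETA1:
            h.verdict = "scanner"                            # quarantine from here on
        elif h.llr <= LOG_ETA0:
            h.verdict = "benign"
            h.llr = 0.0                                      # accept H0, restart the test
    return {src: {"verdict": h.verdict, "completed": h.completed,
                  "blocked": h.blocked, "credits": h.credits}
            for src, h in hosts.items()}


# Constructed event stream: one worm-like host and one ordinary client
SAMPLE_EVENTS = (
    [("10.0.0.5", "10.1.0.%d" % i, False) for i in range(1, 13)]   # 12 unanswered probes
    + [("10.0.0.7", "10.2.0.%d" % i, True) for i in range(1, 5)]
    + [("10.0.0.7", "10.2.0.99", False)]                            # one genuine failure
    + [("10.0.0.7", "10.2.0.%d" % i, True) for i in range(5, 9)]
    + [("10.0.0.7", "10.2.0.1", True)]                              # repeat contact, ignored
)

if __name__ == "__main__":
    for host, summary in process(SAMPLE_EVENTS).items():
        print(host, summary)
```

with these parameters four unanswered first contacts are enough to cross the upper bound, so the worm completes only four scans before everything else is dropped; the credit limit is the backstop for a host that mixes in enough successes to keep the test undecided.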


i probably won't be at RAID04, but it looks like it could be a good year for presentations. these are just two of the several interesting papers this year. thanks again, kamal.

June 22, 2004 in papers

cellphone worm finally arrives

well, it's finally here ... with everyone focused on IP networks, a bluetooth worm which attacks phones is finally here. here are some links for you:


we've been hypothesizing about this for a while, i expect to see a totally cross-platform worm one of these days ... for now my sony ericsson is safe.

all links via infosec daily, another resource i run.

June 15, 2004 in media

your very own dark IP monitor

the guys at team cymru have posted instructions on building your own darknet sensor using freebsd. it even made slashdot one day. they construct flows using argus but could easily get flows from their router (and collect them with flow-tools, cFlowd, or SiLK tools). you could also do this with linux, openbsd, or your favorite UN*X variant.

the trick isn't in the construction, by the way, it's in the data analysis. and sadly they provide little in terms of how to analyze the data. you're left with an exercise, but there's no reason you couldn't implement some of the techniques for data analysis listed by projects like iSink, the IMS, or others.

i covered a lot of this already in my worms book. basically the whole concept of dark IP, blackhole, or darknet space is a powerful monitor into your network: no legitimate traffic should ever be sent to an unused address, so everything that shows up there is either a misconfiguration or hostile (scans, worm probes, backscatter from spoofed floods). if you run a large network you can shunt off unused portions to a single collection system. if you're a home user (i.e. broadband) you have fewer possibilities, but you still have a few. bear in mind that the larger the address space you monitor, the more data you collect and the harder your analysis becomes. i found that a combination of tools which distills the data in a near real-time fashion is the best approach. otherwise you spend too much time trying to dig back through old data and make sense of it. hence ... my involvement in projects like the IMS. hopefully our papers will be accepted at conferences and you can see the architectural details. plus i get a chance to test some algorithms i developed to detect and classify traffic.
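to make the "analysis is the hard part" point concrete, here is an added example written for this page (not the team cymru instructions, not IMS code) that distils darknet flow records into per-window summaries. the input is a constructed whitespace format (time, src, dst, proto, dport, tcp flags), not real argus or flow-tools output, and the addresses are documentation ranges:

```python
"""Distilling darknet flow records into per-window summaries.

Added example for this post, not Team Cymru's or the IMS project's code.  The
input is a constructed whitespace format (time src dst proto dport tcp-flags),
not real argus or flow-tools output; addresses are documentation ranges."""

from collections import Counter, defaultdict

# Constructed records: everything here was addressed to unused ("dark") space
SAMPLE_FLOWS = """\
1086700000 198.51.100.7   192.0.2.10 tcp 445  S
1086700001 198.51.100.7   192.0.2.11 tcp 445  S
1086700001 198.51.100.7   192.0.2.12 tcp 445  S
1086700002 198.51.100.7   192.0.2.13 tcp 445  S
1086700002 203.0.113.9    192.0.2.20 tcp 80   SA
1086700003 203.0.113.9    192.0.2.21 tcp 80   SA
1086700003 203.0.113.9    192.0.2.22 tcp 80   R
1086700004 198.51.100.42  192.0.2.30 udp 1434 -
1086700004 198.51.100.42  192.0.2.31 udp 1434 -
1086700005 198.51.100.42  192.0.2.32 udp 1434 -
1086700006 198.51.100.88  192.0.2.40 tcp 445  S
1086700070 198.51.100.7   192.0.2.14 tcp 445  S
"""


def parse_flows(text):
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, flags = line.split()
        records.append({"ts": int(ts), "src": src, "dst": dst, "proto": proto,
                        "dport": int(dport), "flags": flags})
    return records


def classify(rec):
    """Nothing should arrive at dark space, so the packet type says why it did."""
    if rec["proto"] == "tcp":
        if rec["flags"] == "S":
            return "tcp-probe"        # someone is looking for a listener
        if "A" in rec["flags"] or "R" in rec["flags"]:
            return "backscatter"      # reply to a SYN someone spoofed from our dark range
        return "tcp-other"
    if rec["proto"] == "udp":
        return "udp-probe"
    return "other"


def summarize(records, window_start, window_len=60, scan_threshold=3):
    """Distil one time window into the few numbers an operator wants to see."""
    in_window = [r for r in records if window_start <= r["ts"] < window_start + window_len]
    by_class = Counter(classify(r) for r in in_window)
    srcs_per_port = defaultdict(set)   # what is being probed, by how many sources
    dsts_per_src = defaultdict(set)    # who is probing, across how many dark addresses
    for r in in_window:
        if classify(r).endswith("probe"):
            srcs_per_port[(r["proto"], r["dport"])].add(r["src"])
            dsts_per_src[r["src"]].add(r["dst"])
    top_ports = sorted(((len(s), p) for p, s in srcs_per_port.items()), reverse=True)
    scanners = sorted(src for src, d in dsts_per_src.items() if len(d) >= scan_threshold)
    return {
        "window": (window_start, window_start + window_len),
        "packets": len(in_window),
        "by_class": dict(by_class),
        "top_ports": [(port, n) for n, port in top_ports[:5]],
        "scanners": scanners,
    }


def window_summaries(records, window_len=60, scan_threshold=3):
    """Yield one summary per window, oldest first: what a near-real-time
    console would print instead of a raw packet list."""
    if not records:
        return
    start = min(r["ts"] for r in records) // window_len * window_len
    end = max(r["ts"] for r in records)
    while start <= end:
        yield summarize(records, start, window_len, scan_threshold)
        start += window_len


if __name__ == "__main__":
    for summary in window_summaries(parse_flows(SAMPLE_FLOWS)):
        print(summary)
```

feed it one window at a time and you get the handful of numbers worth looking at (what's being probed, who's doing it, how much is backscatter from someone else's flood) rather than a packet dump to dig through later.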

June 9, 2004 in tools

usenix security 2004 papers

several papers at this year's USENIX security 2004 event look promising for worm detection and containment.

A honeypot is a closely monitored network decoy serving several purposes: it can distract adversaries from more valuable machines on a network, can provide early warning about new attack and exploitation trends, or allow in-depth examination of adversaries during and after exploitation of a honeypot. Deploying a physical honeypot is often time intensive and expensive as different operating systems require specialized hardware and every honeypot requires its own physical system. This paper presents Honeyd, a framework for virtual honeypots that simulates virtual computer systems at the network level. The simulated computer systems appear to run on unallocated network addresses. To deceive network fingerprinting tools, Honeyd simulates the networking stack of different operating systems and can provide arbitrary routing topologies and services for an arbitrary number of virtual systems. This paper discusses Honeyd's design and shows how the Honeyd framework helps in many areas of system security, e.g. detecting and disabling worms, distracting adversaries, or preventing the spread of spam email.
source: A Virtual Honeypot Framework, Niels Provos, from the original CITI tech report which has been updated for USENIX Sec 04.


Computer worms -- malicious, self-propagating programs -- represent a significant threat to large networks. One possible defense, containment, seeks to limit a worm's spread by isolating it in a small subsection of the network. In this work we develop containment algorithms suitable for deployment in high-speed, low-cost network hardware. We show that these techniques can stop a scanning host after fewer than 10 scans with a very low false-positive rate. We also augment this approach by devising mechanisms for cooperation that enable multiple containment devices to more effectively detect and respond to an emerging infection. Finally, we discuss ways that a worm can attempt to bypass containment techniques in general, and ours in particular.

source: Very Fast Containment of Scanning Worms, Nicholas Weaver, Stuart Staniford, and Vern Paxson.
Every month, critical vulnerabilities are reported on a wide variety of operating systems and applications. Computer virus attacks are quickly becoming the number one security problem which ranges between large scale social engineering attacks and exploiting critical vulnerabilities. Sophisticated attacks use polymorphism and even metamorphism mixed with cryptographically strong algorithms and self-updating which makes analysis and defense increasingly difficult.

This presentation will discuss the state of the art in computer viruses and computer virus defense. I will present some promising host-based prevention techniques that can stop entire classes of fast-spreading worms such as W32/Sobig@mm and W32/Mydoom@mm as well as worms using buffer overflow attacks, such as Win32/CodeRed, Linux/Slapper, Win32/Slammer and Win32/Blaster. In-depth worm and exploit analysis are also discussed.

It is becoming increasingly important to find ways to bridge the gap between computer virus research and general security research. The primary goal of this presentation is to encourage the fight against computer viruses within the security community.


source: Fighting Computer Virus Attacks, Peter Szor, Chief Researcher, Symantec Corporation (an invited talk).


Viruses and other malicious programs are an ever-increasing threat to current computer systems. They can cause serious damage and consume countless hours of system administrators' time to combat. Most current virus scanners perform scanning only when a file is opened, closed, or executed. Such scanners are inefficient because they scan more data than is needed. Worse, scanning on close may detect a virus after it had already been written to stable storage, opening a window for the virus to spread before detection.

We developed Avfs, a true on-access anti-virus file system that incrementally scans files and prevents infected data from being committed to disk. Avfs is a stackable file system and therefore can add virus detection to any other file system: Ext3, NFS, etc. Avfs supports forensic modes that can prevent a virus from reaching the disk or automatically create versions of potentially infected files to allow safe recovery. Avfs can also quarantine infected files on disk and isolate them from user processes. Avfs is based on the open-source ClamAV scan engine, which we significantly enhanced for efficiency and scalability. Whereas ClamAV's performance degrades linearly with the number of signatures, our modified ClamAV scales logarithmically. Our Linux prototype demonstrates an overhead of less than 15% for normal user-like workloads.


source: Avfs: An On-Access Anti-Virus File System, Yevgeniy Miretskiy, Abhijith Das, Charles P. Wright, and Erez Zadok.


i expect to be there, i hope you will, too. this is where you get to see some of the more promising advancements in the industry take shape. if past leading indicators are any hint, expect to see this stuff become market-wide in the coming years.

June 9, 2004 in papers

distributed worm detection and characterization

a couple of papers crossed my desk recently that i think are impressive and worth looking at. these show part of the state of the art in worm detection. simple honeypots won't cut it any longer, you really need to dig through lots of data. a project i'm involved in (the IMS project) is seeking to do this as well, although our approach is somewhat different. hopefully we complement and don't compete too much with these other projects.

Monitoring any portion of the Internet address space reveals incessant activity. This holds even when monitoring traffic sent to unused addresses, which we term "background radiation." Background radiation reflects fundamentally nonproductive traffic, either malicious (flooding backscatter, scans for vulnerabilities, worms) or benign (misconfigurations). While the general presence of background radiation is well known to the network operator community, its nature has yet to be broadly characterized. We develop such a characterization based on data collected from four unused networks in the Internet. Two key elements of our methodology are (i) the use of filtering to reduce load on the measurement system, and (ii) the use of active responders to elicit further activity from scanners in order to differentiate different types of background radiation. We break down the components of background radiation by protocol, application, and often specific exploit; analyze temporal patterns and correlated activity; and assess variations across different networks and over time. While we find a menagerie of activity, probes from worms and autorooters heavily dominate. We conclude with considerations of how to incorporate our characterizations into monitoring and detection activities.

source: Characteristics of Internet Background Radiation, Ruoming Pang, Vinod Yegneswaran, Paul Barford, Vern Paxson, Larry Peterson.


Today's Internet intrusion detection systems (IDSes) monitor edge networks' DMZs to identify and/or filter malicious flows. While an IDS helps protect the hosts on its local edge network from compromise and denial of service, it cannot alone effectively intervene to halt and reverse the spreading of novel Internet worms. Generation of the worm signatures required by an IDS--the byte patterns sought in monitored traffic to identify worms--today entails non-trivial human labor, and thus significant delay: as network operators detect anomalous behavior, they communicate with one another and manually study packet traces to produce a worm signature. Yet intervention must occur early in an epidemic to halt a worm's spread. In this paper, we describe Autograph, a system that automatically generates signatures for novel Internet worms that propagate using TCP transport. Autograph generates signatures by analyzing the prevalence of portions of flow payloads, and thus uses no knowledge of protocol semantics above the TCP level. It is designed to produce signatures that exhibit high sensitivity (high true positives) and high specificity (low false positives); our evaluation of the system on real DMZ traces validates that it achieves these goals. We extend Autograph to share port scan reports among distributed monitor instances, and using trace-driven simulation, demonstrate the value of this technique in speeding the generation of signatures for novel worms. Our results elucidate the fundamental trade-off between early generation of signatures for novel worms and the specificity of these generated signatures.

source: Autograph: Toward Automated, Distributed Worm Signature Detection, Hyang-Ah Kim and Brad Karp.
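the prevalence idea in the Autograph abstract, as an added example written for this page (a deliberately simplified reimplementation, not the authors' code). a toy rolling checksum stands in for Autograph's Rabin-fingerprint content-based partitioning, the breakpoint rule, block sizes and prevalence threshold are assumptions, and the HTTP-like payloads are constructed (the "worm body" is made up, not a real exploit):

```python
"""Prevalence-based worm signature generation, simplified from the Autograph
abstract above (hypothetical reimplementation, not the authors' code).

Payloads from flows already judged suspicious (e.g. from port scanners) are cut
into content-defined blocks; a block boundary depends only on the bytes around
it, so a substring common to many flows yields the same blocks no matter what
variable data surrounds it.  The block shared by the most flows becomes a
signature, provided it never appears in benign traffic.  The toy rolling
checksum stands in for Autograph's Rabin fingerprints; all sizes, thresholds
and payloads below are constructed."""

from collections import Counter

WINDOW = 4        # bytes covered by the rolling checksum
MODULUS = 8       # boundary where the checksum is 0 mod MODULUS
MIN_BLOCK = 8     # shorter blocks are too unspecific to become signatures


def partition(payload):
    """Content-based partitioning: end a block wherever the checksum of the
    last WINDOW bytes hits the breakpoint value."""
    blocks, start, rolling = [], 0, 0
    for i, byte in enumerate(payload):
        rolling += byte
        if i >= WINDOW:
            rolling -= payload[i - WINDOW]
        if i + 1 >= WINDOW and rolling % MODULUS == 0:
            blocks.append(payload[start:i + 1])
            start = i + 1
    if start < len(payload):
        blocks.append(payload[start:])
    return blocks


def generate_signatures(suspicious, benign, min_prevalence=3):
    """Greedy Autograph-style selection: take the block shared by the most
    suspicious flows (longest on ties), drop the flows it covers, repeat until
    nothing left is prevalent enough.  Blocks seen in benign traffic are never
    chosen, which is what keeps false positives down."""
    remaining = [{b for b in partition(p) if len(b) >= MIN_BLOCK} for p in suspicious]
    signatures = []
    while remaining:
        prevalence = Counter(b for blocks in remaining for b in blocks)
        candidates = [(n, len(b), b) for b, n in prevalence.items()
                      if n >= min_prevalence and not any(b in p for p in benign)]
        if not candidates:
            break
        _, _, best = max(candidates)
        signatures.append(best)
        remaining = [blocks for blocks in remaining if best not in blocks]
    return signatures


# --- constructed traffic ----------------------------------------------------
# A made-up worm body: three fixed runs separated by "...." (which is where the
# toy checksum places boundaries), embedded in requests whose request line and
# Host header differ from flow to flow.
BODY1 = b"A" * 32
BODY2 = b"a" * 20 + b"9999iiiiQQQQ"
BODY3 = b"y" * 20 + b"1111"
INVARIANT = BODY1 + b"...." + BODY2 + b"...." + BODY3

_REQUEST_LINES = [b"GET / HTTP/1.0", b"GET /index.html HTTP/1.0", b"POST /cgi-bin/a HTTP/1.1",
                  b"GET /x HTTP/1.0", b"HEAD /default.htm HTTP/1.0", b"GET /a/b/c HTTP/1.0"]
WORM_FLOWS = [line + b"\r\n" + INVARIANT + b"\r\nHost: victim%d\r\n\r\n" % i
              for i, line in enumerate(_REQUEST_LINES)]
NOISE_FLOWS = [b"SSH-1.99-OpenSSH_3.4p1\r\n",              # also from a scanner, unrelated
               b"USER anonymous\r\nPASS guest@example\r\n"]
SUSPICIOUS_FLOWS = WORM_FLOWS + NOISE_FLOWS
BENIGN_FLOWS = [b"GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
                b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n"]

if __name__ == "__main__":
    for sig in generate_signatures(SUSPICIOUS_FLOWS, BENIGN_FLOWS):
        hits = sum(sig in f for f in SUSPICIOUS_FLOWS)
        print("signature %r matches %d/%d suspicious flows" % (sig, hits, len(SUSPICIOUS_FLOWS)))
```

the block chosen is the middle run of the made-up body: the request line and Host header vary across flows, so the blocks containing them never line up, while the shared run yields the same block at whatever offset it lands. lowering the prevalence threshold gets you a signature sooner in an epidemic but from fewer flows, which is the early-generation versus specificity trade-off the abstract ends on.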


in a nutshell this is getting to be a crowded space with lots of promise.

June 2, 2004 in papers