
Trip Report: Worm05

Friday I went to the 3rd Workshop on Rapid Malcode (WORM) and heard some of the latest in worm-related research. I'll be focusing on some of the papers in the coming days and weeks, but two of the invited talks were quite interesting.

The first one of note was the invited talk Scalable Internet Threat Monitoring by Stefan Savage (UCSD). He talked about two of the major research projects he's been involved in, the Potemkin honeyfarm and Autograph. Both are large-scale worm detection and characterization techniques. The honeyfarm project represents a major step forward in detecting worms using honeypots: its methods allow massive stacking of guest systems on a single host, well beyond the limits possible in previous projects like iSink. Autograph, in turn, had been commercialized by NetSift (since acquired by Cisco), and again offered scalability and fidelity beyond the levels most other groups had been able to achieve. Think "Honeycomb" on steroids.

The other invited talk of note was An Analysis of the Witty Outbreak: Exploiting Underlying Structure for Detailed Reconstructions of an Internet-scale Event by Vern Paxson (ICSI). Paxson and his colleagues took a large amount of data they had gathered on the Witty worm and, knowing how the worm generated its random target addresses and how its random function worked, were able to reconstruct a number of things: the number of infected hosts, how often each wrote random damage to disk, their uptime, and the initial site that was infected. All in all, a very impressive piece of work.

November 17, 2005 in slides

Comments

There is a tech report version of the Witty analysis: http://www.cc.gatech.edu/~akumar/witty.html

Posted by: Nicholas Weaver | Nov 18, 2005 11:18:38 AM

Minor note: the system I described was Earlybird, not Autograph. The two systems are quite similar although in truth they work for fairly different reasons.

Posted by: Stefan Savage | Nov 19, 2005 11:23:06 AM

The big difference:

EarlyBird is a detector/signature generator combination (common string as both detection of epidemic behavior and the resulting signature).

Autograph and Polygraph on the other hand are JUST signature generators: they both depend on some other "oracle" giving a flow pool of suspicious strings, and they extract either a common-string or a sequence-of-common-strings signature.

Posted by: Nicholas Weaver | Nov 21, 2005 11:15:04 AM

To put this another way, Earlybird's detection power comes from its "address dispersion" measure, while the content similarity is -- in some sense -- really more valuable as a state prefilter (i.e. the system would probably work fine without it if you had infinite memory). By contrast, the Autograph detector used in the paper is a TCP-oriented scan detector.

Posted by: Stefan Savage | Nov 21, 2005 5:56:27 PM
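As an added example (not code from this post, nor from the Earlybird or Autograph projects): a toy version of the content sifting the two comments above describe, where content prevalence alone also flags a popular HTTP request, and it is the address-dispersion measure that singles out the worm payload. The flows, thresholds and function names are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample flows (src, dst, payload); not real traffic.
WORM = b"\x90\x90\x90EXPLOIT-BLOB-1234\x90\x90"
FLOWS = [
    ("10.0.0.1", "10.0.1.5", b"GET /index.html HTTP/1.1\r\n"),  # popular server:
    ("10.0.0.2", "10.0.1.5", b"GET /index.html HTTP/1.1\r\n"),  # many sources,
    ("10.0.0.3", "10.0.1.5", b"GET /index.html HTTP/1.1\r\n"),  # one destination
    ("10.0.0.4", "10.0.1.5", b"GET /index.html HTTP/1.1\r\n"),
    ("10.0.0.7", "10.0.2.1", b"HELO " + WORM),                   # worm: many sources
    ("10.0.0.8", "10.0.2.2", b"ABC" + WORM + b"zz"),             # AND many destinations
    ("10.0.0.9", "10.0.2.3", WORM),
    ("10.0.0.7", "10.0.2.4", WORM + b"q"),
]

def sift(flows, k=8, prevalence=3, min_src=3, min_dst=3):
    """Earlybird-style sifting: count each k-byte substring once per flow and
    track the distinct sources and destinations it travelled between.
    Returns (prevalent chunks, prevalent AND address-dispersed chunks)."""
    count = Counter()
    srcs, dsts = defaultdict(set), defaultdict(set)
    for src, dst, payload in flows:
        for chunk in {payload[i:i + k] for i in range(len(payload) - k + 1)}:
            count[chunk] += 1
            srcs[chunk].add(src)
            dsts[chunk].add(dst)
    prevalent = {c for c in count if count[c] >= prevalence}
    dispersed = {c for c in prevalent
                 if len(srcs[c]) >= min_src and len(dsts[c]) >= min_dst}
    return prevalent, dispersed

def signature(flows, flagged, k=8):
    """Merge runs of overlapping flagged chunks inside each flow and return the
    longest run as the candidate common-string signature."""
    best = b""
    for _, _, payload in flows:
        start = None
        for i in range(len(payload) - k + 2):  # one extra step closes a trailing run
            hit = i <= len(payload) - k and payload[i:i + k] in flagged
            if hit and start is None:
                start = i
            elif not hit and start is not None:
                best = max(best, payload[start:i - 1 + k], key=len)
                start = None
    return best

if __name__ == "__main__":
    prevalent, dispersed = sift(FLOWS)
    print(len(prevalent), "prevalent chunks,", len(dispersed), "dispersed")
    print(signature(FLOWS, dispersed))
```

With the sample flows, every 8-byte chunk of the HTTP request is prevalent but reaches a single destination, so only the worm bytes survive the dispersion test and are merged back into the full payload as the signature.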
