Software Decoys: Intrusion Detection and Countermeasures

Following VB, I got to thinking about some of my previous positions on AV and about just how hard a problem it is at times. This paper fits into that thinking: it is basically about discriminating malicious activity from normal activity, a closely related problem.
We introduce the notion of an intelligent software decoy, and provide both an architecture and event-based language for automatic implementation of them. Our decoys detect and respond to patterns of suspicious behavior, and maintain a repository of rules for behavior patterns and decoying actions. As an example, we construct a model of system behavior from an initial list of event types and their attributes in the interaction between computer worms and an operating system. The model represents patterns of suspicious or malicious events that the software decoy should detect, and specific actions to be taken in response. Our approach explicitly treats both standard and nonstandard invocations of components, with the latter representing an attempt to circumvent the public interface of the component.
Source: Software Decoys: Intrusion Detection and Countermeasures, James Bret Michael, Senior Member, IEEE, Mikhail Auguston, Neil C. Rowe, and Richard D. Riehle.

October 26, 2006 in detection, papers

Global Intrusion Detection in the DOMINO Overlay System

To continue a theme from Monday about using a distributed sensor network, this is one of the premier papers in this arena. DOMINO and its applicability to the worm problem are well covered in this paper, in which the authors describe how they efficiently detected major worm outbreaks.
Sharing data between widely distributed intrusion detection systems offers the possibility of significant improvements in speed and accuracy over isolated systems. In this paper, we describe and evaluate DOMINO (Distributed Overlay for Monitoring InterNet Outbreaks); an architecture for a distributed intrusion detection system that fosters collaboration among heterogeneous nodes organized as an overlay network. The overlay design enables DOMINO to be heterogeneous, scalable, and robust to attacks and failures. An important component of DOMINO's design is the use of active-sink nodes which respond to and measure connections to unused IP addresses. This enables efficient detection of attacks from spoofed IP sources, reduces false positives, enables attack classification and production of timely blacklists.

We evaluate the capabilities and performance of DOMINO using a large set of intrusion logs collected from over 1600 providers across the Internet. Our analysis demonstrates the significant marginal benefit obtained from distributed intrusion data sources coordinated through a system like DOMINO. We also evaluate how to configure DOMINO in order to maximize performance gains from the perspectives of blacklist length, blacklist freshness and IP proximity. We perform a retrospective analysis on the 2002 SQL-Snake and 2003 SQL-Slammer epidemics that highlights how information exchange through DOMINO would have reduced the reaction time and false-alarm rates during outbreaks. Finally, we provide preliminary results from our prototype active-sink deployment that illustrates the limited variability in the sink traffic and the feasibility of efficient classification and discrimination of attack types.

Source: Global Intrusion Detection in the DOMINO Overlay System, Vinod Yegneswaran, Paul Barford, Somesh Jha.
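To make the abstract's three configuration knobs concrete (blacklist length, blacklist freshness, and corroboration by independent reporters), here is an added example, not DOMINO's code or its actual protocol, that builds a shared blacklist from constructed sink reports of several providers and measures the "marginal benefit" a single provider gets from sharing. Provider names, addresses, timestamps and thresholds are all constructed assumptions.

```python
"""Building a shared blacklist from distributed sink reports.

Added example, not DOMINO's code or its actual protocol. It applies the three
knobs the paper evaluates (blacklist length, freshness, number of independent
reporters) to constructed reports from several providers' sink nodes, and
computes the "marginal benefit" of sharing: entries a provider gains that its
own sensors never saw. Provider names, addresses and times are constructed.
"""

# Constructed reports: (provider, source_ip, time_seen), one per source that
# connected to that provider's unused address space (its active sink).
NOW = 1000
REPORTS = [
    ("isp-a", "198.51.100.7", 990), ("isp-b", "198.51.100.7", 995),
    ("isp-c", "198.51.100.7", 998),
    ("isp-a", "203.0.113.4", 980), ("isp-b", "203.0.113.4", 985),
    ("isp-b", "203.0.113.9", 999),                                # one reporter only
    ("isp-a", "192.0.2.33", 100), ("isp-c", "192.0.2.33", 120),   # stale reports
    ("isp-d", "198.51.100.50", 997), ("isp-e", "198.51.100.50", 997),
]


def aggregate(reports):
    """Collapse reports into {source_ip: (set of reporting providers, last_seen)}."""
    seen = {}
    for provider, src, t in reports:
        providers, last = seen.get(src, (set(), 0))
        providers.add(provider)
        seen[src] = (providers, max(last, t))
    return seen


def build_blacklist(reports, now, window=300, min_providers=2, max_len=10):
    """Return the blacklist as an ordered list of source IPs.

    freshness:     drop sources not reported within `window` seconds of `now`;
    corroboration: require `min_providers` independent reporters, so one
                   mistaken (or spoofed) report is never enough on its own;
    length:        keep only the `max_len` best-supported, most recent entries.
    """
    candidates = []
    for src, (providers, last_seen) in aggregate(reports).items():
        if last_seen < now - window or len(providers) < min_providers:
            continue
        # Sort key: more reporters first, then more recent sightings first.
        candidates.append((-len(providers), -last_seen, src))
    candidates.sort()
    return [src for _, _, src in candidates[:max_len]]


def marginal_benefit(reports, provider, blacklist, now, window=300):
    """Blacklist entries `provider` would not have from its own fresh evidence."""
    own = {src for p, src, t in reports if p == provider and t >= now - window}
    return sorted(set(blacklist) - own)


if __name__ == "__main__":
    bl = build_blacklist(REPORTS, NOW)
    print("blacklist:", bl)   # ['198.51.100.7', '198.51.100.50', '203.0.113.4']
    print("new for isp-c:", marginal_benefit(REPORTS, "isp-c", bl, NOW))
    # ['198.51.100.50', '203.0.113.4']
```

The stale 192.0.2.33 entry and the singly-reported 203.0.113.9 never make the list; shortening `max_len` trims the least-corroborated, oldest entries first, which is the trade-off between blacklist length and freshness the paper measures.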

October 25, 2006 in detection, papers

Robust Reactions to Potential Day-Zero Worms through Cooperation and Validation

While I'm back from VB, I've also been very busy with work, so posts here slipped a bit.

The COVERAGE algorithm outlined here seems like a decent first step at solving a very knotty problem. This is worth reading if you've given thought to a cooperative IDS system, or even if you just want to look at a specific subset of data correlation across multiple devices.

Cooperative defensive systems communicate and cooperate in their response to worm attacks, but determine the presence of a worm attack solely on local information. Distributed worm detection and immunization systems track suspicious behavior at multiple cooperating nodes to determine whether a worm attack is in progress. Earlier work has shown that cooperative systems can respond quickly to day-zero worms, while distributed defensive systems allow detectors to be more conservative (i.e. paranoid) about potential attacks because they manage false alarms efficiently.

In this paper we begin a preliminary investigation into the complex tradeoffs in such systems between communication costs, computation overhead, accuracy of the local tests, estimation of viral virulence, and the fraction of the network infected before the attack crests. We evaluate the effectiveness of different system configurations in various simulations. Our experiments show that distributed algorithms are better able to balance effectiveness against viruses with reduced cost in computation and communication when faced with false alarms. Furthermore, cooperative, distributed systems seem more robust against malicious participants in the immunization system than earlier cooperative but non-distributed approaches.

Source: Robust Reactions to Potential Day-Zero Worms through Cooperation and Validation, K. Anagnostakis, S. Ioannidis, A. D. Keromytis, and M. B. Greenwald.

October 23, 2006 in detection, papers

Worms: Taxonomy and Detection

More slides ... fitting, given that I'm at VBCon.

I like this slide deck, Worms: Taxonomy and Detection by Mark Shaneck (PPT, 2004), because it's a clean, well organized summary of the problem space. It also introduces you to the Kalman Filter and Hidden Markov Models in detecting worms, not something you see very often.


Happy Friday the 13th, by the way.

October 13, 2006 in detection, slides

On the Design and Use of Internet Sinks for Network Abuse Monitoring

Work's been busy again, so I didn't have much of a chance to stack up posts last week. This week I head to Virus Bulletin in Montreal (ping me if you're there), so I'll stack up some posts and keep it on auto-pilot.

The iSink architecture paper is a worthwhile read for studying large-scale collection and analysis methods, which are usually used to detect new worms.

Monitoring unused or dark IP addresses offers opportunities to significantly improve and expand knowledge of abuse activity without many of the problems associated with typical network intrusion detection and firewall systems. In this paper, we address the problem of designing and deploying a system for monitoring large unused address spaces such as class A telescopes with 16M IP addresses. We describe the architecture and implementation of the Internet Sink (iSink) system which measures packet traffic on unused IP addresses in an efficient, extensible and scalable fashion. In contrast to traditional intrusion detection systems or firewalls, iSink includes an active component that generates response packets to incoming traffic. This gives the iSink an important advantage in discriminating between different types of attacks (through examination of the response payloads). The key feature of iSink’s design that distinguishes it from other unused address space monitors is that its active response component is stateless and thus highly scalable. We report performance results of our iSink implementation in both controlled laboratory experiments and from a case study of a live deployment. Our results demonstrate the efficiency and scalability of our implementation as well as the important perspective on abuse activity that is afforded by its use.
Source: On the Design and Use of Internet Sinks for Network Abuse Monitoring, Vinod Yegneswaran, Paul Barford, and Dave Plonka.

October 9, 2006 in detection, papers

Early Detection Of Active Internet Worms

This is a paper from a few years ago that looks at the detection of a worm through failed reply traffic.

An active Internet worm is malicious software that autonomously searches for and infects vulnerable hosts, copying itself from one host to another and spreading through the susceptible population. Most recent worms find vulnerable hosts by generating random IP addresses and then probing those addresses to see which are running the desired vulnerable services. Detection of such worms is a manual process in which security analysts must observe and analyze unusual network or host activity, and the worm might not be positively identified until it already has spread to most of the Internet. In this chapter, we present an automated system that can identify active scanning worms soon after they begin to spread, a necessary precursor to halting or slowing the spread of the worm. Our implemented system collects ICMP Destination Unreachable messages from instrumented routers, identifies message patterns that indicate malicious scanning activity, and then identifies scan patterns that indicate a propagating worm. We examine an epidemic model for worm propagation, describe our ICMP-based detection system, and present simulation results that illustrate its detection capabilities.

Source: Early Detection Of Active Internet Worms, Vincent H. Berk, George V. Cybenko and Robert S. Gray. You may remember that Berk has done a lot of work on using ICMP unreachable messages to detect worm activity.

Work's been very busy, so I haven't had a lot of time to post.

October 3, 2006 in detection, papers

Experiences Using Minos as A Tool for Capturing and Analyzing Novel Worms for Unknown Vulnerabilities

Time got away from me the past few days; better late than never. This is an interesting paper that mixes host-level behaviors with detecting new worm activity.

We present a honeypot technique based on an emulated environment of the Minos architecture and describe our experiences and observations capturing and analyzing attacks. The main advantage of a Minos-enabled honeypot is that exploits based on corrupting control data can be stopped at the critical point where control flow is hijacked from the legitimate program, facilitating a detailed analysis of the exploit. Although Minos hardware has not yet been implemented, we are able to deploy Minos systems with the Bochs full system Pentium emulator. We discuss complexities of the exploits Minos has caught that are not accounted for in the simple model of "buffer overflow exploits" prevalent in the literature. We then propose the Epsilon-Gamma-Pi model to describe control data attacks in a way that is useful towards understanding polymorphic techniques. This model can not only aim at the centers of the concepts of exploit vector (ε), bogus control data (γ), and payload (π); but also give them shape. This paper will quantify the polymorphism available to an attacker for γ and π, while so characterizing ε is left for future work.

Source: Experiences Using Minos as A Tool for Capturing and Analyzing Novel Worms for Unknown Vulnerabilities, Jedidiah R. Crandall, S. Felix Wu, and Frederic T. Chong.

September 26, 2006 in detection, papers

A Fast Worm Scan Detection Tool for VPN Congestion Avoidance

Speaking of DIMVA, here's a set of slides from last year's conference that describe a scanning worm detection system. While none of the foundations are new (detect scanning by looking for failed connection requests and unanswered packets), this is a real-world demonstration of its efficacy. Not surprisingly, P2P apps tend to give false positives. From a slide deck, A Fast Worm Scan Detection Tool for VPN Congestion Avoidance, by Arno Wagner, Thomas Dubendorfer, Roman Hiestand, Christoph Goldi, and Bernhard Plattner, from DIMVA 2006.
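The two failure-based approaches above, Berk et al.'s ICMP Destination Unreachable collection and this deck's failed-connection counting, share one underlying signal: a host that keeps probing destinations that never answer. The following added example, which is not code from either paper, folds both signals into one "failed" outcome, flags sources whose failures pile up across many distinct hosts on one port, and then escalates to a worm alert only when several such sources converge on the same port. The port-concentration check is one assumed way of separating the P2P clients the deck mentions as false positives; all records, field names and thresholds are constructed.

```python
"""Scan and worm detection from failed-connection signals.

Added example, not code from either paper. An ICMP Destination Unreachable
relayed by an instrumented router ("unreach") and a SYN that never gets a
reply ("timeout") are both treated as a failed probe. All records and
thresholds are constructed for illustration.
"""
from collections import defaultdict

FAILED = {"unreach", "timeout"}   # outcome values treated as a failed probe


def make_events():
    """Constructed connection-attempt records: (src, dst, dport, outcome)."""
    events = []
    # Two worm-like hosts sweeping distinct destinations on one port (445);
    # almost every probe fails, since random addresses rarely run the service.
    for i in range(12):
        outcome = "ok" if i == 3 else ("unreach" if i % 2 else "timeout")
        events.append(("10.0.0.5", f"198.51.100.{i}", 445, outcome))
    for i in range(12):
        outcome = "ok" if i == 7 else "unreach"
        events.append(("10.0.0.9", f"203.0.113.{i}", 445, outcome))
    # A P2P-style client: plenty of failures, but spread over many ports and
    # with a better success ratio. This is the false-positive case the deck
    # mentions; the port-concentration test below is one way to separate it.
    for i in range(12):
        outcome = "timeout" if i % 3 else "ok"
        events.append(("10.0.0.20", f"192.0.2.{i}", 6000 + i, outcome))
    # An ordinary client talking to a single web server.
    for _ in range(4):
        events.append(("10.0.0.30", "192.0.2.250", 80, "ok"))
    return events


def per_source_stats(events):
    """Attempts, distinct failed destinations and failed-port histogram per source."""
    stats = {}
    for src, dst, dport, outcome in events:
        s = stats.setdefault(src, {"attempts": 0, "failed_dsts": set(),
                                   "fail_ports": defaultdict(int)})
        s["attempts"] += 1
        if outcome in FAILED:
            s["failed_dsts"].add(dst)
            s["fail_ports"][dport] += 1
    return stats


def classify_scanners(events, min_failed_dsts=8, min_fail_ratio=0.7,
                      min_port_share=0.8):
    """Return {src: dominant_failed_port} for sources that look like scanners.

    A source is flagged when it has failed against many distinct hosts, most
    of its attempts fail, and the failures concentrate on one destination port.
    """
    scanners = {}
    for src, s in per_source_stats(events).items():
        failures = sum(s["fail_ports"].values())
        if failures == 0:
            continue
        fail_ratio = failures / s["attempts"]
        top_port, top_count = max(s["fail_ports"].items(), key=lambda kv: kv[1])
        if (len(s["failed_dsts"]) >= min_failed_dsts
                and fail_ratio >= min_fail_ratio
                and top_count / failures >= min_port_share):
            scanners[src] = top_port
    return scanners


def worm_alert(scanners, min_scanners=2):
    """Escalate from 'some scanners' to 'a propagating worm'.

    Isolated scanners on unrelated ports are background noise; several
    sources scanning the same port at once is the pattern a spreading worm
    leaves behind.
    """
    by_port = defaultdict(set)
    for src, port in scanners.items():
        by_port[port].add(src)
    return {port: sorted(srcs) for port, srcs in by_port.items()
            if len(srcs) >= min_scanners}


if __name__ == "__main__":
    found = classify_scanners(make_events())
    print("scanners:", found)                 # {'10.0.0.5': 445, '10.0.0.9': 445}
    print("worm alert:", worm_alert(found))   # {445: ['10.0.0.5', '10.0.0.9']}
```

The P2P host has eight failed probes out of twelve, enough to trip a naive failure counter, but its failures are spread across twelve ports and its failure ratio sits just under the threshold, so it is not flagged; the two hosts sweeping port 445 are, and their agreement on a port is what turns two scanner flags into a worm alert.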

September 23, 2006 in detection, tools

Collaborative Online Passive Monitoring for Internet Quarantine

Similar to yesterday's paper on collaborative host-based worm detection, here's more hosts communicating to determine if a worm is on the loose. The idea is simple: if more than one or two trustworthy hosts begin acting odd, compare notes between hosts and see if they're similar. If they start to match a wormy pattern, voilà, a worm is loose. You can read about this in Collaborative Online Passive Monitoring for Internet Quarantine, from a slide deck by Weidong Cui from 2004.

September 18, 2006 in detection, slides

A Distributed Host-based Worm Detection System

Not a new idea, but this paper does a pretty good job of explaining the algorithms in use.

We present a method for detecting large-scale worm attacks using only end-host detectors. These detectors propagate and aggregate alerts to cooperating partners to detect large-scale distributed attacks in progress. The properties of the host-based detectors may in fact be relatively poor in isolation but when taken collectively result in a high-quality distributed worm detector. We implement a cooperative alert sharing protocol coupled with distributed sequential hypothesis testing to generate global alarms about distributed attacks. We evaluate the system's response in the presence of a variety of false alarm conditions and in the presence of an Internet worm attack. Our evaluation is conducted with agents on the Emulab and DETER emulated testbeds using real operating systems and computing platforms.

Source: A Distributed Host-based Worm Detection System, Senthilkumar G. Cheetancheri, John Mark Agosta, Denver H. Dash, Karl N. Levitt, Jeff Rowe, Eve M. Schooler.
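The abstract's central idea, weak local detectors that become a strong detector when their evidence is pooled through sequential hypothesis testing, is easiest to see in a small simulation. The following is an added example and not the paper's protocol or code: each host runs a Wald sequential probability ratio test (SPRT) over its own connection outcomes, the hosts share their running log-likelihood ratios, and a stricter global SPRT over the sum decides. The per-outcome probabilities, error rates and the three scenarios (including a local false alarm at one host) are constructed assumptions.

```python
"""Distributed sequential hypothesis testing for worm alarms.

Added example, not the paper's own protocol or code. Each host runs a local
SPRT over its connection outcomes; the hosts share their log-likelihood
ratios (LLRs) and a global SPRT over the sum raises the global alarm. The
probabilities, thresholds and scenarios below are constructed assumptions.
"""
import math

# Assumed likelihood of a failed outbound connection under each hypothesis:
# H0 = benign activity, H1 = worm scanning in progress.
P_FAIL_BENIGN = 0.2
P_FAIL_WORM = 0.8


def sprt_bounds(alpha, beta):
    """Wald's thresholds: alpha = tolerated false-alarm rate, beta = miss rate."""
    upper = math.log((1 - beta) / alpha)   # cross upward -> accept H1 (worm)
    lower = math.log(beta / (1 - alpha))   # cross downward -> accept H0
    return lower, upper


def llr_step(failed):
    """LLR contribution of one observed connection outcome."""
    if failed:
        return math.log(P_FAIL_WORM / P_FAIL_BENIGN)
    return math.log((1 - P_FAIL_WORM) / (1 - P_FAIL_BENIGN))


class LocalDetector:
    """One end host: deliberately weak on its own, as in the paper's premise."""

    def __init__(self, host, alpha=0.01, beta=0.01):
        self.host = host
        self.llr = 0.0
        self.lower, self.upper = sprt_bounds(alpha, beta)
        self.verdict = None          # None while the local test is undecided

    def observe(self, failed):
        if self.verdict is None:
            self.llr += llr_step(failed)
            if self.llr >= self.upper:
                self.verdict = "worm"
            elif self.llr <= self.lower:
                self.verdict = "benign"
        return self.verdict


def global_decision(detectors, alpha=0.001, beta=0.01):
    """Aggregate the shared local LLRs into one global SPRT.

    Hosts observe different connections, so under an independence assumption
    the LLR of the pooled evidence is the sum of the local LLRs. A stricter
    global test over that sum can decide while every local test is still
    undecided, and one noisy host cannot push the sum over the bound alone.
    """
    lower, upper = sprt_bounds(alpha, beta)
    total = sum(d.llr for d in detectors)
    if total >= upper:
        return "worm", total
    if total <= lower:
        return "benign", total
    return "undecided", total


def run_scenario(outcomes_per_host):
    """outcomes_per_host: one sequence per host, 1 = failed, 0 = succeeded.

    Returns (list of local verdicts, global verdict).
    """
    detectors = [LocalDetector(f"host{i}") for i in range(len(outcomes_per_host))]
    for det, outcomes in zip(detectors, outcomes_per_host):
        for failed in outcomes:
            det.observe(bool(failed))
    verdict, _total = global_decision(detectors)
    return [d.verdict for d in detectors], verdict


if __name__ == "__main__":
    # Constructed scenarios: three cooperating hosts, four connections each.
    spreading = [[1, 1, 1, 0]] * 3                          # every host sees mostly failures
    quiet = [[1, 0, 0, 0]] * 3                              # every host sees mostly successes
    one_noisy = [[1, 1, 1, 0], [1, 0, 0, 0], [1, 0, 0, 0]]  # one local false alarm
    for name, scenario in [("spreading", spreading), ("quiet", quiet),
                           ("one noisy host", one_noisy)]:
        print(name, run_scenario(scenario))
```

In all three scenarios every local test is still undecided after four observations, yet the pooled sum reaches "worm" when all hosts see failures, "benign" when all see successes, and stays "undecided" when only one host is noisy; that last case is the false-alarm condition the paper's evaluation is concerned with.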

September 16, 2006 in detection, modeling, papers