Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic
I like this paper a lot; it provides a rigorous treatment of a theoretical future that many "worst case scenario" worm paper authors have proposed.
Normal traffic can provide worms with a very good source of information to camouflage themselves. In this paper, we explore the concept of polymorphic worms that mutate based on normal traffic. We assume that a worm has already penetrated a system and is trying to hide its presence and propagation attempts from an IDS. We focus on stealthy worms that cannot be reliably detected by increases in traffic because of their low propagation factor. We first give an example of a simple polymorphic worm. Such worms can evade a signature-based IDS but not necessarily an anomaly-based IDS. We then show that it is feasible for an advanced polymorphic worm to gather a normal traffic profile and use it to evade an anomaly-based IDS. We tested the advanced worm implementation with three anomaly IDS approaches: NETAD, PAYL and Service-specific IDS. None of the three IDS approaches were able to detect the worm reliably. We found that the mutated worm can also evade other detection methods, such as the Abstract Payload Execution.
Source: Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic, Oleg Kolesnikov and Wenke Lee.
The goal of this paper is to advance the science of IDS by analyzing techniques polymorphic worms can use to hide themselves. While future work is needed to present a complete solution, our analysis can be used in designing possible defenses. By showing that polymorphic worms are a practical threat, we hope to stimulate further research to improve existing IDS.
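The evasion the abstract describes against PAYL-style detectors can be shown end to end in a few dozen lines. The following is an added example, not code from the paper: it trains a 1-gram byte-frequency profile on constructed HTTP requests, scores a constructed binary-looking payload (no real exploit, just the byte mix an overflow payload has), and then plays the worm's side, padding the payload with filler drawn from the learned profile until the detector's distance falls under its threshold. The smoothing constant, the threshold rule and the padding step sizes are illustrative assumptions, not the paper's or PAYL's exact settings.

```python
"""PAYL-style 1-gram payload anomaly detection and the blending evasion the
paper describes: learn the normal byte-frequency profile, then pad the attack
payload with profile-shaped filler until the detector's distance drops below
its threshold.  Added example with constructed traffic; not the paper's code.
The smoothing constant, the threshold rule and the padding steps are
illustrative choices, not the paper's or PAYL's exact settings."""
from collections import Counter
import math

# Constructed "normal" HTTP requests seen on port 80 (training data).
NORMAL_REQUESTS = [
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\nAccept: image/png\r\n\r\n",
    b"GET /news/2005/05/index.html HTTP/1.1\r\nHost: www.example.com\r\nAccept-Language: en\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 27\r\n\r\nuser=alice&password=secret1",
    b"GET /search?q=intrusion+detection HTTP/1.1\r\nHost: www.example.com\r\nCookie: s=abc123\r\n\r\n",
]

# Constructed attack payload: an over-long URI full of sled and binary code
# bytes.  It is not a real exploit, just the byte distribution a worm's
# overflow payload tends to have and that a 1-gram detector keys on.
ATTACK = (b"GET /" + b"\x90" * 120 + bytes(range(0x80, 0x100)) * 2
          + b"\xe8\x00\x00\x00\x00" * 8 + b" HTTP/1.0\r\n\r\n")


def byte_frequencies(payload):
    """Relative frequency of each of the 256 byte values in payload."""
    counts = Counter(payload)
    n = len(payload)
    return [counts.get(b, 0) / n for b in range(256)]


def train_profile(payloads):
    """Per-byte mean and standard deviation of the 1-gram frequencies."""
    freqs = [byte_frequencies(p) for p in payloads]
    n = len(freqs)
    mean = [sum(f[b] for f in freqs) / n for b in range(256)]
    std = [math.sqrt(sum((f[b] - mean[b]) ** 2 for f in freqs) / n) for b in range(256)]
    return mean, std


def distance(payload, profile, alpha=0.005):
    """Simplified Mahalanobis distance as used by PAYL; alpha keeps bytes that
    never varied in training (std 0) from dividing by zero."""
    mean, std = profile
    f = byte_frequencies(payload)
    return sum(abs(f[b] - mean[b]) / (std[b] + alpha) for b in range(256))


def threshold(profile, training):
    """Accept anything no farther than the farthest training payload, +10%."""
    return 1.1 * max(distance(p, profile) for p in training)


def blend(payload, profile, limit, step=1000, max_pad=50000):
    """The worm side: append filler whose byte mix follows the learned profile,
    growing it until the detector accepts the payload.  Returns the padded
    payload, or None if max_pad bytes were not enough.  The filler is placed
    after the request, where (an assumption here) the target ignores it."""
    mean, _ = profile
    for pad in range(step, max_pad + 1, step):
        filler = b"".join(bytes([b]) * round(mean[b] * pad) for b in range(256))
        candidate = payload + filler
        if distance(candidate, profile) <= limit:
            return candidate
    return None


def demo():
    """Train, score the raw attack, then blend it; returns the numbers."""
    profile = train_profile(NORMAL_REQUESTS)
    limit = threshold(profile, NORMAL_REQUESTS)
    blended = blend(ATTACK, profile, limit)
    return {
        "limit": limit,
        "raw": distance(ATTACK, profile),
        "blended": None if blended is None else distance(blended, profile),
        "payload": blended,
    }


if __name__ == "__main__":
    r = demo()
    if r["payload"] is None:
        print(f"threshold {r['limit']:.1f}, raw attack {r['raw']:.1f}, blending failed")
    else:
        print(f"threshold {r['limit']:.1f}, raw attack {r['raw']:.1f}, blended "
              f"{r['blended']:.1f} with {len(r['payload']) - len(ATTACK)} filler bytes")
```

The point the numbers make is the paper's: the raw payload scores far outside the profile because its sled and code bytes never occur in normal traffic, yet nothing in the detector stops the worm from diluting them with bytes it sampled from the same traffic the detector trained on. The cost is size, which is why the paper pairs this with a low propagation factor rather than a fast burn.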
CARDS: A distributed system for detecting coordinated attacks
Another paper on a distributed data collection and analysis platform. Because worm outbreaks move so quickly and often semi-randomly, a distributed system makes sense: if you can aggregate the information from various disparate sensors, you may be able to detect the worm before it infects all networks.
A major research problem in intrusion detection is the efficient detection of coordinated attacks over large networks. Issues to be resolved include determining what data should be collected, which portion of the data should be analyzed, where the analysis of the data should take place, and how to correlate multi-source information. This paper proposes the architecture of a Coordinated Attack Response & Detection System (CARDS). CARDS uses a signature-based model for resolving these issues. It consists of signature managers, monitors, and directory services. The system collects data in a flexible, distributed manner, and the detection process is decentralized among various monitors and is event-driven. The paper also discusses related implementation issues.
Source: CARDS: A distributed system for detecting coordinated attacks, Jiahai Yang, Peng Ning, X. Sean Wang, and Sushil Jajodia.
Correlation between NetFlow System and Network Views for Intrusion Detection
This approach, marrying network data from NetFlow together with system alerts, is becoming a reality in the security marketplace. It is the marriage of a traffic monitoring tool and a SEM (or SIM) platform.
We present several ways to correlate security events from two applications that visualize the same underlying data with two distinct views: system and network. Correlation of security events provides Security Engineers a better understanding of what is happening for enhanced security situational awareness. Visualization leverages human cognitive abilities and promotes quick mental connections between events that otherwise may be obscured in the volume of IDS alert messages.
Source: Correlation between NetFlow System and Network Views for Intrusion Detection, Cristina Abad, Yifan Li, Kiran Lakkaraju, Xiaoxin Yin, and William Yurcik.
Connection-history based anomaly detection
One of the things I studied for a few years was intrusion detection research and technologies. While it may seem obvious to some that signature-based methods are effective and popular, that doesn't mean that IDS techniques can't be improved upon. This approach seems especially suited to worm detection.
In the past few years, many vulnerabilities of wide-spread software services, often running on publicly accessible hosts, have been discovered. These vulnerabilities allow hackers to gain access to those machines, thereby compromising their security. When a vulnerable service is deployed on large numbers of publicly accessible hosts, software tools (called worms) can automate the task of intruding into a machine and spreading to new locations. These worms consume a large amount of bandwidth by attempting to find and infect other vulnerable machines and compromise the security and confidentiality of these hosts. Because worms are most of the time implemented as directly executable code, they are processed at very high speed. This allows a worm to quickly spread over a network. Usually, it is too late when one manually detects the presence of a worm; in most cases the whole network has already been infected. This makes an automated response mechanism imperative. In this paper, we present an approach to automatically identify worms and perform damage limitation by firewall rule modification.
Source: Connection-history based anomaly detection, Thomas Toth and Christopher Kruegel.
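The detection-plus-containment loop the abstract describes, written out as an added example (not the paper's code): each source host keeps a short window of its outbound connection history; when that window shows many destinations the host has never successfully reached before and most of the attempts fail, the host is flagged and an iptables rule is emitted to cut it off from the targeted port. The records are constructed; the window length, the thresholds and the rule shape are assumptions chosen for the illustration, not values from the paper.

```python
"""Connection-history worm detection of the kind described above: a host
whose recent outbound connection attempts go to many destinations it has never
talked to before, and mostly fail, is treated as infected and a firewall rule
is generated to contain it.  Added example over constructed connection
records; the window, the thresholds and the iptables rule shape are
assumptions for illustration, not the paper's values."""
from collections import defaultdict, deque

# Constructed connection records: (time_s, src_ip, dst_ip, dst_port, outcome),
# outcome "ok" = handshake completed, "fail" = RST or no answer.
CONNECTIONS = sorted(
    # a normal host: a few web connections, one of which fails
    [(2.0 * i, "10.0.0.5", f"10.0.1.{20 + i}", 80 if i % 2 == 0 else 443,
      "fail" if i == 4 else "ok") for i in range(8)]
    # a scanning host: 25 attempts in 2.5 s to 25 new hosts on one port, almost all failing
    + [(10.0 + 0.1 * i, "10.0.0.9", f"10.0.2.{1 + i}", 135,
        "ok" if i in (3, 11) else "fail") for i in range(25)]
)


class ConnectionHistory:
    def __init__(self, window=5.0, max_new=10, min_fail_ratio=0.6):
        self.window = window              # seconds of history kept per source
        self.max_new = max_new            # new destinations tolerated in a window
        self.min_fail_ratio = min_fail_ratio
        self.recent = defaultdict(deque)  # src -> (t, dst, outcome) within window
        self.known = defaultdict(set)     # src -> destinations it has reached before
        self.blocked = set()

    def observe(self, t, src, dst, port, outcome):
        """Feed one attempt; returns a firewall rule when src gets flagged."""
        if src in self.blocked:
            return None
        history = self.recent[src]
        history.append((t, dst, outcome))
        while history and t - history[0][0] > self.window:
            history.popleft()
        new_dsts = {d for _, d, _ in history if d not in self.known[src]}
        failures = sum(1 for _, _, o in history if o == "fail")
        if outcome == "ok":
            self.known[src].add(dst)
        if len(new_dsts) >= self.max_new and failures / len(history) >= self.min_fail_ratio:
            self.blocked.add(src)
            # containment: stop this host reaching anyone else on the targeted port
            return f"iptables -I FORWARD -s {src} -p tcp --dport {port} -j DROP"
        return None


def run(records, **params):
    """Replay records through the detector; returns the rules it emitted."""
    detector = ConnectionHistory(**params)
    rules = []
    for record in records:
        rule = detector.observe(*record)
        if rule:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for r in run(CONNECTIONS):
        print(r)
```

Two details matter in practice. Counting only destinations the host has not reached before keeps chatty but legitimate hosts (a mail relay talking to the same peers all day) out of the picture, and requiring a high failure ratio separates a worm probing address space from a host that simply fans out a lot. The rule is deliberately narrow, one source and one port, so a false positive costs a service rather than a host.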
Polygraph: Automatically Generating Signatures for Polymorphic Worms
I've posted about polymorphic worms before, and this paper seeks to address some of the problems facing intrusion detection systems in the face of continually changing payloads and specifically in light of worm attacks, where the pace of the attacks is dramatic.
It is widely believed that content-signature-based intrusion detection systems (IDSes) are easily evaded by polymorphic worms, which vary their payload on every infection attempt. In this paper, we present Polygraph, a signature generation system that successfully produces signatures that match polymorphic worms. Polygraph generates signatures that consist of multiple disjoint content substrings. In doing so, Polygraph leverages our insight that for a real-world exploit to function properly, multiple invariant substrings must often be present in all variants of a payload; these substrings typically correspond to protocol framing, return addresses, and in some cases, poorly obfuscated code. We contribute a definition of the polymorphic signature generation problem; propose classes of signature suited for matching polymorphic worm payloads; and present algorithms for automatic generation of signatures in these classes. Our evaluation of these algorithms on a range of polymorphic worms demonstrates that Polygraph produces signatures for polymorphic worms that exhibit low false negatives and false positives.
Source: Polygraph: Automatically Generating Signatures for Polymorphic Worms, James Newsome, Brad Karp, and Dawn Song.
PISA: Automatic Extraction of Traffic Signatures
Automatic worm signature generation in the face of a worm outbreak is a research goal of several groups. What they seek to do is to detect the presence of a threat and characterize it automatically so that additional systems, such as an IDS, can measure and disrupt the worm's progress. This paper is another one of those which shows a direct method to characterize attack traffic, including worm and DDoS traffic. The authors used real captured data to evaluate their system and report on the efficacy of the detection of the Blaster worm.
Analysis of security attacks shows that an attack leaves its imprint or signature in the attack packets. Traffic from Distributed Denial of Service attacks and rapid worm spreads has the potential to yield signatures. While all signatures may not be indicative of attacks, it is useful to extract non-transient signatures that are carried by a sufficient number of flows/packets/bytes. The number of packets/bytes in the flows carrying the signature may be used for rate-limiting the flows, providing for timely and automated response to both known and unknown attacks. This paper proposes an efficient algorithm, PISA, which clusters flows based on similarity in packet information and extracts signatures from high-bandwidth clusters. Extensive experiments on two weeks of real attack data of 100 million packets yield about 1744 signatures. Additionally, PISA extracted the signature for the Blaster worm connection attempts in a mix of traffic from a trans-Pacific backbone link.
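The clustering step can be made concrete with a small added example (my sketch, not the PISA algorithm itself): flows are grouped by the packet fields they share, most specific field combinations first, and any group holding a large share of the traffic yields a signature made of the field values its members agree on, together with the packet and byte counts a rate limiter would use. The flow records are constructed; the field set, the flow-share criterion and the 20% threshold are simplifications chosen here, and the addresses and ports are placeholders.

```python
"""Flow clustering in the spirit of PISA: flows are grouped by the packet
fields they share, a group carrying a large share of the traffic yields a
signature made of the field values its members agree on, and the group's
packet and byte counts are reported for rate limiting.  Added example over
constructed flow records; not the paper's algorithm.  The field set, the
flow-share criterion and the thresholds are simplifications chosen here."""
from collections import defaultdict
from itertools import combinations

# Fields a cluster may agree on, most useful ones first.
FIELDS = ("proto", "dst_port", "pkt_len", "src_ip", "dst_ip")


def flow(src, dst, port, pkt_len, packets, proto="tcp"):
    return {"src_ip": src, "dst_ip": dst, "dst_port": port, "pkt_len": pkt_len,
            "proto": proto, "packets": packets, "bytes": pkt_len * packets}


# Constructed traffic mix (placeholder addresses and ports).
FLOWS = (
    # normal web traffic: varied sources, destinations and packet sizes
    [flow(f"192.0.2.{i}", f"198.51.100.{i % 7}", 80 if i % 2 else 443, 500 + 37 * i, 10 + i)
     for i in range(20)]
    # worm connection attempts: many sources, one port, identical short packets
    + [flow(f"203.0.113.{i}", f"10.0.{i // 8}.{i % 8}", 135, 48, 3) for i in range(30)]
    # flood: many sources, one victim, identical packets
    + [flow(f"10.1.{i // 16}.{i % 16}", "10.0.0.1", 80, 60, 1) for i in range(40)]
)


def extract_signatures(flows, min_share=0.2, min_fields=2):
    """Try the most specific field combinations first.  A cluster is reported
    when its members are at least min_share of all flows; its flows are then
    removed so a looser combination does not report them again."""
    total = len(flows)
    remaining = list(range(total))
    signatures = []
    for k in range(len(FIELDS), min_fields - 1, -1):
        for combo in combinations(FIELDS, k):
            groups = defaultdict(list)
            for i in remaining:
                groups[tuple(flows[i][c] for c in combo)].append(i)
            for key, members in groups.items():
                if len(members) / total < min_share:
                    continue
                signatures.append({
                    "match": dict(zip(combo, key)),
                    "flows": len(members),
                    "packets": sum(flows[i]["packets"] for i in members),
                    "bytes": sum(flows[i]["bytes"] for i in members),
                })
                taken = set(members)
                remaining = [i for i in remaining if i not in taken]
    return signatures


def matches(signature, f):
    """True if flow f carries every field value of the signature."""
    return all(f.get(k) == v for k, v in signature["match"].items())


if __name__ == "__main__":
    for s in extract_signatures(FLOWS):
        print(f"{s['flows']} flows, {s['packets']} packets, {s['bytes']} bytes: {s['match']}")
```

On this input the flood is picked up first, at four agreeing fields (one victim, one port, one packet size), and the worm's connection attempts at three (port and packet size agree, but sources and destinations do not), while the varied normal flows never reach the share threshold. The measured flow, packet and byte counts travel with each signature, which is what turns a cluster into a rate-limit rather than a mere alert.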
Anti-Malware Tools: Intrusion Detection Systems
Martin Overton, from IBM in the UK, is back with another interesting malware paper. He's got an outline of how to use Snort to detect malware in transit on the wire.
When most people think of tools to combat malware, very few will give a passing thought to Intrusion Detection Systems. Why?
Common reasons include:
- They don’t realise that IDS systems can be used against malware (viruses, Trojans, worms, etc.)
- They are too difficult to setup, maintain and use.
- That they are too prone to false alarms.
This paper will investigate the use of IDS systems, specifically to counter/block/detect malware. What’s more, this paper will focus on SNORT (which is a free IDS system available for both UNIX and Windows).
This paper will include instructions and guidance on the setup of such a system, numerous examples of suitable rules to detect and block malware and useful tools that can make the sifting of logs easier and more palatable as well as configuration and other tools and utilities that may be useful in managing and maintaining SNORT.
The use of an IDS system can be extremely useful in cases of fast burning or very complex malware outbreaks as a stop-gap until the anti-virus vendors manage to get reliable updates out to their customers.
An IDS is also useful in identifying infected systems in your organization that need remedial action before the ‘trickle’ of infections becomes a ‘torrent’ and you are left fighting to keep your head above the rising waters.
This paper is based on the recent two-part article written for Virus Bulletin [October and November 2004] and parts of that article have been used with their permission.
Source: Anti-Malware Tools: Intrusion Detection Systems, Martin Overton, IBM, UK. Presented at the 2005 EICAR conference.
Honeycomb - Creating Intrusion Detection Signatures Using Honeypots
This is one of my favorite methods to emerge from honeypot data analysis. Christian Kreibich, a graduate student at the University of Cambridge in the UK, has created two tools, a library (libstree) and a tool (honeycomb) which can be used to generate IDS signatures automatically.
This paper describes a system for automated generation of attack signatures for network intrusion detection systems. Our system applies pattern-matching techniques and protocol conformance checks on multiple levels in the protocol hierarchy to network traffic captured by a honeypot system. We present results of running the system on an unprotected cable modem connection for 24 hours. The system successfully created precise traffic signatures that otherwise would have required the skills and time of a security officer to inspect the traffic manually.
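Honeycomb's pattern matching over honeypot captures and Polygraph's conjunction signatures (the abstract quoted earlier on this page) share one core step: find the substrings that every captured variant of an attack has in common, and let the signature require all of them. The following is an added example that serves both entries and is not code from either project: it extracts the maximal substrings shared by three constructed variants of one request (fixed framing and a fixed 4-byte address survive, the sled bytes and Host header change), checks the conjunction against an innocuous pool, and renders the result as a Snort rule with one content match per token. The CGI path, the address bytes and the sid are placeholders.

```python
"""Conjunction signatures from invariant substrings, in the spirit of Polygraph
and Honeycomb: given several captured variants of one exploit (from a honeypot
or a flow classifier), keep every maximal substring present in all of them,
require all of those substrings to match, and emit the result as a Snort rule.
Added example with constructed payloads; not the projects' code.  The CGI
path, the fixed 4-byte "return address" and the sid are placeholders."""

MIN_TOKEN = 4  # shortest substring worth keeping (an assumption)


def variant(junk, host):
    """A constructed polymorphic variant: fixed protocol framing and a fixed
    4-byte address survive, while the code/sled part and the Host header change."""
    return (b"GET /cgi-bin/status.cgi?id=" + junk + b"\x10\xe0\xff\xbf"
            + b" HTTP/1.1\r\nHost: " + host + b"\r\n\r\n")


# three captured variants (the suspicious pool)
SUSPICIOUS = [
    variant(bytes(range(0x41, 0x41 + 40)), b"www.example.com"),
    variant(bytes(range(0xa0, 0xa0 + 36)), b"example.org"),
    variant(b"0123456789" + bytes(range(0xc8, 0xc8 + 30)), b"mail.test.net"),
]

# legitimate requests (the innocuous pool), one of them to the same CGI
INNOCUOUS = [
    b"GET /cgi-bin/status.cgi?id=42 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: example.org\r\nAccept: */*\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: mail.test.net\r\nContent-Length: 9\r\n\r\nuser=bob&",
]


def in_all(sub, samples):
    return all(sub in s for s in samples)


def extract_tokens(samples, min_len=MIN_TOKEN):
    """Maximal substrings of length >= min_len shared by every sample."""
    base = min(samples, key=len)
    others = [s for s in samples if s is not base]
    tokens = []
    for i in range(len(base)):
        end = i  # grow the longest common substring that starts at i
        while end < len(base) and in_all(base[i:end + 1], others):
            end += 1
        if end - i < min_len:
            continue
        if i > 0 and in_all(base[i - 1:end], others):
            continue  # extendable to the left: already covered by a longer token
        tokens.append(base[i:end])
    return tokens


def matches(tokens, payload):
    """Conjunction: every token must be present."""
    return all(t in payload for t in tokens)


def snort_rule(tokens, sid, port=80):
    """Render the conjunction as one Snort rule with one content match per token."""
    contents = " ".join('content:"|' + " ".join(f"{b:02x}" for b in t) + '|";' for t in tokens)
    return (f'alert tcp any any -> any {port} (msg:"auto-generated conjunction signature"; '
            f'{contents} sid:{sid}; rev:1;)')


if __name__ == "__main__":
    toks = extract_tokens(SUSPICIOUS)
    print(snort_rule(toks, 1000001))
    print("false positives:", sum(matches(toks, p) for p in INNOCUOUS))
```

The three tokens that come out are exactly the invariants the Polygraph abstract predicts: the protocol framing up to the injected field, the address bytes glued to the framing that follows them, and the request terminator. The first token alone would also fire on the legitimate request to the same CGI, which is the false positive the conjunction removes; and because the signature is plain Snort content matches, it drops straight into the kind of Snort deployment the Overton paper above describes.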