vEye: behavioral footprinting for self-propagating worm detection and profiling

With unprecedented speed, virulence, and sophistication, self-propagating worms remain one of the most severe threats to information systems and to the Internet in general. To mitigate the threat, efficient mechanisms are needed to accurately profile and detect worms before or during their outbreaks. In particular, deriving a worm's unique signatures, or fingerprints, is the first priority in achieving this goal. One of the most popular approaches is to use content-based signatures, which characterize a worm by extracting its unique information payload. In practice, such content-based signatures unfortunately suffer from numerous disadvantages, such as vulnerability to content mutation attacks and inapplicability to polymorphic worms. In this paper, we propose a new behavioral footprinting (BF) approach that complements the state-of-the-art content-based signature approaches and allows users to detect and profile self-propagating worms from the worm's unique behavioral perspective. More specifically, our behavioral footprinting method captures a worm's dynamic infection sequence (e.g., probing, exploitation, and replication) by modeling each interaction step as a behavior phenotype and denoting a complete infection process as a chained sequence of such phenotypes. We argue that a self-propagating worm's inherent behaviors or infection patterns can be detected and characterized using sequence alignment tools, where the patterns shared by multiple infection sequences constitute the behavioral footprint of the worm. A systematic platform called vEye has been built to validate the proposed design with either "live" or historical worms, where a number of real-world infection sequences are used to build worm behavioral footprints. Experimental comparisons with existing content-based fingerprints demonstrate the uniqueness and effectiveness of the proposed behavioral footprints in self-propagating worm detection and profiling.
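The abstract describes the core idea only in words: each interaction step of an infection becomes a phenotype symbol, an infection becomes an ordered sequence of symbols, and a sequence alignment tool extracts the steps shared across several observed infections as the footprint. The following added example (written for this page, not the vEye authors' code) implements that pipeline with a standard Needleman-Wunsch global alignment over symbol lists. The phenotype names (`PROBE:tcp/445`, `EXPLOIT:smb_overflow`, and so on), the three observed infection sequences, the benign session, and the scoring constants are all constructed for illustration and are not taken from the paper; a real deployment would derive the symbols from its own honeypot or sensor logs.

```python
"""Behavioral footprinting via sequence alignment (added illustrative example).

Each infection observation is a list of phenotype symbols, one per interaction
step. Aligning two observations and keeping only the positions where both carry
the same symbol yields the steps they share; folding that over several
observations yields the worm's behavioral footprint. A new sequence is then
scored by how much of the footprint it reproduces, in order, gaps allowed.
"""
from typing import List, Optional, Tuple

# Alignment scoring (constructed constants): reward a shared step, charge a
# little for a differing step, and charge a gap for a step present on one side only.
MATCH, MISMATCH, GAP = 2, -1, -1

Pair = Tuple[Optional[str], Optional[str]]


def align(a: List[str], b: List[str]) -> Tuple[int, List[Pair]]:
    """Needleman-Wunsch global alignment of two phenotype sequences.

    Returns the optimal score and the aligned column pairs; None marks a gap.
    """
    n, m = len(a), len(b)
    score = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        score[i][0] = i * GAP  # leading gaps in b
    for j in range(1, m + 1):
        score[0][j] = j * GAP  # leading gaps in a
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            sub = MATCH if a[i - 1] == b[j - 1] else MISMATCH
            score[i][j] = max(score[i - 1][j - 1] + sub,
                              score[i - 1][j] + GAP,
                              score[i][j - 1] + GAP)
    # Trace back from the bottom-right corner to recover one optimal alignment.
    i, j, pairs = n, m, []
    while i > 0 or j > 0:
        if i > 0 and j > 0:
            sub = MATCH if a[i - 1] == b[j - 1] else MISMATCH
            if score[i][j] == score[i - 1][j - 1] + sub:
                pairs.append((a[i - 1], b[j - 1]))
                i, j = i - 1, j - 1
                continue
        if i > 0 and score[i][j] == score[i - 1][j] + GAP:
            pairs.append((a[i - 1], None))
            i -= 1
        else:
            pairs.append((None, b[j - 1]))
            j -= 1
    pairs.reverse()
    return score[n][m], pairs


def shared_steps(pairs: List[Pair]) -> List[str]:
    """Keep only the aligned columns where both observations show the same step."""
    return [x for x, y in pairs if x is not None and x == y]


def build_footprint(observations: List[List[str]]) -> List[str]:
    """Fold pairwise alignment over all observations to get the common footprint."""
    footprint = list(observations[0])
    for obs in observations[1:]:
        _, pairs = align(footprint, obs)
        footprint = shared_steps(pairs)
    return footprint


def match_score(footprint: List[str], observed: List[str]) -> float:
    """Fraction of footprint steps that an observed sequence reproduces in order."""
    if not footprint:
        return 0.0
    _, pairs = align(footprint, observed)
    return len(shared_steps(pairs)) / len(footprint)


# Constructed sample data: three infections of the same hypothetical worm, each
# with a different incidental step, plus one benign SMB session.
SEQ_A = ["PROBE:tcp/445", "PROBE:tcp/139", "EXPLOIT:smb_overflow", "SHELL:cmd",
         "REPLICATE:tftp_get", "EXEC:payload"]
SEQ_B = ["PROBE:tcp/445", "EXPLOIT:smb_overflow", "SHELL:cmd", "DNS:lookup",
         "REPLICATE:tftp_get", "EXEC:payload"]
SEQ_C = ["ICMP:echo", "PROBE:tcp/445", "EXPLOIT:smb_overflow", "SHELL:cmd",
         "REPLICATE:tftp_get", "EXEC:payload"]
BENIGN = ["PROBE:tcp/445", "SMB:auth", "SMB:file_read", "SMB:close"]
NEW_OBSERVATION = ["ICMP:echo", "PROBE:tcp/445", "EXPLOIT:smb_overflow",
                   "SHELL:cmd", "DNS:lookup", "REPLICATE:tftp_get", "EXEC:payload"]

FOOTPRINT = build_footprint([SEQ_A, SEQ_B, SEQ_C])

if __name__ == "__main__":
    print("footprint:", FOOTPRINT)
    print("new observation score:", match_score(FOOTPRINT, NEW_OBSERVATION))
    print("benign session score:", match_score(FOOTPRINT, BENIGN))
```

Note that the incidental steps (`PROBE:tcp/139`, `DNS:lookup`, `ICMP:echo`) fall out of the footprint because they are never paired with an identical symbol, while the five shared steps survive; the benign session scores low because it shares only the initial probe. In practice the decision threshold on `match_score` and the scoring constants would be tuned against the false-positive rate on the deployment's own benign traffic.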
