Automated Worm Fingerprinting

Network worms are a clear and growing threat to the security of today's Internet-connected hosts and networks. The combination of the Internet's unrestricted connectivity and widespread software homogeneity allows network pathogens to exploit tremendous parallelism in their propagation. In fact, modern worms can spread so quickly, and so widely, that no human-mediated reaction can hope to contain an outbreak. In this paper, we propose an automated approach for quickly detecting previously unknown worms and viruses based on two key behavioral characteristics - a common exploit sequence together with a range of unique sources generating infections and destinations being targeted. More importantly, our approach - called "content sifting" - automatically generates precise signatures that can then be used to filter or moderate the spread of the worm elsewhere in the network. Using a combination of existing and novel algorithms we have developed a scalable content sifting implementation with low memory and CPU requirements. Over months of active use at UCSD, our Earlybird prototype system has automatically detected and generated signatures for all pathogens known to be active on our network as well as for several new worms and viruses which were unknown at the time our system identified them. Our initial experience suggests that, for a wide range of network pathogens, it may be practical to construct fully automated defenses - even against so-called "zero-day" epidemics.
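The two behavioral tests the abstract describes, content prevalence plus address dispersion, worked through as an added illustration (not the Earlybird code): every substring of a payload is counted, and only substrings that become prevalent are tracked for distinct sources and destinations. Raw 8-byte substrings stand in for the paper's sampled Rabin fingerprints, and the thresholds, addresses and payloads are constructed; the two non-worm scenarios show why dispersion in both directions is needed to separate worm traffic from merely popular content.

```python
from collections import defaultdict

WINDOW = 8          # bytes per fingerprinted substring (constructed choice)
PREVALENCE_MIN = 3  # packets carrying the same substring (constructed threshold)
DISPERSION_MIN = 2  # distinct sources AND distinct destinations (constructed)


def fingerprints(payload: bytes, window: int = WINDOW):
    """Yield every length-`window` substring of the payload. Earlybird samples
    Rabin fingerprints of such windows; the raw bytes stand in for them here."""
    for i in range(len(payload) - window + 1):
        yield payload[i:i + window]


class ContentSifter:
    def __init__(self):
        self.prevalence = defaultdict(int)    # substring -> packet count
        self.sources = defaultdict(set)       # substring -> distinct sources
        self.destinations = defaultdict(set)  # substring -> distinct destinations

    def observe(self, src: str, dst: str, payload: bytes) -> set:
        """Account for one packet; return substrings that cross both thresholds."""
        flagged = set()
        for fp in fingerprints(payload):
            self.prevalence[fp] += 1
            if self.prevalence[fp] < PREVALENCE_MIN:
                continue  # rare content: not worth tracking addresses for
            self.sources[fp].add(src)
            self.destinations[fp].add(dst)
            if (len(self.sources[fp]) >= DISPERSION_MIN
                    and len(self.destinations[fp]) >= DISPERSION_MIN):
                flagged.add(fp)  # candidate signature: prevalent AND dispersed
        return flagged


def sift(packets) -> set:
    """Run a fresh sifter over (src, dst, payload) tuples; union of flagged content."""
    sifter, flagged = ContentSifter(), set()
    for src, dst, payload in packets:
        flagged |= sifter.observe(src, dst, payload)
    return flagged


# Constructed traffic (RFC 5737 documentation addresses, made-up payloads).
WORM = b"CONSTRUCTED-WORM-EXPLOIT-BLOB"  # many sources, many destinations
WORM_TRAFFIC = [(f"192.0.2.{i}", f"198.51.100.{i}", WORM) for i in range(1, 5)]
# Same bytes from one server to many clients: prevalent, but a single source.
DOWNLOAD = [("203.0.113.5", f"192.0.2.{i}", b"popular-update-file-contents") for i in range(1, 7)]
# Same bytes from many clients to one server: prevalent, but a single destination.
REQUESTS = [(f"192.0.2.{i}", "203.0.113.9", b"GET /index.html HTTP/1.1") for i in range(1, 7)]
```

Shared protocol boilerplate (the same header bytes in many unrelated flows) would also cross both thresholds, which is why a deployment needs a whitelist on top of the two counters.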
