Behavioral Footprinting: A New Dimension to Characterize Self-Propagating Worms

With increasing speed, virulence, and sophistication, self-propagating worms continue to pose a serious threat to the safety of the Internet. To identify and defend against self-propagating worms effectively, a critical task is to characterize a worm along multiple dimensions. Content-based fingerprinting is a well-established dimension for worm characterization: it derives the most representative content sequence of a worm as the worm's signature. However, this dimension alone does not capture all aspects of a worm and may therefore lead to incomplete or inaccurate characterization; in particular, a content signature is tied to the bytes a worm happens to send rather than to what the worm does. To expand the space of worm characterization, this paper proposes and justifies a new dimension, behavioral footprinting. Orthogonal and complementary to content-based fingerprinting, behavioral footprinting characterizes a worm's unique behavior during each infection session, covering the probing, exploitation, and replication phases of that session. By modeling each infection step as a behavior phenotype and the entire infection session as a sequential behavioral footprint, we show that behavioral footprinting captures worm-specific behavior that is inherently different from a normal access to the vulnerable service. We present sequence analysis techniques that extract a worm's behavioral footprint from its infection traces. Our evaluation with a number of real-world worms demonstrates the feasibility and effectiveness of the approach: a worm-characterizing behavioral footprint was extracted for every worm in the experiments. Furthermore, by comparing against content-based fingerprinting, our experiments demonstrate the uniqueness and robustness of behavioral footprinting in worm recognition and identification.
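The following Python sketch is an added illustration of the idea in the abstract and is not code from the paper. It abstracts each infection step to a phenotype token tagged with its phase (probe, exploit, repl), takes the behavioral footprint of a worm to be the longest common subsequence of several recorded infection sessions, checks that the footprint spans all three phases, and scores an unknown session by how much of the footprint it aligns with. The token names, the sample traces, the choice of longest common subsequence as the sequence-analysis step and the 0.8 threshold are all assumptions made for this example; the paper's own extraction techniques are not reproduced here.

```python
"""Toy behavioral footprinting over phenotype sequences (added example).

Not the paper's code. Phenotype tokens, traces, the LCS-based consensus
and the match threshold are constructed for illustration only.
"""
from typing import List, Sequence

# A session trace is a sequence of behavior phenotypes. Each token is
# "<phase>:<detail>" so the phase of every step is recoverable.
# The traces below are constructed, not captured from a real worm.
WORM_TRACES: List[List[str]] = [
    ["probe:tcp/80", "exploit:GET-overflow", "exploit:spawn-shell",
     "repl:fetch-payload", "repl:connect-next"],
    # same worm, an extra probe before the exploit landed
    ["probe:tcp/80", "probe:tcp/80", "exploit:GET-overflow",
     "exploit:spawn-shell", "repl:fetch-payload", "repl:connect-next"],
    # same worm, payload fetch retried once
    ["probe:tcp/80", "exploit:GET-overflow", "exploit:spawn-shell",
     "repl:fetch-payload", "repl:fetch-payload", "repl:connect-next"],
]

# A normal client of the same vulnerable service (constructed).
NORMAL_TRACES: List[List[str]] = [
    ["conn:tcp/80", "GET:/index.html", "GET:/images/logo.png", "close"],
    ["conn:tcp/80", "GET:/login", "POST:/login", "close"],
]

PHASES = {"probe", "exploit", "repl"}
MATCH_THRESHOLD = 0.8  # assumed cut-off for calling a session a match


def lcs(a: Sequence[str], b: Sequence[str]) -> List[str]:
    """Longest common subsequence of two phenotype sequences (DP + backtrack)."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            if a[i] == b[j]:
                dp[i][j] = dp[i + 1][j + 1] + 1
            else:
                dp[i][j] = max(dp[i + 1][j], dp[i][j + 1])
    out: List[str] = []
    i = j = 0
    while i < n and j < m:
        if a[i] == b[j]:
            out.append(a[i])
            i += 1
            j += 1
        elif dp[i + 1][j] >= dp[i][j + 1]:
            i += 1
        else:
            j += 1
    return out


def extract_footprint(traces: Sequence[Sequence[str]]) -> List[str]:
    """Consensus footprint: steps common to every infection trace, in order."""
    footprint = list(traces[0])
    for trace in traces[1:]:
        footprint = lcs(footprint, trace)
    return footprint


def covers_all_phases(footprint: Sequence[str]) -> bool:
    """A usable footprint should span probing, exploitation and replication."""
    seen = {tok.split(":", 1)[0] for tok in footprint}
    return PHASES <= seen


def match_score(footprint: Sequence[str], session: Sequence[str]) -> float:
    """Fraction of the footprint that aligns (in order) with the session."""
    if not footprint:
        return 0.0
    return len(lcs(footprint, session)) / len(footprint)


def classify(footprint: Sequence[str], session: Sequence[str]) -> str:
    """'worm' if the session aligns with enough of the footprint, else 'normal'."""
    return "worm" if match_score(footprint, session) >= MATCH_THRESHOLD else "normal"


if __name__ == "__main__":
    fp = extract_footprint(WORM_TRACES)
    print("footprint:", fp, "all phases:", covers_all_phases(fp))
    for s in WORM_TRACES + NORMAL_TRACES + [["probe:tcp/80", "close"]]:
        print(f"{match_score(fp, s):.2f} {classify(fp, s):6s} {s}")
```

A port scanner that only probes the service aligns with one of the five footprint steps (score 0.2) and is classified as normal, while a session that carries the same probe, exploit and replication steps matches fully regardless of the bytes in its payload, which is the sense in which the footprint is independent of content.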
