A hardware platform for efficient worm outbreak detection

Network Intrusion Detection Systems (NIDS) monitor network traffic to detect attacks and unauthorized activity. Traditional NIDSs search for patterns that match known network compromises or remote hacking attempts. Newer applications, however, require finding the strings that repeat frequently in a packet stream and singling them out for further investigation as potential attacks. Finding the strings that repeat frequently within a given time frame has proved an effective way to detect polymorphic worm outbreaks. This article proposes a real-time worm outbreak detection system that uses two-phase hashing to monitor repeated common substrings. Shared counters keep the memory cost low while the system sifts efficiently through suspicious strings. The system has been prototyped on an Altera Stratix FPGA and tested under various settings and packet stream sizes. Experimental results show that it sustains gigabit line rates with negligible false positive and false negative rates.
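The following software model illustrates the idea of two-phase hashing with shared counters described above. It is an added example, not the paper's FPGA design or the authors' code: the substring window length, the size of the shared counter array, both thresholds, the CRC32 hash, the once-per-packet counting rule and the sample packets are all assumptions made here for illustration, and the real system may apply further criteria (such as source or destination dispersion) that this model leaves out.

```python
import random
import zlib
from collections import defaultdict


class WormSifter:
    """Two-phase content sifting with shared counters (software model, not the paper's design).

    Phase 1: every fixed-length substring of a payload is hashed into a small
    array of shared counters.  Several substrings share one counter, so a
    counter is an upper bound on the frequency of any substring mapped to it:
    a repeated substring can never be missed, only occasionally over-promoted.
    Phase 2: only substrings whose shared counter is already hot are entered
    into an exact (substring -> count) table, which is what keeps memory small.
    All counters are cleared at the start of every time frame (epoch).
    """

    def __init__(self, window=8, n_shared=1024,
                 phase1_threshold=3, alert_threshold=5):
        # All four parameters are assumed values for this demo.
        self.window = window
        self.n_shared = n_shared
        self.t1 = phase1_threshold   # shared-counter hits before exact tracking starts
        self.t2 = alert_threshold    # exact count in one epoch that raises an alert
        self.substrings_seen = 0     # instrumentation only
        self.reset_epoch()

    def reset_epoch(self):
        """Start a new time frame: all counts are forgotten."""
        self.shared = [0] * self.n_shared   # phase 1: small array, collisions allowed
        self.exact = defaultdict(int)       # phase 2: promoted substrings only
        self.alerted = set()

    def _slot(self, sub):
        # CRC32 stands in for the hardware hash; any fast hash would do.
        return zlib.crc32(sub) % self.n_shared

    def observe(self, payload):
        """Feed one packet payload; return substrings that crossed the alert threshold."""
        alerts = []
        # Each distinct substring is counted once per packet, so a single padded
        # packet (e.g. a long run of identical bytes) cannot raise an alert alone.
        subs = {payload[i:i + self.window]
                for i in range(len(payload) - self.window + 1)}
        for sub in subs:
            self.substrings_seen += 1
            slot = self._slot(sub)
            self.shared[slot] += 1                       # phase 1
            if self.shared[slot] < self.t1:
                continue
            self.exact[sub] += 1                         # phase 2
            if self.exact[sub] >= self.t2 and sub not in self.alerted:
                self.alerted.add(sub)
                alerts.append(sub)
        return alerts

    def tracked(self):
        """Number of substrings currently held in the exact phase-2 table."""
        return len(self.exact)


# Constructed sample traffic for the demo (not real captures).
INVARIANT = b"STATIC-DECODER-STUB"   # the part every worm instance must carry


def _random_bytes(rng, n):
    return bytes(rng.getrandbits(8) for _ in range(n))


def worm_packet(rng):
    """Polymorphic-style packet: random bytes around one invariant substring."""
    return _random_bytes(rng, 16) + INVARIANT + _random_bytes(rng, 16)


def benign_packet(rng):
    """Unrelated traffic: random bytes, so no substring repeats across packets."""
    return _random_bytes(rng, 48)


def run_demo(n_benign=8, n_worm=7, seed=7):
    """Feed benign then worm packets; return (benign alerts, worm alerts, sifter)."""
    rng = random.Random(seed)
    sifter = WormSifter()
    benign_alerts = [a for _ in range(n_benign)
                     for a in sifter.observe(benign_packet(rng))]
    worm_alerts = [a for _ in range(n_worm)
                   for a in sifter.observe(worm_packet(rng))]
    return benign_alerts, worm_alerts, sifter


if __name__ == "__main__":
    benign, worm, s = run_demo()
    print("alerts on benign traffic:", benign)
    print("alerts on worm traffic  :", worm)
    print("substrings seen:", s.substrings_seen, "tracked exactly:", s.tracked())
```

With the assumed thresholds, every 8-byte window inside the invariant is promoted to the exact table by the third worm packet at the latest (hash collisions with benign substrings can only make that happen sooner) and reaches the alert threshold by the seventh, while the random benign packets never accumulate an exact count above one. The exact table stays far smaller than the number of substrings observed, which is the memory saving the shared counters buy; the price is that a hot shared counter occasionally promotes an innocent substring, which the exact phase then filters out.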
