Autograph: toward automated, distributed worm signature detection

Published: 13 August 2004

Abstract

Today's Internet intrusion detection systems (IDSes) monitor edge networks' DMZs to identify and/or filter malicious flows. While an IDS helps protect the hosts on its local edge network from compromise and denial of service, it cannot alone effectively intervene to halt and reverse the spreading of novel Internet worms. Generation of the worm signatures required by an IDS--the byte patterns sought in monitored traffic to identify worms--today entails non-trivial human labor, and thus significant delay: as network operators detect anomalous behavior, they communicate with one another and manually study packet traces to produce a worm signature. Yet intervention must occur early in an epidemic to halt a worm's spread. In this paper, we describe Autograph, a system that automatically generates signatures for novel Internet worms that propagate using TCP transport. Autograph generates signatures by analyzing the prevalence of portions of flow payloads, and thus uses no knowledge of protocol semantics above the TCP level. It is designed to produce signatures that exhibit high sensitivity (high true positives) and high specificity (low false positives); our evaluation of the system on real DMZ traces validates that it achieves these goals. We extend Autograph to share port scan reports among distributed monitor instances, and using trace-driven simulation, demonstrate the value of this technique in speeding the generation of signatures for novel worms. Our results elucidate the fundamental trade-off between early generation of signatures for novel worms and the specificity of these generated signatures.
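The abstract states only that Autograph partitions flow payloads and ranks the portions by how many suspicious flows they appear in. The following Python, added here and not the paper's own code, illustrates that idea end to end: a content-defined partitioner (a Rabin-style rolling hash is an assumed choice, as are the window, mask and minimum block length), per-flow prevalence counting, and a prevalence threshold whose setting trades earlier signature generation against specificity, run over constructed sample flows.

```python
from collections import Counter

WINDOW, BREAK_MASK, MIN_BLOCK = 4, 0x3, 8   # assumed illustrative parameters

def content_blocks(payload: bytes) -> list:
    """Content-based partitioning: cut where the rolling hash of the last WINDOW
    bytes has its low bits clear, so boundaries depend on bytes, not offsets."""
    B, M = 257, 1_000_003                  # polynomial rolling hash mod a prime
    pow_w, blocks, start, h = pow(B, WINDOW, M), [], 0, 0
    for i, c in enumerate(payload):
        h = (h * B + c) % M
        if i >= WINDOW:                    # drop the byte that left the window
            h = (h - payload[i - WINDOW] * pow_w) % M
        if i - start + 1 >= MIN_BLOCK and (h & BREAK_MASK) == 0:
            blocks.append(payload[start:i + 1])
            start = i + 1
    if start < len(payload):
        blocks.append(payload[start:])
    return blocks

def prevalence(flows) -> Counter:
    """Number of suspicious flows each block occurs in (counted once per flow)."""
    return Counter(b for flow in flows for b in set(content_blocks(flow)))

def signatures(flows, min_prevalence: int) -> set:
    """Blocks seen in >= min_prevalence flows; short trailing remainders dropped."""
    return {b for b, n in prevalence(flows).items()
            if n >= min_prevalence and len(b) >= MIN_BLOCK}

def evaluate(sigs, worm_flows, benign_flows):
    """(sensitivity, specificity) of a signature set over labelled flows."""
    hit = lambda f: any(s in f for s in sigs)
    return (sum(map(hit, worm_flows)) / len(worm_flows),
            1 - sum(map(hit, benign_flows)) / len(benign_flows))

def flows_until_signature(arrivals, min_prevalence: int):
    """Suspicious flows that must arrive before any signature exists (None if never)."""
    for k in range(1, len(arrivals) + 1):
        if signatures(arrivals[:k], min_prevalence):
            return k

# Constructed sample traffic (not the paper's traces): five worm flows with one
# invariant body, plus a benign crawler that tripped the scan heuristic 3 times.
WORM_CORE = (b"|CONSTRUCTED-WORM-BODY|Zx3!mQ7@pL0#vR5$kT9%wN1^bH4&yJ6*cF2(dG8)eK0~"
             b"uA2;sD4:qE6?oI8/iU1+aO3=gY5-lW7_nB9`rC0,tV2.|end|")
WORM = [WORM_CORE + b" dst=10.0.0.%d" % i for i in range(5)]
CRAWLER = b"GET /robots.txt HTTP/1.0\r\nUser-Agent: crawler/1.0\r\n\r\n"
POOL = [WORM[0], CRAWLER, WORM[1], CRAWLER, WORM[2], CRAWLER, WORM[3], WORM[4]]
BENIGN = [CRAWLER, b"GET /index.html HTTP/1.0\r\n\r\n", b"POST /x HTTP/1.0\r\n\r\nhi"]
```

With a threshold of 3 a signature exists after the fifth suspicious flow but the crawler's blocks become signatures too; with a threshold of 5 nothing is emitted until all five worm flows have been seen, and only worm blocks survive.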

Published In

SSYM'04: Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
August 2004
352 pages

Publisher

USENIX Association

United States


Cited By

  • (2023) Generative intrusion detection and prevention on data stream. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 4319-4335. doi:10.5555/3620237.3620479. Online publication date: 9 Aug 2023.
  • (2021) AutoCombo. Proceedings of the 30th ACM International Conference on Information & Knowledge Management, pp. 3777-3786. doi:10.1145/3459637.3481896. Online publication date: 26 Oct 2021.
  • (2020) PrivateEye. Proceedings of the 17th USENIX Conference on Networked Systems Design and Implementation, pp. 797-816. doi:10.5555/3388242.3388300. Online publication date: 25 Feb 2020.
  • (2019) IDAPro for IoT malware analysis? Proceedings of the 12th USENIX Conference on Cyber Security Experimentation and Test, p. 15. doi:10.5555/3359012.3359027. Online publication date: 12 Aug 2019.
  • (2019) Real-time Traffic Monitoring and SQL Injection Attack Detection for Edge Networks. Proceedings of the 15th ACM International Symposium on QoS and Security for Wireless and Mobile Networks, pp. 29-36. doi:10.1145/3345837.3355952. Online publication date: 25 Nov 2019.
  • (2019) Effective Media Traffic Classification Using Deep Learning. Proceedings of the 2019 3rd International Conference on Compute and Data Analysis, pp. 139-146. doi:10.1145/3314545.3316278. Online publication date: 14 Mar 2019.
  • (2019) Zero-Day Signature Extraction for High-Volume Attacks. IEEE/ACM Transactions on Networking 27(2), pp. 691-706. doi:10.1109/TNET.2019.2899124. Online publication date: 1 Apr 2019.
  • (2018) Hunting Observable Objects for Indication of Compromise. Proceedings of the 13th International Conference on Availability, Reliability and Security, pp. 1-8. doi:10.1145/3230833.3233282. Online publication date: 27 Aug 2018.
  • (2017) Mining intrusion detection rules with longest increasing subsequences of q-grams. Proceedings of the International Conference on Research in Adaptive and Convergent Systems, pp. 25-29. doi:10.1145/3129676.3129724. Online publication date: 20 Sep 2017.
  • (2017) NTApps. Proceedings of the 22nd ACM Symposium on Access Control Models and Technologies, pp. 199-206. doi:10.1145/3078861.3084175. Online publication date: 7 Jun 2017.
