Today's Internet intrusion detection systems (IDSes) monitor edge networks' DMZs to identify and/or filter malicious flows. While an IDS helps protect the hosts on its local edge network from compromise and denial of service, it cannot alone effectively intervene to halt and reverse the spread of novel Internet worms. Generating the worm signatures an IDS requires (the byte patterns sought in monitored traffic to identify worms) today entails non-trivial human labor, and thus significant delay: as network operators detect anomalous behavior, they communicate with one another and manually study packet traces to produce a worm signature. Yet intervention must occur early in an epidemic to halt a worm's spread.
The Autograph project is motivated by the desire to minimize human intervention in the signature generation process and enable fully automated, timely defense against novel Internet worms. Autograph is a system that automatically generates worm signatures. It does so by analyzing the prevalence of portions of flow payloads, and chooses the most frequently occurring byte patterns as signatures. Two properties of worms suggest that this content-prevalence analysis is fruitful. First, all flows over which a worm spreads contain an identical, invariant portion of payload if the worm exploits a specific vulnerability. Second, a worm generates voluminous network traffic as it spreads, because of its self-propagating nature.

Automated Signature Generation: A single Autograph monitor has three main stages for signature generation. A signature generation stage performs content-prevalence analysis on all the captured, reassembled flows, and extracts a set of candidate signatures. Content-prevalence analysis is computationally expensive, and performs better when the flows it examines contain more worm flows than legitimate flows. So, Autograph has a preceding suspicious flow selection stage to select worm-like traffic and reduce the volume of traffic to be examined. Autograph currently detects port scanners and selects traffic from them; this approach is effective for detecting scanning worms. Finally, Autograph examines whether signature candidates satisfy certain quality criteria; a signature must not incur significant false positives or false negatives. For example, Autograph maintains a short list of bad signatures to prevent it from selecting similar patterns as signatures. The candidate signatures that pass this final signature verification stage are published as worm signatures. This system is designed to produce signatures that exhibit high sensitivity (high true positives) and high specificity (low false positives).
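A miniature of the three-stage pipeline just described, written as an added example rather than Autograph's own code. Everything in it is an assumption made for illustration: the byte-sum breakmark stands in for Autograph's fingerprint-based payload partitioning, the scanner list stands in for port-scan reports, the blacklist rejects any candidate containing a listed pattern, and the flows are constructed sample data.

```python
from collections import Counter

def select_suspicious(flows, scanners):
    """Suspicious-flow selection: keep payloads sent by reported port scanners."""
    return [payload for src, payload in flows if src in scanners]

def partition(payload, window=4, modulus=16, breakmark=0, min_len=8):
    """Content-based partitioning (stand-in for Autograph's fingerprinting):
    end a block after byte i when the sum of the last `window` bytes equals
    `breakmark` mod `modulus` and the block is at least `min_len` long.
    Boundaries depend on content alone, so a byte run shared by two flows
    is cut into the same blocks whatever precedes it in each flow."""
    blocks, start = [], 0
    for i in range(window, len(payload) + 1):
        if sum(payload[i - window:i]) % modulus == breakmark and i - start >= min_len:
            blocks.append(payload[start:i])
            start = i
    if start < len(payload):
        blocks.append(payload[start:])  # trailing partial block
    return blocks

def candidate_signatures(payloads, min_prevalence, blacklist=()):
    """Prevalence of a block = number of distinct flows containing it.
    Rank by prevalence, keep blocks at or above the threshold, and reject
    any block containing a pattern from the bad-signature list."""
    prevalence = Counter()
    for payload in payloads:
        prevalence.update(set(partition(payload)))
    ranked = sorted(prevalence.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(blk, n) for blk, n in ranked
            if n >= min_prevalence and not any(bad in blk for bad in blacklist)]

# Constructed sample data. Three worm flows carry one invariant payload
# (a filler sled plus placeholder "exploit" bytes) followed by per-victim
# bytes; two legitimate requests come from hosts that never scanned.
INVARIANT = b"\x90" * 32 + b"bug=HTTP&id=xxxx&go=8888"
FLOWS = [
    ("10.0.0.1", INVARIANT + b"&h=a"),
    ("10.0.0.2", INVARIANT + b"&h=bb"),
    ("10.0.0.3", INVARIANT + b"&h=ccc"),
    ("10.0.0.8", b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.9", b"GET /logo.png HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
]
SCANNERS = {"10.0.0.1", "10.0.0.2", "10.0.0.3"}  # sources named in port-scan reports

def run(blacklist=()):
    return candidate_signatures(select_suspicious(FLOWS, SCANNERS), 3, blacklist)

if __name__ == "__main__":
    print(run())                         # four blocks, each prevalent in 3 flows
    print(run(blacklist=[b"\x90" * 4]))  # sled fragment rejected as too generic
```

The legitimate flows never reach the prevalence stage because their sources did not scan; even if they did, none of their blocks occurs in three flows, so the threshold alone keeps them out of the candidate set.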
Distributed Monitoring: Autograph shares the port scan reports among distributed monitor instances. Tattler is an adaptation of the RTP Control Protocol (RTCP), designed to allow such information exchange over multicast while limiting bandwidth consumption. Using trace-driven simulation of a worm outbreak, we've demonstrated the value of distributed monitoring in speeding the generation of signatures for novel worms. Our results elucidate the fundamental trade-off between early generation of signatures for novel worms and the specificity of these generated signatures.
To learn more about Autograph, please take a look at our Download and Publications pages. You can find a beta version of the Autograph source code on the Download page. Please play with it. Feedback is more than welcome!
Last modified Tuesday, 30-Aug-2005 03:33:53 EDT