Autograph: toward automated, distributed worm signature detection

Authors: Brad Karp, Hyang-Ah Kim

DOI:

Keywords:

Abstract: Today's Internet intrusion detection systems (IDSes) monitor edge networks' DMZs to identify and/or filter malicious flows. While an IDS helps protect the hosts on its local network from compromise and denial of service, it cannot alone effectively intervene to halt and reverse the spreading of novel Internet worms. Generation of the worm signatures required by an IDS--the byte patterns sought in monitored traffic to identify worms--today entails non-trivial human labor, and thus significant delay: as network operators detect anomalous behavior, they communicate with one another and manually study packet traces to produce a worm signature. Yet intervention must occur early in an epidemic to halt a worm's spread. In this paper, we describe Autograph, a system that automatically generates signatures for novel Internet worms that propagate using TCP transport. Autograph generates signatures by analyzing the prevalence of portions of flow payloads, and thus uses no knowledge of protocol semantics above the TCP level. It is designed to produce signatures that exhibit high sensitivity (high true positives) and high specificity (low false positives); our evaluation of the system on real DMZ traces validates that it achieves these goals. We extend Autograph to share port scan reports among distributed monitor instances, and using trace-driven simulation, demonstrate the value of this technique in speeding the generation of signatures for novel worms. Our results elucidate the fundamental trade-off between early generation of signatures for novel worms and the specificity of these generated signatures.
