Knowledge and Information Systems

Volume 18, Issue 2, pp 231–262

vEye: behavioral footprinting for self-propagating worm detection and profiling

Regular Paper

Abstract

With unprecedented speed, virulence, and sophistication, self-propagating worms remain one of the most severe threats to information systems and to the Internet in general. To mitigate the threat, efficient mechanisms are needed to accurately profile and detect worms before or during their outbreaks. In particular, deriving a worm’s unique signatures, or fingerprints, is the first priority in achieving this goal. One of the most popular approaches is to use content-based signatures, which characterize a worm by extracting its unique information payload. In practice, such content-based signatures unfortunately suffer from numerous disadvantages, such as vulnerability to content mutation attacks or inapplicability to polymorphic worms. In this paper, we propose a new behavioral footprinting (BF) approach that complements the state-of-the-art content-based signature approaches and allows users to detect and profile self-propagating worms from the perspective of the worm’s unique behavior. More specifically, our behavioral footprinting method captures a worm’s dynamic infection sequence (e.g., probing, exploitation, and replication) by modeling each interaction step as a behavior phenotype and denoting a complete infection process as a chained sequence. We argue that a self-propagating worm’s inherent behaviors or infection patterns can be detected and characterized using sequence alignment tools, where patterns shared by the infection sequences imply the behavioral footprints of the worm. A systematic platform called vEye has been built to validate the proposed design with either “live” or historical worms, where a number of real-world infection sequences are used to build worm behavioral footprints. Experimental comparisons with existing content-based fingerprints demonstrate the uniqueness and effectiveness of the proposed behavioral footprints in self-propagating worm detection and profiling.

Keywords

Information systems, Network security, Worm detection, Behavioral footprinting, Sequence alignment



Copyright information

© Springer-Verlag London Limited 2008

Authors and Affiliations

  1. Department of Computer Science, George Mason University, Fairfax, USA
  2. Department of Computer Science and Engineering, Florida Atlantic University, Boca Raton, USA
