Anagram: A Content Anomaly Detector Resistant to Mimicry Attack

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2006)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 4219)

Abstract

In this paper, we present Anagram, a content anomaly detector that models a mixture of high-order n-grams (n > 1) designed to detect anomalous and “suspicious” network packet payloads. By using higher-order n-grams, Anagram can detect significant anomalous byte sequences and generate robust signatures of validated malicious packet content. The Anagram content models are implemented using highly efficient Bloom filters, reducing space requirements and enabling privacy-preserving cross-site correlation. The sensor models the distinct content flow of a network or host using a semi-supervised training regimen. Previously known exploits, extracted from the signatures of an IDS, are likewise modeled in a Bloom filter and are used during training as well as at detection time. We demonstrate that Anagram can identify anomalous traffic with high accuracy and low false positive rates. Anagram’s high-order n-gram analysis technique is also resilient against simple mimicry attacks that blend exploits with “normal”-appearing byte padding, such as the blended polymorphic attack recently demonstrated in [1]. We discuss randomized n-gram models, which further raise the bar and make it more difficult for attackers to build precise packet structures to evade Anagram even if they know the distribution of the local site content flow. Finally, Anagram’s speed and high detection rate make it valuable not only as a standalone sensor, but also as a network anomaly flow classifier in an instrumented fault-tolerant host-based environment; this enables significant cost amortization and the possibility of a “symbiotic” feedback loop that can improve accuracy and reduce false positive rates over time.

This work has been partially supported by a grant with the Army Research Office, No. DA W911NF-04-1-0442.
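As an added illustration of the mechanism the abstract describes (this is not code from the paper or its authors), the following Python model stores the byte n-grams of normal traffic in a Bloom filter next to a second filter of known-bad content, excludes known-bad n-grams during semi-supervised training, and scores a payload by the share of n-grams never seen in training. The sample requests and the known-bad string are constructed, and the choice of n = 5, the Bloom filter sizing, the known-bad weight of 5 and salted SHA-256 as the hash family are this example's assumptions rather than the paper's parameters.

```python
import hashlib, random

class BloomFilter:  # m-bit array, k salted SHA-256 positions per item
    def __init__(self, m_bits=1 << 16, k=4):
        self.m, self.k, self.bits = m_bits, k, bytearray(m_bits // 8)
    def _positions(self, item):
        for i in range(self.k):
            h = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(h[:8], "big") % self.m
    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)
    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

def ngrams(payload, n):
    return (payload[i:i + n] for i in range(len(payload) - n + 1))

class AnagramModel:
    """Normal-content filter plus a known-bad filter, both over byte n-grams (n > 1)."""
    def __init__(self, known_bad, n=5, bad_weight=5):  # bad_weight is an assumed constant
        self.n, self.bad_weight = n, bad_weight
        self.normal, self.bad = BloomFilter(), BloomFilter()
        for p in known_bad:
            for g in ngrams(p, self.n):
                self.bad.add(g)
    def train(self, payloads):
        # Semi-supervised: n-grams already in the known-bad filter never enter the normal model
        for p in payloads:
            for g in ngrams(p, self.n):
                if g not in self.bad:
                    self.normal.add(g)
    def score(self, payload):
        """Share of n-grams never seen in training; known-bad n-grams weigh bad_weight each."""
        total = anomalous = 0
        for g in ngrams(payload, self.n):
            total += 1
            anomalous += self.bad_weight if g in self.bad else int(g not in self.normal)
        return anomalous / total if total else 0.0

# Constructed sample traffic and a placeholder "known exploit" string, not real captures
NORMAL = [b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
          b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\n\r\n"]
KNOWN_BAD = [b"CONSTRUCTED-KNOWN-BAD-PATTERN-PLACEHOLDER"]
MODEL = AnagramModel(KNOWN_BAD)
MODEL.train(NORMAL)

def shuffled_mimicry(seed=7):
    """Same 1-gram byte distribution as NORMAL[0], but in shuffled order."""
    return bytes(random.Random(seed).sample(list(NORMAL[0]), len(NORMAL[0])))
```

A shuffled copy of a training request keeps its 1-byte frequency distribution intact yet scores close to 1.0, because almost none of its 5-grams were ever seen; this is the padding-style mimicry that a 1-gram model cannot distinguish from normal content.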


References

  1. Kolesnikov, O., Dagon, D., Lee, W.: Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic. In: USENIX Security Symposium, Vancouver, BC, Canada (2006)
  2. Moore, D., et al.: Internet Quarantine: Requirements for Containing Self-Propagating Code. In: INFOCOM (2003)
  3. Staniford-Chen, S., Paxson, V., Weaver, N.: How to 0wn the Internet in Your Spare Time. In: USENIX Security Symposium (2002)
  4. Christodorescu, M., Jha, S.: Static Analysis of Executables to Detect Malicious Patterns. In: USENIX Security Symposium, Washington, D.C. (2003)
  5. Vargiya, R., Chan, P.: Boundary Detection in Tokenizing Network Application Payload for Anomaly Detection. In: ICDM Workshop on Data Mining for Computer Security (DMSEC), Melbourne, FL (2003)
  6. Kruegel, C., et al.: Polymorphic Worm Detection Using Structural Information of Executables. In: Symposium on Recent Advances in Intrusion Detection, Seattle, WA (2005)
  7. Sekar, R., et al.: Specification-based Anomaly Detection: A New Approach for Detecting Network Intrusions. In: ACM Conference on Computer and Communications Security, Washington, D.C. (2002)
  8. Kruegel, C., Toth, T., Kirda, E.: Service Specific Anomaly Detection for Network Intrusion Detection. In: Symposium on Applied Computing (SAC), Madrid, Spain (2002)
  9. Wang, X., et al.: SigFree: A Signature-free Buffer Overflow Attack Blocker. In: USENIX Security Symposium, Boston, MA (2006)
  10. Wang, K., Stolfo, S.J.: Anomalous Payload-based Network Intrusion Detection. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 203–222. Springer, Heidelberg (2004)
  11. Wang, K., Cretu, G., Stolfo, S.J.: Anomalous Payload-based Worm Detection and Signature Generation. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 227–246. Springer, Heidelberg (2006)
  12. SourceFire Inc.: Snort Rulesets (2006), [cited April 4, 2006], available from: http://www.snort.org/pub-bin/downloads.cgi
  13. Locasto, M.E., Sidiroglou, S., Keromytis, A.D.: Application Communities: Using Monoculture for Dependability. In: HotDep (2005)
  14. Locasto, M.E., Sidiroglou, S., Keromytis, A.D.: Software Self-Healing Using Collaborative Application Communities. In: Internet Society (ISOC) Symposium on Network and Distributed Systems Security, San Diego, CA (2006)
  15. Marceau, C.: Characterizing the Behavior of a Program Using Multiple-Length N-grams. In: New Security Paradigms Workshop, Cork, Ireland (2000)
  16. Forrest, S., et al.: A Sense of Self for Unix Processes. In: IEEE Symposium on Security and Privacy (1996)
  17. Tan, K.M.C., Maxion, R.A.: Why 6? Defining the Operational Limits of stide, an Anomaly-Based Intrusion Detector. In: IEEE Symposium on Security and Privacy, Berkeley, CA (2002)
  18. Crandall, J.R., et al.: On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic and Metamorphic Worm Exploits. In: ACM Conference on Computer and Communications Security, Alexandria, VA (2005)
  19. Newsome, J., Karp, B., Song, D.: Polygraph: Automatically Generating Signatures for Polymorphic Worms. In: IEEE Security and Privacy, Oakland, CA (2005)
  20. Singh, S., et al.: Automated Worm Fingerprinting. In: 6th Symposium on Operating Systems Design and Implementation (OSDI 2004), San Francisco, CA (2004)
  21. Bloom, B.H.: Space/Time Trade-offs in Hash Coding with Allowable Errors. Communications of the ACM 13(7), 422–426 (1970)
  22. Naor, M., Yung, M.: Universal One-Way Hash Functions and their Cryptographic Applications. In: ACM Symposium on Theory of Computing, Seattle, WA (1989)
  23. Parekh, J.J., Wang, K., Stolfo, S.J.: Privacy-Preserving Payload-Based Correlation for Accurate Malicious Traffic Detection. In: Large-Scale Attack Detection, Workshop at SIGCOMM, Pisa, Italy (2006)
  24. Detristan, T., et al.: Polymorphic Shellcode Engine Using Spectrum Analysis. Phrack (2003), [cited March 28, 2006], available from: http://www.phrack.org/show.php?p=61&a=9
  25. Barreno, M., et al.: Can Machine Learning Be Secure? In: ASIACCS (2006)
  26. Cowan, C., et al.: StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. In: USENIX Security Symposium, San Antonio, TX (1998)
  27. Sidiroglou, S., et al.: Building a Reactive Immune System for Software Services. In: USENIX Annual Technical Conference, Anaheim, CA (2005)
  28. Sidiroglou, S., Giovanidis, G., Keromytis, A.D.: A Dynamic Mechanism for Recovering from Buffer Overflow Attacks. In: 8th Information Security Conference, Singapore (2005)
  29. Locasto, M.E., Wang, K., Keromytis, A.D., Stolfo, S.J.: FLIPS: Hybrid Adaptive Intrusion Prevention. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 82–101. Springer, Heidelberg (2006)
  30. Locasto, M.E., Burnside, M., Keromytis, A.D.: Bloodhound: Searching Out Malicious Input in Network Flows for Automatic Repair Validation. Technical report, Columbia University Department of Computer Science, New York, NY (2006)
  31. Kreibich, C., Crowcroft, J.: Honeycomb: Creating Intrusion Detection Signatures Using Honeypots. In: ACM Workshop on Hot Topics in Networks, Boston, MA (2003)
  32. Singh, S., et al.: The EarlyBird System for Real-Time Detection of Unknown Worms. In: ACM Workshop on Hot Topics in Networks, Boston, MA (2003)
  33. Kim, H.-A., Karp, B.: Autograph: Toward Automated, Distributed Worm Signature Detection. In: USENIX Security Symposium, San Diego, CA (2004)
  34. Wang, H.J., et al.: Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits. In: ACM SIGCOMM (2004)
  35. Liang, Z., Sekar, R.: Fast and Automated Generation of Attack Signatures: A Basis for Building Self-Protecting Servers. In: ACM Conference on Computer and Communications Security, Alexandria, VA (2005)
  36. K2: ADMmutate (2001), [cited March 29, 2006], available from: http://www.ktwo.ca/security.html
  37. Wagner, D., Dean, D.: Intrusion Detection via Static Analysis. In: IEEE Security and Privacy, Oakland, CA (2001)
  38. Wagner, D., Soto, P.: Mimicry Attacks on Host-Based Intrusion Detection Systems. In: ACM CCS (2002)
  39. Tan, K.M.C., Killourhy, K.S., Maxion, R.A.: Undermining an Anomaly-based Intrusion Detection System Using Common Exploits. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, p. 54. Springer, Heidelberg (2002)

Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Wang, K., Parekh, J.J., Stolfo, S.J. (2006). Anagram: A Content Anomaly Detector Resistant to Mimicry Attack. In: Zamboni, D., Kruegel, C. (eds) Recent Advances in Intrusion Detection. RAID 2006. Lecture Notes in Computer Science, vol 4219. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11856214_12

  • DOI: https://doi.org/10.1007/11856214_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-39723-6

  • Online ISBN: 978-3-540-39725-0