Abstract
In this paper, we present Anagram, a content anomaly detector that models a mixture of high-order n-grams (n > 1) designed to detect anomalous and “suspicious” network packet payloads. By using higher-order n-grams, Anagram can detect significant anomalous byte sequences and generate robust signatures of validated malicious packet content. The Anagram content models are implemented using highly efficient Bloom filters, reducing space requirements and enabling privacy-preserving cross-site correlation. The sensor models the distinct content flow of a network or host using a semi-supervised training regimen. Previously known exploits, extracted from the signatures of an IDS, are likewise modeled in a Bloom filter and are used during training as well as at detection time. We demonstrate that Anagram can identify anomalous traffic with high accuracy and low false positive rates. Anagram’s high-order n-gram analysis technique is also resilient against simple mimicry attacks that blend exploits with “normal” appearing byte padding, such as the blended polymorphic attack recently demonstrated in [1]. We discuss randomized n-gram models, which further raise the bar and make it more difficult for attackers to build precise packet structures to evade Anagram even if they know the distribution of the local site content flow. Finally, Anagram’s speed and high detection rate make it valuable not only as a standalone sensor, but also as a network anomaly flow classifier in an instrumented fault-tolerant host-based environment; this enables significant cost amortization and the possibility of a “symbiotic” feedback loop that can improve accuracy and reduce false positive rates over time.
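As an added illustration (not code from the paper), the following Python sketch shows the mechanism the abstract describes: byte n-grams of normal traffic stored in a Bloom filter, a second Bloom filter of n-grams taken from known-exploit signatures that is consulted during both training and detection, and a per-packet anomaly score. The scoring rule (fraction of n-grams unseen in training, with known-bad n-grams weighted extra), the filter parameters, and the sample traffic are assumptions constructed for this example, not the paper's own values.

```python
import hashlib
class BloomFilter:
    """Bloom filter over byte strings: m bits, k bit positions per item taken from SHA-256 slices."""
    def __init__(self, m_bits=1 << 16, k=3):
        self.m, self.k, self.bits = m_bits, k, bytearray(m_bits // 8)
    def _positions(self, item):
        d = hashlib.sha256(item).digest()
        return [int.from_bytes(d[4 * i:4 * i + 4], "big") % self.m for i in range(self.k)]
    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)
    def __contains__(self, item):  # may give a false positive, never a false negative
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

def ngrams(payload, n):  # all overlapping byte n-grams of a payload
    return (payload[i:i + n] for i in range(len(payload) - n + 1))

class Anagram:
    """Anagram-style detector: one filter of normal n-grams, one of n-grams from known-bad signatures."""
    def __init__(self, n=5):
        self.n, self.normal, self.bad = n, BloomFilter(), BloomFilter()
    def add_known_bad(self, signature):
        for g in ngrams(signature, self.n):
            self.bad.add(g)
    def train(self, payload):
        # Semi-supervised training (assumed rule): n-grams found in the bad filter are not learned as normal.
        for g in ngrams(payload, self.n):
            if g not in self.bad:
                self.normal.add(g)
    def score(self, payload, bad_weight=5.0):
        # Anomaly score (assumed rule): fraction of n-grams unseen in training; known-bad n-grams weigh extra.
        total = unseen = 0
        for g in ngrams(payload, self.n):
            total += 1
            if g not in self.normal:
                unseen += bad_weight if g in self.bad else 1
        return unseen / total if total else 0.0

# Constructed sample data (not from the paper): two normal HTTP requests and one placeholder IDS signature.
NORMAL = [b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
          b"POST /login HTTP/1.1\r\nHost: example.com\r\n\r\nuser=alice&pass=secret1"]
KNOWN_BAD = b"KNOWN-BAD-SIGNATURE-PLACEHOLDER"
def build_detector(n=5):
    det = Anagram(n)
    det.add_known_bad(KNOWN_BAD)
    for p in NORMAL:
        det.train(p)
    return det
```

A replay of trained traffic scores 0, a payload sharing no 5-grams with training scores close to 1, and a payload made of known-bad n-grams scores above 1 because of the extra weight.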
This work has been partially supported by a grant with the Army Research Office, No. DA W911NF-04-1-0442.
References
Kolesnikov, O., Dagon, D., Lee, W.: Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic. In: USENIX Security Symposium, Vancouver, BC, Canada (2006)
Moore, D., et al.: Internet Quarantine: Requirements for Containing Self-Propagating Code. In: INFOCOM (2003)
Staniford-Chen, S., Paxson, V., Weaver, N.: How to 0wn the Internet in Your Spare Time. In: USENIX Security (2002)
Christodorescu, M., Jha, S.: Static Analysis of Executables to Detect Malicious Patterns. In: USENIX Security Symposium, Washington, D.C. (2003)
Vargiya, R., Chan, P.: Boundary Detection in Tokenizing Network Application Payload for Anomaly Detection. In: ICDM Workshop on Data Mining for Computer Security (DMSEC), Melbourne, FL (2003)
Kruegel, C., et al.: Polymorphic Worm Detection Using Structural Information of Executables. In: Symposium on Recent Advances in Intrusion Detection, Seattle, WA (2005)
Sekar, R., et al.: Specification-based Anomaly Detection: A New Approach for Detecting Network Intrusions. In: ACM Conference on Computer and Communications Security, Washington, D.C (2002)
Kruegel, C., Toth, T., Kirda, E.: Service Specific Anomaly Detection for Network Intrusion Detection. In: Symposium on Applied Computing (SAC), Madrid, Spain (2002)
Wang, X., et al.: SigFree: A Signature-free Buffer Overflow Attack Blocker. In: USENIX Security, Boston, MA (2006)
Wang, K., Stolfo, S.J.: Anomalous payload-based network intrusion detection. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 203–222. Springer, Heidelberg (2004)
Wang, K., Cretu, G., Stolfo, S.J.: Anomalous payload-based worm detection and signature generation. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 227–246. Springer, Heidelberg (2006)
SourceFire Inc.: Snort rulesets (2006), [cited April 4, 2006], Available from: http://www.snort.org/pub-bin/downloads.cgi
Locasto, M.E., Sidiroglou, S., Keromytis, A.D.: Application Communities: Using Monoculture for Dependability. In: HotDep (2005)
Locasto, M.E., Sidiroglou, S., Keromytis, A.D.: Software Self-Healing Using Collaborative Application Communities. In: Internet Society (ISOC) Symposium on Network and Distributed Systems Security, San Diego, CA (2006)
Marceau, C.: Characterizing the Behavior of a Program Using Multiple-Length N-grams. In: New Security Paradigms Workshop, Cork, Ireland (2000)
Forrest, S., et al.: A Sense of Self for Unix Processes. In: IEEE Symposium on Security and Privacy (1996)
Tan, K.M.C., Maxion, R.A.: Why 6? Defining the Operational Limits of stide, an Anomaly-Based Intrusion Detector. In: IEEE Symposium on Security and Privacy, Berkeley, CA (2002)
Crandall, J.R., et al.: On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic and Metamorphic Worm Exploits. In: ACM Conference on Computer and Communications Security, Alexandria, VA (2005)
Newsome, J., Karp, B., Song, D.: Polygraph: Automatically Generating Signatures for Polymorphic Worms. IEEE Security and Privacy, Oakland, CA (2005)
Singh, S., et al.: Automated Worm Fingerprinting. In: 6th Symposium on Operating Systems Design and Implementation (OSDI 2004), San Francisco, CA (2004)
Bloom, B.H.: Space/time trade-offs in Hash Coding with Allowable Errors. Communications of the ACM 13(7), 422–426 (1970)
Naor, M., Yung, M.: Universal One-Way Hash Functions and their Cryptographic Applications. In: ACM Symposium on Theory of Computing, Seattle, WA (1989)
Parekh, J.J., Wang, K., Stolfo, S.J.: Privacy-Preserving Payload-Based Correlation for Accurate Malicious Traffic Detection. In: Large-Scale Attack Detection, Workshop at SIGCOMM, Pisa, Italy (2006)
Detristan, T., et al.: Polymorphic Shellcode Engine Using Spectrum Analysis. Phrack (2003), [cited March 28, 2006], Available from: http://www.phrack.org/show.php?p=61&a=9
Barreno, M., et al.: Can Machine Learning Be Secure? In: ASIACCS (2006)
Cowan, C., et al.: StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. In: USENIX Security Symposium, San Antonio, TX (1998)
Sidiroglou, S., et al.: Building a Reactive Immune System for Software Services. In: USENIX, Anaheim, CA (2005)
Sidiroglou, S., Giovanidis, G., Keromytis, A.D.: A Dynamic Mechanism for Recovering from Buffer Overflow Attacks. In: 8th Information Security Conference, Singapore (2005)
Locasto, M.E., Wang, K., Keromytis, A.D., Stolfo, S.J.: FLIPS: Hybrid adaptive intrusion prevention. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 82–101. Springer, Heidelberg (2006)
Locasto, M.E., Burnside, M., Keromytis, A.D.: Bloodhound: Searching Out Malicious Input in Network Flows for Automatic Repair Validation. Columbia University Department of Computer Science, New York, NY (2006)
Kreibich, C., Crowcroft, J.: Honeycomb - Creating Intrusion Detection Signatures Using Honeypots. In: ACM Workshop on Hot Topics in Networks, Boston, MA (2003)
Singh, S., et al.: The EarlyBird System for Real-Time Detection of Unknown Worms. In: ACM Workshop on Hot Topics in Networks, Boston, MA (2003)
Kim, H.-A., Karp, B.: Autograph: Toward Automated, Distributed Worm Signature Detection. In: USENIX Security Symposium, San Diego, CA (2004)
Wang, H.J., et al.: Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits. In: ACM SIGCOMM (2004)
Liang, Z., Sekar, R.: Fast and Automated Generation of Attack Signatures: A Basis for Building Self-Protecting Servers. In: ACM Conference on Computer and Communications Security, Alexandria, VA (2005)
K2: ADMmutate (2001), [cited March 29, 2006], Available from: http://www.ktwo.ca/security.html
Wagner, D., Dean, D.: Intrusion Detection via Static Analysis. IEEE Security and Privacy, Oakland, CA (2001)
Wagner, D., Soto, P.: Mimicry Attacks on Host-Based Intrusion Detection Systems. In: ACM CCS (2002)
Tan, K.M.C., Killourhy, K.S., Maxion, R.A.: Undermining an anomaly-based intrusion detection system using common exploits. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, p. 54. Springer, Heidelberg (2002)
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Wang, K., Parekh, J.J., Stolfo, S.J. (2006). Anagram: A Content Anomaly Detector Resistant to Mimicry Attack. In: Zamboni, D., Kruegel, C. (eds) Recent Advances in Intrusion Detection. RAID 2006. Lecture Notes in Computer Science, vol 4219. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11856214_12
DOI: https://doi.org/10.1007/11856214_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-39723-6
Online ISBN: 978-3-540-39725-0
eBook Packages: Computer Science (R0)