Autograph: Toward Automated, Distributed Worm Signature Detection
Brad Karp
Today's Internet intrusion detection systems (IDSes) monitor edge
networks' DMZs to identify and/or filter malicious flows. While an IDS
helps protect the hosts on its local edge network from compromise and
denial of service, it cannot alone effectively intervene to halt and
reverse the spreading of novel Internet worms. Generation of the worm
signatures required by an IDS--the byte patterns sought in monitored
traffic to identify worms--today entails non-trivial human labor, and
thus significant delay: as network operators detect anomalous
behavior, they communicate with one another and manually study packet
traces to produce a worm signature. Yet intervention must occur early
in an epidemic to halt a worm's spread. In this paper, we describe
Autograph, a system that automatically generates signatures for novel
Internet worms that propagate using TCP transport. Autograph generates
signatures by analyzing the prevalence of portions of flow payloads,
and thus uses no knowledge of protocol semantics above the TCP
level. It is designed to produce signatures that exhibit high
sensitivity (high true positives) and high specificity (low false
positives); our evaluation of the system on real DMZ traces validates
that it achieves these goals. We extend Autograph to share port scan
reports among distributed monitor instances, and using trace-driven
simulation, demonstrate the value of this technique in speeding the
generation of signatures for novel worms. Our results elucidate the
fundamental trade-off between early generation of signatures for novel
worms and the specificity of these generated signatures.
http://www.usenix.org/events/sec04/tech/kim.html
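The content-prevalence idea the abstract describes, as an added worked example (this is not the paper's or Autograph's own code). Suspicious TCP flow payloads are cut into variable-length content blocks at content-defined boundaries, blocks are counted across flows, and the most prevalent blocks become signatures; sensitivity and false-positive rate are then measured against held-out worm instances and benign traffic. Autograph itself partitions with Rabin fingerprints and has its own parameters and heuristics; the polynomial fingerprint, the `WINDOW`/`BREAK_MOD`/`MIN_BLOCK` values, the greedy selection rule, the `min_flows` threshold and all sample traffic below are this example's own assumptions and constructed data.

```python
"""Content-prevalence signature generation in the spirit of Autograph (added example)."""
from collections import Counter

WINDOW = 4           # bytes fingerprinted to decide a block boundary (assumption)
BREAK_MOD = 8        # boundary where fingerprint % BREAK_MOD == 0, ~1/8 of positions
MIN_BLOCK = 8        # blocks shorter than this are too unspecific to be signatures
P, M = 257, 1000003  # polynomial fingerprint parameters (assumption, not Rabin's)


def fingerprint(window: bytes) -> int:
    """Polynomial fingerprint of a byte window (simple stand-in for a Rabin fingerprint)."""
    h = 0
    for b in window:
        h = (h * P + b) % M
    return h


def content_blocks(payload: bytes) -> list[bytes]:
    """Split a payload into content blocks at content-defined boundaries.

    A boundary follows any position whose trailing WINDOW bytes fingerprint
    to a multiple of BREAK_MOD. The decision depends only on local content,
    so a byte region shared by many flows is cut at the same offsets in every
    flow no matter what precedes it; the blocks inside that region are
    therefore byte-identical across flows and can be counted directly.
    """
    blocks, start = [], 0
    for i in range(WINDOW - 1, len(payload)):
        if fingerprint(payload[i - WINDOW + 1:i + 1]) % BREAK_MOD == 0:
            blocks.append(payload[start:i + 1])
            start = i + 1
    if start < len(payload):
        blocks.append(payload[start:])
    return blocks


def generate_signatures(suspicious: list[bytes], min_flows: int) -> list[bytes]:
    """Greedily select prevalent content blocks from a pool of suspicious flows.

    Each round emits the block present in the most flows (ties: longest) as a
    signature and drops every flow it matches, until no remaining block occurs
    in at least min_flows flows. A lower min_flows yields signatures from
    fewer observed flows (earlier in an epidemic) at the cost of specificity.
    """
    pool = [(f, {b for b in content_blocks(f) if len(b) >= MIN_BLOCK}) for f in suspicious]
    sigs = []
    while pool:
        counts = Counter(b for _, blocks in pool for b in blocks)
        if not counts:
            break
        block, n = max(counts.items(), key=lambda kv: (kv[1], len(kv[0])))
        if n < min_flows:
            break
        sigs.append(block)
        pool = [(f, blocks) for f, blocks in pool if block not in f]
    return sigs


def evaluate(sigs: list[bytes], worm_flows: list[bytes], benign_flows: list[bytes]):
    """Return (sensitivity, false-positive rate) of a signature set over two flow sets."""
    hit = lambda f: any(s in f for s in sigs)
    return (sum(map(hit, worm_flows)) / len(worm_flows),
            sum(map(hit, benign_flows)) / len(benign_flows))


# --- Constructed sample traffic (synthetic; not from the paper's DMZ traces) ---
# Invariant exploit region shared by every worm instance. Every other byte has
# the high bit set, so no 8-byte substring of it can occur in plain-ASCII benign
# requests; this keeps the false-positive outcome below unambiguous.
INVARIANT = bytes(((7 * i * i + 37 * i + 11) % 128) | (0x80 if i % 2 else 0)
                  for i in range(256))


def worm_flow(tag: int) -> bytes:
    """One worm instance: per-flow varying padding around the invariant region."""
    pre = bytes([0x41 + tag]) * (6 + tag)       # 'A'*6, 'B'*7, ... (differs per flow)
    post = bytes([0x61 + tag]) * (5 + 2 * tag)  # 'a'*5, 'b'*7, ...
    return pre + INVARIANT + post


COMMON_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"User-Agent: Mozilla/4.0 (compatible)\r\nAccept: */*\r\n"
                  b"Accept-Language: en\r\nConnection: keep-alive\r\n\r\n")
BENIGN = [
    COMMON_REQUEST,
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 27\r\n\r\n"
    b"user=alice&password=hunter2",
    b"GET /search?q=autograph HTTP/1.0\r\n\r\n",
]
# Pool flagged by a port-scan heuristic: five worm instances plus two identical
# benign requests from a client that merely looked like a scanner.
SUSPICIOUS = [worm_flow(t) for t in range(5)] + [COMMON_REQUEST, COMMON_REQUEST]
HELD_OUT_WORMS = [worm_flow(5), worm_flow(6)]  # instances not in the pool

if __name__ == "__main__":
    for min_flows in (3, 2):
        sigs = generate_signatures(SUSPICIOUS, min_flows)
        print(min_flows, len(sigs), evaluate(sigs, HELD_OUT_WORMS, BENIGN))
```

With `min_flows=3` the only block prevalent enough lies inside the invariant region, so the single signature catches the held-out worm instances with no false positives; with `min_flows=2` the generator also emits a block shared by the two misclassified benign requests, which then matches legitimate traffic. That is the trade-off the abstract points at: accepting signatures from fewer flows gets them out earlier, but lets content common to misclassified benign flows through as a signature.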