
2012 | Book

Research in Attacks, Intrusions, and Defenses

15th International Symposium, RAID 2012, Amsterdam, The Netherlands, September 12-14, 2012. Proceedings

Edited by: Davide Balzarotti, Salvatore J. Stolfo, Marco Cova

Publisher: Springer Berlin Heidelberg

Book series: Lecture Notes in Computer Science


About this book

This book constitutes the proceedings of the 15th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2012), formerly Recent Advances in Intrusion Detection, held in Amsterdam, The Netherlands, in September 2012. The 18 full and 12 poster papers presented were carefully reviewed and selected from 84 submissions. The papers address all current topics in virtualization, attacks and defenses, host and network security, fraud detection and the underground economy, web security, and intrusion detection.

Table of contents

Frontmatter

Virtualization

Trusted VM Snapshots in Untrusted Cloud Infrastructures
Abstract
A cloud customer’s inability to verifiably trust an infrastructure provider with the security of its data inhibits adoption of cloud computing. Customers could establish trust with secure runtime integrity measurements of their virtual machines (VMs). The runtime state of a VM, captured via a snapshot, is used for integrity measurement, migration, malware detection, correctness validation, and other purposes. However, commodity virtualized environments operate the snapshot service from a privileged VM. In public cloud environments, a compromised privileged VM or its potentially malicious administrators can easily subvert the integrity of a customer VM’s snapshot. To this end, we present HyperShot, a hypervisor-based system that captures VM snapshots whose integrity cannot be compromised by a rogue privileged VM or its administrators. HyperShot additionally generates trusted snapshots of the privileged VM itself, thus contributing to the increased security and trustworthiness of the entire cloud infrastructure.
Abhinav Srivastava, Himanshu Raj, Jonathon Giffin, Paul England
Secure and Robust Monitoring of Virtual Machines through Guest-Assisted Introspection
Abstract
Current monitoring solutions for virtual machines do not incorporate both security and robustness. Out-of-guest applications achieve security by using virtual machine introspection and not relying on in-guest components, but do not achieve robustness due to the semantic gap. In-guest applications achieve robustness by utilizing guest OS code for monitoring, but not security, since an attacker can tamper with this code and the application itself. In this paper we propose SYRINGE, a secure and robust infrastructure for monitoring virtual machines. SYRINGE protects the monitoring application by placing it in a separate virtual machine (as with the out-of-guest approach) but at the same time allowing it to invoke guest functions (as with the in-guest approach), using a technique known as function-call injection. SYRINGE verifies the secure execution of the invoked guest OS code by using another technique, localized shepherding. The combination of these two techniques allows SYRINGE to incorporate the best of out-of-guest monitoring with that of in-guest monitoring. We implemented a prototype of SYRINGE as a Linux application to monitor a guest running Windows XP and have evaluated its performance and security. We also implemented a monitoring application built on top of SYRINGE to demonstrate its usefulness. Our results show that for a calling period of 1 second, the performance overhead created in the guest by this application is 8%.
Martim Carbone, Matthew Conover, Bruce Montague, Wenke Lee
Assessing the Trustworthiness of Drivers
Abstract
Drivers, especially third-party drivers, could contain malicious code (e.g., logic bombs) or carefully designed-in vulnerabilities. Generally, it is extremely difficult for static analysis to identify such code and vulnerabilities. Without knowing the exact triggers that cause the execution/exploitation of this code/these vulnerabilities, dynamic taint analysis cannot help either. In this paper, we propose a novel cross-brand comparison approach to assess drivers in a honeypot or testing environment. Through hardware virtualization, we design and deploy replicas based on diverse drivers to compare the runtime behaviour of drivers developed by different vendors. Whenever the malicious code is executed or a vulnerability is exploited, our analysis can capture evidence of malicious driver behaviour through comparison and difference telling. Evaluation shows that it can faithfully reveal various kernel integrity/confidentiality manipulation and resource starvation attacks launched by compromised drivers, and thus assess the trustworthiness of the evaluated drivers.
Shengzhi Zhang, Peng Liu

Attacks and Defenses

Industrial Espionage and Targeted Attacks: Understanding the Characteristics of an Escalating Threat
Abstract
Recent high-profile attacks against governments and large industry demonstrate that malware can be used for effective industrial espionage. Most previous incident reports have focused on describing the anatomy of specific incidents and data breaches. In this paper, we provide an in-depth analysis of a large corpus of targeted attacks identified by Symantec during the year 2011. Using advanced triage data analytics, we are able to attribute series of targeted attacks to attack campaigns quite likely performed by the same individuals. By analyzing the characteristics and dynamics of those campaigns, we provide new insights into the modus operandi of attackers involved in those campaigns. Finally, we evaluate the prevalence and sophistication level of those targeted attacks by analyzing the malicious attachments used as droppers. While a majority of the observed attacks rely mostly on social engineering, have a low level of malware sophistication and use little obfuscation, our malware analysis also shows that at least eight attack campaigns started about two weeks before the disclosure date of the exploited vulnerabilities, and therefore were probably using zero-day attacks at that time.
Olivier Thonnard, Leyla Bilge, Gavin O’Gorman, Seán Kiernan, Martin Lee
Memory Errors: The Past, the Present, and the Future
Abstract
Memory error exploitations have been around for over 25 years and still rank among the top 3 most dangerous software errors. Why haven’t we been able to stop them? Given the host of security measures on modern machines, are we less vulnerable than before, and can we expect to eradicate memory error problems in the near future? In this paper, we present a quarter century worth of memory errors: attacks, defenses, and statistics. A historical overview provides insights into past trends and developments, while an investigation of real-world vulnerabilities and exploits allows us to answer questions on the significance of memory errors in the foreseeable future.
Victor van der Veen, Nitish dutt-Sharma, Lorenzo Cavallaro, Herbert Bos
A Memory Access Validation Scheme against Payload Injection Attacks
Abstract
The authenticity of a piece of data or an instruction is crucial in mitigating threats from various forms of software attacks. In spite of various features against malicious attacks exploiting spurious data, adversaries have been successful in circumventing such protections. This paper proposes a memory access validation scheme that manages information on spurious data at the granularity of cache line size. A validation unit based on the proposed scheme answers queries from other components in the processor so that spurious data can be blocked before control flow diversion. We describe the design of this validation unit as well as its integration into the memory hierarchy of a modern processor and assess its memory requirement and performance impact with two simulators. The experimental results show that our scheme is able to detect the synthesized payload injection attacks and to manage taint information with moderate memory overhead under acceptable performance impact.
Dongkyun Ahn, Gyungho Lee

Host and Network Security

Dione: A Flexible Disk Monitoring and Analysis Framework
Abstract
The proliferation of malware in recent years has motivated the need for tools to detect, analyze, and understand intrusions. Though analysis and detection can be difficult, malware fortunately leaves artifacts of its presence on disk. In this paper, we present Dione, a flexible policy-based disk I/O monitoring and analysis infrastructure that can be used to analyze and understand malware behavior. Dione interposes between a system-under-analysis and its hard disk, intercepting disk accesses and reconstructing a high-level semantic view of the disk and all operations on it. Since Dione resides outside the host it is analyzing, it is resilient to attacks and misdirections by malware that attempts to mislead or hide from analyzers. By performing on-the-fly reconstruction of every operation, Dione maintains a ground truth of the state of the file system which is always up-to-date—even as new files are created, deleted, moved, or altered.
Dione is the first disk monitoring infrastructure to provide rich, up-to-date, low-level monitoring and analysis for NTFS: the notoriously complex, closed-source file system used by modern Microsoft Windows computing systems. By comparing a snapshot obtained by Dione’s live-updating capability to a static disk scan, we demonstrate that Dione provides 100% accuracy in reconstructing file system operations. Despite this powerful instrumentation capability, Dione has a minimal effect on the performance of the system. For most tests, Dione results in a performance overhead of less than 10%—in many cases less than 3%—even when processing complex sequences of file system operations.
Jennifer Mankin, David Kaeli
AK-PPM: An Authenticated Packet Attribution Scheme for Mobile Ad Hoc Networks
Abstract
Packet traceback in mobile ad hoc networks (MANETs) is a technique for identifying the source and intermediaries of a packet forwarding path. While many IP traceback techniques have been introduced for packet attribution in the Internet, they are not directly applicable in MANETs due to unique challenges of MANET environments.
In this work, we make the first effort to quantitatively analyze the impacts of node mobility, attack packet rate, and path length on the traceability of two types of well-known IP traceback schemes: probabilistic packet marking (PPM) and hash-based logging. We then present the design of an authenticated K-sized Probabilistic Packet Marking (AK-PPM) scheme, which not only improves the effectiveness of source traceback in the MANET environment, but also provides authentication for forwarding paths. We prove that AK-PPM can achieve asymptotically one-hop precise, and present the performance measurement of AK-PPM in MANETs with both analytical models and simulations.
Zhi Xu, Hungyuan Hsu, Xin Chen, Sencun Zhu, Ali R. Hurson

Fraud Detection and Underground Economy

Paying for Piracy? An Analysis of One-Click Hosters’ Controversial Reward Schemes
Abstract
One-Click Hosters (OCHs) such as Rapidshare and the now defunct Megaupload are popular services where users can upload and store large files. Uploaders can then share the files with friends or make them publicly available by publishing the download links in separate directories, so-called direct download or streaming sites. While OCHs have legitimate use cases, they are also frequently used to distribute pirated content. Many OCHs operate affiliate programmes to financially reward the uploaders of popular files. These affiliate programmes are controversial for allegedly financing piracy, and they were prominently cited in the criminal indictment that led to the shutdown of Megaupload, once among the world’s 100 largest web sites. In this paper, we provide insights into how much money uploaders of pirated content could earn on a range of direct download and streaming sites. While the potential earnings of a few uploaders are non-negligible, for most uploaders these amounts are so low that they cannot rationally explain profit-oriented behaviour.
Tobias Lauinger, Engin Kirda, Pietro Michiardi
Proactive Discovery of Phishing Related Domain Names
Abstract
Phishing is an important security issue for the Internet, with a significant economic impact. The main solution to counteract this threat is currently reactive blacklisting; however, as phishing attacks are mainly performed over short periods of time, reactive methods are too slow. As a result, new approaches to identify malicious websites early are needed. In this paper a new proactive discovery method for phishing-related domain names is introduced. We mainly focus on the automated detection of possible domain registrations for malicious activities. We leverage techniques coming from natural language modelling in order to build pro-active blacklists. The entries in this list are built using language models and vocabularies encountered in phishing-related activities (“secure”, “banking”, brand names, etc.). Once a pro-active blacklist is created, ongoing and daily monitoring of only these domains can lead to the efficient detection of phishing web sites.
Samuel Marchal, Jérôme François, Radu State, Thomas Engel
Evaluating Electricity Theft Detectors in Smart Grid Networks
Abstract
Electricity theft is estimated to cost billions of dollars per year in many countries. To reduce electricity theft, electric utilities are leveraging data collected by the new Advanced Metering Infrastructure (AMI) and using data analytics to identify abnormal consumption trends and possible fraud. In this paper, we propose the first threat model for the use of data analytics in detecting electricity theft, and a new metric that leverages this threat model in order to evaluate and compare anomaly detectors. We use real data from an AMI system to validate our approach.
Daisuke Mashima, Alvaro A. Cárdenas

Web Security

PoisonAmplifier: A Guided Approach of Discovering Compromised Websites through Reversing Search Poisoning Attacks
Abstract
Through injecting dynamic script codes into compromised websites, attackers have widely launched search poisoning attacks to achieve their malicious goals, such as spreading spam or scams, distributing malware and launching drive-by download attacks. While most current related work focuses on measuring or detecting specific search poisoning attacks in the crawled dataset, it is also meaningful to design an effective approach to find more compromised websites on the Internet that have been utilized by attackers to launch search poisoning attacks, because those compromised websites essentially become an important component in the search poisoning attack chain.
In this paper, we present an active and efficient approach, named PoisonAmplifier, to find compromised websites through tracking down search poisoning attacks. Particularly, starting from a small seed set of known compromised websites that are utilized to launch search poisoning attacks, PoisonAmplifier can recursively find more compromised websites by analyzing poisoned webpages’ special terms and links, and exploring compromised web sites’ vulnerabilities. Through our one-month evaluation, PoisonAmplifier can quickly collect around 75K unique compromised websites by starting from 252 verified compromised websites within the first 7 days, and continues to find 827 new compromised websites on a daily basis thereafter.
Jialong Zhang, Chao Yang, Zhaoyan Xu, Guofei Gu
DEMACRO: Defense against Malicious Cross-Domain Requests
Abstract
In the constant evolution of the Web, the simple always gives way to the more complex. Static webpages with click-through dialogues are becoming more and more obsolete and in their place, asynchronous JavaScript requests, Web mash-ups and proprietary plug-ins with the ability to conduct cross-domain requests shape the modern user experience. Three recent studies showed that a significant number of Web applications implement poor cross-domain policies allowing malicious domains to embed Flash and Silverlight applets which can conduct arbitrary requests to these Web applications under the identity of the visiting user. In this paper, we confirm the findings of the aforementioned studies and we design DEMACRO, a client-side defense mechanism which detects potentially malicious cross-domain requests and de-authenticates them by removing existing session credentials. Our system requires no training or user interaction and imposes minimal performance overhead on the user’s browser.
Sebastian Lekies, Nick Nikiforakis, Walter Tighzert, Frank Piessens, Martin Johns
FlashDetect: ActionScript 3 Malware Detection
Abstract
Adobe Flash is present on nearly every PC, and it is increasingly being targeted by malware authors. Despite this, research into methods for detecting malicious Flash files has been limited. Similarly, there is very little documentation available about the techniques commonly used by Flash malware. Instead, most research has focused on JavaScript malware.
This paper discusses common techniques such as heap spraying, JIT spraying, and type confusion exploitation in the context of Flash malware. Where applicable, these techniques are compared to those used in malicious JavaScript. Subsequently, FlashDetect is presented, an offline Flash file analyzer that uses both dynamic and static analysis, and that can detect malicious Flash files using ActionScript 3. FlashDetect classifies submitted files using a naive Bayesian classifier based on a set of predefined features. Our experiments show that FlashDetect has high classification accuracy, and that its efficacy is comparable with that of commercial anti-virus products.
Timon Van Overveldt, Christopher Kruegel, Giovanni Vigna

Intrusion Detection

ALERT-ID: Analyze Logs of the Network Element in Real Time for Intrusion Detection
Abstract
The security of the networking infrastructure (e.g., routers and switches) in large scale enterprise or Internet service provider (ISP) networks is mainly achieved through mechanisms such as access control lists (ACLs) at the edge of the network and deployment of centralized AAA (authentication, authorization and accounting) systems governing all access to network devices. However, a misconfigured edge router or a compromised user account may put the entire network at risk. In this paper, we propose enhancing existing security measures with an intrusion detection system overseeing all network management activities. We analyze device access logs collected via the AAA system, particularly TACACS+, in a global tier-1 ISP network and extract features that can be used to distinguish normal operational activities from rogue/anomalous ones. Based on our analyses, we develop a real-time intrusion detection system that constructs normal behavior models with respect to device access patterns and the configuration and control activities of individual accounts from their long-term historical logs and alerts in real-time when usage deviates from the models. Our evaluation shows that this system effectively identifies potential intrusions and misuses with an acceptable level of overall alarm rate.
Jie Chu, Zihui Ge, Richard Huber, Ping Ji, Jennifer Yates, Yung-Chao Yu
A Lone Wolf No More: Supporting Network Intrusion Detection with Real-Time Intelligence
Abstract
For network intrusion detection systems it is becoming increasingly difficult to reliably report today’s complex attacks without having external context at hand. Unfortunately, however, today’s IDS cannot readily integrate intelligence, such as dynamic blacklists, into their operation. In this work, we introduce a fundamentally new capability into IDS processing that vastly broadens a system’s view beyond what is visible directly on the wire. We present a novel Input Framework that integrates external information in real-time into the IDS decision process, independent of specific types of data, sources, and desired analyses. We implement our design on top of an open-source IDS, and we report initial experiences from real-world deployment in a large-scale network environment. To ensure that our system meets operational constraints, we further evaluate its technical characteristics in terms of the intelligence volume it can handle under realistic workloads, and the latency with which real-time updates become available to the IDS analysis engine. The implementation is freely available as open-source software.
Johanna Amann, Robin Sommer, Aashish Sharma, Seth Hall
GPP-Grep: High-Speed Regular Expression Processing Engine on General Purpose Processors
Abstract
Deep Packet Inspection (DPI) serves as a major tool for Network Intrusion Detection Systems (NIDS) for matching datagram payloads to a set of known patterns that indicate suspicious or malicious behavior. Regular expressions offer rich context for describing these patterns. Unfortunately, large rule sets containing thousands of patterns coupled with high link-speeds leave most regular expression matching methods incapable of matching at real-time without specialized hardware.
We present GPP-grep, an NFA-based regular expression processing engine designed for maximum performance on General Purpose Processors. The primary contribution of GPP-grep is the utilization of the data-level parallelism available in modern CPUs to reduce the overhead incurred when tracking multiple states in an NFA. In essence, we build and store the NFA in an architecture-friendly manner that exploits locality and then traverse the NFA maximizing the parallelism available and minimizing cache misses and long-latency memory lookups. GPP-grep demonstrates a 24–57× improvement in throughput over standard finite automata techniques on a set of up to 1200 regular expressions culled from the NIDS Snort, and is within 1.3× of FPGA hardware-based techniques. GPP-grep achieves 2 Gbps throughput on a dual-socket commodity CPU system, allowing for line-speed evaluation on commodity hardware.
Victor C. Valgenti, Jatin Chhugani, Yan Sun, Nadathur Satish, Min Sik Kim, Changkyu Kim, Pradeep Dubey
N-Gram against the Machine: On the Feasibility of the N-Gram Network Analysis for Binary Protocols
Abstract
In recent years we have witnessed several complex and high-impact attacks specifically targeting “binary” protocols (RPC, Samba and, more recently, RDP). These attacks could not be detected by current – signature-based – detection solutions, while – at least in theory – they could be detected by state-of-the-art anomaly-based systems. This raises once again the still unanswered question of how effective anomaly-based systems are in practice. To contribute to answering this question, in this paper we investigate the effectiveness of a widely studied category of network intrusion detection systems: anomaly-based algorithms using n-gram analysis for payload inspection. Specifically, we present a thorough analysis and evaluation of several detection algorithms using variants of n-gram analysis on real-life environments. Our tests show that the analyzed systems, in presence of data with high variability, cannot deliver high detection and low false positive rates at the same time.
Dina Hadžiosmanović, Lorenzo Simionato, Damiano Bolzoni, Emmanuele Zambon, Sandro Etalle

Poster Abstracts

Online Social Networks, a Criminals Multipurpose Toolbox (Poster Abstract)
Abstract
Text Updates and Photo Uploads. Textual updates similar to the ones shown in Table 1 can provide criminals with incentives. 154000 users on Facebook have publicly expressed the possession of a diamond while 2190 expressed losing their keys at a certain place. Any overlap between the two sets, within the geographical reach of the criminal, could give them easy access to a valuable item. Table 1 contains limited publicly shared results. A criminal may widen their search by embedding support for their local languages and using a larger set of phrases. Similarly, uploading a photo of valuable items on social networks can also incentivize crime. Moreover, sleeping and drinking patterns identified from uploads can help criminals in planning their crime execution hours.
Shah Mahmood, Yvo Desmedt
The Triple-Channel Model: Toward Robust and Efficient Advanced Botnets (Poster Abstract)
Abstract
Botnet robustness and efficiency are two contradictory features from a general point of view. To achieve them simultaneously, we design a command and control (C&C) channel division scheme and then propose a Botnet Triple-channel Model (BTM). BTM divides a C&C channel into three independent sub-channels, denoted as Command Download Channel, Registration Channel and Data Upload Channel, respectively. Botnets based on BTM promise to be as robust as P2P botnets and as efficient as centralized botnets.
Cui Xiang, Shi Jinqiao, Liao Peng, Liu Chaoge
Network Security Analysis Method Taking into Account the Usage Information (Poster Abstract)
Abstract
Existing network security analysis methods, such as using tools like attack graphs or attack trees to compute risk probabilities, do not consider the concrete running environment of the target network, which may make the obtained results deviate from the true situation. In this paper, we propose a network security analysis method that takes into account the usage information of the target network. We design usage sensors in each host to get the usage information in the network. Combined with an attack graph generation tool, which collects all the vulnerabilities in the network in graph form, we evaluate the network using both the usage information and the vulnerability information, and get more accurate evaluation results.
Wu Jinyu, Yin Lihua, Fang Binxing
Automatic Covert Channel Detection in Asbestos System (Poster Abstract)
Abstract
The detection of covert channels in an information flow model is a practical problem in determining whether the security guarantees of the operating system have been achieved. The Asbestos system is a typical information confidentiality protection system. This poster introduces a formal approach to automatically detect covert channels in Asbestos systems. The approach innovatively generalizes a CSP (Communicating Sequential Processes) based formal description of the Asbestos system and utilizes Ray’s noninterference equivalence in the detection of covert channels. The covert channels are automatically detected by employing the CSP-based model checking tool FDR2.
Shuyuan Jin, Zhi Yang, Xiang Cui
EFA for Efficient Regular Expression Matching in NIDS (Poster Abstract)
Abstract
Regular Expression (RegEx) matching has been widely used in many network security systems. Despite much effort on this important problem, it remains a fundamentally difficult problem. DFA-based solutions are efficient in time but inefficient in memory, while NFA-based solutions are memory-efficient but time-inefficient. This poster provides a new solution named EFA (Excl-deterministic Finite Automata) to address the problem by excluding cancerogenic states from active state sets. The cancerogenic states are identified based on conflict relations. We make an evaluation of EFA with real RegExes and traffic traces. Experimental results show that EFA can dramatically reduce DFA state size at the cost of limited matching performance.
Dengke Qiao, Tingwen Liu, Yong Sun, Li Guo
Distress Detection (Poster Abstract)
Abstract
Web attacks are a major security concern as novel attacks can be easily created by exploiting different vulnerabilities, using different attack payloads, and/or encodings (obfuscation). Intrusion detection systems (IDS) aim to correctly detect attacks. There are two main approaches to intrusion detection: misuse and anomaly detection. Despite the difference in approach, they both fail to offer adequate resilience to novel attacks due to the difficulty in generalizing beyond known attack or normal behavior [1].
Mark Vella, Sotirios Terzis, Marc Roper
Trie Data Structure to Compare Traffic Payload in a Supervised Anomaly Detection System (Poster Abstract)
Abstract
Through an Anomaly Detection System, unknown attacks could be detected using a model of normal network behavior to distinguish between usual and unusual activities. Collecting representative data of normal activity and properly training the system are the deciding factors in a Supervised Intrusion Detection System. This work aims to propose a supervised anomaly detection system to detect unknown intrusions using the packet payload in the network, implementing its detection algorithm as a “dynamic pre-processor” of Snort. Critical infrastructures are exposed to several threats which demand computer network protection. An Intrusion Detection System (IDS) provides adequate protection of process control networks. IDSs are usually classified into misuse/signature detection and anomaly detection. Signature-based IDSs typically exhibit high detection accuracy because they identify attacks based on known attack characteristics. Anomaly detection is the alternative approach to detect novel attacks by tagging suspicious events. Learning a model of normal traffic and reporting deviations from the normal behavior is the main strength of anomaly-based detection systems. The major weakness is that they are susceptible to false positive alarms.
Jenny Andrea Pinto Sánchez, Luis Javier García Villalba
Towards Automated Forensic Event Reconstruction of Malicious Code (Poster Abstract)
Abstract
A call for formalizing digital forensic investigations has been proposed by academics and practitioners alike [1, 2]. Many currently proposed methods of malware analysis for forensic investigation purposes, however, are derived based on the investigators’ practical experience. This paper presents a formal approach for reconstructing the activities of a malicious executable found in a victim’s system during a post-mortem analysis. The behavior of a suspect executable is modeled as a finite state automaton where each state represents behavior that results in an observable modification to the victim’s system. The derived model of the malicious code allows for accurate reasoning and deduction of the occurrence of malicious activities even when anti-forensic methods are employed to disrupt the investigation process.
Ahmed F. Shosha, Joshua I. James, Chen-Ching Liu, Pavel Gladyshev
Accurate Recovery of Functions in a Retargetable Decompiler (Poster Abstract)
Abstract
Introduction. Decompilation is used for translation of executable files into a high-level language (HLL) representation. It is an important mechanism for information forensics and malware analysis. Retargetable decompilation represents a very difficult task because it must handle all the specific features of the target platform. Nevertheless, a retargetable decompiler can be used for any particular target platform and the resulting code is represented in a uniform way.
Lukáš Ďurfina, Jakub Křoustek, Petr Zemek, Břetislav Kábele
Improvement of an Anagram Based NIDS by Reducing the Storage Space of Bloom Filters (Poster Abstract)
Abstract
When optimizing our NIDS APAP [1] we started focusing our efforts on ensuring that it would work on real-time network traffic. This effort was penalized by the excessive cost of storage of various data structures needed to meet its goals satisfactorily.
APAP is based on Anagram [2] and initially worked with small N-gram sizes. This allowed us to detect more attacks at the expense of a higher rate of false positives. But when we wanted to test the results obtained with larger N-gram sizes, we found that the cost of storage of the Bloom filter structures that we generated to analyze the payload of the traffic was too large.
Hugo Villanúa Vega, Jorge Maestre Vidal, Jaime Daniel Mejía Castro, Luis Javier García Villalba
Concurrency Optimization for NIDS (Poster Abstract)
Abstract
The current demand for high network speed has led NIDS to process increasing amounts of information in less time. Consequently, most manufacturers have opted for hardware implementations, which in most cases has increased the price of these products. This paper focuses on optimizing the performance of our NIDS APAP based on different concurrency techniques. This upgrade increases the amount of traffic per unit of time that is processed by the system without relying on a hardware implementation. It is important to clarify that although these measures can make our NIDS perform in real time on fast networks, it cannot achieve the same performance as a hardware implementation.

As a first step it is interesting to briefly highlight some of the most important features of our initial IDS prototype, APAP [1], to provide context. This system was developed as a hybrid NIDS combining signature-based and anomaly-based detection. The system simultaneously executes Snort along with its preprocessors and an anomaly-based detector whose design is based on Anagram [2].

We chose to work on CPU-level parallelism using OpenMP libraries. These libraries provide an API that allows us to add concurrency to the application by means of shared-memory parallelism. It is based on the creation of parallel execution threads that share variables with their parent process. OpenMP consists of a set of compiler directives, library routines, and environment variables that influence run-time behavior. The first thing to take into consideration is the degree of parallelization of the algorithm, because the optimization could be in jeopardy if thread context switches do not take place. Therefore, we created four testing suites corresponding to four different parallelization criteria.

The first suite is a total parallelization of the algorithm; the other three are relaxations of the first by means of not parallelizing, respectively: fixed loop iterations, variable loop iterations, and loops iterating up to a concrete variable of the code. Notice that each suite includes the relaxations made in the previous ones. Figure 1 illustrates the time it took to run the algorithm depending on the number of threads for each level, relative to execution on a single thread. This analysis was done using a Core 2 Duo CPU, meaning that better performance may be achieved using more powerful processors. The trace used for the tests was provided by the Computer Center of the Universidad Complutense de Madrid.
Jorge Maestre Vidal, Hugo Villanúa Vega, Jaime Daniel Mejía Castro, Luis Javier García Villalba
Malware Detection System by Payload Analysis of Network Traffic (Poster Abstract)
Abstract
NIDS based on payload analysis detect malicious code by analyzing the payload of packets flowing through the network. They typically consist of a training phase and a detection phase. The training phase is done with clean traffic so that it statistically represents the usual traffic of the system; thus, a pattern of such traffic is established. During detection, the analyzed traffic is modeled and compared against these patterns to determine whether it can be classified as dangerous. Various proposals that analyze the payload to detect malicious code are then explained. In general, all are variants of PAYL [1], one of the first proposals to use this technique successfully. The PAYL system classifies traffic based on three characteristics: the port, the packet size and the flow direction (inbound or outbound). Using these three parameters, payloads are classified, creating a series of patterns that define what would be normal behavior within each class. Poseidon [2] was developed to correct the errors that arise in PAYL's model building when clustering by packet size is applied. The combination of multiple classifiers per class, also based on PAYL, was developed to eliminate the original system's vulnerability to mimicry attacks. PCNAD [3] emerged to correct the defect that PAYL could not process large packets on fast networks quickly enough. Anagram is another evolution of PAYL, developed by the same authors to correct the deficiencies of the original system. As in PAYL, the system is based on n-grams to process the packets and create patterns of behavior. However, it employs Bloom filters to divide the packets into n-grams of sizes larger than one without incurring the space cost and performance penalty that this would otherwise entail.
Luis Javier García Villalba, Jaime Daniel Mejía Castro, Ana Lucila Sandoval Orozco, Javier Martínez Puentes
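As an added illustration (not code from this poster, from APAP or from the Anagram authors), a minimal Anagram-style detector in Python: the training phase inserts every byte n-gram of constructed clean HTTP payloads into a Bloom filter, the detection phase scores a payload by the share of its n-grams the filter has never seen, and `bloom_bits_for` shows why the filter storage that the APAP abstract above found too costly grows with the number of distinct n-grams, which rises with n. All names, filter sizes and sample payloads are assumptions.

```python
import hashlib
import math

class BloomFilter:
    def __init__(self, num_bits: int, num_hashes: int = 3):
        self.num_bits, self.num_hashes = num_bits, num_hashes
        self.bits = bytearray((num_bits + 7) // 8)

    def _positions(self, item: bytes):
        d = hashlib.sha256(item).digest()  # double hashing: k positions from one digest
        h1, h2 = int.from_bytes(d[:8], "big"), int.from_bytes(d[8:16], "big") | 1
        return ((h1 + i * h2) % self.num_bits for i in range(self.num_hashes))

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: bytes) -> bool:  # never a false negative
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

def ngrams(payload: bytes, n: int):
    """Sliding byte n-grams of one packet payload."""
    return (payload[i:i + n] for i in range(len(payload) - n + 1))

def bloom_bits_for(distinct_items: int, fp_rate: float) -> int:
    """Filter bits for a target false-positive rate; grows with the distinct n-gram count."""
    return math.ceil(-distinct_items * math.log(fp_rate) / math.log(2) ** 2)

class AnagramDetector:
    def __init__(self, n: int, num_bits: int = 1 << 16):
        self.n, self.model = n, BloomFilter(num_bits)

    def train(self, clean_payloads) -> int:
        """Training phase: insert every n-gram of clean traffic; returns the distinct count."""
        seen = set()
        for payload in clean_payloads:
            for g in ngrams(payload, self.n):
                self.model.add(g)
                seen.add(g)
        return len(seen)

    def score(self, payload: bytes) -> float:
        """Detection phase: fraction of n-grams never seen in training (0.0 = all known)."""
        grams = list(ngrams(payload, self.n))
        return sum(g not in self.model for g in grams) / len(grams) if grams else 0.0

# Constructed sample payloads (not from any real capture).
CLEAN = [b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
         b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\n\r\n"]
SUSPECT = b"GET /index.html HTTP/1.1\r\nHost: " + bytes(range(0x80, 0xC0)) + b"\r\n\r\n"
```

A payload built entirely from trained traffic scores 0.0, while the high-byte run in `SUSPECT` pushes its score well above one half; feeding `train`'s distinct count into `bloom_bits_for` for n=3 and n=5 shows the storage growth the APAP authors describe.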
Backmatter
Metadata
Title
Research in Attacks, Intrusions, and Defenses
edited by
Davide Balzarotti
Salvatore J. Stolfo
Marco Cova
Copyright year
2012
Publisher
Springer Berlin Heidelberg
Electronic ISBN
978-3-642-33338-5
Print ISBN
978-3-642-33337-8
DOI
https://doi.org/10.1007/978-3-642-33338-5