Fast and Evasive Attacks: Highlighting the Challenges Ahead

Similar documents
On the Effectiveness of Distributed Worm Monitoring

A Self-Learning Worm Using Importance Scanning

Tracking Global Threats with the Internet Motion Sensor

The Evolving Threat of Internet Worms

Defend Against the Unknown

EU GENERAL DATA PROTECTION: TIME TO ACT. Laurent Vanderschrick Channel Manager Belgium & Luxembourg Stefaan Van Hoornick Technical Manager BeNeLux

Importance-Scanning Worm Using Vulnerable-Host Distribution

Characterizing Dark DNS Behavior

Mapping Internet Sensors with Probe Response Attacks

Very Fast Containment of Scanning Worms. Nicholas Weaver, Stuart Staniford, Vern Paxson ICSI, Nevis Networks, ICSI & LBNL

Mapping Internet Sensors with Probe Response Attacks

Moderated by: Moheeb Rajab Background singers: Jay and Fabian

The Invisible Threat of Modern Malware Lee Gitzes, CISSP Comm Solutions Company

Fighting Spam, Phishing and Malware With Recurrent Pattern Detection

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Chapter 7. Denial of Service Attacks

Introduction to Security. Computer Networks Term A15

Active defence through deceptive IPS

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

Cisco Intrusion Prevention Solutions

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS

Distributed Denial of Service (DDoS)

A Multifaceted Approach to Understanding the Botnet Phenomenon

McAfee Complete Endpoint Threat Protection Advanced threat protection for sophisticated attacks

Detecting Internal Malware Spread with the Cisco Cyber Threat Defense Solution 1.0

Demystifying Service Discovery: Implementing an Internet-Wide Scanner

ANATOMY OF AN ATTACK!

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Virtual CMS Honey pot capturing threats In web applications 1 BADI ALEKHYA, ASSITANT PROFESSOR, DEPT OF CSE, T.J.S ENGINEERING COLLEGE

Christopher Covert. Principal Product Manager Enterprise Solutions Group. Copyright 2016 Symantec Endpoint Protection Cloud

SONICWALL SECURITY HEALTH CHECK PSO 2017

SONICWALL SECURITY HEALTH CHECK SERVICE

Intelligent and Secure Network

Comprehensive datacenter protection

Mitigating Outgoing Spam, DoS/DDoS Attacks and Other Security Threats

SONICWALL SECURITY HEALTH CHECK SERVICE

Intrusion Detection by Combining and Clustering Diverse Monitor Data

White Paper. Why IDS Can t Adequately Protect Your IoT Devices

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data

Flashback.. Internet design goals. Security Part One: Attacks and Countermeasures. Why did they leave it out? Security Vulnerabilities

The UCSD Network Telescope

The Dark Oracle: Perspective-Aware Unused and Unreachable Address Discovery

Endpoint Protection : Last line of defense?

6 KEY SECURITY REQUIREMENTS

Protecting Against Application DDoS A acks with BIG-IP ASM: A Three- Step Solution

On the Effectiveness of Distributed Worm Monitoring

Yubin Li Florida International University. Zesheng Chen Florida International University. Chao Chen Indiana University Purdue University Fort Wayne

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Worm Detection, Early Warning and Response Based on Local Victim Information

DoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors

Beyond Blind Defense: Gaining Insights from Proactive App Sec

Barracuda Advanced Threat Protection. Bringing a New Layer of Security for . White Paper

Scalability, Fidelity, and Containment in the Potemkin Virtual Honeyfarm

FP7 NEMESYS Project: Advances on Mobile Network Security

ENTERPRISE ENDPOINT PROTECTION BUYER S GUIDE

TREND MICRO SMART PROTECTION SUITES

NetDefend Firewall UTM Services

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

100% Endpoint Protection dank Machine Learning, EDR & Deception?

Denial of Service and Distributed Denial of Service Attacks

CSE 565 Computer Security Fall 2018

Stop Ransomware In Its Tracks. Chris Chaves Channel Sales Engineer

Exit from Hell? Reducing the Impact of Amplification DDoS Attacks Marc Kührer, Thomas Hupperich, Christian Rossow, and Thorsten Holz

Our Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities

Invasion of Malware Evading the Behavior-based Analysis

Security activities in Japan towards the future standardization. Cybersecurity

Radware Attack Mitigation Solution (AMS) Protect Online Businesses and Data Centers Against Emerging Application & Network Threats - Whitepaper

A Two-Layered Anomaly Detection Technique based on Multi-modal Flow Behavior Models

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta

Securing Your Microsoft Azure Virtual Networks

Practical Guide to Choosing a DDoS Mitigation Service WHITEPAPER

IBM Security Network Protection Solutions

IPS with isensor sees, identifies and blocks more malicious traffic than other IPS solutions

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

Towards Automating Analysis of Large-Scale Honeynet Events

White Paper. New Gateway Anti-Malware Technology Sets the Bar for Web Threat Protection

ARAKIS An Early Warning and Attack Identification System

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 12

Securing Your Amazon Web Services Virtual Networks

KEY FINDINGS INTERACTIVE GUIDE. Uncovering Hidden Threats within Encrypted Traffic

Fundamentals of Information Systems Security Lesson 8 Mitigation of Risk and Threats to Networks from Attacks and Malicious Code

CYBER RESILIENCE & INCIDENT RESPONSE

WHITEPAPER ENDPOINT DETECTION AND RESPONSE BEYOND ANTIVIRUS PROACTIVE THREAT HUNTING AT THE ENDPOINT

Maximum Security with Minimum Impact : Going Beyond Next Gen

Darknet Traffic Monitoring using Honeypot

Resources and Credits. Definition. Symptoms. Denial of Service 3/3/2010 COMP Information on Denial of Service attacks can

Multidimensional Investigation of Source Port 0 Probing

Managed Endpoint Defense

ein wichtiger Baustein im Security Ökosystem Dr. Christian Gayda (T-SEC) und Ingo Kruckewitt (Symantec)

ATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS

Symantec Ransomware Protection

Towards a Theoretical Framework for Trustworthy Cyber Sensing

Leurré.com. a worldwide distributed platform to study Internet threats. Deployed and Managed by The Eurecom Institute

Your projected and optimistically projected grades should be in the grade center soon o Projected: Your current weighted score /30 * 100

Symantec Endpoint Protection 14

On the State of the Inter-domain and Intra-domain Routing Security

Computer Security: Principles and Practice

Arbor Solution Brief Arbor Cloud for Enterprises

Best Practical Response against Ransomware

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Transcription:

Fast and Evasive Attacks: Highlighting the Challenges Ahead Moheeb Rajab, Fabian Monrose, and Andreas Terzis Computer Science Department Johns Hopkins University

Outline Background Related Work Sampling Attacks Malware spreading scenarios Promising Countermeasures Summary 2

Network telescopes DoS Attack /8 Worm Scans DoS Attack DoS Backscatter Worm Scans Traffic monitors located in routable but unused IP space Passive vs. Active Uses Detect and characterize DDoS backscatter Malware detection, collection, and forensic analysis 3

Network Telescopes (cont.) Advantages No legitimate traffic should appear at a telescope Detect unknown (zero-day) threats Benefits multiply by deploying distributed telescopes at a large scale 4

Thinking Ahead Network telescopes are invaluable assets in defending the network Bad News: Attackers will try to diminish their utility Early indications of evolving behavior in the wild (e.g., preferential scanning worms) Botnets applying localized scanning On the Good Side: The above can be mitigated with sophisticated monitor placement strategies 5

Evasive Attacks Most popular monitoring approaches still assume that monitors can be effectively hidden from attackers merely by keeping the monitored IP space secret. Attackers could exploit the side-effects of monitor existence to locate and evade detection. Result: Evasive malware spreading with little spurious traffic 6

Related work Bethencort et al. USENIX 05, Limited to network monitors that advertise their datasets. Involves long feedback loop (reaching 24 hrs.) Requires excessive number of probes. Chen et al. WORM 05 Maximizes worm scans towards densely populated /8 prefixes. Can not detect network monitors. 7

Contributions Introduce a new lightweight sampling technique to detect dark space i.e. Unused IP space and passive network monitors. Demonstrate the virulence of evasive malware spreading strategies that exploit the sampling information. Highlight the need to take a proactive stand and rethink current monitoring practices in light of such threats and discuss promising defense measures. 8

Evasive Sampling Attack Use sampling to probe the liveliness of address blocks with high confidence TCP SYN probes, ACK probes, ICMPs, etc Can be completely innocuous, using different ports from ones employed by known exploits If response is received prefix is marked as live 9

Discovering the live IP space Requirements: Fidelity and Accuracy. Least number of probes. Evasive sampling technique. Insight: Exploit the clustered nature of the IP space to devise a hierarchical sampling process 10

Hierarchical Sampling Process Question: How many samples are necessary? 11

Estimating the sample size Challenge: Find the minimum number of samples to detect the vast majority of the dark space with high confidence while minimizing misclassification of live space. Sampling Model: P l, g = Min. Number of live hosts / prefix size Problem: we don t know the number of live hosts in each prefix. 12

Estimating the sample size (ctnd.) Ideally, direct estimation of the live hosts distribution requires large sample size (especially for the lower layers). Instead, we indirectly estimate it from its marginal distribution using a small dataset. P l, g 99% Live population L min. = P 0.99 ( total _ population) 24 P l, g = Lmin. / 2 13

Evaluation Trace based evaluation Trace Summary DShield large dataset (32 million sources) Local Darknet trace (1.2 million sources) 14

Trace Based Evaluation Finding 1: 400 samples/prefix enough to achieve classification accuracy 99.9 % of /16 prefixes Finding 2: On average sampling less than 5% of the IP space accurately located 98% of the live population and 96% of the vulnerable population (from our datasets). 15

Sampling: results from the wild One might expect firewalls would thwart the accuracy of sampling by hiding parts of the IP space. Sampling in the wild Probed 69 /8 prefixes, using 256 PlanetLab nodes 16

Sampling in the wild Detected two well known network monitors 17

Sampling in the wild Finding 1: Mean number of samples = 50 Finding 2: Detected live prefixes containing 88% of the live population in the Dshield trace. Validation: BGP tables from Routeviews show that 63% of the prefixes classified as empty were not advertised. 18

Why is this bad? Sampling knowledge can be exploited to produce evasive malware spreading. Two example scenarios: Offline Sampling Online Sampling 19

Offline Sampling Malware Sampling is done offline and knowledge is disseminated to the infected population through and encoded bitmap Each nodes scans the IP space uniformly and sends scans to live prefixes only However, choose your favorite scanning strategy 20

Offline Attack model Given: V : total vulnerable population I : total infected population P: probability of contacting a host s: average scanning rate 1 32 total _ live _ space 2 1 21

Simulation results sampling uniform 1024 /24 monitors + /8 monitors mapped with 100% accuracy. Average spurious traffic rate received at the monitors <1 % average background noise Spreads 10 times faster than classic uniform spreading worm 22

Online Spreading Combine sampling and scanning phases Forward and backward sampling progress sharing 23

Online Spreading Reduced payload (only 256 bits required) Online sampling does not hinder malware spreading speed Imperfect redundancy reduction serves to compensate for end-host failures 24

Promising Defenses Active Responders Attract malware, by luring the attack into the monitor space. However, active responders are not immune against simple variants of the sampling attacks. Responding to all ports and all addresses looks equally suspicious To be effective responder need to mimic the persona of actual operational networks Roaming the monitored Space. Use smaller monitors. 25

Summary We show the credible threat from a simple evasive strategy that undermines the effectiveness of widely adopted monitoring technique We highlight the need to be proactive and discuss promising directions to counter such threats. 26

Acknowledgements DShield. Hopkins Information Technology Services (HITS). We thank the anonymous reviewers. 27

THANK YOU! 28

Defenses: What does not work 1024 /24 monitors + /8 monitors mapped with 100% accuracy Increasing monitor deployment, does not help even when population aware placement strategy is used. 29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback