EU FP6 LOBSTER: European Infrastructure for accurate network monitoring (PowerPoint presentation)
SLIDE 1

An IST Project, http://www.ist-lobster.org/
Herbert Bos, VU, http://www.cs.vu.nl/~herbertb

EU FP6 LOBSTER
European Infrastructure for accurate network monitoring

A personal view on the future of zero-day worm containment

Herbert Bos, Vrije Universiteit Amsterdam
herbertb _AT_ cs.vu.nl, http://www.ist-lobster.org/

SLIDE 2

What is LOBSTER?

  • FP6 Specific Support Activity (SSA)
  • Duration: 09/2004 – 12/06
  • Partners
    – FORTH
    – Vrije Universiteit Amsterdam
    – TNO ICT
    – CESNET
    – UNINETT
    – FORTHnet
    – ALCATEL
    – TERENA
    – Symantec?

SLIDE 3

What is LOBSTER?

  • European Infrastructure for accurate network monitoring
  • Allows one to perform pan-European monitoring
    – across organisations
  • High-speed
    – specialised network cards
    – also: common NICs
  • Why?
    – traffic classification
    – security
      • worms
      • DDoS
    – performance
    – billing
    – management

SLIDE 4

Privacy

a shared monitoring infrastructure?
what about privacy?!

SLIDE 5

What is LOBSTER?

  • Data owners control
    – which users may access which data
    – very flexible

SLIDE 6

Passive Monitoring and Security

  • Intrusion Detection
    – Are any of my computers compromised?
    – Is there any attacker trying to intrude into my network?
  • Large-scale Attack Detection – Detection of Epidemics
    – DoS Attack detection (e.g., detect sharp increases in TCP/SYN packets)
    – Zero-day worm detection
      • e.g., detect lots of identical packets, never seen before, from several sources to several destinations
      • e.g., unusual no. of connections from a single port to unique destinations
      • e.g., detect worm characteristics
        – such as NOP sleds: long sequences of executable code
  • Network Telescopes
    – monitor unused IP addresses
    – observe victims of DoS attacks
      • “back-scatter” traffic
    – observe infected hosts
    – port scans
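The two zero-day worm heuristics listed above (identical, never-seen content spreading from several sources to several destinations, and a single source fanning out to an unusual number of unique destinations on one port) as an added Python example run over constructed sample packets; this is not LOBSTER code, and the packet tuples, thresholds and payload constants are assumptions for illustration:

```python
import hashlib
from collections import defaultdict

# Constructed sample traffic, (src_ip, dst_ip, dst_port, payload); not a real capture.
HTTP = b"GET / HTTP/1.0\r\n\r\n"
DNS = b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6 + b"\x07example\x03com\x00\x00\x01\x00\x01"
WORM = b"[constructed placeholder for an identical exploit payload]"
PACKETS = [
    ("10.0.0.1", "10.0.1.5", 80, HTTP), ("10.0.0.2", "10.0.1.5", 80, HTTP),
    ("10.0.0.3", "10.0.1.5", 80, HTTP),          # popular content, one destination
    ("10.0.0.4", "10.0.3.9", 53, DNS), ("10.0.0.4", "10.0.3.10", 53, DNS),
    ("10.0.0.5", "10.0.3.11", 53, DNS),          # spread out, but seen before
    ("10.0.0.7", "10.0.2.1", 445, WORM), ("10.0.0.7", "10.0.2.2", 445, WORM),
    ("10.0.0.7", "10.0.2.5", 445, WORM), ("10.0.0.9", "10.0.2.3", 445, WORM),
    ("10.0.2.1", "10.0.2.4", 445, WORM),         # a fresh victim starts spreading
]

def digest(payload):
    return hashlib.sha256(payload).hexdigest()

def worm_candidates(packets, seen_before, min_sources=2, min_destinations=3):
    """Identical, never-seen content from several sources to several destinations.
    Content prevalence alone is not enough: a popular request to one server has
    many sources but no destination spread, so both counts must pass a threshold."""
    sources, dests, ports = defaultdict(set), defaultdict(set), defaultdict(set)
    for src, dst, port, payload in packets:
        h = digest(payload)
        if h in seen_before:                     # known/old content is weeded out
            continue
        sources[h].add(src); dests[h].add(dst); ports[h].add(port)
    return {h: {"sources": len(sources[h]), "destinations": len(dests[h]),
                "ports": sorted(ports[h])}
            for h in sources
            if len(sources[h]) >= min_sources and len(dests[h]) >= min_destinations}

def scan_suspects(packets, max_dests=2):
    """Sources that talk on one port to an unusual number of unique destinations,
    the flow-level counterpart of the content heuristic above."""
    fanout = defaultdict(lambda: defaultdict(set))
    for src, dst, port, _ in packets:
        fanout[src][port].add(dst)
    return {src: {port: len(d) for port, d in by_port.items() if len(d) > max_dests}
            for src, by_port in fanout.items()
            if any(len(d) > max_dests for d in by_port.values())}
```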

SLIDE 7

Zero-day worm containment

  • Why do we need it?
    – detect that something new is on the loose
    – worms spread too fast for human intervention
  • Different worms in different forms
    – fast / slow
    – polymorphic / immutable
    – wide spread / narrow spread
    – stealth / plain
    – multi-vector / uni-vector
  • Worm structure
    [Diagram: a worm consists of an exploit followed by a payload]

SLIDE 8

Two tasks

  • Spot the bad guys
    – network-based
      • content-based: EarlyBird
      • flow-based: VirusThrottling
    – host-based
      • honeypots
      • end-users (systrace)
  • Stop them!
    – filters for networks
      • snort
      • VirusThrottle
    – filters for hosts
      • Self-Certifying Alerts

Strengths annotated next to the approaches on this slide:
  • can be fast (certainly flow-based)
  • protects many hosts
  • handles polymorphism
  • can be very accurate (no false positives)
  • may handle polymorphism
  • handles polymorphism
  • protects many hosts
  • polymorphism
  • few false positives
  • some polymorphism?

SLIDE 9

Two tasks (the same detection and blocking approaches as on slide 8)

Weaknesses annotated next to the approaches on this slide:
  • false positives
  • what to do with encryption?
  • false positives
  • slow
  • needs a certain amount of luck
  • need real services for accuracy
  • false positives
  • encryption/polymorphism will kill us
  • false positives
  • pretty slow
  • can we rely on end-users?

SLIDE 10

My conclusion (1/4)

  • detection
    – network-based
      • behaviour-based
        – first indication
      • content-based:
        – weed out known and old threats
        – first indication for new threats
    – host-based
      • inaccurate behaviour based: first indication
      • accurate behaviour based:
        – zero-day detection
        – verification
      • should not handle full streams

SLIDE 11

My conclusion (2/4)

  • blocking
    – network-based
      • behaviour-based:
        – no (unless exceptional circumstances)
      • content-based:
        – weed out known and old threats
        – first indication for new threats
    – host-based
      • good place for filtering, but scope of protection limited
      • end-host, so filtering should be fairly efficient

SLIDE 12

My conclusion (3/4)

  • future of network-based content inspection for zero-day worm detection

SLIDE 13

My conclusion (4/4)

  • passive monitoring still needed, but role is changing
    – redirect traffic
    – sample traffic
    – first-pass detection
    – first-pass filtering
    – behaviour-based detection
  • explore
    – multi-tier detection
    – multi-tier filtering
    – integrated approaches
    – cocktail-drugs for Internet diseases?

SLIDE 14

Argos Emulator

Fingerprinting zero-day attacks and using advertised honeypots (or: guarding the heifer without falling asleep)

noah

SLIDE 15

Argos Overview

  • Platform for next generation honeypots
    – High-interaction, advertised, safe
  • Detection of most common vulnerabilities
    – Control, code injection, function argument attacks
  • Emulate + protect entire PC systems
    – OS agnostic, run on commodity hardware
  • Generate host and network intrusion prevention signatures
    – Protect even uncooperative users
  • Joint development with Dutch DeWorm project (VU)

SLIDE 16

Argos Overview

[Architecture diagram: the Argos emulator runs the guest OS and its applications on top of the host OS; network data from the NIC is followed so that an attack is detected and the state logged; the log, the forensics output and the correlated data feed signature post-processing, which produces the signature]


SLIDE 18

Development up to Present

  • Based on the Qemu emulator
  • Track network data throughout execution
  • Detect illegal uses of network data
    – Jump targets, function pointers, instructions, system call arguments
  • Forensics to generate signatures
    – Export emulator state, inject “forensics” shellcode

skip boring details

SLIDE 19

Network Data Tracking

  • Tagging network data as “tainted”

[Diagram: data read from the virtual NIC through port I/O into RAM and the registers EAX, EBX, ECX and EDX is tagged as tainted]

SLIDE 20

Network Data Tracking

  • Tagging network data as “tainted”
  • Tracking “tainted” data
    – ALU operations

[Diagram: ADD EAX, EBX with a tainted EBX; the taint is tracked into the result in EAX]

SLIDE 21

Network Data Tracking

  • Tagging network data as “tainted”
  • Tracking “tainted” data
    – ALU operations

[Diagram: ADD EAX, EBX followed by XOR EBX, EBX, with the taint of each result tracked]

SLIDE 22

Network Data Tracking

  • Tagging network data as “tainted”
  • Tracking “tainted” data
    – ALU operations
    – MMU operations

[Diagram: ADD EAX, EBX; XOR EBX, EBX; ST A, EAX, where the store carries the taint of EAX into memory location A]

SLIDE 23

Identifying Attacks

  • Jump targets

[Diagram: registers, memory location A and the stack; JMP EAX with a tainted EAX raises an ALERT]

SLIDE 24

Identifying Attacks

  • Jump targets
  • Function calls

[Diagram: as on slide 23, now also CALL EAX with a tainted EAX raises an ALERT]

SLIDE 25

Identifying Attacks

  • Jump targets
  • Function calls
  • Returns

[Diagram: as on slide 24, now also RET with a tainted return address on the stack raises an ALERT]

SLIDE 26

Identifying Attacks

  • Jump targets
  • Function calls
  • Returns
  • Code injection

[Diagram: as on slide 25, now also JMP A into tainted memory at A raises an ALERT]

SLIDE 27

Identifying Attacks

  • Jump targets
  • Function calls
  • Returns
  • Code injection
  • System calls

[Diagram: as on slide 26, now also INT 0x80 with tainted system call arguments raises an ALERT]
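The tracking and alert rules of slides 19 to 27 as an added toy example in Python, not Argos code: a register machine tags bytes from the virtual NIC as tainted, propagates the tag through ALU and memory operations (this toy clears it on XOR r, r, since that result is a constant), and records an alert when tainted data becomes a jump or call target, a return address, fetched instructions, or a system call argument. The register names, the one-cell-per-address memory model and the demo addresses are assumptions for illustration:

```python
class TaintVM:                      # toy register machine with byte-granular taint
    def __init__(self):
        self.reg = {"EAX": 0, "EBX": 0, "ECX": 0, "EDX": 0}
        self.rt = {r: False for r in self.reg}   # per-register taint bit
        self.mem, self.mt = {}, set()             # RAM cells, tainted addresses
        self.sp = 0x100                           # stack pointer, grows down
        self.alerts = []                          # sensitive uses of tainted data
    def recv(self, addr, data):     # bytes from the virtual NIC land in RAM tainted
        for i, b in enumerate(data):
            self.mem[addr + i] = b
            self.mt.add(addr + i)
    def load(self, r, addr):        # MMU op: the taint bit follows the byte
        self.reg[r], self.rt[r] = self.mem.get(addr, 0), addr in self.mt
    def store(self, addr, r):       # ST A, EAX: memory inherits the register's taint
        self.mem[addr] = self.reg[r]
        (self.mt.add if self.rt[r] else self.mt.discard)(addr)
    def add(self, d, s):            # ALU op: result is tainted if either input is
        self.reg[d] = (self.reg[d] + self.reg[s]) & 0xFF
        self.rt[d] = self.rt[d] or self.rt[s]
    def xor(self, d, s):            # XOR r, r always yields 0, so its taint is cleared
        self.reg[d] ^= self.reg[s]
        self.rt[d] = False if d == s else (self.rt[d] or self.rt[s])
    def call(self, ret_addr):       # CALL: push an untainted return address
        self.sp -= 1
        self.mem[self.sp] = ret_addr
        self.mt.discard(self.sp)
    def _check(self, use, tainted): # the Argos rule: alert when tainted data fills a role
        if tainted:
            self.alerts.append(use)
        return use if tainted else None
    def jmp(self, r):               # JMP EAX / CALL EAX with a tainted target
        return self._check("jump target", self.rt[r])
    def ret(self):                  # RET whose saved address was overwritten by input
        tainted, self.sp = self.sp in self.mt, self.sp + 1
        return self._check("return address", tainted)
    def execute_at(self, addr):     # instruction fetch from tainted memory
        return self._check("code injection", addr in self.mt)
    def syscall(self, *regs):       # INT 0x80 with tainted argument registers
        return self._check("system call argument", any(self.rt[r] for r in regs))

def demo():
    """Constructed scenario: 3-byte buffer at 0xFC, saved return address at 0xFF."""
    vm = TaintVM()
    vm.call(0x42)                         # return address stored at sp = 0xFF
    vm.recv(0xFC, b"AAAA")                # 4 received bytes overflow into 0xFF
    vm.ret()                              # -> "return address"
    vm.load("EAX", 0xFC); vm.jmp("EAX")   # -> "jump target"
    vm.execute_at(0xFD)                   # -> "code injection"
    return vm.alerts
```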

SLIDE 28

Forensics

  • Emulator state (registers, “tainted” memory)
  • Injected shellcode data
    – Process information (e.g. PID)
    – Extraction of probable target port
    [Table on the slide with the columns PID, Name, Port]
  • Network trace

SLIDE 29

Signature Generation

[Diagram: the alert value is traced back to its origin in the “tainted” memory data; together with the forensics data this selects, among the network streams, the stream that delivered it, and the signature is derived from that stream]

SLIDE 30

http://www.few.vu.nl/argos