
Detecting Unknown Massive Mailing Viruses Using Proactive Methods

This presentation discusses the proactive methods for detecting unknown massive mailing viruses. It covers background information, related works, methodology, implementation, and experimental results.


Presentation Transcript


  1. Detecting Unknown Massive Mailing Viruses Using Proactive Methods – Ruiqi Hu and Aloysius K. Mok. Presented by Vipul Gupta, 3/23/2009

  2. Overview • Background Information • Related Works • Methodology • Implementation • Experimental Results • Conclusions

  3. Background Information
  • Virus: a computer program that replicates itself and infects host machines
  • History:
    • Creeper (1971), written by Bob Thomas on the ARPANET; displayed "I'm the creeper, catch me if you can!"
    • Wabbit (1974), a fork bomb: multiplied copies of itself on a single machine
    • ANIMAL (1975), a game; its companion program PERVADE copied itself and ANIMAL into every directory the user could access

  4. Background Information
  • 1983: the term "virus" coined (Fred Cohen)
  • Morris Worm (11/2/88)
  • May 4, 2000: ILOVEYOU virus, the most costly to businesses (until a 2004 survey)
    • "ILOVEYOU" in the subject line
    • Attachment LOVE-LETTER-FOR-YOU.TXT.vbs
  • August 2003: Blaster worm (SYN flood to cause a DDoS against windowsupdate.com); its binary carried the strings
    • "I just want to say LOVE YOU SAN!!"
    • "billy gates why do you make this possible? Stop making money and fix your software!!"
  • January 2009: Conficker (also called Downup/Downadup) worm; affects an estimated 20 million Windows systems (Windows 2000 through Vista); disables Windows Update, Security Center, Defender and Error Reporting

  5. Background Information
  • Goal: detect intrusions as early as possible
  • Intrusion detection techniques
    • Misuse-based detection
      • Simple and effective for known attacks
      • Limitation: an attack with no signature goes undetected (false negatives)
    • Anomaly-based detection
      • Can detect previously unseen intrusions
      • Hard for the intruder to tell "what not to do"
      • Disadvantage: false positives

  6. Related Works
  • Virus scanners: based on known signatures
  • Current research aims at automatic generation of signatures
    • Kephart and Arnold: a statistical method for automatic signature generation
    • Schultz et al.: data mining techniques used to build a filter (integration with email is possible)

  7. Related Works
  • Deception tools
    • Honeypots: developed to "lure" intruders; used for studying intrusion techniques and evaluating system security
    • Honeytokens: "generalized" honeypots, not just a computer system; their value lies in being "abused" (e.g. a fake email address that reveals whether a mailing list has been stolen)

  8. Proactive Intrusion Detection System (PAIDS) • Detect intrusions without knowledge of signatures • Very few false positives • Based on: • Behavior Skewing • Cordoning

  9. Security Policies • Specify behavior as legal or illegal • Disadvantages • Often fail to scale • Often incomplete

  10. Another Approach
  [Figure: a security policy P partitions the behavior space into three sets, labelled S1, S2 and S3: legal (consistent with P), illegal (inconsistent with P) and unspecified (independent of P)]

  11. Behavior Skewing
  [Figure: after behavior skewing, a skewed policy P' repartitions the same behavior sets S1, S2 and S3 into legal (consistent), illegal (inconsistent) and unspecified (independent) behaviors]

  12. Behavior Skewing
  • Information items: information-carrying logical entities (a filename, an email address, a binary file, etc.)
  • Behavior skewing: customizing access control over information items

  13. Cordoning
  • Applied to critical system resources (CSRs)
  • Ensures the integrity of those resources
  • Achieved by dynamically isolating the interactions between a malicious process and a resource

  14. Behavior Skewing
  [Figure: behavior skewing #1 and #2 carve bait #1 and bait #2 out of the unspecified behavior set, so that using a bait becomes illegal behavior while legal behavior is unchanged]

  15. Behavior Skewing
  • Legal and illegal behavior sets: explicitly defined
  • Unspecified behavior set: behaviors irrelevant to the system's security, or ones the user is unaware of and therefore never writes a security requirement for
  • After behavior skewing: detect violations of the skewed policy and trigger an intrusion alert

  16. Cordoning
  • Need: a malicious executable is detected only after it misbehaves, so the damage done before detection must be undone
  • Cordoning is used to recover system state
  • Traditional recovery mechanisms (restoring a backup) may lose recent work

  17. Cordoning
  • Allows dynamic, partial virtualization of the execution environment for critical system resources
  • Examples of CSRs: executables, network services, data files, etc.

  18. Cordoning
  [Figure: a process interacts with a current (virtual) CSR rather than the actual CSR; the cordoned CSR is recoverable, and the actual CSR stays in a safe state]

  19. Cordoning
  • Cordoning in time
    • Delayed commitment
    • Applied to delayable CSRs (e.g. an SMTP server)
  • Cordoning in space
    • Applied to substitutable CSRs (e.g. a file)
    • The actual CSR is kept in a secure state while the process works on a substitute
    • The substitute's contents are copied back to the actual CSR once it reaches a secure state
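Cordoning in space, as an added stand-alone example (not code from the paper or from BESIDES): a process is handed a substitute copy of a file and never opens the actual file; on commit the substitute is copied back with a write-then-rename, on an alert it is discarded. The file name, its contents and the two processes are constructed for the example.

```python
"""Cordoning in space for a substitutable CSR (a file), modelled after
slide 19. The actual file stays in its last secure state until the
substitute is declared secure and copied back (commit); on an intrusion
alert the substitute is discarded (rollback) and the actual file is
untouched. This is an illustration, not the paper's implementation."""
import os
import shutil
import tempfile


class CordonedFile:
    """Virtual CSR standing in for one actual file."""

    def __init__(self, actual_path):
        self.actual_path = actual_path
        self._scratch = tempfile.mkdtemp(prefix="cordon-")
        self.substitute_path = os.path.join(self._scratch, os.path.basename(actual_path))
        shutil.copy2(actual_path, self.substitute_path)  # substitute starts from the secure state
        self.closed = False

    def write(self, data: bytes):
        if self.closed:
            raise RuntimeError("cordon already committed or rolled back")
        with open(self.substitute_path, "ab") as fh:
            fh.write(data)

    def read(self) -> bytes:
        # The process sees its own updates through the substitute, never the actual CSR.
        with open(self.substitute_path, "rb") as fh:
            return fh.read()

    def commit(self):
        """Secure state reached: copy the substitute over the actual CSR atomically."""
        tmp = self.actual_path + ".cordon-tmp"
        shutil.copy2(self.substitute_path, tmp)
        os.replace(tmp, self.actual_path)  # rename keeps the actual file whole if interrupted
        self._close()

    def rollback(self):
        """Intrusion alert: drop the substitute; the actual CSR was never modified."""
        self._close()

    def _close(self):
        shutil.rmtree(self._scratch, ignore_errors=True)
        self.closed = True


def _read(path):
    with open(path, "rb") as fh:
        return fh.read()


def run_scenario():
    """Constructed scenario: one malicious update rolled back, one benign update committed."""
    base = tempfile.mkdtemp(prefix="csr-")
    actual = os.path.join(base, "config.ini")
    with open(actual, "wb") as fh:
        fh.write(b"[mail]\nserver=smtp.example.com\n")  # constructed secure state
    result = {}

    # A process later flagged as malicious appends to the file through its substitute.
    cordon = CordonedFile(actual)
    cordon.write(b"server=evil.example.net\n")
    result["virtual_view_during_attack"] = cordon.read()
    result["actual_during_attack"] = _read(actual)
    cordon.rollback()
    result["actual_after_rollback"] = _read(actual)

    # A benign process makes a legitimate update and reaches a secure state.
    cordon = CordonedFile(actual)
    cordon.write(b"timeout=30\n")
    cordon.commit()
    result["actual_after_commit"] = _read(actual)
    shutil.rmtree(base, ignore_errors=True)
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The point the slide makes is visible in the two reads of the actual file: it is identical before and after the rollback, even though the malicious process saw its own change through the substitute.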

  20. Implementation • BESIDES • Three main components: • Email Address Domain Skewer • Email Address Usage Monitor • SMTP Server Cordoner

  21. BESIDES • Email Address Domain Skewer (EADS) • Skewing done based on email address usage policy • Makes certain email addresses unusable in any locally composed email (baits)

  22. BESIDES
  • Email Address Usage Monitor (EAUM)
    • Monitors the use of email addresses in SMTP sessions
    • Looks for SMTP commands that explicitly carry an email address and checks those addresses against the skewed (bait) address list
    • On a violation, the SSC is informed

  23. BESIDES
  • SMTP Server Cordoner (SSC)
    • Protects SMTP servers (CSRs) from possible abuse
    • Buffers messages internally
    • Identifies the SMTP server a process requests and assigns the process a virtual (current) SMTP server for it
    • After delivering a message, creates a log entry
    • On being informed of an intrusion alert, identifies the malicious process
    • Determines the victims from the logs: all processes that accessed CSRs updated by the malicious process

  24. BESIDES
  • SSC recovery mechanism
    • Identifies all victims from the logs
    • Initiates recovery on all cordoned CSRs they have updated
    • No buffered messages are committed; they are quarantined instead
    • For messages already committed, a warning is sent to the recipients (identified from the logs)
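The bait mechanism of slides 14 and 15 and the three BESIDES components of slides 20 to 24, as one added stand-alone model (example code, not the authors' implementation): the skewer plants bait addresses that no locally composed message may use, the usage monitor parses MAIL FROM / RCPT TO commands and checks them against the baits, and the cordoner holds each process's mail in a per-process virtual server until commit, then quarantines, finds victims and lists warnings on an alert. The bait naming scheme, the victim rule (processes that touched a server after the malicious process first updated it), and all addresses, process ids and SMTP lines are assumptions constructed for the example.

```python
"""Stand-alone model of the BESIDES components (slides 20 to 24): address
skewer, usage monitor and SMTP server cordoner. Illustration only; the
addresses, pids and SMTP command lines are constructed."""
import re
from collections import defaultdict

# The two SMTP commands that carry an address explicitly (slide 22).
_ADDR_CMD = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.IGNORECASE)


class EmailAddressDomainSkewer:
    """Skewed address policy: bait addresses that no locally composed message
    may ever use. They are planted where an address harvester would look."""

    def __init__(self, real_addresses, bait_domain, bait_count=2):
        self.real = {a.lower() for a in real_addresses}
        # Assumed naming scheme: baits only need to be unused and plausible.
        self.baits = {f"contact{i}@{bait_domain}" for i in range(bait_count)}

    def planted_address_book(self):
        """What a harvesting mass mailer would scrape: real addresses plus baits."""
        return sorted(self.real | self.baits)


class SMTPServerCordoner:
    """Cordoning in time: messages sit in a per-process virtual SMTP server and
    reach the actual server only on commit."""

    def __init__(self):
        self.buffered = defaultdict(list)  # pid -> [(server, message)]
        self.committed = []                # (seq, pid, server, message)
        self.log = []                      # (seq, pid, server, event)
        self.quarantine = []
        self._seq = 0

    def _log(self, pid, server, event):
        self._seq += 1
        self.log.append((self._seq, pid, server, event))
        return self._seq

    def submit(self, pid, server, message):
        self.buffered[pid].append((server, message))
        self._log(pid, server, "submit")

    def commit(self, pid):
        """Delay expired with no alert: release the process's buffered messages."""
        for server, message in self.buffered.pop(pid, []):
            self.committed.append((self._log(pid, server, "commit"), pid, server, message))

    def alert(self, bad_pid):
        """Recovery (slide 24). Assumed victim rule: any other process that touched a
        server after bad_pid first updated it."""
        first_touch = {}
        for seq, pid, server, _ in self.log:
            if pid == bad_pid:
                first_touch.setdefault(server, seq)
        victims = {pid for seq, pid, server, _ in self.log
                   if pid != bad_pid and seq > first_touch.get(server, float("inf"))}
        affected = victims | {bad_pid}
        for pid in affected:  # nothing buffered is committed; it is quarantined
            for server, message in self.buffered.pop(pid, []):
                self.quarantine.append((pid, server, message))
        # Committed messages cannot be recalled; their recipients get a warning.
        warn = [(pid, message["to"]) for _, pid, _, message in self.committed if pid in affected]
        return {"victims": sorted(victims), "quarantined": len(self.quarantine), "warn": warn}


class EmailAddressUsageMonitor:
    """Watches SMTP commands for bait addresses and informs the cordoner on a hit."""

    def __init__(self, baits, cordoner):
        self.baits = {b.lower() for b in baits}
        self.cordoner = cordoner
        self.reports = []

    def inspect(self, pid, session_lines):
        """Return the first bait used by this process (and raise the alert), or None."""
        for line in session_lines:
            m = _ADDR_CMD.match(line.strip())
            if m and m.group(2).lower() in self.baits:
                self.reports.append((pid, m.group(2).lower(), self.cordoner.alert(pid)))
                return m.group(2).lower()
        return None


def run_scenario():
    server = "smtp.example.com"
    skewer = EmailAddressDomainSkewer(["alice@example.com", "bob@example.com"], "example.net")
    ssc = SMTPServerCordoner()
    eaum = EmailAddressUsageMonitor(skewer.baits, ssc)

    # pid 100: a benign mail client writes to a real contact; the delay expires, committed.
    ssc.submit(100, server, {"to": "bob@example.com"})
    eaum.inspect(100, ["MAIL FROM:<alice@example.com>", "RCPT TO:<bob@example.com>", "DATA"])
    ssc.commit(100)

    # pid 200: a mass mailer that scraped the planted address book. Its first message is
    # committed before any bait is used; the rest are still buffered when it is caught.
    book = skewer.planted_address_book()
    ssc.submit(200, server, {"to": book[0]})
    ssc.commit(200)
    for addr in book[1:]:
        ssc.submit(200, server, {"to": addr})
    # pid 300: a benign process that used the same server after pid 200 updated it.
    ssc.submit(300, server, {"to": "alice@example.com"})

    hit = eaum.inspect(200, [f"RCPT TO:<{a}>" for a in book] + ["DATA"])
    return {"baits": sorted(skewer.baits), "bait_hit": hit, **eaum.reports[-1][2]}
```

Running the scenario shows the two recovery paths of slide 24 side by side: the three messages still buffered for the mass mailer and the one from the victim process are quarantined, while the one message it had already got committed can only be answered with a warning to its recipient.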

  25. BESIDES Architecture
  [Figure: architecture diagram of BESIDES]

  26. Experimental Results
  • Effectiveness experiments
  [Figure: effectiveness of BESIDES]

  27. Experimental Results
  • Performance experiments
  [Figure: system overhead]

  28. Time Overheads
  • LaTeX application series
    • Average overhead: 8%
    • Highest increases (13%): Latex 1 and 2 (I/O-bound)
    • Lowest increases: 1.5% and 3.3%

  29. Time Overheads
  • Command-line web client
    • Relatively small overhead, since it makes few other system calls
    • Average overhead about 3.4% (close to 2.02%)

  30. Conclusions
  • Proactive methods can be introduced into a system to create unpredictability
  • A proactive system anticipates attacks and prepares itself in advance
  • Such a system can detect unknown intrusions

  31. Thank You. Questions?
