Proceedings ArticleDOI

An analysis of the Witty outbreak: exploiting underlying structure for detailed reconstruction of an Internet-scale event

11 Nov 2005, p. 51
TL;DR: It is shown that by carefully exploiting the structure of the worm, especially its pseudo-random number generation, the rate at which each individual infectee injected packets into the network prior to loss can be extracted with high fidelity from limited and imperfect telescope data.
Abstract: In this talk we discuss an analysis of the propagation in March 2004 of the "Witty" worm, which infected more than 12,000 hosts worldwide in 75 minutes. We show that by carefully exploiting the structure of the worm, especially its pseudo-random number generation, from limited and imperfect telescope data we can recover a wealth of information with high fidelity. The corresponding paper, coauthored with Abhishek Kumar and Nicholas Weaver, appears in the Proceedings of the 2005 ACM Internet Measurement Conference.
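The "structure" exploited here is Witty's linear congruential PRNG: each packet exposes only the high 16 bits of successive generator states in its destination address and port, yet the full 32-bit state can be recovered by brute-forcing the hidden low bits. The Python sketch below illustrates the idea; the constants are the MSVC-style LCG parameters reported for Witty, and the "observed" values are fabricated for the example.

```python
# Sketch: recovering Witty's full 32-bit PRNG state from partial
# observations. Witty used a linear congruential generator (LCG) and
# embedded the top 16 bits of successive states in each packet.
# A, B are the MSVC-style parameters reported for Witty.

A, B, M = 214013, 2531011, 2**32

def lcg_next(state: int) -> int:
    """Advance the LCG by one step."""
    return (A * state + B) % M

def recover_state(top16_now: int, top16_next: int) -> list[int]:
    """Brute-force the hidden low 16 bits of the current state.

    A candidate survives only if stepping the LCG reproduces the
    observed top 16 bits of the *next* state, which usually pins
    down very few full states.
    """
    candidates = []
    for low in range(2**16):
        state = (top16_now << 16) | low
        if lcg_next(state) >> 16 == top16_next:
            candidates.append(state)
    return candidates

# Example: fabricate a "true" state, pretend we only saw its top bits.
true_state = 0xDEADBEEF
obs1, obs2 = true_state >> 16, lcg_next(true_state) >> 16
print([hex(s) for s in recover_state(obs1, obs2)])  # e.g. ['0xdeadbeef']
```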
Citations
Proceedings ArticleDOI
16 May 2010
TL;DR: The main claim is that the task of finding attacks is fundamentally different from these other applications, making it significantly harder for the intrusion detection community to employ machine learning effectively.
Abstract: In network intrusion detection research, one popular strategy for finding attacks is monitoring a network's activity for anomalies: deviations from profiles of normality previously learned from benign traffic, typically identified using tools borrowed from the machine learning community. However, despite extensive academic research one finds a striking gap in terms of actual deployments of such systems: compared with other intrusion detection approaches, machine learning is rarely employed in operational "real world" settings. We examine the differences between the network intrusion detection problem and other areas where machine learning regularly finds much more success. Our main claim is that the task of finding attacks is fundamentally different from these other applications, making it significantly harder for the intrusion detection community to employ machine learning effectively. We support this claim by identifying challenges particular to network intrusion detection, and provide a set of guidelines meant to strengthen future research on anomaly detection.
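To make the setup being critiqued concrete, here is a deliberately naive sketch of the "profile of normality" approach: learn per-feature statistics from benign traffic, then flag large deviations. This is a generic illustration, not any system from the paper; the feature names and threshold are invented.

```python
# Naive anomaly detector: model each traffic feature as Gaussian,
# learned from benign traffic, and flag large z-scores.
# Features and threshold are invented for illustration only.

import statistics

def train(benign_samples):
    """benign_samples: list of dicts mapping feature name -> value."""
    profile = {}
    for f in benign_samples[0]:
        vals = [s[f] for s in benign_samples]
        profile[f] = (statistics.mean(vals), statistics.stdev(vals))
    return profile

def is_anomalous(sample, profile, z_threshold=3.0):
    """Flag the sample if any feature deviates strongly from the profile."""
    return any(abs(sample[f] - mu) / sigma > z_threshold
               for f, (mu, sigma) in profile.items() if sigma > 0)

benign = [{"pkts_per_s": 100 + i % 7, "mean_pkt_len": 500 + i % 11}
          for i in range(50)]
profile = train(benign)
print(is_anomalous({"pkts_per_s": 5000, "mean_pkt_len": 40}, profile))  # True
```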

1,377 citations


Cites methods from "An analysis of the witty outbreak: ..."

  • ...et al. [29] identify users in the anonymized Netflix datasets via correlation with their public reviews in a separate database; and Kumar et al. [30] determine from lossy and remote packet traces the number of disks attached to systems infected by the “Witty” worm, as well as their uptime to...


Proceedings Article
31 Jul 2006
TL;DR: SANE offers strong attack resistance and containment in the face of compromise, yet is practical for everyday use, and can easily scale to networks of tens of thousands of nodes.
Abstract: Connectivity in today's enterprise networks is regulated by a combination of complex routing and bridging policies, along with various interdiction mechanisms such as ACLs, packet filters, and other middleboxes that attempt to retrofit access control onto an otherwise permissive network architecture. This leads to enterprise networks that are inflexible, fragile, and difficult to manage. To address these limitations, we offer SANE, a protection architecture for enterprise networks. SANE defines a single protection layer that governs all connectivity within the enterprise. All routing and access control decisions are made by a logically-centralized server that grants access to services by handing out capabilities (encrypted source routes) according to declarative access control policies (e.g., "Alice can access http server foo"). Capabilities are enforced at each switch, which are simple and only minimally trusted. SANE offers strong attack resistance and containment in the face of compromise, yet is practical for everyday use. Our prototype implementation shows that SANE could be deployed in current networks with only a few modifications, and it can easily scale to networks of tens of thousands of nodes.
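As a rough illustration of the capability mechanism: the controller authorizes a specific path, and each on-path switch independently verifies the grant using a key it shares with the controller. SANE's real capabilities are encrypted, layered source routes; the sketch below substitutes per-switch HMACs to stay standard-library-only, and all names and keys are invented.

```python
# Sketch of a SANE-style capability: the controller authorizes a path;
# each switch verifies its own piece before forwarding. Real SANE uses
# layered *encryption* of the source route; plain HMACs are used here
# only to keep the illustration simple and stdlib-only.

import hmac, hashlib

def make_capability(controller_keys, route, flow):
    """Controller: one MAC per switch over (flow, route)."""
    msg = (flow + "|" + "->".join(route)).encode()
    return {sw: hmac.new(controller_keys[sw], msg, hashlib.sha256).digest()
            for sw in route}

def switch_check(my_name, my_key, capability, route, flow):
    """Switch: forward only if my MAC in the capability verifies."""
    msg = (flow + "|" + "->".join(route)).encode()
    expected = hmac.new(my_key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(capability.get(my_name, b""), expected)

keys = {"sw1": b"k1", "sw2": b"k2"}          # invented switch keys
route = ["sw1", "sw2"]
cap = make_capability(keys, route, "alice->http-foo")
print(switch_check("sw1", keys["sw1"], cap, route, "alice->http-foo"))  # True
```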

464 citations


Cites background from "An analysis of the witty outbreak: ..."

  • ...This provides flexible fine grain access control and eliminates the need for more complex ad-hoc mechanisms....


Book ChapterDOI
01 Jan 2007
TL;DR: A significant change in motivation for malicious activity has taken place over the past several years: from vandalism and recognition in the hacker community, to attacks and intrusions for financial gain, thereby escalating the network security arms race.
Abstract: The continued growth and diversification of the Internet has been accompanied by an increasing prevalence of attacks and intrusions [40]. It can be argued, however, that a significant change in motivation for malicious activity has taken place over the past several years: from vandalism and recognition in the hacker community, to attacks and intrusions for financial gain. This shift has been marked by a growing sophistication in the tools and methods used to conduct attacks, thereby escalating the network security arms race.

364 citations


Cites background from "An analysis of the witty outbreak: ..."

  • ...show how a broad range of details of the Witty worm outbreak can be inferred using information about that malware’s random number generator [24]....


Proceedings Article
28 Jul 2008
TL;DR: It is shown that the average time for an antivirus engine to detect a new threat is 48 days and that retrospective detection can greatly minimize the impact of this delay; a new model for malware detection on end hosts, providing antivirus as an in-cloud network service, is advocated.
Abstract: Antivirus software is one of the most widely used tools for detecting and stopping malicious and unwanted files. However, the long term effectiveness of traditional host-based antivirus is questionable. Antivirus software fails to detect many modern threats and its increasing complexity has resulted in vulnerabilities that are being exploited by malware. This paper advocates a new model for malware detection on end hosts based on providing antivirus as an in-cloud network service. This model enables identification of malicious and unwanted software by multiple, heterogeneous detection engines in parallel, a technique we term 'N-version protection'. This approach provides several important benefits including better detection of malicious software, enhanced forensics capabilities, retrospective detection, and improved deployability and management. To explore this idea we construct and deploy a production quality in-cloud antivirus system called CloudAV. CloudAV includes a lightweight, cross-platform host agent and a network service with ten antivirus engines and two behavioral detection engines. We evaluate the performance, scalability, and efficacy of the system using data from a real-world deployment lasting more than six months and a database of 7220 malware samples covering a one year period. Using this dataset we find that CloudAV provides 35% better detection coverage against recent threats compared to a single antivirus engine and a 98% detection rate across the full dataset. We show that the average length of time to detect new threats by an antivirus engine is 48 days and that retrospective detection can greatly minimize the impact of this delay. Finally, we relate two case studies demonstrating how the forensics capabilities of CloudAV were used by operators during the deployment.
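The core aggregation step of "N-version protection" is simple to sketch: fan one file out to several independent engines and combine their verdicts. The toy engines and threshold below are invented stand-ins for CloudAV's ten antivirus and two behavioral engines.

```python
# Sketch of "N-version protection": submit one file to several
# independent detection engines in parallel and flag it if at least
# `threshold` engines agree. Engines here are toy stand-ins.

from typing import Callable, Iterable

def n_version_verdict(file_bytes: bytes,
                      engines: Iterable[Callable[[bytes], bool]],
                      threshold: int = 1) -> bool:
    """Return True (malicious) if enough engines flag the file."""
    votes = sum(1 for engine in engines if engine(file_bytes))
    return votes >= threshold

# Toy engines: a signature match and a crude size heuristic.
sig_engine = lambda b: b"EVIL_MARKER" in b
size_engine = lambda b: len(b) > 10_000_000  # placeholder heuristic
print(n_version_verdict(b"hello EVIL_MARKER", [sig_engine, size_engine]))
```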

353 citations


Cites background from "An analysis of the witty outbreak: ..."

  • ...Simplifying the host software also decreases the chance that it could contain exploitable vulnerabilities [15, 30]....


Proceedings ArticleDOI
25 Oct 2006
TL;DR: binpac is presented: a declarative language and compiler designed to simplify the task of constructing robust and efficient semantic analyzers for complex network protocols, so that application-level analysis of network traffic can be expressed in high-level terms that are both concise and expressive.
Abstract: A key step in the semantic analysis of network traffic is to parse the traffic stream according to the high-level protocols it contains. This process transforms raw bytes into structured, typed, and semantically meaningful data fields that provide a high-level representation of the traffic. However, constructing protocol parsers by hand is a tedious and error-prone affair due to the complexity and sheer number of application protocols. This paper presents binpac, a declarative language and compiler designed to simplify the task of constructing robust and efficient semantic analyzers for complex network protocols. We discuss the design of the binpac language and a range of issues in generating efficient parsers from high-level specifications. We have used binpac to build several protocol parsers for the "Bro" network intrusion detection system, replacing some of its existing analyzers (handcrafted in C++), and supplementing its operation with analyzers for new protocols. We can then use Bro's powerful scripting language to express application-level analysis of network traffic in high-level terms that are both concise and expressive. binpac is now part of the open-source Bro distribution.
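To convey the declarative-parsing idea (though not binpac's actual syntax, which compiles a much richer language to C++), here is a toy sketch in Python: a message layout described as data, with the parser derived from the description rather than hand-written buffer arithmetic. The protocol and its fields are invented.

```python
# Sketch of the declarative-parser idea: describe a message layout as
# data, derive the parser from the description. The fixed-header
# "protocol" below (version, type, payload length) is fictional.

import struct

HEADER_SPEC = [("version", "B"), ("msg_type", "B"), ("length", "!H")]

def compile_parser(spec):
    """Turn a field spec into a parse function over raw bytes."""
    fmt = "!" + "".join(f.lstrip("!") for _, f in spec)  # network byte order
    names = [n for n, _ in spec]
    size = struct.calcsize(fmt)
    def parse(buf: bytes) -> dict:
        fields = dict(zip(names, struct.unpack(fmt, buf[:size])))
        fields["payload"] = buf[size:size + fields["length"]]
        return fields
    return parse

parse_header = compile_parser(HEADER_SPEC)
print(parse_header(b"\x01\x02\x00\x03abc"))
# {'version': 1, 'msg_type': 2, 'length': 3, 'payload': b'abc'}
```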

162 citations


Cites methods from "An analysis of the witty outbreak: ..."

  • ...is application-protocol parsers that translate packet streams into high-level representations of the traffic, on top of which we can then use measurement scripts that manipulate semantically meaningful data elements such as HTTP content types or Email senders/recipients, instead of raw IP packets....


References
01 Jan 2001
TL;DR: Here the authors haven’t even started the project yet, and already they’re forced to answer many questions: what will this thing be named, what directory will it be in, what type of module is it, how should it be compiled, and so on.
Abstract: Writers face the blank page, painters face the empty canvas, and programmers face the empty editor buffer. Perhaps it’s not literally empty—an IDE may want us to specify a few things first. Here we haven’t even started the project yet, and already we’re forced to answer many questions: what will this thing be named, what directory will it be in, what type of module is it, how should it be compiled, and so on.

6,547 citations


"An analysis of the witty outbreak: ..." refers background or methods in this paper

  • ...Implementing good PRNGs is a complicated task [8], especially when constrained by limits on code size and the difficulty of incorporating linkable libraries....


  • ...Neither of these reasons actually requires the kind of good randomness provided by following Knuth's advice of picking only the higher order bits....


  • ...Knuth's advice applies when uniform randomness is the desired property, and is valid only when a small number of random bits are needed....



  • ...This was recommended by Knuth [8], who showed that the high order bits are “more random” than the lower order bits returned by the LC PRNG....

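The Knuth point these excerpts turn on is easy to demonstrate: in an LCG with modulus 2^32, the k-th lowest bit has period at most 2^k, so the bottom bit simply alternates while the high-order bits do not exhibit such short cycles. A small sketch, reusing the same MSVC-style constants assumed earlier:

```python
# Demonstrating why low-order LCG bits are weak: with modulus 2^32 and
# odd multiplier/increment, the lowest bit of the state alternates
# with period 2, while the top bit shows no such trivial cycle.

A, B, M = 214013, 2531011, 2**32

def stream(seed, n):
    x = seed
    for _ in range(n):
        x = (A * x + B) % M
        yield x

low_bits = [x & 1 for x in stream(1, 16)]
high_bits = [x >> 31 for x in stream(1, 16)]
print(low_bits)   # strictly alternating 0,1,0,1,...
print(high_bits)  # no comparably short cycle
```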

Proceedings Article
13 Aug 2001
TL;DR: This article presents a new technique, called “backscatter analysis,” that provides a conservative estimate of worldwide denial-of-service activity; the authors believe it is the first to provide quantitative estimates of Internet-wide denial-of-service activity.
Abstract: In this paper, we seek to answer a simple question: "How prevalent are denial-of-service attacks in the Internet today?". Our motivation is to understand quantitatively the nature of the current threat as well as to enable longer-term analyses of trends and recurring patterns of attacks. We present a new technique, called "backscatter analysis", that provides an estimate of worldwide denial-of-service activity. We use this approach on three week-long datasets to assess the number, duration and focus of attacks, and to characterize their behavior. During this period, we observe more than 12,000 attacks against more than 5,000 distinct targets, ranging from well known e-commerce companies such as Amazon and Hotmail to small foreign ISPs and dial-up connections. We believe that our work is the only publicly available data quantifying denial-of-service activity in the Internet.
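The arithmetic behind backscatter analysis is worth making explicit: a victim of a randomly spoofed flood sends responses to addresses spread uniformly over the IPv4 space, so a telescope watching n addresses sees roughly n/2^32 of them. A back-of-envelope sketch with made-up numbers (the paper's monitor was a /8 network):

```python
# Back-of-envelope backscatter estimate: scale the observed response
# rate by the inverse of the telescope's coverage of IPv4 space.
# The observed rate below is fabricated for illustration.

TELESCOPE = 2**24          # a /8 telescope covers 2^24 addresses
observed_rate = 20.0       # backscatter packets/second seen for one victim

# Conservative (lower-bound) estimate of the attack rate at the victim:
# responses may be rate-limited or dropped before reaching the telescope.
estimated_attack_rate = observed_rate * (2**32 / TELESCOPE)
print(f"{estimated_attack_rate:.0f} packets/second")  # 5120 packets/second
```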

1,444 citations


Proceedings Article
05 Aug 2002
TL;DR: This work develops and evaluates several new, highly virulent possible techniques: hit-list scanning, permutation scanning (which enables self-coordinating scanning), and the use of Internet-sized hit-lists (which creates a flash worm).
Abstract: The ability of attackers to rapidly gain control of vast numbers of Internet hosts poses an immense risk to the overall security of the Internet. Once subverted, these hosts can not only be used to launch massive denial of service floods, but also to steal or corrupt great quantities of sensitive information, and confuse and disrupt use of the network in more subtle ways. We present an analysis of the magnitude of the threat. We begin with a mathematical model derived from empirical data of the spread of Code Red I in July, 2001. We discuss techniques subsequently employed for achieving greater virulence by Code Red II and Nimda. In this context, we develop and evaluate several new, highly virulent possible techniques: hit-list scanning (which creates a Warhol worm), permutation scanning (which enables self-coordinating scanning), and use of Internet-sized hit-lists (which creates a flash worm).
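The mathematical model the abstract mentions is the logistic growth of a random-scanning worm: with N vulnerable hosts, each infectee scanning r addresses per second out of 2^32, the infected fraction a(t) satisfies da/dt = K a(1 - a) with K = rN/2^32. A sketch with illustrative (not fitted) parameters:

```python
# Logistic model of a random-scanning worm's spread. Parameters are
# illustrative round numbers, not the paper's fitted Code Red values.

import math

N, r = 360_000, 10.0            # vulnerable hosts; scans/sec per infectee
K = r * N / 2**32               # contact rate, ~8.4e-4 per second

def infected_fraction(t, a0=1 / 360_000):
    """Closed-form logistic solution, starting from one infected host."""
    return a0 * math.exp(K * t) / (1 - a0 + a0 * math.exp(K * t))

for minutes in (60, 120, 240, 480):
    print(minutes, "min:", round(infected_fraction(60 * minutes) * N), "hosts")
```

The slow start followed by explosive growth is exactly why the paper's hit-list and permutation-scanning variants matter: they shortcut the flat early phase of the logistic curve.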

1,255 citations

Journal ArticleDOI
01 Jul 2003
TL;DR: The Slammer worm spread so quickly that human response was ineffective, and why was it so effective and what new challenges do this new breed of worm pose?
Abstract: The Slammer worm spread so quickly that human response was ineffective. In January 2003, it packed a benign payload, but its disruptive capacity was surprising. Why was it so effective, and what new challenges does this new breed of worm pose?

1,070 citations