April 10, 2011 Salzburg, Austria - WOMBAT project
traces generated using the AES allowed the bootstrapping of ScriptGen, which now evolves on its own from what its various Internet sensors capture.

4.5 Attack Verification Rule Generation

Our experience with the ScriptGen project taught us that the AES can be used to generate the large number of instances required by machine learning algorithms. On a subsequent project [15], we used the AES to generate machine learning instances for the attack verification problem. The attack verification problem consists of determining whether or not a detected attack attempt was indeed successful. For each type of attack (e.g., denial-of-service, buffer overflow, etc.), a list of indicators can often be established (connections refused, new ports being open on the target machine, reply packets matching a given pattern, etc.). Matching these indicators with each possible way of exploiting a vulnerability is a problem that requires more subtlety than one would imagine. For instance, a denial-of-service could affect the host (the host freezes), the service (the application does not respond, even if the TCP handshake successfully completes), the TCP/IP stack (connections are actively refused or are simply ignored) or specific users. Building on our previous work on IDS evaluation, we used the same exploit programs and target systems (with a few new ones) that we had used for [14], and generated a new data set that also contains the execution of the stimuli required to reveal the indicators. We fed existing machine learning tools with this data set and were able to generate attack verification rules in a completely automated manner.

4.6 Dynamic Malware Analysis

Dynamic malware analysis means analyzing malware by executing it. Our malware analysis research program focuses on the network-related aspects of dynamic malware analysis. A question we are asking is the following: what kind of network is required in order to obtain the maximum amount of information from executing malware?
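The denial-of-service indicators listed in Section 4.5 above (host frozen, service hung, TCP/IP stack refusing, specific user locked out), turned into a small hand-written rule set as an added example. This is our own illustration and not the machine-learning-generated rules of [15]; the probe fields, the category names and the requirement that a verdict be a change relative to a pre-attack baseline are assumptions of the example.

```python
"""Constructed example (not from the paper or the AES): classify the effect of a
denial-of-service attempt from the stimuli sent to the target after the exploit
ran, then decide whether the attack 'verified' by comparing against a baseline.

Every field name below is our own invention; the AES data set of [15] is not
public here, so the probe results are constructed inline."""
from dataclasses import dataclass
from enum import Enum
from typing import Tuple


class Outcome(str, Enum):
    HOST_DOWN = "host_down"          # no ICMP reply and no port answers at all
    STACK_REFUSED = "stack_refused"  # host pings, but every TCP port refuses/ignores
    SERVICE_DOWN = "service_down"    # only the attacked service is gone or hung
    USER_DENIED = "user_denied"      # service answers, the targeted account cannot log in
    NOT_AFFECTED = "not_affected"


@dataclass
class Probe:
    icmp_reply: bool         # echo reply received from the target
    tcp_handshake: bool      # SYN/SYN-ACK/ACK completed on the attacked port
    app_response: bool       # application-layer banner or reply received on that port
    control_port_open: bool  # an unrelated port (our control channel) still accepts connections
    user_login_ok: bool      # login with the targeted account succeeded
    other_login_ok: bool     # login with an unrelated account succeeded


def dos_effect(p: Probe) -> Outcome:
    """Map one set of post-attack observations to the indicator categories of
    Section 4.5.  The most global symptom is tested first, so a frozen host is
    not mis-reported as a dead service and a dead stack is not mis-reported as
    a dead application."""
    if not p.icmp_reply and not p.control_port_open:
        return Outcome.HOST_DOWN
    if not p.tcp_handshake and not p.control_port_open:
        return Outcome.STACK_REFUSED          # refused or silently ignored on every port
    if not p.tcp_handshake:
        return Outcome.SERVICE_DOWN           # listener gone, other ports fine: process died
    if not p.app_response:
        return Outcome.SERVICE_DOWN           # handshake completes but the application hangs
    if not p.user_login_ok and p.other_login_ok:
        return Outcome.USER_DENIED
    return Outcome.NOT_AFFECTED


def verify_attack(before: Probe, after: Probe) -> Tuple[bool, Outcome]:
    """An attack counts as successful only if the indicator changed relative to
    the pre-attack baseline: a service that was already down is not evidence."""
    b, a = dos_effect(before), dos_effect(after)
    return (a != Outcome.NOT_AFFECTED and a != b), a


if __name__ == "__main__":
    healthy = Probe(True, True, True, True, True, True)
    hung = Probe(True, True, False, True, False, False)       # constructed post-attack probe
    print(verify_attack(healthy, hung))                       # (True, Outcome.SERVICE_DOWN)
```

The ordering of the tests in dos_effect is the whole point: each indicator on its own is ambiguous (a refused connection is consistent with three of the four categories), and only the combination with the control port and the ICMP probe separates them.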
In [3, 4], we described network topologies and tools that we developed to extract information from malware samples by executing them in a network that is isolated from the Internet. Isolating malware from the Internet imposes limitations; however, our studies have demonstrated that very useful information can still be obtained in such a context. The AES relies on the existence of a virtualization technology. Although it is known that most virtualization technologies can be detected by malware, our experience has shown that enough malware authors do not care about it for us to be able to analyze a large proportion of the samples within the Cyber Observatory. It should be noted that the AES has been developed independently from any particular virtualization technology or operating system. Therefore, the efforts being made by researchers who focus on internal host activity ([1, 17, 20]) could be integrated within the AES, and should be perceived as complements rather than alternatives. One of the conclusions we drew from this project is that a network of four computers is sufficient to produce a significant amount of information [3, 4]. The solution was to use DNAT^23 to ensure that the handshakes of most TCP connections are completed. In [4], we introduced a tool that configures DNAT rules on-the-fly in order to appropriately handle things like backdoors being opened on the infected system during the experiment. This tool allows for more accurate analysis of malware samples in isolated environments like the AES. The AES was also used to assess the usefulness of the tool through a case study performed using 25118 malware samples.

4.7 Static Malware Analysis

Static malware analysis includes any analysis that is performed on malware samples without executing them. This includes, but is not restricted to, anti-virus scanning, hard-coded string extraction, hash computation, magic number analysis to determine the file type, etc.
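Returning to the DNAT approach of Section 4.6: the following is an added example, not the CRC forwarding tool of [3, 4], of deriving per-destination DNAT rules from the first packet of each flow seen leaving an isolated malware VM, so that the handshake completes against a sink host inside the lab instead of timing out. The lab subnet, the sink address, the flow-record format and the iptables rule syntax for a Linux gateway are all assumptions of the example; the log lines are constructed.

```python
"""Constructed example (not the tool from [3, 4]): turn outbound TCP SYNs observed
on the gateway of an isolated malware network into DNAT rules that steer them to
a catch-all sink, so the malware sees a completed handshake.

Assumed: a Linux gateway using iptables, a lab subnet of 10.0.0.0/24, a sink VM
at 10.0.0.2 listening on every TCP port, and the one-line flow record format below."""
import ipaddress

LAB_NET = ipaddress.ip_network("10.0.0.0/24")   # isolated experiment network (assumed)
SINK = "10.0.0.2"                               # VM running a catch-all listener (assumed)

# Constructed sensor log: the first packet of each flow seen on the gateway.
FLOW_LOG = """\
2011-04-10T10:00:01 TCP 10.0.0.10:49152 -> 198.51.100.7:80 SYN
2011-04-10T10:00:01 TCP 10.0.0.10:49153 -> 198.51.100.7:80 SYN
2011-04-10T10:00:02 TCP 10.0.0.10:49154 -> 203.0.113.9:6667 SYN
2011-04-10T10:00:03 UDP 10.0.0.10:53211 -> 198.51.100.2:53
2011-04-10T10:00:04 TCP 10.0.0.10:49155 -> 10.0.0.11:445 SYN
2011-04-10T10:00:05 TCP 198.51.100.7:80 -> 10.0.0.10:49152 SYN-ACK
"""


def parse_flows(log):
    """Yield (proto, src_ip, dst_ip, dst_port, flags) from the constructed log format."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, src, dst = parts[1], parts[2], parts[4]
        flags = parts[5] if len(parts) > 5 else ""
        dst_ip, dst_port = dst.rsplit(":", 1)
        yield proto, src.rsplit(":", 1)[0], dst_ip, int(dst_port), flags


def dnat_targets(log):
    """Return the ordered, de-duplicated list of (dst_ip, dst_port) that need a
    rule: TCP SYNs from a lab host to an address outside the lab subnet.
    UDP, replies from the sink and traffic between real lab hosts are left alone."""
    seen = []
    for proto, src, dst_ip, dport, flags in parse_flows(log):
        if proto != "TCP" or flags != "SYN":
            continue                       # only new outbound connection attempts
        if ipaddress.ip_address(src) not in LAB_NET:
            continue                       # e.g. the sink answering, not an infected host
        if ipaddress.ip_address(dst_ip) in LAB_NET:
            continue                       # real lab host: let the packet through
        key = (dst_ip, dport)
        if key not in seen:
            seen.append(key)
    return seen


def iptables_rules(targets, sink=SINK):
    """Render one PREROUTING DNAT rule per target.  The destination port is kept
    so the sink can distinguish an HTTP beacon from an IRC join by port alone."""
    return [
        f"iptables -t nat -A PREROUTING -s {LAB_NET} -d {ip} -p tcp --dport {port} "
        f"-j DNAT --to-destination {sink}:{port}"
        for ip, port in targets
    ]


if __name__ == "__main__":
    for rule in iptables_rules(dnat_targets(FLOW_LOG)):
        print(rule)
```

A single blanket rule (`-s 10.0.0.0/24 ! -d 10.0.0.0/24 -p tcp -j DNAT --to-destination 10.0.0.2`) achieves the handshake-completion part statically; generating rules per observed destination, as above, is what lets a gateway react to what the sample actually does during the run, which is the situation [4] addresses for backdoors opened on the infected host.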
The VLab contains various virtual machine images that perform these tasks (i.e., about twenty anti-virus products and various static malware analysis tools). In a sense, we have made our own home brew of VirusTotal.^24 An important distinction is that our focus is on batch processing rather than on-demand analysis. A static malware analysis experiment consists of scanning several samples with one anti-virus or other analysis tool. Grouping samples together in one experiment rather than performing one experiment per sample is mainly done for performance purposes; there is no technical obstacle to scanning only one sample per experiment. One advantage of scanning malware samples in an experimental framework like the AES is that, since virtual machines are reverted to their original state at the end of each experiment, the whole process becomes resilient to malware causing the anti-virus to freeze or crash. The only samples for which the scanning results will be affected are the ones within the same group as the one causing the problem. Careful design of the experiment and of the results analysis scripts may even allow such a sample to be flagged as a potential anti-virus crasher (an idea that we are currently investigating).

5. LIMITATIONS

There are two main limitations in the AES. First, although the AES framework was designed to support different virtualization technologies, the AES currently only interfaces with VMware Workstation and VMware ESX. However, we do not foresee any reason why plugins for other virtualization technologies such as QEMU, VirtualBox or Xen could not be developed. We also believe that it might be possible to develop an extension of the AES that would be virtualization-free. The main reason why we need virtualization is to be able to quickly revert to an initial state. We believe that using tools such as Faronics Deep Freeze,^25 which restores a fresh image upon reboot, may provide an alternative to virtualization.
Second, the size of the virtual environment (i.e., number of virtual machines) is also a current limitation. For all the experiments presented in Section 4, we were able to derive insightful information using only lightweight experiments. However, for some experiments, such as simulating peer-to-peer botnets, larger experiments may be needed. Hardware resources are not quite the issue, as the AES can control experiments that run across several physical hosts. The problem mostly arises from the fact that each virtual machine in the experiment has to be manually created and configured prior to the experiment (once this is done, it can be used for an unlimited number of experiments). It would be useful if each virtual machine could be used as a template that is automatically cloneable and configurable (IP configuration, firewall rules, etc.) during the experiment setup phase.

^23 DNAT stands for Destination Network Address Translation. Unlike source NAT, it rewrites the destination IP address of packets.
^24 www.virustotal.com
^25 www.faronics.com/html/deepfreeze.asp

6. CONCLUSION

In this paper, we have presented the AES, which implements an approach to automatically and systematically conduct cyber security experiments and helps to build a foundation for experimental cyber security. We presented the AES within the context of our Cyber Observatory and provided evidence that the AES has a positive impact on the scope and the scale of research projects that can be undertaken in cyber security. The AES leverages our capabilities to conduct cyber security experiments by changing our focus from how to conduct cyber security experiments to what experiments should and can be conducted. It helps to reduce the effort required to study cyber threats. However, with the large amount of information (e.g., experimentation results) that can be generated with an experimentation system such as the AES, researchers will be facing a new problem. The next challenge will be to analyze, process and render this information so that it can be useful.

7. REFERENCES

[1] U. Bayer, A. Moser, C. Krügel, and E. Kirda. Dynamic analysis of malicious code. Journal in Computer Virology, 2(1):67–77, 2006.
[2] D. E. Comer, D. Gries, M. C. Mulder, A. Tucker, A. J. Turner, and P. R. Young. Computing as a discipline. Commun. ACM, 32:9–23, January 1989.
[3] M. Couture and F. Massicotte. Studying Malware in an Isolated Network. CRC Technical Note CRC-TN-2009-02, Communications Research Center Canada, September 2009.
[4] M. Couture and F. Massicotte. Last Minute Traffic Forwarding for Malware Analysis in a Honeynet. CRC Technical Note CRC-TN-2010-01, Communications Research Center Canada, June 2010.
[5] B. Dayioglu and A. Ozgit. Use of Passive Network Mapping To Enhance Signature Quality of Misuse Network Intrusion Detection Systems. In Proceedings of the International Symposium on Computer and Information Sciences, 2001.
[6] A. DeMontigny-Leboeuf. A Multi-Packet Signature Approach to Passive Operating System Detection. CRC Technical Note CRC-TN-2005-001 / DRDC-Ottawa-TM-2005-018, Communications Research Center Canada, December 2004.
[7] P. J. Denning. ACM President's Letter: Performance analysis: experimental computer science at its best. Commun. ACM, 24:725–727, November 1981.
[8] DETER. A laboratory for security research. http://www.isi.edu/deter/ (accessed March 22, 2011).
[9] D. G. Feitelson. Experimental computer science: The need for a cultural change. http://www.cs.huji.ac.il/~feit/papers/exp05.pdf (accessed March 22, 2011).
[10] N. Fenton, S. L. Pfleeger, and R. L. Glass. Science and substance: A challenge to software engineers. IEEE Softw., 11:86–95, July 1994.
[11] F. Gagnon, F. Massicotte, and B. Esfandiari. Using Contextual Information for IDS Alarm Classification. In Proceedings of the Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), 2009.
[12] X. Jiang, D. Xu, H. J. Wang, and E. H. Spafford. Virtual playgrounds for worm behavior investigation. In Proceedings of the Recent Advances in Intrusion Detection (RAID), 2005.
[13] C. Leita, M. Dacier, and F. Massicotte. Automatic Handling of Protocol Dependencies and Reaction to 0-Day Attacks with ScriptGen Based Honeypots. In Proceedings of the Recent Advances in Intrusion Detection (RAID), pages 185–205, 2006.
[14] F. Massicotte, F. Gagnon, Y. Labiche, M. Couture, and L. Briand. Automatic Evaluation of Intrusion Detection Systems. In Proceedings of the Annual Computer Security Applications Conference (ACSAC), pages 361–370, 2006.
[15] F. Massicotte, Y. Labiche, and L. Briand. Toward Automatic Generation of Intrusion Detection System Verification Rules. In Proceedings of the Annual Computer Security Applications Conference (ACSAC), pages 279–288, 2008.
[16] J. McHugh. Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory. ACM Transactions on Information and System Security, 3(4), November 2000.
[17] Norman Solutions. Norman SandBox whitepaper. http://download.norman.no/whitepapers/whitepaper Norman SandBox.pdf, 2003.
[18] R. Sommer and V. Paxson. Enhancing Byte-Level Network Intrusion Detection Signatures with Context. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), pages 262–271, 2003.
[19] W. F. Tichy. Should computer scientists experiment more? Computer, 31:32–40, May 1998.
[20] C. Willems, T. Holz, and F. Freiling. Toward automated dynamic malware analysis using CWSandbox. IEEE Security and Privacy, 5(2):32–39, 2007.