Generating signatures for zero-day network attacks Pascal Gamper Daniela Brauckhoff

Generating signatures for zero-day network
attacks
Pascal Gamper
Daniela Brauckhoff
Bernhard Tellenbach
Saturday, May 17, 2008
Outline




Motivation
Problem Statement
Automated Signature Generation – Overview
The NoAH approach

Attack Detection
 Attack Analysis
 Signature Generation
Saturday, May 17, 2008
Pascal Gamper
2
Motivation: The dynamics of (In)security
90 % probability for
available 0-day exploits
Source: “The Dynamics of (In)Security“, Stefan Frei, ETH Zurich, BlackHat 2006
Saturday, May 17, 2008
Pascal Gamper
3
Problem Statement
 Defending against 0-day attacks: Intrusion
Detection System (IDS)




Separate benign and malicious network traffic
Host- or Network-based signatures
Most signatures for IDS are hand-craftet by
professionals
Zero-day exploits make manual signature generation
useless
 Problem: Manual signature generation is too
slow! Options?
Saturday, May 17, 2008
Pascal Gamper
4
Overview
Techniques for automated signature generation
Saturday, May 17, 2008
Pascal Gamper
5
Building Blocks of an ASG System
attack vector
information
raw data
Attack
Detector
Site 1
Analysis
Engine
refined attack
vector information
Correlator
Site N
Attack
Detector
Signature
Generator
Analysis
Engine
transformed attack
vector information
Saturday, May 17, 2008
Pascal Gamper
6
The NoAH Approach
EU Project NoAH (Network of Affined Honeypots)
Saturday, May 17, 2008
Pascal Gamper
7
Goals
 NoAH aims at automated


detection of unknown attacks
generation of signatures to counter 0-day attacks
 Generate signatures for common IDS
 Install full-scale infrastructure across Europe
 Target audience: ISP‘s, NREN‘s, researchers
Saturday, May 17, 2008
Pascal Gamper
8
Attack Detection
Saturday, May 17, 2008
Pascal Gamper
9
NoAH Architecture: Attack Detector Argos
 Detection technique (Argos):

OS independent memory tainting (x86 emulator)
Guest OS
Emulated Hardware
NIC
Network
RAM
CPU
0xAAA
Exec
Host OS
> Scope of NoAH: Remote attacks that do not
require a human in the loop
Saturday, May 17, 2008
Pascal Gamper
10
Attack Analysis
Saturday, May 17, 2008
Pascal Gamper
11
Combining Analysis Engines
 Different analysis engines (Extractors) which

Analyse attack information from different sources
 Extractors can depend on each other
 Meta-signature describes entire set of available
attack information
 Quality estimation of meta-signature based on


Which extractors succeeded
Value and amount of extracted information
Saturday, May 17, 2008
Pascal Gamper
12
Combining host- and network-based analysis
 Extractor #1: Host-based information from
Argos



Identifies memory content relevant for the attack
Identifies OS and attacked process
Identifies network traffic bytes involved
 Extractor #2: Network-based information from
Protocol State Tracker


Protocol field(s) containing network bytes involved
Communication/Protocol state history
Saturday, May 17, 2008
Pascal Gamper
13
Basic Architecture of the entire ASG System
Network
Honeypot
Argos
Control Socket
Socket
IPC
Snitch
Perl Script
Main process
Extractor Thread
MySQL Database
Argos Extractor
Snitch Thread
Saturday, May 17, 2008
Argos.csi.x
Signature Generator
File I/O
Network
Argos.netlog
Tracker Extractor
Network Protocol
State Tracker
Pascal Gamper
TrackerOutput.dat
TrackerDump.dat
14
Basic Architecture of the entire ASG System
Network
Honeypot
Argos
Control Socket
Socket
IPC
Snitch
Perl Script
Main process
Extractor Thread
MySQL Database
Argos Extractor
Snitch Thread
Saturday, May 17, 2008
Argos.csi.x
Signature Generator
File I/O
Network
Argos.netlog
Tracker Extractor
Network Protocol
State Tracker
Pascal Gamper
TrackerOutput.dat
TrackerDump.dat
15
Basic Architecture of the entire ASG System
Network
Honeypot
Argos
Control Socket
Socket
IPC
Snitch
Perl Script
Main process
Extractor Thread
MySQL Database
Argos Extractor
Snitch Thread
Saturday, May 17, 2008
Argos.csi.x
Signature Generator
File I/O
Network
Argos.netlog
Tracker Extractor
Network Protocol
State Tracker
Pascal Gamper
TrackerOutput.dat
TrackerDump.dat
16
Basic Architecture of the entire ASG System
Network
Honeypot
Argos
Control Socket
Socket
IPC
Snitch
Perl Script
Main process
Extractor Thread
MySQL Database
Argos Extractor
Snitch Thread
Saturday, May 17, 2008
Argos.csi.x
Signature Generator
File I/O
Network
Argos.netlog
Tracker Extractor
Network Protocol
State Tracker
Pascal Gamper
TrackerOutput.dat
TrackerDump.dat
17
Basic Architecture of the entire ASG System
Network
Honeypot
Argos
Control Socket
Socket
IPC
Snitch
Perl Script
Main process
Extractor Thread
MySQL Database
Argos Extractor
Snitch Thread
Saturday, May 17, 2008
Argos.csi.x
Signature Generator
File I/O
Network
Argos.netlog
Tracker Extractor
Network Protocol
State Tracker
Pascal Gamper
TrackerOutput.dat
TrackerDump.dat
18
Basic Architecture of the entire ASG System
Network
Honeypot
Argos
Control Socket
Socket
IPC
Snitch
Perl Script
Main process
Meta-signature
Extractor Thread
Database
Argos Extractor
Snitch Thread
Saturday, May 17, 2008
Argos.csi.x
Signature Generator
File I/O
Network
Argos.netlog
Tracker Extractor
Network Protocol
State Tracker
Pascal Gamper
TrackerOutput.dat
TrackerDump.dat
19
Network Protocol State Tracker
 Tracks the network connections towards one or




more honeypot systems
Logs protocol states for each packet
User-defined packet and connection analysis
possible
Is highly configurable by relying on various
libraries
State machine configurations currently available
for IP, TCP/UDP, FTP
Saturday, May 17, 2008
Pascal Gamper
20
Libraries
 NetBee library



Developed by NetGroup at Politecnico di Torino
Components for different types of packet processing
We integrated Packet Decoding functionality into Tracker
 Netprotofsm



Finite state machine library for describing network protocols
Our approach is based on work by J. van Gurp and J. Bosch
Features:
- Protocol state machines defined by XML files
- Resource-gentle
- Flexible timer mechanism (schedule events, define timeouts)
- Implement custom actions
Saturday, May 17, 2008
Pascal Gamper
21
Architecture
Network
Capturing
LogReader
PacketDecoder
Replayer
Connection State Log File
Network
Pcap library
EventData
NetBee library
netprotofsm library
State Machine
(libnetprotofsm)
LogAction
Protocol Specification File
ReplayAction
Connection State Log File
State Tracker
Saturday, May 17, 2008
Network
Pascal Gamper
Replayer
22
Example: Attack information extracted
Extractor #2
Information
Protocol Connection State:
TCP: Connection established
FTP: Login, User identification
Network Packet
Argos I
IP
Memory Dump
Src Address
Dest Address
04 F2 A6 00
TCP
Src Port
Argos II
Snitch perl script
FTP
USER
Payload data
04 F2 A6 00
-Operating system: Win2000
-Attacked service / program: WAR-FTPD
Saturday, May 17, 2008
Tainted data which is
about to be used in
instruction execution
Dest Port
Position
in
network
packet
Extractor #1
Information
Packet Field Decoding:
FTP: bytes in USER field
Pascal Gamper
23
Signature Generation
Saturday, May 17, 2008
Pascal Gamper
24
Signature Generation Flow





1. Generate meta-signature
2. Determine signature quality
4. Save to database
5. Use Adapters to create specific signatures
6. Store, (correlate and/or distribute) adapted
signatures
Saturday, May 17, 2008
Pascal Gamper
25
Snort as Signature Format
 SNORT for Proof-of-Concept


SNORT is open source and well-known
Simple signature format
 Implications

Only a part of extracted attack information can be
used, for example
- We cannot include information about attacked program
Saturday, May 17, 2008
Pascal Gamper
26
Generated signature (WAR-FTPD example)
alert tcp any any-> any 21 (msg:
“(NoAH) RET via FTP protocol, USER
command in war-ftpd.exe(win2k)”;
flow: established, from_client;
content:"USER";
content:!"|0D 0A|"; offset: 5; depth:
465;)
Saturday, May 17, 2008
Pascal Gamper
27
Signature Properties (WAR-FTPD example)
Connection state information
alert tcp any any-> any 21 (msg:
“(NoAH) RET via FTP protocol, USER
command in war-ftpd.exe(win2k)”;
flow: established, from_client;
content:"USER";
content:!"|0D 0A|"; offset: 5; depth:
465;)
Saturday, May 17, 2008
Pascal Gamper
28
Signature Properties (WAR-FTPD example)
State transition trigger
alert tcp any any-> any 21 (msg:
“(NoAH) RET via FTP protocol, USER
command in war-ftpd.exe(win2k)”;
flow: established, from_client;
content:"USER";
content:!"|0D 0A|"; offset: 5; depth:
465;)
Saturday, May 17, 2008
Pascal Gamper
29
Signature Properties (WAR-FTPD example)
alert tcp any any-> any 21 (msg:
“(NoAH) RET via FTP protocol, USER
command in war-ftpd.exe(win2k)”;
flow: established, from_client;
content:"USER";
content:!"|0D 0A|"; offset: 5; depth:
465;)
Vulnerable field(s)
Saturday, May 17, 2008
Pascal Gamper
30
Conclusion
 Our ASG system generates signatures with almost zero
false positives


For remote code injection attacks
If full amount of attack information is extracted
 Signature describes the vulnerability of the application
 Protect server applications from buffer overflows in
arbitrary protocols and fields
> Our signatures can compete with other approaches
including manually created reference signatures
Saturday, May 17, 2008
Pascal Gamper
31
Questions?
Saturday, May 17, 2008
Pascal Gamper
32
Evaluation
 Prototype implementation

IP, TCP, UDP, FTP protocol state machines
 Examplary signature generation tests
 Protocol context aware signatures:


Average total generation time: 1,64 s
Few false positives
 LCS signatures (fallback strategy):


Average total generation time: 3,46 s
High rate of false positives depending on strings
Saturday, May 17, 2008
Pascal Gamper
33