Evan Cooke
University of Michigan
Publication
Featured research published by Evan Cooke.
international conference on mobile systems, applications, and services | 2008
Jon Oberheide; Kaushik Veeraraghavan; Evan Cooke; Jason Flinn; Farnam Jahanian
Modern mobile devices continue to approach the capabilities and extensibility of standard desktop PCs. Unfortunately, these devices are also beginning to face many of the same security threats as desktops. Currently, mobile security solutions mirror the traditional desktop model in which they run detection services on the device. This approach is complex and resource intensive in both computation and power. This paper proposes a new model whereby mobile antivirus functionality is moved to an off-device network service employing multiple virtualized malware detection engines. Our argument is that it is possible to spend bandwidth resources to significantly reduce on-device CPU, memory, and power resources. We demonstrate how our in-cloud model enhances mobile security and reduces on-device software complexity, while allowing for new services such as platform-specific behavioral analysis engines. Our benchmarks on Nokia's N800 and N95 mobile devices show that our mobile agent consumes an order of magnitude less CPU and memory while also consuming less power in common scenarios compared to existing on-device antivirus software.
2009 Cybersecurity Applications & Technology Conference for Homeland Security | 2009
Michael Bailey; Evan Cooke; Farnam Jahanian; Yunjing Xu; Manish Karir
Global Internet threats have undergone a profound transformation from attacks designed solely to disable infrastructure to those that also target people and organizations. At the center of many of these attacks are collections of compromised computers, or Botnets, remotely controlled by the attackers, and whose members are located in homes, schools, businesses, and governments around the world [6]. In this survey paper we provide a brief look at how existing botnet research, the evolution and future of botnets, as well as the goals and visibility of today’s networks intersect to inform the field of botnet technology and defense.
workshop on rapid malcode | 2004
Evan Cooke; Michael Bailey; Z. Morley Mao; David Watson; Farnam Jahanian; Danny McPherson
The monitoring of unused Internet address space has been shown to be an effective method for characterizing Internet threats including Internet worms and DDoS attacks. Because there are no legitimate hosts in an unused address block, traffic must be the result of misconfiguration, backscatter from spoofed source addresses, or scanning from worms and other probing. This paper extends previous work characterizing traffic seen at specific unused address blocks by examining differences observed between these blocks. While past research has attempted to extrapolate the results from a small number of blocks to represent global Internet traffic, we present evidence that distributed address blocks observe dramatically different traffic patterns. This work uses a network of blackhole sensors which are part of the Internet Motion Sensor (IMS) collection infrastructure. These sensors are deployed in networks belonging to service providers, large enterprises, and academic institutions representing a diverse sample of the IPv4 address space. We demonstrate differences in traffic observed along three dimensions: over all protocols and services, over a specific protocol and service, and over a particular worm signature. This evidence is then combined with additional experimentation to build a list of sensor properties providing plausible explanations for these differences. Using these properties, we conclude with recommendations for understanding the implications of sensor placement.
ieee symposium on security and privacy | 2005
Michael Bailey; Evan Cooke; Farnam Jahanian; David Watson
The Blaster worm of 2003 infected at least 100,000 Microsoft Windows systems and cost millions in damage. In spite of cleanup efforts, an antiworm, and a removal tool from Microsoft, the worm persists. Observing the worm's activity can provide insight into the evolution of Internet worms.
conference on information sciences and systems | 2006
Michael Bailey; Evan Cooke; Farnam Jahanian; Andrew Myrick; Sushant Sinha
The Internet today is beset with constant attacks targeting users and infrastructure. One popular method of detecting these attacks and the infected hosts behind them is to monitor unused network addresses. Because many Internet threats propagate randomly, infection attempts can be captured by monitoring the unused spaces between live addresses. Sensors that monitor these unused address spaces are called darknets, network telescopes, or blackholes. They capture important information about a diverse range of threats such as Internet worms, denial of service attacks, and botnets. In this paper, we describe and analyze the important measurement issues associated with deploying darknets, evaluating the placement and service configuration of darknets, and analyzing the data collected by darknets. To support the discussion, we leverage 4 years of experience operating the Internet motion sensor (IMS), a network of distributed darknet sensors monitoring 60 distinct address blocks in 19 organizations over 3 continents.
internet measurement conference | 2005
Michael Bailey; Evan Cooke; Farnam Jahanian; Niels Provos; Karl Rosaen; David Watson
Threats to the privacy of users and to the availability of Internet infrastructure are evolving at a tremendous rate. To characterize these emerging threats, researchers must effectively balance monitoring the large number of hosts needed to quickly build confidence in new attacks, while still preserving the detail required to differentiate these attacks. One class of techniques that attempts to achieve this balance involves hybrid systems that combine the scalable monitoring of unused address blocks (or darknets) with forensic honeypots (or honeyfarms). In this paper we examine the properties of individual and distributed darknets to determine the effectiveness of building scalable hybrid systems. We show that individual darknets are dominated by a small number of sources repeating the same actions. This enables source-based techniques to be effective at reducing the number of connections to be evaluated by over 90%. We demonstrate that the dominance of locally targeted attack behavior and the limited life of random scanning hosts result in few of these sources being repeated across darknets. To achieve reductions beyond source-based approaches, we look to source-distribution based methods and expand them to include notions of local and global behavior. We show that this approach is effective at reducing the number of events by deploying it in 30 production networks during early 2005. Each of the identified events during this period represented a major globally-scoped attack including the WINS vulnerability scanning, Veritas Backup Agent vulnerability scanning, and the MySQL Worm.
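The darknet papers above rest on two observations: every packet arriving at an unused address is unsolicited (so it can be sorted into scanning, backscatter, or misconfiguration from its headers alone), and an individual darknet is dominated by a few sources repeating the same action, so collapsing by source removes most of the connections. The following is an added illustration of both points, not code from IMS or from any of the papers; the TCP-flag and ICMP-type heuristics, the event key, and the sample capture (sensor block 203.0.113.0/24, sources in 198.51.100.0/24 and 192.0.2.0/24) are constructed assumptions for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Added example: a toy classifier for packets observed on an unused address
# block, plus the source-based reduction the IMC 2005 abstract describes. The
# heuristics and the sample traffic below are constructed assumptions, not IMS data.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    flags: str = ""       # TCP flags as a string, e.g. "S", "SA", "R", "RA"
    icmp_type: int = -1   # ICMP type; only meaningful when proto == "icmp"


def classify(pkt: Packet) -> str:
    """Heuristic category for a packet arriving at an address with no host.

    Nothing legitimate initiates traffic to a dark address, so:
      * TCP SYN, ICMP echo request, UDP payload  -> "scan" (worms, probers)
      * TCP SYN-ACK / RST, ICMP replies/errors   -> "backscatter" (replies to
        packets that spoofed one of our addresses as their source)
    """
    if pkt.proto == "tcp":
        if pkt.flags == "S":
            return "scan"
        if pkt.flags in ("SA", "R", "RA"):
            return "backscatter"
        return "other"
    if pkt.proto == "icmp":
        if pkt.icmp_type == 8:           # echo request
            return "scan"
        if pkt.icmp_type in (0, 3, 11):  # echo reply, unreachable, time exceeded
            return "backscatter"
        return "other"
    if pkt.proto == "udp":
        return "scan"
    return "other"


def event_key(pkt: Packet) -> tuple:
    """Key identifying 'the same action by the same source'.

    For a scan the interesting port is the targeted service (dport); for
    backscatter it is the victim's service, which appears as the *source*
    port of the reflected reply.
    """
    cat = classify(pkt)
    if cat == "scan":
        port = pkt.dport
    elif cat == "backscatter":
        port = pkt.sport
    else:
        port = -1
    return (pkt.src, cat, pkt.proto, port)


def category_totals(packets) -> Counter:
    """Packets per category, before any reduction."""
    return Counter(classify(p) for p in packets)


def source_reduce(packets) -> Counter:
    """Collapse repeated actions into one event per (src, category, proto, port)."""
    return Counter(event_key(p) for p in packets)


def reduction_ratio(packets) -> float:
    """Fraction of packets removed by source-based reduction."""
    return 1.0 - len(source_reduce(packets)) / len(packets)


def build_sample() -> list:
    """Constructed darknet capture: 203.0.113.0/24 is the dark sensor block."""
    pkts = []
    # A worm-like host sweeping 445/tcp across 40 dark addresses.
    for i in range(40):
        pkts.append(Packet("198.51.100.7", f"203.0.113.{i + 1}", "tcp", 1024 + i, 445, "S"))
    # SYN-ACKs from a web server under SYN flood whose attacker spoofed our addresses.
    for i in range(10):
        pkts.append(Packet("192.0.2.80", f"203.0.113.{i + 50}", "tcp", 80, 40000 + i, "SA"))
    # ICMP echo sweep of five dark addresses.
    for i in range(5):
        pkts.append(Packet("198.51.100.9", f"203.0.113.{i + 70}", "icmp", 0, 0, icmp_type=8))
    # UDP probes to 1434/udp from a single source.
    for i in range(3):
        pkts.append(Packet("198.51.100.11", f"203.0.113.{i + 80}", "udp", 2000 + i, 1434))
    # RSTs from a DNS server answering packets that spoofed our addresses.
    for i in range(2):
        pkts.append(Packet("192.0.2.53", f"203.0.113.{i + 90}", "tcp", 53, 3000 + i, "RA"))
    return pkts


if __name__ == "__main__":
    sample = build_sample()
    print(category_totals(sample))
    for key, n in source_reduce(sample).most_common():
        print(n, key)
    print(f"reduction: {reduction_ratio(sample):.1%}")
```

On the constructed capture, 60 packets collapse to 5 events, a reduction just over 90%, which is the order of magnitude the abstract reports for real darknets. The caveat the papers make applies here too: the keys are local to one sensor, so the same worm source will produce a separate event on every block it happens to hit, and correlating across sensors needs the distribution-based methods the abstract goes on to describe rather than this per-source collapse.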
acm special interest group on data communication | 2006
Evan Cooke; Andrew Myrick; David Rusek; Farnam Jahanian
Internet security systems like intrusion detection and intrusion prevention systems are based on a simple input-output principle: they receive a high-bandwidth stream of input data and produce summaries of suspicious events. This simple model has serious drawbacks, including the inability to attach context to security alerts, a lack of detailed historical information for anomaly detection baselines, and a lack of detailed forensics information. Together these problems highlight a need for fine-grained security data in the short-term, and coarse-grained security data in the long-term. To address these limitations we propose resource-aware multi-format security data storage. Our approach is to develop an architecture for recording different granularities of security data simultaneously. To explore this idea we present a novel framework for analyzing security data as a spectrum of information and a set of algorithms for collecting and storing multi-format data. We construct a prototype system and deploy it on darknets at academic, Fortune 100 enterprise, and ISP networks. We demonstrate how a hybrid algorithm that provides guarantees on time and space satisfies the short and long-term goals across a four month deployment period and during a series of large-scale denial of service attacks.
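The abstract argues for holding full-detail records for the recent past and only aggregates for the long term, with a bound on the space the store can consume even during a flood. The class below is an added illustration of that two-tier idea; it is this editor's own design and is not the paper's hybrid algorithm, whose details the abstract does not give. The demotion policy (age out by time, then by count, then drop the oldest coarse bucket), the aggregation key, and the synthetic feed are all assumptions made for the example.

```python
from collections import Counter, OrderedDict, deque

# Added example: a two-granularity store illustrating the short-term / long-term
# split described above. The demotion policy and the limits are this example's
# own assumptions, not the paper's hybrid algorithm.


class TwoTierStore:
    """Full records for the recent past; per-bucket counters beyond that.

    Space is bounded by construction: at most max_fine full records and at
    most max_buckets coarse buckets are ever held, whatever the input rate.
    """

    def __init__(self, fine_window, bucket_width, max_fine, max_buckets):
        self.fine_window = fine_window    # seconds of full-detail retention
        self.bucket_width = bucket_width  # seconds covered by one coarse bucket
        self.max_fine = max_fine
        self.max_buckets = max_buckets
        self.fine = deque()               # (ts, record), oldest first
        self.coarse = OrderedDict()       # bucket_start -> Counter(key)
        self.demoted = 0                  # records moved from fine to coarse

    @staticmethod
    def coarse_key(record):
        # What survives in the long-term tier: who talked to which service.
        return (record["src"], record["proto"], record["dport"])

    def add(self, ts, record):
        self.fine.append((ts, record))
        self._age(ts)

    def _demote(self, ts, record):
        bucket = ts - ts % self.bucket_width
        self.coarse.setdefault(bucket, Counter())[self.coarse_key(record)] += 1
        self.demoted += 1

    def _age(self, now):
        # Time bound: full records older than the window become counters...
        while self.fine and self.fine[0][0] < now - self.fine_window:
            self._demote(*self.fine.popleft())
        # ...and space bound: so do the oldest ones when the fine tier is full,
        # which is what happens during a flood.
        while len(self.fine) > self.max_fine:
            self._demote(*self.fine.popleft())
        # The oldest coarse buckets are dropped once the coarse tier is full.
        while len(self.coarse) > self.max_buckets:
            self.coarse.popitem(last=False)

    def recent(self):
        """Full-detail records still held (forensic context for recent alerts)."""
        return [rec for _, rec in self.fine]

    def history(self):
        """Coarse counters per bucket (baseline material for anomaly detection)."""
        return {b: dict(c) for b, c in self.coarse.items()}


def replay(store, records):
    """Feed (ts, record) pairs in arrival order; returns the store for chaining."""
    for ts, rec in records:
        store.add(ts, rec)
    return store


def build_feed():
    """Constructed feed: one 445/tcp probe per second for two minutes, plus a
    burst of 50 packets at t=100 that exceeds the fine-tier capacity used below."""
    feed = [(t, {"src": "198.51.100.7", "proto": "tcp", "dport": 445}) for t in range(120)]
    feed += [(100, {"src": "192.0.2.80", "proto": "tcp", "dport": 80}) for _ in range(50)]
    return sorted(feed, key=lambda x: x[0])


if __name__ == "__main__":
    store = replay(TwoTierStore(fine_window=30, bucket_width=60, max_fine=40, max_buckets=2),
                   build_feed())
    print(len(store.recent()), "full records;", store.demoted, "demoted")
    for bucket, counts in store.history().items():
        print(bucket, counts)
```

With a 30 second window, 60 second buckets, and room for 40 full records, the steady one-per-second probe stays entirely within the fine tier, while the burst at t=100 pushes older records into the coarse tier early: the store never exceeds its limits, the burst is still visible as a count in the 60 to 119 second bucket, and the most recent packets keep their full detail. That is the trade the abstract describes; the price is that anything demoted during the flood is reduced to its aggregation key before the window would otherwise have expired.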
Proceedings of the 4th ACM workshop on Recurring malcode | 2006
Ying Zhang; Evan Cooke; Z. Morley Mao
Security on the Internet today is treated mostly as a data plane problem. IDSs, firewalls, and spam filters all operate on the simple principle of detecting malicious data plane behavior and erecting data plane filters. In this paper we explore how breaking down the barrier between the control and data plane can significantly enhance our understanding of how to detect and filter Internet threats like worms and botnets. Our investigation is guided by two specific goals: using information and anomalies detected on the data plane to inform control plane decision support and using anomalies detected on the control plane to inform data plane filtering. We begin by analyzing the source of persistent worms and other persistent malicious and misconfigured data plane traffic to understand the scope of this behavior on the control plane. We then analyze how anomalies on the control plane associated with poorly managed networks are correlated with the sources of malicious and misconfigured traffic detected on the data plane. Our results show that malicious and misconfigured data plane behavior is widely spread across the control plane suggesting that constructing a few control plane filters to block the most infected organizations will not have a significant impact. We demonstrate that networks with data plane anomalies tend to exhibit more routing misconfigurations. Finally, we discuss how these correlations could be used to reject or filter routes and help stop recurring threats like persistent worms.
conference on steps to reducing unwanted traffic on internet | 2005
Evan Cooke; Farnam Jahanian; Danny McPherson
usenix security symposium | 2008
Jon Oberheide; Evan Cooke; Farnam Jahanian