Publication


Featured research published by Stuart Staniford.


IEEE Symposium on Security and Privacy | 2003

Inside the Slammer worm

David Moore; Vern Paxson; Stefan Savage; Colleen Shannon; Stuart Staniford; Nicholas Weaver

The Slammer worm spread so quickly that human response was ineffective. In January 2003, it packed a benign payload, but its disruptive capacity was surprising. Why was it so effective and what new challenges does this new breed of worm pose?


Journal of Computer Security | 2002

Practical automated detection of stealthy portscans

Stuart Staniford; James A. Hoagland; Joseph M. Mcalerney

Portscan detectors in network intrusion detection products are easy to evade. They classify a portscan as more than N distinct probes within M seconds from a single source. This paper begins with an analysis of the scan detection problem, and then presents Spice (Stealthy Probing and Intrusion Correlation Engine), a portscan detector that is effective against stealthy scans yet operationally practical. Our design maintains records of event likelihood, from which we approximate the anomalousness of a given packet. We use simulated annealing to cluster anomalous packets together into portscans using heuristics developed from real scans. Packets are kept around longer if they are more anomalous. This should enable us to detect all the scans detected by current techniques, plus many stealthy scans, with manageable false positives. We also discuss detection of other activity such as stealthy worms, and DDoS control networks.
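The contrast the abstract draws, a fixed "more than N probes in M seconds" rule versus scoring each packet by how unlikely it is and keeping anomalous packets around longer, is easy to see on a few constructed connection records. The following is an added example, not code from the Spice paper: the baseline port frequencies, the thresholds, the 30-seconds-per-bit retention rule and the three traffic sources are all assumptions chosen for illustration, and the clustering step (simulated annealing) is omitted in favour of a plain per-source sum.

```python
import math
from collections import Counter, defaultdict

# Constructed baseline of destination ports seen on the monitored network
# (hypothetical counts, not measured data). Ports absent here are "never seen".
BASELINE_PORT_COUNTS = Counter({80: 6000, 443: 3500, 25: 300, 22: 150, 53: 40})
BASELINE_TOTAL = sum(BASELINE_PORT_COUNTS.values())


def port_anomaly_score(port):
    """Anomalousness of a probe in bits: -log2 P(dst port) under the baseline,
    with add-one smoothing over the 65536-port space so an unseen port scores
    high rather than infinite."""
    count = BASELINE_PORT_COUNTS.get(port, 0)
    p = (count + 1) / (BASELINE_TOTAL + 65536)
    return -math.log2(p)


def naive_threshold_detector(events, n_probes=5, window_s=10.0):
    """The evadable rule: flag a source that probes more than n_probes
    distinct ports within any window_s-second window."""
    by_src = defaultdict(list)
    for t, src, port in events:
        by_src[src].append((t, port))
    flagged = set()
    for src, probes in by_src.items():
        probes.sort()
        for t0, _ in probes:
            ports = {p for t, p in probes if t0 <= t <= t0 + window_s}
            if len(ports) > n_probes:
                flagged.add(src)
                break
    return flagged


def anomaly_detector(events, threshold_bits=60.0, seconds_per_bit=30.0):
    """Spice-style accumulation (simplified here): each distinct (source,
    port) probe earns bits from port_anomaly_score() and is retained for
    seconds_per_bit * bits, so rare-port probes linger far longer than
    ordinary web traffic. A source is flagged once its retained probes sum
    past threshold_bits, however slowly they arrived."""
    retained = defaultdict(dict)  # src -> {port: (expiry_time, bits)}
    flagged = set()
    for t, src, port in sorted(events):
        probes = retained[src]
        for p, (expiry, _) in list(probes.items()):   # drop expired probes
            if expiry < t:
                del probes[p]
        bits = port_anomaly_score(port)
        probes[port] = (t + seconds_per_bit * bits, bits)
        if sum(b for _, b in probes.values()) > threshold_bits:
            flagged.add(src)
    return flagged


# Constructed traffic: (time_s, source, destination port).
NORMAL_CLIENT = ([(t, "10.0.0.5", 80) for t in range(0, 600, 7)]
                 + [(t, "10.0.0.5", 443) for t in range(3, 600, 11)]
                 + [(120, "10.0.0.5", 25)])
FAST_SCANNER = [(1.0 + 0.2 * i, "10.0.0.66", 1000 + i) for i in range(10)]    # 10 ports in 2 s
STEALTHY_SCANNER = [(120 * (i + 1), "10.0.0.7", 31000 + i) for i in range(6)]  # one probe per 2 min
ALL_EVENTS = NORMAL_CLIENT + FAST_SCANNER + STEALTHY_SCANNER


def compare_detectors(events=ALL_EVENTS):
    """Returns (sources flagged by the naive rule, sources flagged by anomaly accumulation)."""
    return naive_threshold_detector(events), anomaly_detector(events)


if __name__ == "__main__":
    naive, anomaly = compare_detectors()
    print("naive N-in-M rule flags:   ", sorted(naive))
    print("anomaly accumulation flags:", sorted(anomaly))
```

With these numbers the fast scanner trips both detectors, the web client trips neither (its three well-known ports are worth about 16 bits in total), and the one-probe-every-two-minutes scanner is invisible to the N-in-M rule but crosses 60 bits on its fourth unseen-port probe, because each such probe is retained for roughly eight minutes.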


Workshop on Rapid Malcode | 2003

A taxonomy of computer worms

Nicholas Weaver; Vern Paxson; Stuart Staniford; Robert K. Cunningham

To understand the threat posed by computer worms, it is necessary to understand the classes of worms, the attackers who may employ them, and the potential payloads. This paper describes a preliminary taxonomy based on worm target discovery and selection strategies, worm carrier mechanisms, worm activation, possible payloads, and plausible attackers who would employ a worm.


Workshop on Rapid Malcode | 2004

The top speed of flash worms

Stuart Staniford; David Moore; Vern Paxson; Nicholas Weaver

Flash worms follow a precomputed spread tree using prior knowledge of all systems vulnerable to the worm's exploit. In previous work we suggested that a flash worm could saturate one million vulnerable hosts on the Internet in under 30 seconds [18]. We grossly over-estimated. In this paper, we revisit the problem in the context of single packet UDP worms (inspired by Slammer and Witty). Simulating a flash version of Slammer, calibrated by current Internet latency measurements and observed worm packet delivery rates, we show that a worm could saturate 95% of one million vulnerable hosts on the Internet in 510 milliseconds. A similar worm using a TCP based service could 95% saturate in 1.3 seconds. The speeds above are achieved with flat infection trees and packets sent at line rates. Such worms are vulnerable to recently proposed worm containment techniques [12, 16, 25]. To avoid this, flash worms should slow down and use deeper, narrower trees. We explore the resilience of such spread trees when the list of vulnerable addresses is inaccurate. Finally, we explore the implications of flash worms for containment defenses: such defenses must correlate information from multiple sites in order to detect the worm, but the speed of the worm will defeat this correlation unless a certain fraction of traffic is artificially delayed in case it later proves to be a worm.
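The two trade-offs in the abstract, a flat tree finishing in a few round trips versus a deep, narrow tree paying one latency per level, and the loss of whole subtrees when the hit list contains hosts that are not actually vulnerable, can be reproduced with a small spread-tree model. This is an added example and not the paper's simulator or its calibration: the per-host send rate (30,000 single-packet infections per second), the 100 ms one-way latency, the complete k-ary tree layout and the random "dead host" model are all assumptions.

```python
import math
import random
from dataclasses import dataclass
from typing import Optional


@dataclass
class SpreadResult:
    infected: int              # hosts actually compromised
    t95: Optional[float]       # seconds until 95% of the hit list is infected, None if never
    t_last: Optional[float]    # time of the final infection


def simulate_flash_worm(n_hosts, fanout, send_interval_s, latency_s,
                        dead_fraction=0.0, seed=1):
    """Precomputed complete k-ary spread tree over a hit list of n_hosts.
    Host i (root 0) sends its share of the list to children k*i+1 .. k*i+k
    back to back at line rate (one packet per send_interval_s); child j is
    infected one network latency after its packet leaves. Hosts marked dead
    model an inaccurate hit list: they receive the packet but are not
    vulnerable, so they never forward and their whole subtree is lost."""
    rng = random.Random(seed)
    alive = [rng.random() >= dead_fraction for _ in range(n_hosts)]
    alive[0] = True                     # the attacker's own seed host
    times = [None] * n_hosts
    times[0] = 0.0
    for i in range(n_hosts):            # parents have smaller indices, so each
        if times[i] is None or not alive[i]:   # host's time is final when visited
            continue
        base = fanout * i + 1
        for j in range(fanout):
            child = base + j
            if child >= n_hosts:
                break
            times[child] = times[i] + (j + 1) * send_interval_s + latency_s
    infected = sorted(t for t, a in zip(times, alive) if t is not None and a)
    target = math.ceil(0.95 * n_hosts)
    return SpreadResult(
        infected=len(infected),
        t95=infected[target - 1] if len(infected) >= target else None,
        t_last=infected[-1] if infected else None,
    )


# Assumed parameters (not the paper's calibration): ~30,000 single-packet
# infections per second per host, roughly 100 Mbit/s of 400-byte packets,
# and 100 ms one-way latency.
SEND_INTERVAL_S = 1 / 30_000
LATENCY_S = 0.1


def compare_tree_shapes(n_hosts=1_000_000, dead_fraction=0.0):
    """Wide, shallow tree (fan-out 1000, two levels for a million hosts)
    versus narrow, deep tree (fan-out 2, about twenty levels) over the same
    hit list and the same set of dead hosts."""
    flat = simulate_flash_worm(n_hosts, 1000, SEND_INTERVAL_S, LATENCY_S, dead_fraction)
    deep = simulate_flash_worm(n_hosts, 2, SEND_INTERVAL_S, LATENCY_S, dead_fraction)
    return flat, deep


if __name__ == "__main__":
    for dead in (0.0, 0.2):
        flat, deep = compare_tree_shapes(dead_fraction=dead)
        print(f"hit list {int(dead * 100)}% stale: "
              f"fan-out 1000 -> {flat.infected} infected, t95={flat.t95}; "
              f"fan-out 2 -> {deep.infected} infected, t95={deep.t95}")
```

Under these assumptions the fan-out-1000 tree reaches 95% of a million hosts in well under a second (two latencies plus the time to push a thousand packets), while the binary tree needs roughly twenty latencies, i.e. a couple of seconds; the same deep tree loses most of its targets once a fifth of the hit list is stale, because a dead host near the root severs everything beneath it, whereas the flat tree loses only the dead hosts themselves and the children of dead first-level hosts.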


DARPA Information Survivability Conference and Exposition | 2001

Towards faster string matching for intrusion detection or exceeding the speed of Snort

C.J. Coit; Stuart Staniford; Joseph M. Mcalerney

Network intrusion detection systems (NIDS) often rely on exact string matching techniques. Depending on the choice of algorithm, implementation and the frequency with which it is applied, this pattern matching may become a performance bottleneck. To keep up with increasing network speeds and traffic, NIDS can take advantage of advanced string matching algorithms. We describe the effectiveness of a significantly faster approach to pattern matching in the open source NIDS Snort.


Recent Advances in Intrusion Detection | 2002

Multiscale stepping-stone detection: detecting pairs of jittered interactive streams by exploiting maximum tolerable delay

David L. Donoho; Ana Georgina Flesia; Umesh Shankar; Vern Paxson; Jason Coit; Stuart Staniford

Computer attackers frequently relay their attacks through a compromised host at an innocent site, thereby obscuring the true origin of the attack. There is a growing literature on ways to detect that an interactive connection into a site and another outbound from the site give evidence of such a stepping stone. This has been done based on monitoring the access link connecting the site to the Internet (e.g. [7, 11, 8]). The earliest work was based on connection content comparisons but more recent work has relied on timing information in order to compare encrypted connections. Past work on this problem has not yet attempted to cope with the ways in which intruders might attempt to modify their traffic to defeat stepping stone detection. In this paper we give the first consideration to constraining such intruder evasion. We present some unexpected results that show there are theoretical limits on the ability of attackers to disguise their traffic in this way for sufficiently long connections. We consider evasions that consist of local jittering of packet arrival times (without addition and subtraction of packets), and also the addition of superfluous packets which will be removed later in the connection chain (chaff). To counter such evasion, we assume that the intruder has a maximum delay tolerance. By using wavelets and similar multiscale methods, we show that we can separate the short-term behavior of the streams, where the jittering or chaff indeed masks the correlation, from the long-term behavior of the streams, where the correlation remains. It therefore appears, at least in principle, that there is an effective countermeasure to this particular evasion tactic, at least for sufficiently long-lived interactive connections.


Recent Advances in Intrusion Detection | 2000

Intrusion detection inter-component adaptive negotiation

Richard J. Feiertag; Sue Rho; Lee Benzinger; Stephen Wu; Timothy Redmond; Cui Zhang; Karl N. Levitt; Dave Peticolas; Mark R. Heckman; Stuart Staniford; Joey McAlerney

The intrusion detection inter-component adaptive negotiation (IDIAN) project has developed a negotiation protocol to allow a distributed collection of heterogeneous intrusion detection (ID) components to inter-operate and reach agreement on each other's ID information processing capabilities and needs. The negotiation, moreover, is dynamic, so the information generated and processed can evolve as the intrusion detection system (IDS) evolves and as the environment changes. This paper describes IDIAN extensions to the common intrusion specification language (viz., GIDO filters), the negotiation protocol itself, a load model used to measure computing load on a system due to the use of ID services, and a demonstration of the protocol.


DARPA Information Survivability Conference and Exposition | 2001

Viewing IDS alerts: lessons from SnortSnarf

James A. Hoagland; Stuart Staniford

We consider the design of the user interface to an intrusion detection system console. We first analyze the requirements for this problem; our analysis is novel because we consider the possibility that an attacker can deliberately create spurious packets or audit records purely for the purpose of triggering the intrusion detection system. By this means, he can attempt to control the screen real estate of the security personnel using the IDS in such a way as to disguise the true nature of his activity. We also consider the way in which the ubiquitous false alarms generated by intrusion detection systems impact the console design. Next we describe a simple Web-based prototype console for the Snort IDS built by us: SnortSnarf. It partially embodies the analysis described above. We explain the features of SnortSnarf's design and informally describe some of the experience of the IDS community in using it. We discuss possible future research.


Malware Detection | 2007

Very Fast Containment of Scanning Worms, Revisited

Nicholas Weaver; Stuart Staniford; Vern Paxson

Computer worms — malicious, self-propagating programs — represent a significant threat to large networks. One possible defense, containment, seeks to limit a worm’s spread by isolating it in a small subsection of the network. In this work we develop containment algorithms suitable for deployment in high-speed, low-cost network hardware. We show that these techniques can stop a scanning host after fewer than 10 scans with a very low false-positive rate. We also augment this approach by devising mechanisms for cooperation that enable multiple containment devices to more effectively detect and respond to an emerging infection. In addition, we discuss ways that a worm can attempt to bypass containment techniques in general, and ours in particular.
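The abstract's central number, stopping a scanning host after fewer than ten scans, comes from a counter that can live in cheap, fixed-size hardware tables rather than in per-flow state. The following is an added, simplified software illustration of that idea and not the paper's design: the miss counter that rises on every first-contact connection attempt and falls when the destination answers, the threshold of 10, the CRC-indexed approximate cache whose collisions simply overwrite, and the two constructed hosts are all assumptions of this example.

```python
import zlib
from collections import defaultdict


class ScanSuppressor:
    """Per-source scan suppression (simplified): each first-contact connection
    attempt raises the source's miss counter, each answered attempt lowers it,
    and the source is blocked once the counter reaches the threshold. Seen
    (src, dst) pairs live in a fixed-size approximate cache indexed by a hash;
    a colliding entry overwrites the old one, which is the trade-off that keeps
    the state bounded for a hardware implementation."""

    def __init__(self, threshold=10, cache_slots=4096):
        self.threshold = threshold
        self.cache = [None] * cache_slots      # slot -> (src, dst) or None
        self.misses = defaultdict(int)
        self.blocked = set()
        self.forwarded = defaultdict(int)
        self.dropped = defaultdict(int)

    def _slot(self, src, dst):
        # Deterministic hash (Python's hash() is salted per process).
        return zlib.crc32(f"{src}>{dst}".encode()) % len(self.cache)

    def outbound(self, src, dst):
        """Internal host src opens a connection to dst. Returns True if the
        packet is forwarded, False if the source is being contained."""
        if src in self.blocked:
            self.dropped[src] += 1
            return False
        slot = self._slot(src, dst)
        if self.cache[slot] != (src, dst):         # first contact (or evicted entry)
            self.cache[slot] = (src, dst)
            self.misses[src] += 1
            if self.misses[src] >= self.threshold:
                self.blocked.add(src)
                self.dropped[src] += 1
                return False
        self.forwarded[src] += 1
        return True

    def reply(self, dst, src):
        """dst answered src's attempt: the contact was real, so credit it back."""
        if self.cache[self._slot(src, dst)] == (src, dst) and self.misses[src] > 0:
            self.misses[src] -= 1


def run_demo():
    """Constructed traffic: a web client whose every connection is answered,
    and a scanning host whose targets mostly do not exist (one in twenty replies)."""
    s = ScanSuppressor()
    client, worm = "10.1.0.5", "10.1.0.9"
    for i in range(6):
        server = f"203.0.113.{10 + i}"
        s.outbound(client, server)
        s.reply(server, client)
    for i in range(30):
        target = f"198.51.100.{i + 1}"
        s.outbound(worm, target)
        if i % 20 == 19:
            s.reply(target, worm)
    return s


if __name__ == "__main__":
    s = run_demo()
    for host in ("10.1.0.5", "10.1.0.9"):
        print(host, "blocked" if host in s.blocked else "allowed",
              f"forwarded={s.forwarded[host]} dropped={s.dropped[host]}")
```

The client's counter never exceeds one because each attempt is answered before the next one starts, so it is never blocked; the scanner's counter climbs by one per unanswered target and it is cut off on its tenth attempt, having leaked nine scans. The bypass the abstract alludes to is visible in the code: a worm that spaces scans so that enough real replies arrive in between, or that connects only to hosts it already knows answer, keeps the counter below threshold.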


USENIX Security Symposium | 2002

How to Own the Internet in Your Spare Time

Stuart Staniford; Vern Paxson; Nicholas Weaver

Collaboration


Top co-authors of Stuart Staniford:

Vern Paxson, University of California

Stefan Savage, University of California

David Moore, University of California