7.1 Variant content

If content sifting were to be widely deployed this could create an incentive for worm writers to design worms with little or no invariant content. For example, polymorphic viruses encrypt their content in each generation and so-called metamorphic viruses have even demonstrated the ability to mutate their entire instruction sequence with semantically equivalent, but textually distinct, code. This is an extremely challenging problem that is currently addressed by antivirus vendors using controlled emulation [2] and procedural signatures. While many of these subterfuges are trivially detectable (e.g. since polymorphic decryption code may itself be invariant), and others can be detected by modifying our content sifting approach to identify textually similar content, in the limit this threat is a fundamental one. As part of future work we are investigating hybrid pattern matching approaches that quickly separate non-code strings (identifiable by unavoidable terminating instruction sequences) from potential exploits, and focus complex analysis only on those sequences which pose a threat.

Other problems are presented by compression. While

flow state and per-packet computation than mere flow reassembly and therefore may not scale well without further performance-enhancing techniques. An alternative we are considering is to simply filter such obviously odd-ball packets, at the cost of some impact on sites which actually depend on non-standard TCP segmentation or IP fragmentation implementations.

Finally, incidental network evasion may occur if the assumptions underlying the address dispersion threshold are violated. For example, if a worm requires only a single packet for transmission then the attacker could spoof the source address so all packets appear to originate from the same source. While such evasions are easy to detect, doing so requires special-purpose code outside the general content sifting framework.

7.3 Extensions

In addition to the potential challenges posed by malicious actors, there are a number of additional improvements that could be made to our system even in the current environment. For example, while we have found that a given set of parameter settings appears to provide consistent results on our link across time, our settings were themselves based on measurement and experimentation. We believe they are sensitive to the number of live hosts interdicted by the monitor, but exactly how remains an open question. In the next generation of our system, we plan to use techniques similar to [10] to autotune EarlyBird's content sifting parameters for a given environment.

Finally, while most worms to date have sought to maximize their growth over time, it is important to address the issue of slow worms as well. In our current prototype, worms which are seen less frequently than every 60 seconds have no hope of registering. One method to address this limitation within our system is to maintain triggering data across multiple time scales. Alternatively, one might deploy a hybrid system, using EarlyBird to intercept high-speed worm outbreaks and host-based intrusion detection or large-scale honeypots to detect slowly spreading pathogens. Indeed, even small de-

7.5 Coordination

One of the key benefits of signature extraction is that a given signature can be shared. This provides a network effect because the more deployments are made of a system such as ours, the more value there is to all deployments because of sharing. This sharing in turn can reduce response times, since the first site to discover a new worm signature can share it immediately. A more aggressive possibility is to add this detection capability to core routers which can then spread the signatures to edge networks. The issue of coordination brings up substantial questions related to trust, validation and policy that will require additional research attention to address.

8 Conclusions

New worm outbreaks routinely compromise hundreds of thousands of hosts and despite the enormous recov-
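The multi-time-scale triggering idea sketched in the Extensions section above, as an added illustration that is not part of the paper or of the EarlyBird prototype: a whole-payload hash stands in for EarlyBird's substring fingerprints, and the window widths (60 s and 3600 s), the dispersion thresholds (3 distinct sources and 3 distinct destinations) and the traffic are all constructed assumptions. It shows why a worm that sends one copy every 90 seconds never registers in a 60-second window but does register in the longer one.

```python
import hashlib
from collections import defaultdict

def signature(payload: bytes) -> str:
    # Whole-payload hash stands in for EarlyBird's substring fingerprints (simplification).
    return hashlib.sha256(payload).hexdigest()[:16]

class MultiScaleSifter:
    """Per signature and per window width, keep the recent (time, src, dst) records
    and test address dispersion: distinct sources AND distinct destinations must
    both reach their thresholds inside the same window."""
    def __init__(self, widths, src_threshold, dst_threshold):
        self.widths, self.src_t, self.dst_t = widths, src_threshold, dst_threshold
        self.seen = {w: defaultdict(list) for w in widths}  # width -> sig -> records

    def observe(self, t, src, dst, payload):
        sig = signature(payload)
        fired = []
        for w in self.widths:
            recs = self.seen[w][sig]
            recs.append((t, src, dst))
            while recs and recs[0][0] < t - w:  # expire records older than this window
                recs.pop(0)
            srcs = {s for _, s, _ in recs}
            dsts = {d for _, _, d in recs}
            if len(srcs) >= self.src_t and len(dsts) >= self.dst_t:
                fired.append((w, sig))
        return fired

FAST = b"CONSTRUCTED-FAST-WORM-PAYLOAD"  # invariant bytes carried by every copy
SLOW = b"CONSTRUCTED-SLOW-WORM-PAYLOAD"

def constructed_traffic():
    """Constructed sample (assumed (time_s, src, dst, payload) records): a fast worm
    sending every 5 s, a slow worm sending every 90 s, each copy from a fresh
    infected host to a fresh target, plus benign traffic with unique payloads."""
    pkts = [(5 * i, f"10.0.1.{i + 1}", f"198.51.100.{i + 1}", FAST) for i in range(4)]
    pkts += [(90 * i, f"10.0.2.{i + 1}", f"203.0.113.{i + 1}", SLOW) for i in range(6)]
    pkts += [(7 * i, "10.0.9.9", f"203.0.113.{i + 1}", b"benign-%d" % i) for i in range(6)]
    return sorted(pkts)

def first_alerts(packets, widths=(60, 3600), src_threshold=3, dst_threshold=3):
    """Map (window width, signature) -> time at which both thresholds were first crossed."""
    sifter = MultiScaleSifter(widths, src_threshold, dst_threshold)
    alerts = {}
    for t, src, dst, payload in packets:
        for key in sifter.observe(t, src, dst, payload):
            alerts.setdefault(key, t)
    return alerts
```

Calling first_alerts(constructed_traffic()) reports the fast worm in both windows at t=10 s and the slow worm only in the 3600 s window at t=180 s; the benign payloads never cross either threshold.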
