Billy Goat Detects Worms and Viruses
by James Riordan and Diego Zamboni
Researchers at the IBM Zurich Research Laboratory have designed and implemented a new intrusion detection tool that not only facilitates early detection of attacks but also sharply reduces the false alarm rate.
The Billy Goat is specialized to address the problems posed by network service worms. As an intrusion detection sensor, its most important property is that it is free from the high rate of false alarms produced by many other sensors. It achieves this property through the use of a novel architecture that combines an extensive view of the network, spoofed service interaction with potential attackers, and a clear focus on detecting automated attacks.
One of the greatest threats to security has come from automatic, self-propagating attacks such as viruses and worms. These attacks scan at random until they are able to place a program on a server using a maliciously crafted request. The program then uses the now-infected server as a base from which to attack other servers. The direct result is rapid exponential growth in the number of attackers, leading to load-induced network failure.
While the presence of these attacks is by no means new, the damage that they are able to inflict and the speed with which they are able to propagate have become paramount. Further increases in connectivity and service complexity only threaten to exacerbate their virulence.
The Billy Goat functions by spoofing the existence of machines and services at otherwise unused IP addresses. Because the addresses are otherwise unused, all traffic destined to them is a priori suspicious. The sensor spoofs services, rather than merely recording attempted connections, to determine the intention behind the traffic.
Billy Goat is built atop a security-hardened Linux machine that offers no real services beyond very restricted login. It is configured in conjunction with the network on which it runs so that traffic directed toward address subnets that are not used is routed to the Billy Goat.
The Billy Goat itself offers a virtualization infrastructure that allows individual sensors to be written as if they were running on a single host. It also provides a logging infrastructure based on a relational database, which facilitates correlation and analysis of the copious data produced by the large number of virtual sensors.
The spoofed services include HTTP, Microsoft RPC (remote procedure call), Microsoft SQL (database), and SMB (file sharing and printing). Vulnerabilities in these services are commonly used as vectors for worm and virus propagation.
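The following is an added example, not code from Billy Goat or its authors. It shows how records collected at unused addresses can be summarized per source, separating bare connection attempts from requests sent to a spoofed service and marking sources inside the local network. The address ranges, the port-to-service mapping, the record layout and the MIN_TARGETS threshold are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed for illustration (none of these values come from the article).
LOCAL_NET = ipaddress.ip_network("10.20.0.0/16")
UNUSED_NETS = [ipaddress.ip_network("10.20.128.0/17")]  # routed to the sensor
SPOOFED = {80: "HTTP", 135: "MS RPC", 445: "SMB", 1433: "MS SQL"}
MIN_TARGETS = 3  # distinct unused addresses before a source counts as automated

# Constructed sample records: (source, destination, port, bytes the client sent)
SAMPLE = [
    ("10.20.3.7", "10.20.200.1", 445, b"constructed-request"),
    ("10.20.3.7", "10.20.200.2", 445, b"constructed-request"),
    ("10.20.3.7", "10.20.201.9", 1433, b"constructed-request"),
    ("10.20.3.7", "10.20.1.10", 445, b"constructed-request"),  # address in use
    ("192.0.2.50", "10.20.130.4", 80, b"GET /constructed HTTP/1.0\r\n\r\n"),
    ("192.0.2.50", "10.20.130.5", 80, b"GET /constructed HTTP/1.0\r\n\r\n"),
    ("192.0.2.50", "10.20.130.6", 80, b"GET /constructed HTTP/1.0\r\n\r\n"),
    ("10.20.5.9", "10.20.140.1", 80, b""),  # connected but sent no request
]

def analyze(records):
    """Summarize, per source, the traffic seen at unused addresses."""
    seen = defaultdict(lambda: {"targets": set(), "services": set(), "requests": 0})
    for src, dst, port, payload in records:
        if not any(ipaddress.ip_address(dst) in net for net in UNUSED_NETS):
            continue  # destination is a real host, so the sensor never sees it
        entry = seen[src]
        entry["targets"].add(dst)
        entry["services"].add(SPOOFED.get(port, "other"))
        if payload:  # the client sent a request to the spoofed service
            entry["requests"] += 1
    report = {}
    for src, e in seen.items():
        report[src] = {
            "targets": len(e["targets"]),
            "services": sorted(e["services"]),
            # Automated: real requests sent to several unused addresses.
            "automated": e["requests"] > 0 and len(e["targets"]) >= MIN_TARGETS,
            "local": ipaddress.ip_address(src) in LOCAL_NET,
        }
    return report

if __name__ == "__main__":
    for src, info in sorted(analyze(SAMPLE).items()):
        print(src, info)
```

A source that is both automated and local is the case an administrator would act on first, since it points to an infected machine on the sensor's own network.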
One very important requirement of the Billy Goat is that it continue to function in times of heavy worm activity. In particular, it must retain its utility even when the performance of the network is dramatically diminished or even completely unreliable. This requirement implies a distributed system of Billy Goats on the network. Each local Billy Goat serves to inform administrators of local infection so that it can be eliminated. In order to support the distributed architecture, the Billy Goat distribution contains an automatic update mechanism. This mechanism ensures that a deployed Billy Goat has all the latest sensors and signatures.
It is worth contrasting the Billy Goat Box with another security tool called a Honey Pot. A Honey Pot, as its name suggests, offers "something desirable" to lure attacks to a particular machine. Unlike a Honey Pot, the Billy Goat does not advertise any services, and does not allow any of its services to be corrupted. The Billy Goat is designed to detect large-scale automated attacks rather than trying to deceive sentient human attackers.
James Riordan, Diego Zamboni, IBM Zurich Research Lab/SARIT
Tel.: +41 1 724 89 81