Author: Matthew M. Williamson, HP Labs Bristol


Throttling Viruses: Restricting propagation to defeat malicious mobile code
Author: Matthew M. Williamson, HP Labs Bristol
Published at the 18th Annual Computer Security Applications Conference (ACSAC), 2002
Presenter: Walter Mundt

Slowing Down Worms
Limit outgoing connections to unique machines
Normal traffic tends to make repeat connections to a small set of servers
Worm traffic connects to many different servers
A benign filter design exploits this difference to slow worm traffic selectively.

Why Bother? Why only slow worm traffic?
The primary threat of worms is their speed
Human response is too slow
Automated responses can cause damage due to false positives
Need a “benign” automated response that does not interfere with normal traffic.

How to tell the difference? (figure comparing HTTP traffic with worm traffic)

What Not to Do
Drop connections classified as “worm traffic”
Slow down normal traffic unnecessarily
Fail to slow down worm traffic

How?
Set a limit r on the rate of outgoing connections to “new” machines
“New” machines are those not connected to recently
A buffer of 4-5 remote hosts is sufficient
Queue connections that are too fast
Constantly de-queue and send connection attempts, at a rate of r

Algorithm Flow (flowchart: on connection attempt; delay queue loop)

Behavior for normal traffic
Normal traffic has bursts of new connections followed by repeated connections to the same hosts
New connections get queued briefly, but delay is minimal
Reconnections are allowed as normal

Behavior for worm traffic
Worm connection attempts arrive much faster than the allowed rate
A few connections go through, but most will be stuck in the delay queue
When the queue fills, the user can be notified and take action against the offending process
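The throttle described on the "How?", "Algorithm Flow" and behavior slides, as an added discrete-time simulation that is not code from the paper or these slides. The parameter names, the constructed traces and the queue-length alert threshold are assumptions; the working set of 5 hosts and a rate of one new host per tick follow the slides.

```python
from collections import deque

# Added example (not from the paper or the slides): Williamson's throttle as a
# discrete-time simulation. Parameter names and thresholds are assumptions.
class VirusThrottle:
    def __init__(self, working_set_size=5, rate=1, queue_limit=100):
        self.working_set = deque(maxlen=working_set_size)  # recently contacted hosts (LRU)
        self.rate = rate                  # new hosts released per tick (r)
        self.queue = deque()              # connection attempts waiting to go out
        self.queue_limit = queue_limit    # queue length at which the host is flagged
        self.alerted = False

    def _touch(self, host):
        # Move host to the most-recent end; deque(maxlen) evicts the oldest entry.
        if host in self.working_set:
            self.working_set.remove(host)
        self.working_set.append(host)

    def connect(self, host):
        """On each outgoing connection attempt; True if it may be sent at once."""
        if host in self.working_set:      # repeat connection: allowed as normal
            self._touch(host)
            return True
        self.queue.append(host)           # "new" host: goes to the delay queue
        if len(self.queue) > self.queue_limit:
            self.alerted = True           # far more new hosts than r allows
        return False

    def tick(self):
        """Delay-queue loop, run once per time unit: releases at most r new hosts."""
        budget, released = self.rate, []
        while self.queue and budget > 0:
            host = self.queue.popleft()
            if host not in self.working_set:  # genuinely new host: uses a slot
                budget -= 1
                self._touch(host)
            released.append(host)
        return released

def run_trace(trace, **params):
    """trace: list of per-tick lists of destination hosts. Returns a summary dict."""
    t = VirusThrottle(**params)
    immediate = sent = max_queue = 0
    for attempts in trace:
        for host in attempts:
            if t.connect(host):
                immediate += 1; sent += 1
        max_queue = max(max_queue, len(t.queue))
        sent += len(t.tick())
    return {"attempts": sum(map(len, trace)), "immediate": immediate, "sent": sent,
            "max_queue": max_queue, "still_queued": len(t.queue), "alerted": t.alerted}

# Constructed traces: bursty normal browsing vs. a worm scanning 100 new hosts per tick.
NORMAL = [["a", "b", "c"], ["a", "b"], ["a", "c", "b"], ["a"], ["d", "a"]]
WORM = [[f"h{i * 100 + j}" for j in range(100)] for i in range(5)]
```

Running `run_trace(NORMAL)` delivers all 11 attempts within the 5 ticks with a queue that never exceeds 3, while `run_trace(WORM)` lets only 5 of 500 attempts out and raises the alert on the second tick.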

Contribution of the paper
This paper provides an effective way to slow down worm traffic from an infected machine.
The effects of false positive results are minimal.
If widely implemented, it could limit the worm spread rate enough to allow human intervention.
Implementation would be fairly simple on most platforms

Weaknesses in Paper
Tests few types of “normal” traffic
Too much focus on HTTP
Would need to be implemented very widely to significantly affect worm spread
Does not stop worm spread; ineffective against slow-spreading or “stealth” worms
No future work discussed

Possible Improvements
Experiment with more types of data
Discuss future work
Consider limitations and possible issues
Test an implementation on an actual network environment
Combine with other methods of identifying worm traffic and limiting worm effectiveness.