Very Fast Containment of Scanning Worms

Presentation transcript:

Very Fast Containment of Scanning Worms
Presented by Artur Zak
Authors: Nicholas Weaver (ICSI), Stuart Staniford (Nevis Networks), Vern Paxson (ICSI)

Abstract
- Worms: malicious, self-propagating programs that represent a threat to large networks.
- Containment: one form of defense; limit a worm's spread by isolating it in a small subsection of the network.

Worm Containment (virus throttling)
- Needs to be automated: worms propagate more rapidly than humans can respond.
- Works by detecting that a worm is operating in the network and then blocking the infected machines from contacting further hosts.

Mechanism Requirements
- Break the network into many cells.
- Within each cell a worm can spread unimpeded.
- Between cells, containment limits infections by blocking outgoing connections from infected cells.
- Must have a very low false positive rate: blocking suspicious machines can cause a DoS if the false positive rate is high.

Scanning Worms
- Operate by picking a "random" address and attempting to infect that machine.
- Blaster: linear scanning
- Code Red: fully random
- Code Red II and Nimda: biased toward local addresses

Scanning Worms
Common properties of scanning worms:
- Most scanning attempts result in failure.
- Infected machines will initiate many connection attempts.
Containment looks for a class of behavior rather than a specific worm signature, so it is able to stop new worms.

Epidemic Threshold
- A worm-suppression device must necessarily allow some scanning before it triggers a response.
- The worm may find a victim during that time.

Epidemic Threshold
The epidemic threshold depends on:
- The sensitivity of the containment response devices
- The density of vulnerable machines on the network
- The degree to which the worm is able to target its efforts into the correct network, and even into the current cell

Sustained Scanning Threshold
- If a worm scans slower than the sustained scanning threshold, the detector will not trigger.
- Vital to achieve as low a sustained scanning threshold as possible.
- For this implementation the threshold is set to 1 scan per minute.

Scan Suppression
- Scan suppression: responding to detected portscans by blocking future scanning attempts.
- Portscans have two basic types:
  - Horizontal: search for an identical service on a large number of machines.
  - Vertical: examine an individual machine to discover its running services.

Implementation
- Scan detection and suppression algorithm derived from Threshold Random Walk (TRW) scan detection.
- The algorithm operates by using an oracle to determine whether a connection will fail or succeed.

Implementation
- Scan detection algorithm simpler than TRW.
- Suitable for both hardware and software implementation.
- The simplified algorithm caused an increased false negative rate, with no change in the false positive rate.

Hardware Implementation
Constraint: memory access speed.
- During transmission of a minimum-sized gigabit Ethernet packet, need to access a DRAM at 8 different locations (4 accesses for full duplex).
- Use SRAM to solve the problem (more expensive).

Hardware Implementation
- Approximate cache: a cache for which collisions cause imperfections.
- Stores amounts of data that would normally exceed the available memory.
- A Bloom filter is a type of approximate cache.
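An added illustration (not code from the slides or the paper) of what "collisions cause imperfections" means in an approximate cache: a fixed-size table of per-address counters indexed by a hash of the address, so two addresses can share one slot. The table layout, the sha256 index and `find_collision` are constructed for this demo, not the paper's hardware design.

```python
import hashlib

class ApproximateCounterCache:
    """Fixed-size per-address counter table (assumed design, not the paper's).
    Addresses that hash to the same slot share one counter, so one host's
    failed connections can push a different host over the block threshold
    (false positive) and one host's successes can mask another host's
    scanning (false negative)."""

    def __init__(self, slots=16, bits=16):
        self.slots = [0] * slots
        self.max = (1 << bits) - 1            # saturating counter width

    def index(self, addr):
        # Hardware would use a cheap hash; sha256 is only for a stable demo.
        h = hashlib.sha256(addr.encode()).digest()
        return int.from_bytes(h[:4], "big") % len(self.slots)

    def miss(self, addr):
        """Record a failed connection attempt from addr (count goes up)."""
        i = self.index(addr)
        self.slots[i] = min(self.max, self.slots[i] + 1)
        return self.slots[i]

    def hit(self, addr):
        """Record a successful connection from addr (count goes down)."""
        i = self.index(addr)
        self.slots[i] = max(0, self.slots[i] - 1)
        return self.slots[i]

    def get(self, addr):
        return self.slots[self.index(addr)]

def find_collision(cache, addr, prefix="192.0.2."):
    """Search a constructed /24 for an address that shares addr's slot."""
    for i in range(256):
        other = f"{prefix}{i}"
        if other != addr and cache.index(other) == cache.index(addr):
            return other
    return None
```

With 16 slots and 256 candidate addresses a collision is practically certain, and every miss charged to the colliding address is also charged to the innocent one.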

Connection Cache

Address Cache Lookup

Attacking the Containment
- False positive: an attacker can create false positives, triggering responses which wouldn't otherwise occur.
- False positives create a DoS target.

Attacking the Containment
- False negative: the worm slips by even though containment is active.
- Scan at a rate slower than the sustained scanning threshold.
- Requires complicated code by worm writers.
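The following is an added worked example, not code from the slides or the paper, tying together the simplified TRW algorithm (Implementation slides), the 1 scan/min sustained scanning threshold, and the slow-scan false negative above. It assumes a per-source counter that goes up on each failed connection and down on each success, leaks one count per minute, and blocks the source once it exceeds a threshold of 10 (an assumed value); the oracle's verdict is supplied as a field of each constructed event.

```python
from collections import defaultdict

class ScanSuppressor:
    """Simplified TRW-style scan suppressor (assumed re-implementation)."""

    def __init__(self, threshold=10, decay_per_min=1):
        self.threshold = threshold          # misses above which a source is blocked (assumed)
        self.decay_per_min = decay_per_min  # sustained scanning threshold: 1 scan/min
        self.count = defaultdict(int)       # address cache: per-source miss count
        self.last_decay = {}                # time each source's count was last decayed
        self.conns = set()                  # connection cache: established (src, dst, port)
        self.blocked = set()

    def _decay(self, src, now):
        # Leak one count per minute: a source scanning at or below the
        # sustained scanning threshold never accumulates toward the limit.
        last = self.last_decay.setdefault(src, now)
        minutes = int((now - last) // 60)
        if minutes:
            self.count[src] = max(0, self.count[src] - minutes * self.decay_per_min)
            self.last_decay[src] = last + minutes * 60

    def observe(self, now, src, dst, port, succeeds):
        """One connection attempt; `succeeds` is the oracle's verdict."""
        if src in self.blocked:
            return "drop"                   # containment already active for this source
        if (src, dst, port) in self.conns:
            return "allow"                  # established connection, not a scan attempt
        self._decay(src, now)
        if succeeds:
            self.conns.add((src, dst, port))
            self.count[src] = max(0, self.count[src] - 1)
            return "allow"
        self.count[src] += 1
        if self.count[src] > self.threshold:
            self.blocked.add(src)
            return "block"
        return "allow"

def run(events, **kw):
    """Feed (time_s, src, dst, port, succeeds) events; return suppressor and verdicts."""
    s = ScanSuppressor(**kw)
    return s, [s.observe(*e) for e in events]

# Constructed traffic (not captured data): a fast scanner, a slow scanner
# that stays at 1 scan/min, and a normal host with one failed connection.
FAST = [(t, "10.0.0.5", f"10.0.1.{t}", 445, False) for t in range(12)]
SLOW = [(60 * i, "10.0.0.6", f"10.0.2.{i}", 445, False) for i in range(30)]
NORMAL = [(t, "10.0.0.7", "10.0.3.1", 80, True) for t in range(5)]
NORMAL.append((5, "10.0.0.7", "10.0.3.9", 80, False))
```

Running `run(FAST + SLOW + NORMAL)` blocks only the fast scanner on its eleventh miss; the slow scanner's counter never rises above 1, which is exactly the false negative the last slide describes.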