CSE551: Introduction to Information Security


Active Worm
CSE551 Handout on DDoS and Worm

Worm vs. Virus
- Worm: a program that propagates itself over a network, reproducing itself as it goes
- Virus: a program that searches out other programs and infects them by embedding a copy of itself in them

Active Worm vs. [D]DoS
- Propagation method
- Goal: congestion, resource appropriation
- Rate of distribution
- Scope of infection

Historical Analysis
- Morris Worm (1988, http://www.worm.net/worm-src/worm-src.html)
- Code Red v.2 (2001, nearly 8 infections/sec.)
- Nimda (2001, netbios, UDP)
- SQL Slammer (2003, UDP)

Recent Worms
- July 13, 2001: Code Red V1
- July 19, 2001: Code Red V2
- Aug. 04, 2001: Code Red II
- Sep. 18, 2001: Nimda
- … …
- Jan. 25, 2003: SQL Slammer
- More recent: SoBigF, MSBlast … …

How an Active Worm Spreads
- Autonomous: no need of human interaction
- [Figure labels: infected machine, scan, probe, transfer copy, infected]

Scanning Strategy
- Random scanning: probes random addresses in the IP address space (CRv2)
- Hitlist scanning: probes addresses from an externally supplied list
- Topological scanning: uses information on the compromised host (email worms)
- Local subnet scanning: preferentially scans targets that reside on the same subnet (Code Red II and Nimda worm)

Techniques for Exploiting Vulnerability
- fingerd (buffer overflow)
- sendmail (bug in the "debug mode")
- rsh/rexec (guess weak passwords)

Active Worm Defense
- Modeling
- Infection mitigation

Worm Behavior Modeling
Propagation model mirrors epidemic:
- V is the total number of vulnerable nodes
- N is the size of the address space
- i(t) is the percentage of infected nodes among V
- r is the scanning speed of an infected node

Infection Mitigation
- Patching
- Filtering/intrusion detection (signature based)
- TCP/IP stack reimplementation, bound connection requests
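
An added example, not part of the original handout, tying the modeling and mitigation slides together: it assumes the simple epidemic (logistic) model for random scanning, di/dt = (rV/N) i (1 - i), written with the slide's symbols, and shows how lowering r (bounded connection requests) or V (patching) delays the time to 50% infection. The values of r and i(0), and the use of 359,000 as V, are constructed for illustration.

```python
import math

# Constructed parameters (assumptions, not measurements from the handout).
N = 2 ** 32        # size of the IPv4 address space
V = 359_000        # vulnerable hosts; reuses the host count quoted in the Summary
R = 10.0           # scans per second per infected host (constructed)
I0 = 1.0 / V       # initially infected fraction: one host out of V

def infected_fraction(t, r=R, v=V, n=N, i0=I0):
    """Closed-form i(t) for the assumed model di/dt = (r*v/n) * i * (1 - i)."""
    k = r * v / n                       # per-second infection rate constant
    return 1.0 / (1.0 + ((1.0 - i0) / i0) * math.exp(-k * t))

def time_to_fraction(target, r=R, v=V, n=N, i0=I0):
    """Seconds until the infected fraction reaches `target`."""
    if not (i0 < target < 1.0):
        raise ValueError("target must lie between i0 and 1")
    k = r * v / n
    return math.log(target * (1.0 - i0) / (i0 * (1.0 - target))) / k

def euler_fraction(t_end, dt=1.0, r=R, v=V, n=N, i0=I0):
    """Numerically integrate the same ODE; cross-checks the closed form."""
    k, i = r * v / n, i0
    for _ in range(int(round(t_end / dt))):
        i += k * i * (1.0 - i) * dt
    return i

def mitigation_table(target=0.5):
    """Hours to reach `target` for baseline, halved r, and halved V.

    The starting fraction I0 is held fixed so only r or V changes per case.
    """
    cases = {
        "baseline": (R, V),
        "rate-limited (r/2)": (R / 2, V),   # e.g. bounded connection requests
        "half patched (V/2)": (R, V / 2),   # patching shrinks the vulnerable set
    }
    return {name: time_to_fraction(target, r=r, v=v) / 3600.0
            for name, (r, v) in cases.items()}

if __name__ == "__main__":
    for name, hours in mitigation_table().items():
        print(f"{name:22s} {hours:6.2f} h to 50% infected")
```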

Summary
- Worms can spread quickly: 359,000 hosts in < 14 hours
- Home / small business hosts play significant role in global internet health
- No system administrator → slow response
- Can't estimate infected machines by # of unique IP addresses
- DHCP effect appears to be real and significant
- Active Worm Defense: modeling, infection mitigation