Self-Stopping Worms Justin Ma, Geoffrey M. Voelker, Stefan Savage Collaborative Center for Internet Epidemiology and Defenses (CCIED) Department of Computer.
Self-Stopping Worms Justin Ma, Geoffrey M. Voelker, Stefan Savage Collaborative Center for Internet Epidemiology and Defenses (CCIED) Department of Computer Science and Engineering University of California, San Diego

2 Worm Epidemic Aftermath
Belief: identifying infected hosts easy
Expectation: infection activity continues long after the fact
Self-stopping worms can evade existing worm treatment techniques

3 State of Affairs
Zotob: 1 week
Witty: 1 day

4 State of Affairs
Opportunity to prevent/contain is short
Real-world responses focus on treatment
Slammer: 10 minutes
Staniford et al.: a few seconds
Zotob: 1 week
Witty: 1 day

5 State of Affairs
Opportunity to prevent/contain is short
Real-world responses focus on treatment

From:
To:
Dear Hapless,
(hapless.ucsd.edu, 00:0f:ca:c0:e6:64, HAPLESS_WIN2K) appears to be infected with a worm and is scanning external networks on port 445 in violation of University policy. The machine has been blocked at the campus border until it can be cleaned up, secured, and made fully compliant with the Minimum Network Security Standards (see ). Pursuant to UCSD policy concerning compliance with California State Bill 1386 ( if "personal identity information" exists on this machine, that fact must be reported to
Sincerely,
Academic Computing Services / Network Security

6 State of Affairs
Opportunity to prevent/contain is short
Real-world responses focus on treatment
Just need to know when all hosts infected
Why spew?

7 State of Affairs
Opportunity to prevent/contain is short
Real-world responses focus on treatment
Self-stop gives malware many advantages
Just need to know when all hosts infected
Self-stop

8 Difficulty of Self-Stop
How hard with random scanning worms?
Gossip-style communication
–Opportunistic contact
–Conform to probe traffic pattern
Without a priori knowledge
–E.g., no need to know vulnerability density
Perform as well as strategies with a priori knowledge

9 Self-Stopping Worm Design
Primary Goal: stop after infecting x% vulnerables
–Infect as many as possible
Accuracy: ability to meet Primary Goal
–At least >= 85% vulnerables
Speed: time to reach x% vulnerables
–Spread as quickly as possible (beat containment)
Duration: time until last host deactivates
–Stop as quickly as possible (minimize containment window)
Scan traffic
–Not focusing on stealthy (tradeoff w/ speed/duration)
Ease of implementation/parameterization
–Piggy-back over uniform random scanning
–No a priori knowledge of vulnerable population

10 Dynamic Estimation
Do individual nodes need a priori knowledge?
–Size of vulnerable population N
–Infected count over time I(t)
Worm has an oracle
–Know N and I (stop when I(t)/N reaches goal)
Increasingly practical
–Know N (locally estimate I(t) knowing N)
–Sum-Count (locally estimate N)
–Sum-Count-X (collaborate to estimate N)

11 Simulation Methodology
Modify random scanning worms
–32-bit address space
–130,000 vulnerables (we tried other values too)
–Each host, 4000 scans per timestep
–Slammer: >= 75,000 vulnerable, ~4000 scans/s [Moore et al., “Inside the Slammer Worm”, 2003]
Universal reachability
No network latency or congestion
Start w/ one infected host
Scan in rounds

12 Know-NI Perfect knowledge lets worms stop on a dime

13 Estimating I(t) from N
Directly observing I(t) is difficult
Restricted to only knowing N?
–Observe through netcraft.com, port scanning
I(t) = f(N, r, t)
–Based on analytic model for epidemics
–r is per-host scan rate
–See paper for details

14 Estimating I(t) from N Only knowing N, worms can still stop quickly
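To put a number on the containment window these slides keep returning to, here is an added example (not code from the paper or the slides) that evaluates the standard logistic SI epidemic model, which is assumed here to be the "analytic model for epidemics" behind I(t) = f(N, r, t), with the parameters from the simulation-methodology slide: a 32-bit address space, 130,000 vulnerable hosts, 4000 scans per host per timestep and one initially infected host. The closed form gives the time at which I(t) reaches a given fraction of N; the discrete-round iteration is the expected-value counterpart of the round-based simulation the slides describe. The choice of model and all function names are assumptions made for this example.

```python
"""Expected-value propagation model for a uniform random-scanning worm.

Added example; not code from the Self-Stopping Worms paper or slides.
Assumption: the "analytic model for epidemics" the slides refer to is the
standard logistic SI model, in which each infected host scans r addresses
per unit time uniformly over the address space.
"""
import math

ADDRESS_SPACE = 2 ** 32   # uniform random scanning over IPv4
N_VULNERABLE = 130_000    # vulnerable population from the methodology slide
SCAN_RATE = 4000          # scans per infected host per timestep (second)
I0 = 1                    # one initially infected host


def infected_at(t, n=N_VULNERABLE, r=SCAN_RATE, i0=I0, space=ADDRESS_SPACE):
    """Logistic SI solution I(t) = N / (1 + (N/I0 - 1) * exp(-beta * t)),
    where beta = r * N / space is the rate at which one infected host
    reaches vulnerable hosts."""
    beta = r * n / space
    return n / (1.0 + (n / i0 - 1.0) * math.exp(-beta * t))


def time_to_fraction(frac, n=N_VULNERABLE, r=SCAN_RATE, i0=I0, space=ADDRESS_SPACE):
    """Inverse of infected_at: the time at which I(t)/N first equals frac
    (0 < frac < 1).  For a defender this is the window before the worm
    has reached frac of the vulnerable population."""
    beta = r * n / space
    return math.log((n / i0 - 1.0) * frac / (1.0 - frac)) / beta


def rounds_to_fraction(frac, n=N_VULNERABLE, r=SCAN_RATE, i0=I0, space=ADDRESS_SPACE):
    """Round-based expected-value iteration, matching the slides' 'scan in
    rounds' setup: in each round every infected host sends r uniform scans,
    so a still-susceptible host is missed by all r*I scans with probability
    (1 - 1/space) ** (r*I).  Returns (rounds, infected) when I/N >= frac."""
    infected = float(i0)
    rounds = 0
    log_miss_per_scan = math.log1p(-1.0 / space)   # ln(1 - 1/space), robust for tiny 1/space
    while infected / n < frac:
        miss_all = math.exp(r * infected * log_miss_per_scan)
        infected += (n - infected) * (1.0 - miss_all)
        rounds += 1
    return rounds, infected


if __name__ == "__main__":
    t85 = time_to_fraction(0.85)
    print(f"continuous model: 85% of N reached after {t85:.1f} s")
    rounds, infected = rounds_to_fraction(0.85)
    print(f"round-based model: 85% of N reached after {rounds} rounds "
          f"({infected:,.0f} hosts)")
```

Read `time_to_fraction(0.85)` as the interval in which containment has to act before treatment is all that is left; with these parameters it comes out at under two minutes, which is the scale the slides contrast with treatment-style responses measured in days.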

15 Local Estimation
Estimate N on-the-fly
–General-purpose self-stop
–No need to gather a priori intelligence
Scanning = Sampling w/ Replacement
–Hits on Vulnerables = Successes
–Total Scans = Trials
N_est = 2^32 * (Hits / Scans)

16 Sum-Count
Estimate N through local estimation
[Figure: each infected host keeps its own Hits/Scans tally, e.g. Hits: 0 Scans: 1, Hits: 0 Scans: 0, Hits: 1 Scans: 2; the highlighted host with Hits: 1 Scans: 3 estimates 33% hosts vulnerable]

17 Sum-Count More than 2x longer to stop… Local sampling alone insufficient

18 Why Sum-Count Fails
Variance[N_est] ∝ 1 / Scans
Many infected nodes too unlucky/new
Reduce error by increasing scans without increasing scan rate
Sum-Count-X
–Aggregate samples (scans)
–Opportunistic exchange
–Distributed sampling by combining host estimates

19 Sum-Count-X
Collaborative estimation via exchange
[Figure: hosts that contact each other add their tallies, e.g. Hits: 1 Scans: 3 + Hits: 2 Scans: 3 = Hits: 3 Scans: 6; other hosts shown with Hits: 1 Scans: 2, Hits: 0 Scans: 1, Hits: 1 Scans: 2 and Hits: 0 Scans: (value not legible); the resulting "% hosts vulnerable" value is not legible]

20 Sum-Count-X Similar result without perfect knowledge!

21 Why Sum-Count-X Succeeds Combines local estimation with exchange Leverages “experience” of older hosts
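The Local Estimation, Why Sum-Count Fails and Sum-Count-X slides rest on one statistical fact: a scan is a Bernoulli trial with success probability p = N / 2^32, so a host's N_est = 2^32 * Hits / Scans has a variance proportional to 1 / Scans, and summing the (Hits, Scans) pairs of several hosts is statistically the same as one host having made all of those scans. The following added example (not code from the paper or the slides) computes that variance analytically and checks it against constructed tallies, which is enough to see why most individual hosts have zero hits after a few rounds while the pooled tally lands close to N. The host population, the random seed and the helper names are constructed for this example.

```python
"""Variance of the sampling-with-replacement estimate of N, alone and pooled.

Added example; not code from the Self-Stopping Worms paper or slides.
Model (from the Local Estimation slide): every scan is an independent trial
that hits a vulnerable host with probability p = N / 2^32, so
Hits ~ Binomial(Scans, p) and N_est = 2^32 * Hits / Scans.
"""
import math
import random

ADDRESS_SPACE = 2 ** 32
N_VULNERABLE = 130_000   # true population, from the methodology slide
SCAN_RATE = 4000         # scans per host per round


def estimate_fraction(hits, scans):
    """Estimated share of the address space that is vulnerable (Hits / Scans)."""
    return hits / scans


def estimate_n(hits, scans, space=ADDRESS_SPACE):
    """Point estimate N_est = space * Hits / Scans; None before any scan."""
    if scans == 0:
        return None
    return space * hits / scans


def estimator_variance(n, scans, space=ADDRESS_SPACE):
    """Var[N_est] = space^2 * p * (1 - p) / Scans with p = n / space.
    Doubling Scans halves the variance: Variance[N_est] is proportional to 1 / Scans."""
    p = n / space
    return space ** 2 * p * (1.0 - p) / scans


def relative_std(n, scans, space=ADDRESS_SPACE):
    """Standard deviation of N_est as a fraction of the true n."""
    return math.sqrt(estimator_variance(n, scans, space)) / n


def pool(tallies):
    """Sum-Count-X style aggregation: add Hits and Scans across hosts,
    so the pooled estimate rests on all of their scans together."""
    hits = sum(h for h, _ in tallies)
    scans = sum(s for _, s in tallies)
    return hits, scans


def pooled_estimate(tallies, space=ADDRESS_SPACE):
    hits, scans = pool(tallies)
    return estimate_n(hits, scans, space)


def zero_hit_fraction(tallies):
    """Share of hosts whose own tally still says N_est = 0 (no hit yet):
    the 'too unlucky/new' hosts of the Why Sum-Count Fails slide."""
    return sum(1 for h, _ in tallies if h == 0) / len(tallies)


def simulate_tallies(hosts, rounds, n=N_VULNERABLE, r=SCAN_RATE,
                     space=ADDRESS_SPACE, seed=0):
    """Constructed sample: each host's (Hits, Scans) after `rounds` rounds of
    r scans, with hits drawn as independent Bernoulli(p) trials."""
    rng = random.Random(seed)
    p = n / space
    scans = r * rounds
    tallies = []
    for _ in range(hosts):
        hits = sum(1 for _ in range(scans) if rng.random() < p)
        tallies.append((hits, scans))
    return tallies


if __name__ == "__main__":
    scans_per_host = 3 * SCAN_RATE
    tallies = simulate_tallies(hosts=50, rounds=3)
    print(f"one host after 3 rounds: relative std of N_est = "
          f"{relative_std(N_VULNERABLE, scans_per_host):.2f}")
    print(f"50 hosts pooled: relative std of N_est = "
          f"{relative_std(N_VULNERABLE, 50 * scans_per_host):.2f}")
    print(f"hosts whose own tally has zero hits: {zero_hit_fraction(tallies):.0%}")
    print(f"pooled estimate: {pooled_estimate(tallies):,.0f} (true N {N_VULNERABLE:,})")
```

With p around 3e-5, one host's 12,000 scans produce only about 0.36 expected hits, so its estimate has a standard deviation of roughly 1.7 times N and is usually exactly zero; pooling fifty such tallies brings the relative error down by a factor of sqrt(50). That is the whole reason exchange works, and also why a defender cannot assume that a host that has stopped scanning is uninfected: the stop decision is driven by the shared tally, not by anything observable on the host itself.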

22 Summary
20 simulation runs each
[Table: Speed (to 85%) and Duration, each at the 50th and 90th percentile, for the strategies Greedy, Know-NI, Know-N, Sum-Count and Sum-Count-X; the numeric cells are not present in this transcript. Annotations: "Spreads quickly", "Stops quickly"]

23 Conclusions
Self-stopping worms
–Easy to write
–Advance knowledge of vulnerable host population is unnecessary to be successful
–Sum-Count-X demonstrates these points
Implications for future defenses
–Cannot depend on simple identification
–Need new ways to identify/treat
–If those fail, containment is even more critical

25 More in Paper
Basic Heuristics
–From epidemic protocol literature
Dynamic Estimation with Bitmaps
Permutation Scanning
Scan Traffic

26 Infected Count

27 Sum-Count-Push

28 Nematodes
Aka “good worms”
Xerox PARC [Shoch and Hupp, 1980]
Prevent nematodes from spreading out of control
Utility not so convincing