The Ohio State University, Computer Science and Engineering

Slide 1: Effective Detection of Active Worms with Varying Scan Rate
Wei Yu ‡, Xun Wang †, Dong Xuan † and David Lee †
‡ Texas A&M University
† The Ohio State University
Presented by Xun Wang

Slide 2: Motivation & Contributions
Motivation
–Active worms are evolving
–Existing worm detection cannot detect them effectively
–Need to understand them and defend against them
Contributions
–Modeling the Varying Scan Rate (VSR) worm
–Designing the attack target Distribution Entropy based dynamiC (DEC) detection scheme for VSR and traditional worms

Slide 3: Outline
–Traditional Worms
–Varying Scan Rate Worm Modeling
–Existing Worm Detection Schemes
–DEC Worm Detection
–Performance Evaluations
–Discussions
–Final Remarks

Slide 4: Traditional Worms
Self-propagate by exploiting vulnerabilities of hosts, mostly through port scanning
Scan strategy
–Pure Random Scan (PRS): select target IP addresses purely at random
–Hitlist Scan: use an externally supplied list of vulnerable hosts as the targets
–Local Subnet Scan: scan the hosts in the same sub-network first
Scan rate
–Constant: the scan rate does not change
–Randomly changing scan rate

Slide 5: Traditional PRS Worm Propagation Model
Traditional PRS worm: PRS scan strategy with a constant port scan rate
Worm propagation model (epidemic model [AM91]):
–S: port scan rate
–M(i): the number of infected hosts at time tick i
–N(i): the number of uninfected vulnerable hosts at time tick i
–E(i + 1): the number of newly infected hosts from time tick i to i + 1
–T: the number of IP addresses in the Internet
Exponential increase of the worm instance number (and thus of the scan traffic volume observed by traffic monitors) → easy to detect with existing detection systems

Slide 6: Varying Scan Rate Worms
Each VSR worm-infected victim (worm instance) adopts
–a varying scan rate: S(t)
–a varying attack probability: P_a(t)
A VSR worm reduces to the traditional PRS worm if S(t) is constant and P_a(t) = 1; changing the scan strategy instead yields other worms.

Slide 7: VSR Worm Propagation Model
VSR worm propagation model: [equation not reproduced in the transcript]
VSR worm instance number observed by the detection system: [equation not reproduced in the transcript], where P_m is the percentage of IP addresses under monitoring.
If S(i) = S and P_a(i) = 1, this reduces to the traditional PRS worm model.

Slide 8: Effectiveness of VSR Worms (1)
The VSR worm propagation model differs from that of traditional worms

Slide 9: Effectiveness of VSR Worms (2)
The detected worm instance number is no longer monotonically increasing → existing worm detection is not effective
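The propagation model of slides 5, 7 and 9, as an added Python example (not the paper's or the presenters' code). The slides name the symbols S, M(i), N(i), E(i + 1), T, S(t), P_a(t) and P_m but their equations are not reproduced in this transcript, so the update rule below is the standard discrete epidemic approximation for pure-random scanning and is an assumption of this example, as is the proportional model of what a monitor covering a fraction P_m of the address space sees. The address space, host counts and the VSR schedule are constructed and deliberately scaled down. The point it shows is the one slide 9 makes: under a constant scan rate the monitored scan volume only grows, whereas a varying S(t) and P_a(t) make it fall and rise even though the infected population keeps growing.

```python
"""Discrete-time worm propagation model (slides 5, 7 and 9).

Added example, not code from the paper or the slides. Assumption: each of the
P_a(i) * S(i) * M(i) scans emitted in tick i hits any given address with
probability 1/T (pure-random scanning), so E(i+1) = N(i) * (1 - (1 - 1/T)^scans),
whose first-order approximation is the familiar S * M(i) * N(i) / T.
"""
from typing import Callable, List, Tuple

RateFn = Callable[[int], float]   # a function of the time tick i


def simulate(T: int, vulnerable: int, initial_infected: int, ticks: int,
             S: RateFn, P_a: RateFn) -> Tuple[List[float], List[float]]:
    """Return (M, scans): M[i] is the expected infected count at tick i and
    scans[i] the expected scan volume emitted during tick i, for i = 0..ticks.
    N(i) tracks the expected number of still-uninfected vulnerable hosts."""
    M = [float(initial_infected)]
    N = [float(vulnerable)]
    scans: List[float] = []
    for i in range(ticks + 1):
        emitted = P_a(i) * S(i) * M[i]          # scans sent out during tick i
        scans.append(emitted)
        if i == ticks:
            break
        # Probability that one uninfected host receives at least one of the
        # `emitted` uniformly random scans.
        p_hit = 1.0 - (1.0 - 1.0 / T) ** emitted
        E_next = p_hit * N[i]                   # E(i+1): newly infected hosts
        M.append(M[i] + E_next)
        N.append(N[i] - E_next)
    return M, scans


def observed_scans(scans: List[float], P_m: float) -> List[float]:
    """Expected scan volume landing in the monitored space when a fraction P_m
    of all IP addresses is monitored (assumed proportional to total volume)."""
    return [P_m * s for s in scans]


def is_nondecreasing(xs: List[float]) -> bool:
    return all(b >= a for a, b in zip(xs, xs[1:]))


# Constructed, scaled-down scenario: 2^24 addresses, 100,000 vulnerable hosts,
# 10 initially infected seeds, 1/256 of the address space under monitoring.
T_SPACE, VULNERABLE, SEEDS, TICKS, P_M = 2 ** 24, 100_000, 10, 120, 1 / 256


def traditional_prs(S: float = 50.0) -> Tuple[List[float], List[float]]:
    """Traditional PRS worm: constant scan rate S, always attacking (P_a = 1)."""
    return simulate(T_SPACE, VULNERABLE, SEEDS, TICKS, lambda i: S, lambda i: 1.0)


def vsr_worm() -> Tuple[List[float], List[float]]:
    """VSR worm with a constructed schedule: 30 ticks at full rate, then 30 ticks
    at low rate and low attack probability, repeating."""
    def active(i: int) -> bool:
        return (i // 30) % 2 == 0
    return simulate(T_SPACE, VULNERABLE, SEEDS, TICKS,
                    lambda i: 50.0 if active(i) else 2.0,
                    lambda i: 1.0 if active(i) else 0.2)


if __name__ == "__main__":
    for name, (M, scans) in (("PRS", traditional_prs()), ("VSR", vsr_worm())):
        obs = observed_scans(scans, P_M)
        print(f"{name}: final infected {M[-1]:.0f}, "
              f"monitored volume monotone: {is_nondecreasing(obs)}")
```

Running the block prints a monotone monitored volume for the PRS worm and a non-monotone one for the VSR worm, which is exactly the signal a count-based, trend-based detector relies on and loses.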

Slide 10: Worm Detection
Global traffic monitoring based worm detection
–Distributed monitors passively record and report port scan traffic to the worm detection center [SANs, BCJ+05]
–The detection center determines whether there is a large-scale worm propagation using certain detection schemes

Slide 11: Worm Detection Space
Three key elements
–Detection data: port scan record count, scan target (distinct IP) distribution
–Statistical property of worm detection data: individual count, mean, variance, entropy
–Detection decision rule: threshold-based, trend-based, static/dynamic rule
Fig. 3. Space of worm detection.
–CISH: Count, Individual, Static tHreshold [VSG05]
–CVDH: Count, Variance, Dynamic tHreshold [WVG04]
–CISR: Count, Individual, Static tRend [ZGT+03]
–DVDH: Distribution, Variance, Dynamic tHreshold [our extension of WVG04]
–DEC (or DEDH): Distribution, Entropy, Dynamic tHreshold [ours]
Other subspaces → other detection schemes?

Slide 12: Ineffectiveness of Existing Detection Schemes against VSR Worms
Metrics
–Detection Time (in minutes)
–Maximal Infection Ratio (%)

Slide 13: DEC Worm Detection
Attack target Distribution Entropy based dynamiC (DEC) worm detection
Three key elements
–Detection data: distribution of worm scan/attack target IPs, i.e., how many distinct IP addresses are scanned
–Statistical property of worm detection data: entropy
–Detection decision rule: run-time dynamic threshold adaptation

Slide 14: Why Worm Attack Target Distribution?
Captures the fundamental feature of active worms: to propagate to as many hosts as possible, the target IP addresses of worm port scan traffic must show a widely dispersed distribution → the worm scan/attack target distribution is a key feature distinguishing worm traffic from other traffic
Example
–Data-set1 = [(IP1, 8)]
–Data-set2 = [(IP2, 1), (IP3, 1), (IP4, 1), (IP5, 1), (IP6, 1), (IP7, 1)]
–By count, Data-set1 (8) exceeds Data-set2 (6)
–But Data-set2 looks more like worm scan traffic: its set of IP addresses is more widely distributed

Slide 15: Why Entropy?
Entropy quantifies “the amount of uncertainty” contained in data, or “the randomness” of the data
–The entropy is 0 when the distribution of the data is maximally concentrated
–It takes its maximal value when the distribution is maximally dispersed
We use entropy to measure the target distribution; it is better than other measurements such as variance

Slide 16: How to Use Entropy?
Entropy of the port scan target distribution
–From the port scan reports collected in a unit time: Z = ((DestIP_1; sn_1); ...; (DestIP_M; sn_M)), where sn_i is the number of times IP address DestIP_i is scanned
–Entropy of Z: [equation not reproduced in the transcript]
Example
–Data-set1: Z1 = [(IP1, 8)]
–Data-set2: Z2 = [(IP2, 1), (IP3, 1), (IP4, 1), (IP5, 1), (IP6, 1), (IP7, 1)]
–The variances of the two data-sets are the same and equal to 0, but the entropy of Z1 is 0 while the entropy of Z2 is 0.78!
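The entropy measure of slides 14 and 16, as an added Python example (not the paper's or the presenters' code). The transcript does not state the logarithm base; base 10 is assumed here because it reproduces the slide's value of 0.78 for Z2. The adaptive threshold at the end is this example's own illustration of a run-time dynamic rule (window mean plus k standard deviations over non-alarmed intervals), not the rule the paper uses, and the interval data it runs on are constructed. It goes slightly beyond the slide by also building Z from raw per-scan destination IPs, which is how a detection center would form it from monitor reports.

```python
"""Entropy of the port-scan target distribution (slides 14 and 16) and an
illustrative dynamic-threshold alarm.

Added example, not code from the paper or the slides. Assumptions: the
logarithm base is 10 (the transcript does not state it; base 10 reproduces
the slide's entropy of 0.78 for Z2), and the alarm rule at the end is this
example's own illustration of a run-time dynamic threshold, not the paper's.
"""
import math
from collections import Counter
from typing import Iterable, List, Sequence, Tuple

ScanReport = Tuple[str, int]  # (DestIP_i, sn_i): target address and its scan count


def target_entropy(z: Sequence[ScanReport]) -> float:
    """Entropy of Z = ((DestIP_1; sn_1); ...; (DestIP_M; sn_M)) with
    p_i = sn_i / sum_j sn_j and H(Z) = -sum_i p_i * log10(p_i)."""
    total = sum(sn for _, sn in z)
    if total == 0:
        return 0.0
    h = 0.0
    for _, sn in z:
        if sn > 0:                      # 0 * log(0) is taken as 0
            p = sn / total
            h -= p * math.log10(p)
    return h


def count_variance(z: Sequence[ScanReport]) -> float:
    """Population variance of the per-target counts sn_i, the statistic that
    slide 16 contrasts with entropy (it is 0 for both Z1 and Z2)."""
    counts = [sn for _, sn in z]
    if not counts:
        return 0.0
    mean = sum(counts) / len(counts)
    return sum((c - mean) ** 2 for c in counts) / len(counts)


def aggregate(dest_ips: Iterable[str]) -> List[ScanReport]:
    """Build Z from the raw destination IPs of the scan records the monitors
    reported during one unit time."""
    return sorted(Counter(dest_ips).items())


def dec_alarms(entropies: Sequence[float], window: int = 5, k: float = 3.0) -> List[bool]:
    """One alarm flag per interval: fire when the interval's entropy exceeds the
    mean of the last `window` non-alarmed intervals by more than k standard
    deviations. Alarmed intervals stay out of the baseline so a worm that keeps
    scanning does not raise the threshold against itself."""
    alarms: List[bool] = []
    baseline: List[float] = []
    for h in entropies:
        if len(baseline) < window:          # still learning the baseline
            alarms.append(False)
            baseline.append(h)
            continue
        hist = baseline[-window:]
        mean = sum(hist) / window
        sd = math.sqrt(sum((x - mean) ** 2 for x in hist) / window)
        fired = h > mean + k * sd
        alarms.append(fired)
        if not fired:
            baseline.append(h)
    return alarms


# The two data-sets from slides 14 and 16.
Z1: List[ScanReport] = [("IP1", 8)]
Z2: List[ScanReport] = [("IP2", 1), ("IP3", 1), ("IP4", 1), ("IP5", 1), ("IP6", 1), ("IP7", 1)]


def build_intervals() -> List[List[ScanReport]]:
    """Constructed sample: six intervals of benign scans concentrated on three
    servers, then two intervals of worm-like scans spread over 48 distinct
    targets. Every interval carries exactly 48 scan records, so a count-based
    detector sees no change at all."""
    a = [("10.0.0.5", 40), ("10.0.0.6", 5), ("10.0.0.7", 3)]
    b = [("10.0.0.5", 38), ("10.0.0.6", 6), ("10.0.0.7", 4)]
    c = [("10.0.0.5", 42), ("10.0.0.6", 4), ("10.0.0.7", 2)]
    worm = aggregate(f"192.0.2.{n}" for n in range(1, 49))
    return [a, b, c, a, b, a, worm, worm]


if __name__ == "__main__":
    print(f"H(Z1) = {target_entropy(Z1):.2f}, H(Z2) = {target_entropy(Z2):.2f}")
    print(f"var(Z1) = {count_variance(Z1)}, var(Z2) = {count_variance(Z2)}")
    series = [target_entropy(z) for z in build_intervals()]
    print("alarms:", dec_alarms(series))
```

The constructed intervals keep the scan count fixed at 48 while the target set changes from three servers to 48 distinct addresses, so the count-based schemes of slide 11 see nothing while the entropy jumps from roughly 0.25 to log10(48), about 1.68, and the alarm fires.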

Slide 17: Performance Evaluation
Metrics
–Detection Time (in minutes)
–Maximal Infection Ratio (%)
Simulation setup
–Real-world trace plus simulated worm traffic
Evaluated worm detection schemes
–CISH: Count, Individual, Static tHreshold
–CVDH: Count, Variance, Dynamic tHreshold
–CISR: Count, Individual, Static tRend
–DVDH: Distribution, Variance, Dynamic tHreshold
–Our DEC (or DEDH): Distribution, Entropy, Dynamic tHreshold

Slide 18: Detection Time of DEC (1)
–DEC detects the VSR worm much faster than the other detection schemes
–CISR (trend-based detection) cannot detect the VSR worm
Fig. 4. Detection time of detection schemes on VSR worms.

Slide 19: Detection Time of DEC (2)
–DEC detects the traditional worm faster and earlier than the other detection schemes
Fig. 5. Detection time of detection schemes on traditional PRS worms.

Slide 20: Maximal Infection Ratio of DEC (1)
–DEC detects the VSR worm at a very early stage of its propagation
Fig. 6. Maximal infection ratio of detection schemes on VSR worms.

Slide 21: Maximal Infection Ratio of DEC (2)
–Worms with higher scan rates are detected earlier and eventually propagate less
Fig. 7. Maximal infection ratio of detection schemes on traditional PRS worms.

Slide 22: Discussions
Worm Modeling
–Evolving worms: e.g., Atak worm [Zdnet]
–VSR worm: varying scan rate
–Determination of optimal S(t) and P_a(t) functions
Detection
–Why is DEC effective?
 -Attack target distribution
 -Entropy
–Limitations?
 -Needs scan target distribution information
 -Does not protect an individual sub-network or host

Slide 23: Final Remarks
We formally modeled the VSR worm and designed DEC worm detection
Future work
–Investigate other potential evolving worms that attempt to camouflage worm propagation
–Design effective detection against them
–Example: self-adjusting worm and its detection, ACSAC’06

Slide 24: References
[AM91] R. M. Anderson and R. M. May, Infectious Diseases of Humans: Dynamics and Control, Oxford University Press, Oxford.
[BCJ+05] M. Bailey, E. Cooke, F. Jahanian, J. Nazario, and D. Watson, “Internet motion sensor: A distributed blackhole monitoring system,” NDSS’05.
[SANs] SANS, Internet Storm Center.
[WVG04] J. Wu, S. Vangala, and L. X. Gao, “An effective architecture and algorithm for detecting worms with various scan techniques,” NDSS’04.
[ZGT02] C. C. Zou, W. Gong, and D. Towsley, “Code red worm propagation modeling and analysis,” CCS’02.
[ZGT+03] C. Zou, W. B. Gong, D. Towsley, and L. X. Gao, “Monitoring and early detection for internet worms,” CCS’03.
[Zdnet] ZDNet, “Smart worm lies low to evade detection.”

Slide 25: Q&A
Thanks!