Internet Quarantine: Requirements for Containing Self-Propagating Code. David Moore et al., University of California, San Diego.

Outline Background on worms, especially Code-Red – What a worm is, especially Code-Red. – Prevention, treatment and containment of worms. SI epidemic model and Code Red propagation model. Simulations of Code Red propagation and containment system deployment. Conclusion.

Background: what is a worm? A worm is self-replicating software designed to spread through a network. Worm vs. virus and Trojan horse – A virus or Trojan horse relies on human intervention to spread. – A worm is autonomous.

Background: Code-Red v1 Outbreak: June 18, 2001. How it works: – Buffer overflow exploit on the Microsoft IIS web server. – Upon infecting a machine, randomly generate a list of IP addresses. – Probe each address in the list. Payload: DDoS attack against www1.whitehouse.gov. Damage: little – the random seed was fixed, so every infected host probed the same list of addresses.

Background: Code-Red v2 Outbreak: July 19, 2001. How it works: – Similar to Code-Red v1, but with a truly random seed. – Generates 11 probes per second. Damage: severe – 359,000 machines were infected within 14 hours.

How to mitigate the threat of worms (1) Three approaches – Prevention: reduce the size of the vulnerable population. This is hard: a single vulnerability in a popular software system can result in millions of vulnerable hosts. E.g. Code Red attacked millions of MS IIS web servers.

How to mitigate the threat of worms (2) Treatment: – E.g. virus scanner. – The time required to design, develop and test a fix for a security flaw is usually far too long compared with the spread of the worm. Containment: – E.g. firewalls, filters. – Containment is used to protect individual networks and to isolate infected hosts.

SI Model (1) In this work, a vulnerable machine is described as susceptible (S). An infected machine is described as infected (I). Let N be the number of vulnerable machines. Let S(t) be the number of susceptible hosts at time t, and s(t) be S(t)/N, where N = S(t) + I(t). Let I(t) be the number of infected hosts at time t, and i(t) be I(t)/N. Let be the contact rate of the worm. Define:

SI Model (2) Solving the differential equation gives the closed-form solution for i(t), where T is a constant.

Code Red Propagation Model (1) Code Red generates IPv4 addresses at random, so there are 2^32 possible target addresses in total. Let r be the probe rate of a Code Red worm. Thus:

Code Red Propagation Model (2) Two problems – Cannot model preferential targeting algorithms. E.g. selecting targets from address ranges closer to the infected host. – The contact rate only represents an average. E.g. a particular epidemic may grow significantly more quickly by making a few lucky targeting decisions in the early phase.

Code Red Propagation Model (3) Example of 100 simulations of the Code Red propagation model. After 4 hours: 55% infected on average, 80% at the 95th percentile, 25% at the 5th percentile.

Modeling Containment Systems (1) A containment system has three important properties: – Reaction time – the time necessary for detection of malicious activity, propagation of the containment information to all hosts participating in the system, and activation of the containment strategy.

Modeling Containment Systems (2) – Containment strategy Address blacklisting – Maintain a list of IP addresses that have been identified as infected. – Drop all packets from any address in the list. – E.g. mail filter. – Advantage: can be implemented easily with existing firewall technology.

Modeling Containment Systems (3) Content filtering – Requires a database of content signatures known to represent particular worms. – This approach requires additional technology to automatically create appropriate content signatures. – Advantage: a single update is sufficient to describe any number of instances of a particular worm implementation. Deployment scenarios – Ideally, a global deployment is preferable. – Practically, a global deployment is impossible. – A realistic option is deployment at the borders of ISP networks.

Idealized Deployment (1) Simulation goal – To find how short the reaction time must be to effectively contain a Code-Red style worm. Simulation parameters: – 360,000 vulnerable hosts out of 2^32 addresses. – Probe rate of the worm: 10 per sec. Containment strategy implementation – Address blacklisting: send infected IP addresses to all participating hosts. – Content filtering: send the signature of the worm to all participating hosts.

Idealized Deployment (2) Result: content filtering is more effective. [Figure: number of susceptible hosts over time for reaction times of 20 min and 2 hr; labels "number of susceptible hosts decreases" and "worm unchecked".]

Idealized Deployment (3) Next goal: – To find the relationship between containment effectiveness and worm aggressiveness. – Figures are in log-log scale.

Idealized Deployment (4) [Figure: percentage of infected hosts.] Address blacklisting is hopeless against aggressive worms.

Practical Deployment (1) Network model – AS sets in the Internet: the routing table on July 19, 2001, the first day of the Code Red v2 outbreak. – A set of vulnerable hosts and ASes: use the hosts infected by Code Red v2 during the initial 24 hours of propagation, a large and well-distributed set of vulnerable hosts. – 338,652 hosts distributed across 6,378 ASes.

Practical Deployment (2) Deployment scenarios – Use content filtering only. – Filtering firewalls are deployed on the borders of both customer networks and ISP networks. [Figure: deployment of the containment strategy.]

Practical Deployment (3) Reaction time: 2 hrs. The differences in performance between scenarios come from differences in path coverage.

Practical Deployment (4) The system fails to contain the worm.

Conclusion Explored the properties of containment systems – Reaction time – Containment strategy – Deployment scenario. To contain a worm effectively – Automated and fast methods to detect and react to worm epidemics are required. – Content filtering is the preferable strategy. – The containment systems have to cover all Internet paths when deployed.