1 Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense Cliff C. Zou, Weibo Gong, Don Towsley Univ. Massachusetts, Amherst.

Slides:



Advertisements
Similar presentations
Fast Worm Propagation In IPv6 Networks Malware Project Presentation Jing Yang
Advertisements

Modeling Malware Spreading Dynamics Michele Garetto (Politecnico di Torino – Italy) Weibo Gong (University of Massachusetts – Amherst – MA) Don Towsley.
1 Routing Worm: A Fast, Selective Attack Worm based on IP Address Information Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai Univ. Massachusetts, Amherst.
Worm Origin Identification Using Random Moonwalks Yinglian Xie, V. Sekar, D. A. Maltz, M. K. Reiter, Hui Zhang 2005 IEEE Symposium on Security and Privacy.
Fusing Intrusion Data for Pro-Active Detection and Containment Mallikarjun (Arjun) Shankar, Ph.D. (Joint work with Nageswara Rao and Stephen Batsell)
University of Buffalo The State University of New York Spatiotemporal Data Mining on Networks Taehyong Kim Computer Science and Engineering State University.
RUMORS: How can they work ? Summer School Math Biology, 2007 Nuno & Sebastian.
 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.
 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.
1 Epidemic Spreading in Real Networks: an Eigenvalue Viewpoint Yang Wang Deepayan Chakrabarti Chenxi Wang Christos Faloutsos.
Modeling the spread of active worms Zesheng Chen, Lixin Gao, and Kevin Kwiat bearhsu - INFOCOM 2003.
Internet Quarantine: Requirements for Containing Self- Propagating Code David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage.
Self-Stopping Worms Justin Ma, Geoffrey M. Voelker, Stefan Savage Collaborative Center for Internet Epidemiology and Defenses (CCIED) Department of Computer.
Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.
Copyright Silicon Defense Worm Overview Stuart Staniford Silicon Defense
Code Red Worm Propagation Modeling and Analysis Zou, Gong, & Towsley Michael E. Locasto March 4, 2003 Paper # 46.
Virus Propagation Modeling Chenxi Wang, Christos Faloutsos Yang Wang, Deepayan Chakrabarti Carnegie Mellon University Center for Computer.
THE CASE FOR PROACTIVE NETWORK SECURITY: WORMS, VIRUSES & BUSINESS CONTINUITY Presented to Dr. Yan Chen MITP 458- Information Security & Assurance Business.
T H E O H I O S T A T E U N I V E R S I T Y Computer Science and Engineering Current Calendar Calendar Index Upcoming Speakers About... Artificial Intelligence.
Dynamic Network Security Deployment under Partial Information George Theodorakopoulos (EPFL) John S. Baras (UMD) Jean-Yves Le Boudec (EPFL) September 24,
Worms: Taxonomy and Detection Mark Shaneck 2/6/2004.
The Monitoring and Early Detection of Internet Worms Cliff C. Zou, Weibo Gong, Don Towsley, and Lixin Gao IEEE/ACM Trans. Networking, Oct
Modelling the control of epidemics by behavioural changes in response to awareness of disease Savi Maharaj (joint work with Adam Kleczkowski) University.
Worm Defense. Outline  Internet Quarantine: Requirements for Containing Self-Propagating Code  Netbait: a Distributed Worm Detection Service  Midgard.
 Fundamental terms  Diseases vs. Diseases transmitted by a network  Branching Process  The SIR epidemic model  The SIS epidemic Model  5 Worst Computer.
Modeling/Detecting the Spread of Active Worms Lixin Gao Dept. Of Electrical & Computer Engineering Univ. of Massachusetts
Fast and Robust Worm Detection Algorithm Tian Bu Aiyou Chen Scott Vander Wiel Thomas Woo bearhsu.
1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Lecture 11 Intrusion Detection (cont)
1 Worm Modeling and Defense Cliff C. Zou, Don Towsley, Weibo Gong Univ. Massachusetts, Amherst.
The Politics of Smallpox Modeling Rice University - November 2004 Edward P. Richards, JD, MPH Director, Program in Law, Science, and Public Health Harvey.
Carleton University School of Computer Science Detecting Intra-enterprise Scanning Worms based on Address Resolution David Whyte, Paul van Oorschot, Evangelos.
1 Modeling, Analysis, and Mitigation of Internet Worm Attacks Presenter: Cliff C. Zou Dept. of Electrical & Computer Engineering University of Massachusetts,
V5 Epidemics on networks
Code Red Worm Propagation Modeling and Analysis Zou, Gong, & Towsley Michael E. Locasto March 21, 2003.
Code Red Worm Propagation Modeling and Analysis Cliff Changchun Zou, Weibo Gong, Don Towsley Univ. Massachusetts, Amherst.
Worms, Viruses, and Cascading Failures in networks D. Towsley U. Massachusetts Collaborators: W. Gong, C. Zou (UMass) A. Ganesh, L. Massoulie (Microsoft)
Detection Unknown Worms Using Randomness Check Computer and Communication Security Lab. Dept. of Computer Science and Engineering KOREA University Hyundo.
CODE RED WORM PROPAGATION MODELING AND ANALYSIS Cliff Changchun Zou, Weibo Gong, Don Towsley.
Code Red Worm Propagation Modeling and Analysis Cliff Changchun Zou, Weibo Gong, Don Towsley.
Modeling Worms: Two papers at Infocom 2003 Worms Programs that self propagate across the internet by exploiting the security flaws in widely used services.
1 Modeling, Early Detection, and Mitigation of Internet Worm Attacks Cliff C. Zou Assistant professor School of Computer Science University of Central.
Network theory 101 Temporal effects What we are interested in What kind of relevant temporal /topological structures are there? Why? How does.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore, Colleen Shannon, Geoffrey M.Voelker, Stefan Savage University of California,
Epidemic (Compartment) Models. Epidemic without Removal SI Process Only Transition: Infection Transmission SIS Process Two Transitions: Infection and.
1 On the Performance of Internet Worm Scanning Strategies Authors: Cliff C. Zou, Don Towsley, Weibo Gong Publication: Journal of Performance Evaluation,
SPYCE/May’04 coverage: A Cooperative Immunization System for an Untrusting Internet Kostas Anagnostakis University of Pennsylvania Joint work with: Michael.
1 On the Performance of Internet Worm Scanning Strategies Cliff C. Zou, Don Towsley, Weibo Gong Univ. Massachusetts, Amherst.
1 Modeling, Early Detection, and Mitigation of Internet Worm Attacks Cliff C. Zou Assistant professor School of Computer Science University of Central.
1 Monitoring and Early Warning for Internet Worms Cliff C. Zou, Lixin Gao, Weibo Gong, Don Towsley Univ. Massachusetts, Amherst.
1 Monitoring and Early Warning for Internet Worms Authors: Cliff C. Zou, Lixin Gao, Weibo Gong, Don Towsley Univ. Massachusetts, Amherst Publish: 10th.
1 Modeling and Measuring Botnets David Dagon, Wenke Lee Georgia Institute of Technology Cliff C. Zou Univ. of Central Florida Funded by NSF CyberTrust.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
Cooperative Response Strategies for Large Scale Attack Mitigation D. Nojiri, J. Rowe, K. Levitt Univ of California Davis DARPA Info Survivability Conference.
1 Lecture 16 Epidemics University of Nevada – Reno Computer Science & Engineering Department Fall 2015 CS 791 Special Topics: Network Architectures and.
2016/3/13 1 Peer-to-peer system-based active worm attacks: Modeling, analysis and defense Wei Yu, Sriram Chellappan, Xun Wang, Dong Xuan Computer Communications.
Spread of Disease in Africa Based on a Logistic Model By Christopher Morris.
Biao Wang 1, Ge Chen 1, Luoyi Fu 1, Li Song 1, Xinbing Wang 1, Xue Liu 2 1 Shanghai Jiao Tong University 2 McGill University
Vigilante: End-to-End Containment of Internet Worms Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang and Paul Barham.
Epidemic Profiles and Defense of Scale-Free Networks L. Briesemeister, P. Lincoln, P. Porras Presented by Meltem Yıldırım CmpE
Internet Quarantine: Requirements for Containing Self-Propagating Code
Epidemic spreading in complex networks with degree correlations
Worm Origin Identification Using Random Moonwalks
Research Progress Report
Large Graph Mining: Power Tools and a Practitioner’s guide
Modeling, Early Detection, and Mitigation of Internet Worm Attacks
Jonathan Griffin Andy Norman Jamie Twycross Matthew Williamson
CSE551: Introduction to Information Security
Introduction to Internet Worm
Presentation transcript:

1 Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense Cliff C. Zou, Weibo Gong, Don Towsley Univ. Massachusetts, Amherst

2 Motivation: automatic mitigation and its difficulties Fast spreading worms pose serious challenges:  SQL Slammer infected 90% within 10 minutes.  Manual counteractions out of the question. Difficulty of automatic mitigation  high false alarm cost.  Anomaly detection for unknown worm.  False alarms vs. detection speed.  Traditional mitigation:  No quarantine at all  …  long-time quarantine until passing human’s inspection.

3 Principles in real-world epidemic disease control Principle #1  Preemptive quarantine  Assuming guilty before proven innocent  Comparing with disease damage, we are willing to pay certain false alarm cost. Principle #2  Feedback adjustment  More serious epidemic, more aggressive quarantine action  Adaptive adjustment of the trade-off between disease damage and false alarm cost.

4 Dynamic Quarantine Assuming guilty before proven innocent  Quarantine on suspicion, release quarantine after a short time automatically  reduce false alarm cost  Can use any host-based, subnet-based anomaly detection system.  Host or subnet based quarantine (not whole network- level quarantine).  Quarantine is on suspicious port only. A graceful automatic mitigation: No quarantine Dynamic short-time quarantine long-time quarantine

5 Worm detection system Feedback Control Dynamic Quarantine Framework (host-level) Feedback : More suspicious, more aggressive action Predetermined constants: ( for each TCP/UDP port) Observation variables: : # of quarantined. Worm detection and evaluation variables: Control variables: Network Activities Worm Detection & Evaluation Decision & Control Anomaly Detection System Probability Damage Quarantine time Alarm threshold

6 Two-level Feedback Control Dynamic Quarantine Framework Network-level quarantine (Internet scale)  Dynamic quarantine is on routers/gateways of local networks.  Quarantine time, alarm threshold are recommended by MWC. Host-level quarantine (local network scale)  Dynamic quarantine is on individual host or subnet in a network.  Quarantine time, alarm threshold are determined by:  Local network’s worm detection system.  Advisory from Malware Warning Center. Host-level quarantine Malware Warning Center Network-level quarantine Local network

7 Host-level Dynamic Quarantine without Feedback Control First step: no feedback control/optimization  Fixed quarantine time, alarm threshold. Results and conclusions:  Derive worm models under dynamic quarantine.  Efficiently reduce worm spreading speed.  Give human precious time to react.  Cost: temporarily quarantine some healthy hosts.  Raise/generate epidemic threshold  Reduce the chance for a worm to spread out.

8 Worm modeling — simple epidemic model # of contacts  I  S Simple epidemic model for fixed population system: I(t) t susceptibleinfectious : # of susceptible : # of hosts : # of infectious : infection ability

9 Worm modeling — Kermack-McKendrick model State transition: : # of removed from infectious : removal rate Epidemic threshold theorem:  No outbreak happens if susceptible infectious removed t where : epidemic threshold

10 Analysis of Dynamic Quarantine I(t): # of infectious S(t): # of susceptible T : Quarantine time R(t) : # of quarantined infectious Q(t) : # of quarantined susceptible 1 : quarantine rate of infectious 2 : quarantine rate of susceptible Without “removal”: Assumptions:

11 Extended Simple Epidemic Model Before quarantine: After quarantine: I(t) R(t)=p’ 1 I(t) S(t) Q(t)=p’ 2 S(t) # of contacts  Susceptible Infectious

12 Extended Simple Epidemic Model Vulnerable population N=75,000, worm scan rate 4000 /sec T=4 seconds, 1 = 1, 2 = (twice false alarms per day per node) Law of large number R(t) : # of quarantined infectious Q(t) : # of quarantined susceptible

13 Extended Kermack-McKendrick Model Before quarantine: After quarantine: removed

14 Extended Kermack-McKendrick Model Population N=75,000, worm scan rate 4000/sec, T=4 seconds, 1 = 1, 2 = ,  =0.005 R(t) : # of quarantined infectious Q(t) : # of quarantined susceptible

15 Dynamic Quarantine Model — Considering Human’s Counteraction A more realistic dynamic quarantine scenario:  Security staffs inspect quarantined hosts only.  Not enough time to check all quarantine hosts before their quarantine time expired --- removal only from quarantined infectious hosts R(t).  Model is similar to the Kermack-McKendrick model Introduced Epidemic threshold:

16 Dynamic Quarantine Model — Considering Human’s Counteraction R(t) : # of quarantined infectious Q(t) : # of quarantined susceptible Population N=75,000, worm scan rate 4000/sec, T=4 seconds, 1 = 1, 2 = ,  =0.005

17 Summary Learn the quarantine principles in real-world epidemic disease control:  Preemptive quarantine: Assuming guilty before proven innocent  Feedback adjustment: More serious epidemic, more aggressive quarantine action Two-level feedback control dynamic quarantine framework  Optimal control objective:  Reduce worm spreading speed, # of infected hosts.  Reduce false alarm cost. Derive worm models under dynamic quarantine  Efficiently reduce worm spreading speed  Give human precious time to react  Raise/generate epidemic threshold  Reduce the chance for a worm to spread out

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.