Presentation is loading. Please wait.

Presentation is loading. Please wait.

Internet Worms: Reality or Hype

Published byDeddy Budiaman Modified over 5 years ago

Similar presentations

Presentation on theme: "Internet Worms: Reality or Hype"— Presentation transcript:

1 Internet Worms: Reality or Hype
Literature Review and Comments Shai Rubin UW Madison 2/16/2019 Security Seminar Fall 2002

2 Overview Background: 3 behavioral models Threat from future worms
What a worm is How a worm works 3 behavioral models Threat from future worms Defending against worms (Wild and Crazy) Summary Message: What we are going to do today. Talk about Worms: Need to talk about the differences between worms and viruses. How they work How they behave (we are trying to develop models to predict how worms behave). How we can protect against them. Models: We will look on the assumptions, motivation, paramaters behind the model and not too much into their details. Transition: So let us start by looking how worms work 2/16/2019 Security Seminar Fall 2002

3 An Internet Worm Self propagating program Speeding Mechanism: Threats:
Spreading phase DDoS attack Self propagating program Speeding Mechanism: Exploits a bug over the network (e.g., buffer overflow in IIS) Probe the net to find new machines to exploit Amazon.com Threats: Distributed denial of service attack Access to classified information on each compromised host Message: To understand how a single worm work. Talk about Illustrate how a single worm work. Initial phase. Illustrate how the Internet is getting Infected. What are the threats: Access to classify data. launching DDOS attacks. Multimedia DDoS attacks Example of worms Transition: So let see what a worm can cause Find an Internet illustration. Router Host 2/16/2019 Security Seminar Fall 2002

4 Code Red II Vulnerability: buffer overflow Microsoft IIS.
Code Red II Behavior [DM02] Vulnerability: buffer overflow Microsoft IIS. Vulnerability published: 19 June, 2001 Started Spreading 19 July, 2001 360,000 hosts infected in 24 hours (demo) Damage: $1.2 billion [USA01] Message: Illustrate the risk/threat of worms Talk about Show Code Red II information. When the vulnerability was discovered. When Code Red II was discovered. Show a graph of infected/hour. Show interesting modeling questions: What is the infection rate? Knowing the infection rate will help us: Predict future-worm behavior. Which Infection rate is not effective? Any system that protects against worms ‘strive’ for this infection rate. What should be the immunization rate? We need to build a system that would deploy at least this rate. Transition: So, the first think to look in is the human society: how viruses spread in human society. 2/16/2019 Security Seminar Fall 2002

5 Overview Background: Worm behavioral models: Threat from future worms
What a worm is How a worm works Worm behavioral models: Why analytical models? Simple Advance Sophisticated Threat from future worms Defending against worms Summary Message: What we are going to do today. Talk about Worms: Need to talk about the differences between worms and viruses. How they work How they behave (we are trying to develop models to predict how worms behave). How we can protect against them. Models: We will look on the assumptions, motivation, paramaters behind the model and not too much into their details. Transition: So let us start by looking how worms work 2/16/2019 Security Seminar Fall 2002

6 Modeling Worm Behavior
Why analytical model? In general, analytical model cheaper than simulation Help us understand better: Parameters that influence behavior Use the model to explore future worm behavior Use model define the properties of defense techniques Starting point: human epidemic Many similarities: infection, immunization, viruses, etc. Message: What we are going to do today. Talk about Worms: Need to talk about the differences between worms and viruses. How they work How they behave (we are trying to develop models to predict how worms behave). How we can protect against them. Models: We will look on the assumptions, motivation, paramaters behind the model and not too much into their details. Transition: So let us start by looking how worms work 2/16/2019 Security Seminar Fall 2002

7 The ‘Simple’ Epidemic Model
Model assumptions [SPW02, Bai75]: Homogenous population (each node has ~k neighbors) no immunization Two parameters: n – Total population size = # of susceptible hosts  - Infection rate Number of infected individuals: Known as Logistic Equation Message: Explain the simplest model for human viruses. Talk about: Homogeneously mixing group of individuals. Every individual is susceptible. No immunization. t=0, just one individual becoming infectious. Mention the name: logistic equation. Transition: The question we ask now: Do computer viruses behaves the same 2/16/2019 Security Seminar Fall 2002

8 Does Code Red Fit the ‘Simple’ Model?
Staniford at el. [SPW02]:  = 1.8 We are done Are we really done? A match does not entail that the model is ‘correct’ Check other viruses/worms Weak model assumptions (homogenous population, no immunization) ‘Unnatural’ Code Red behavior Message: Does the model fits the data. Talk about: The parameters Yes (by XXX). Argument : We found parameters that fits the model to the real behavior, hence the model is correct. Flowed methodology. If it fits, does it means that it is OK? Transition: There are other processes involves in infection: immunization. Hosts are patched (immune). Hosts are remove from the Internet (dead). So let’s go back to human models. 2/16/2019 Security Seminar Fall 2002

9 ‘Advance’ Epidemic Model
Model assumptions [Bai75]: Homogenous population Immunization: infected individuals are removed from population Three basic parameters: n - Total population size = # of susceptible hosts  - Infection rate  - Removal rate No analytical solution1 (unlike the logistic equation for the ‘simple’ model) Epidemic Threshold exist: When the total number of susceptible individuals drops blow a certain threshold the epidemic ‘dies’ =/=effective infection rate Message: A more realistic model for human epidemic Talk about: Homogeneously mixing group of individuals. Every individual is susceptible. Immunization/recovery. t=0, just one individual becoming infectious. Main result: epidemic threshold: either the epidemic dies by itself, or almost every one is infected. Full, or K-connected graph (is that the correct term?) Transition: 2/16/2019 Security Seminar Fall 2002 1As far as I know, based on [Bai75]

10 Do Worms Fit the ‘Advance’ Model?
Satorras at el. [SV01] : No Investigate three viruses types. Why not? because computer viruses do not die. Computer viruses have long lifetime (months) This implies, for all computer viruses: effective spreading rate is just above the epidemic threshold ‘2’ is very unlikely to occur How, we can better explain this observation? Message: We do not know. Talk about: What XXX and YYY found” Argument 1: Low # of computers infected for a log period of time. Hence, the effective spreading rate is just above the epidemic threshold. Unlikely to occur. Argument 2: Long live behavior. High removal rate. Hence, high spreading rate. Contradiction to 1. Talk about the type of viruses they explore. Transition: So, we need to explain the behavior in some other way. 2/16/2019 Security Seminar Fall 2002

11 ‘Advance + Topology’ Model [SV01]
Epidemic models do not account for the scale free topology of the Internet Model assumptions: Scale free topology: P[n has K neighbors]=K- (23) As in the ‘advance’ model: three parameters: n, ,  Intuition: individuals with higher connectivity has higher spreading rate Scale Free Topology Message: Talk about: Internet Topology. Mix group. Give details about the model? Limitation: Two types of users (humans). Transition: So, we need to explore another possibility. 2/16/2019 Security Seminar Fall 2002

12 Do Worms Fit the ‘Advance +Topology’ Model?
Model property: epidemic never dies Seems to fit data (both of old viruses [SV01], and current worms SPW02) Code Red II does not die: Message: Talk about: Transition: Oct’ 01 Nov’ 01 Dec’ 01 Jan’ 02 Feb’ 02 2/16/2019 Security Seminar Fall 2002

13 The But of ‘Advance + Topology’
Is the assumption (scale free topology) valid? Viruses/worms attack ‘end’ machines (servers/hosts) Routers are the ‘highly connected’ individuals, but they are not susceptible (usually) Hence, we should consider a fully connected graph of susceptible individuals Message: Talk about: Internet Topology. Mix group. Give details about the model? Limitation: Two types of users (humans). Transition: So, we need to explore another possibility. 2/16/2019 Security Seminar Fall 2002

14 Current Models Summary
Simple Advanced + Topology Topology K-connected Scale Free Infection/ Removal rate Constant infection rate (no removal rate) Constant Rates Analytical solution Yes Approximation Evidence that fits data Purpose: Understand what we did. Talk about What we did. What we are going to do now. Transition: 2/16/2019 Security Seminar Fall 2002

15 ‘Sophisticated’ Epidemic Model
Zou at el. [ZGT02] objects Staniford at el. [SPW02]: No removal process Model was artificially fitted. Code Red II artificially stopped spreading after 24 hours Furthermore, infection/removal rate not constant. Infection rate decreased (due to high network traffic) Removal rate increased Real population: 490,000 Message: A more realistic model for human epidemic Talk about: Homogeneously mixing group of individuals. Every individual is susceptible. Immunization/recovery. t=0, just one individual becoming infectious. Main result: epidemic threshold: either the epidemic dies by itself, or almost every one is infected. Full, or K-connected graph (is that the correct term?) Transition: 2/16/2019 Security Seminar Fall 2002

16 ‘Sophisticated’ Epidemic Model
Message: A more realistic model for human epidemic Talk about: Homogeneously mixing group of individuals. Every individual is susceptible. Immunization/recovery. t=0, just one individual becoming infectious. Main result: epidemic threshold: either the epidemic dies by itself, or almost every one is infected. Full, or K-connected graph (is that the correct term?) Transition: So, which parameters should we take into account? 2/16/2019 Security Seminar Fall 2002

17 Models Summary Simple Advanced + Topology Sophisticated Topology
K-connected Scale Free K-Connected Infection/ Removal rate Constant infection rate (no removal rate) Constant Rates Time dependent rates Limitations Naive Questionable topology Complex Analytical solution Yes Approximation No? Evidence that fits data Common Highly virulence Purpose: Understand what we did. Talk about What we did. What we are going to do now. Transition: 2/16/2019 Security Seminar Fall 2002

18 Overview Background: Worm behavior models: Threat from future worms
What a worm is How a worm works Worm behavior models: Simple Advance Sophisticated Threat from future worms Defending against worms The defender advantage Defense techniques Summary Message: Talk about Transition: 2/16/2019 Security Seminar Fall 2002

19 ‘Better’ Worms Can someone implement even ‘faster’ worms?
The dominant factor: start-up time Short start-up time  faster worm Purpose Talk: Transition: 2/16/2019 Security Seminar Fall 2002

20 Short Start-Up Time [SPW01]
Technique Hit List scanning (HL) Creator prepares a list of potential susceptible machines. Worm splits the list into sub-lists as it propagates. Problem: infection rate drops after list is exhausted. Permutation scanning (PS) Each copy of the worm scans different range of addresses. Problem: sill long start up time Warhol (HL+PS) Initially use HL. Continue with PS. Problem: ??? Purpose Talk: Transition: 2/16/2019 Security Seminar Fall 2002

21 ‘Better’ Worms - Simulation
Code Red II (Initial Infection rate =1.8) Permutation scanning (Initial Infection rate =6) Warwol (Initial Infection rate =20) Purpose To understand what is a better worm. Talk: According to model ’1’ (Staniford), the time that dominates the infection time is the start. Show the graph, say that we use the model as the first step in creation of better worms. Transition: So how can we get the worm ‘off the ground’? So, is the battle lost? 2/16/2019 Security Seminar Fall 2002

22 Overview Background: 3 behavioral models: Threat from future worms
What a worm is How a worm works 3 behavioral models: Simple Advance Sophisticated Threat from future worms Defending against worms ‘Good guy’ advantages Defense techniques Summary Message: Talk about Transition: 2/16/2019 Security Seminar Fall 2002

23 ‘Good Guy’ Advantages Easier to patch system than implementing a new worm [CIPART] Good guys have more resources Use resources the identify/fight worms Diversify resources Models suggest: easier to slow active worm than making it faster Other? 2/16/2019 Security Seminar Fall 2002

24 CIPART: Eliminating Known Vulnerabilities
Code Red exploited ‘known’ vulnerability: MS announce a patch on June 19, 2001 Code Red propagate on July 19, 2001 $1.2 Billion damage could have been avoided if patch was deployed Solaris Vulnerability Database What is the threat? Should I do something? If yes, what should I do? System Administrator Linux Win New vulnerability Linux Guided Patcher Win Solaris Vulnerability Exist? Vulnerability Database Formal Vulnerability Description Vulnerability Test Generator Threat Estimator Test results Administrator Report Audit Tool 2/16/2019 Security Seminar Fall 2002

25 Fast Worm Identification: Birds Eat Worms
Deploy hidden censors (birds) in the web: Birds: machines that ‘pretend’ they run services (e.g., IIS) When someone ask ‘do you run ‘x’’, say ‘yes, I run ‘x’’. Check if the censor was ‘infected’ Eliminate worm Message: To understand how a single worm work. Talk about Illustrate how a single worm work. Initial phase. Illustrate how the Internet is getting Infected. What are the threats: Access to classify data. launching DDOS attacks. Multimedia DDoS attacks Example of worms Transition: So let see what a worm can cause Find an Internet illustration. 2/16/2019 Security Seminar Fall 2002

26 Defending Against Worms
The defender advantage Attacker gain Defender gain Purpose Talk: Transition: So how can we keep the worm near the ground? Same effort (X3): attacker gains 9 hours, defender gains 30 hours 2/16/2019 Security Seminar Fall 2002

27 Summary: Reality of Hype?
Do worms are a potential threat? No What is the magnitude of the threat? $1.2 Billion/worm Is that a big threat? No (car accidents in the US: $150 Billion/year) Yes Reality Hype 2/16/2019 Security Seminar Fall 2002

28 Bibliography [SPW02] Stuart Staniford, Vern Paxson, and Nicholas Weaver. "How to 0wn the Internet in Your Spare Time". In the Proceedings of the 11th USENIX Security Symposium, 2002. [SV01] Romualdo Pastor-Satorras and Alessandro Vespignani. "Epidemic Spreading in Scale-Free Networks". Physical Review Letters Vol 86(14), 2001. [ZGT02] Changchun Zou, Weibo Gong, and Don Towsley. "Code Red Worm Propagation Modeling and Analysis". 9th ACM Conference on Computer and Communications Security, 2002. [DM02] David Moore. “The Spread of the Code-Red Worm”. Cooperative Association for Internet Data Analysis (CAIDA), [USA01] USA Today 08/01/01. [Bai75] Norman T. J. Bailey . “The mathematical theory of infectious diseases and its applications”, 1975. 2/16/2019 Security Seminar Fall 2002

Download ppt "Internet Worms: Reality or Hype"

Similar presentations

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
Modeling Malware Spreading Dynamics Michele Garetto (Politecnico di Torino – Italy) Weibo Gong (University of Massachusetts – Amherst – MA) Don Towsley.

Modeling Malware Spreading Dynamics Michele Garetto (Politecnico di Torino – Italy) Weibo Gong (University of Massachusetts – Amherst – MA) Don Towsley.
University of Buffalo The State University of New York Spatiotemporal Data Mining on Networks Taehyong Kim Computer Science and Engineering State University.

University of Buffalo The State University of New York Spatiotemporal Data Mining on Networks Taehyong Kim Computer Science and Engineering State University.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.

 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.
 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.

 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.
1 Epidemic Spreading in Real Networks: an Eigenvalue Viewpoint Yang Wang Deepayan Chakrabarti Chenxi Wang Christos Faloutsos.

1 Epidemic Spreading in Real Networks: an Eigenvalue Viewpoint Yang Wang Deepayan Chakrabarti Chenxi Wang Christos Faloutsos.
Paul Solomine Security of P2P Systems. P2P Systems Used to download copyrighted files illegally. The RIAA is watching you… Spyware! General users become.

Paul Solomine Security of P2P Systems. P2P Systems Used to download copyrighted files illegally. The RIAA is watching you… Spyware! General users become.
Copyright Silicon Defense 2003. Worm Overview Stuart Staniford Silicon Defense www.silicondefense.com.

Copyright Silicon Defense Worm Overview Stuart Staniford Silicon Defense
Worm Defenses Zach Lovelady and Nick Oliver cs239 – Network Security – Spr2003.

Worm Defenses Zach Lovelady and Nick Oliver cs239 – Network Security – Spr2003.
How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.
100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.

100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
1 Email Worm Modeling and Defense Cliff C. Zou, Don Towsley, Weibo Gong Univ. Massachusetts, Amherst.

1 Worm Modeling and Defense Cliff C. Zou, Don Towsley, Weibo Gong Univ. Massachusetts, Amherst.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)

Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
Active Worms CSE 4471: Information Security 1. Active Worm vs. Virus Active Worm –A program that propagates itself over a network, reproducing itself.

Active Worms CSE 4471: Information Security 1. Active Worm vs. Virus Active Worm –A program that propagates itself over a network, reproducing itself.
1 How to 0wn the Internet in Your Spare Time Authors: Stuart Staniford, Vern Paxson, Nicholas Weaver Publication: Usenix Security Symposium, 2002 Presenter:

1 How to 0wn the Internet in Your Spare Time Authors: Stuart Staniford, Vern Paxson, Nicholas Weaver Publication: Usenix Security Symposium, 2002 Presenter:
A Taxonomy of Computer Worms Nicholas Weaver, Vern Paxson, Stuart Staniford, and Robert Cunningham ACM WORM 2003 Speaker: Chang Huan Wu 2008/8/8.

A Taxonomy of Computer Worms Nicholas Weaver, Vern Paxson, Stuart Staniford, and Robert Cunningham ACM WORM 2003 Speaker: Chang Huan Wu 2008/8/8.
How to Own the Internet in Your Spare Time (Stuart Staniford Vern Paxson Nicholas Weaver ) Giannis Kapantaidakis University of Crete CS558.

How to Own the Internet in Your Spare Time (Stuart Staniford Vern Paxson Nicholas Weaver ) Giannis Kapantaidakis University of Crete CS558.
Code Red Worm Propagation Modeling and Analysis Zou, Gong, & Towsley Michael E. Locasto March 21, 2003.

Code Red Worm Propagation Modeling and Analysis Zou, Gong, & Towsley Michael E. Locasto March 21, 2003.

Similar presentations

Ads by Google