Presentation is loading. Please wait.

Presentation is loading. Please wait.

 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: " Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1."— Presentation transcript:

1  Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1

2  Three factors define worm spread: o Size of vulnerable population  Prevention – patch vulnerabilities, increase heterogeneity o Rate of infection (scanning and propagation strategy)  Deploy firewalls  Distribute worm signatures o Length of infectious period  Patch vulnerabilities after the outbreak

3  This depends on several factors: o Reaction time o Containment strategy – address blacklisting and content filtering o Deployment scenario – where is response deployed  Evaluate effect of containment 24 hours after the onset “Internet Quarantine: Requirements for Containing Self-Propagating Code”, Proceedings of INFOCOM 2003, D. Moore, C. Shannon, G. Voelker, S. Savage

4 Idealized deployment: everyone deploys defenses after given period

5

6

7  Reaction time needs to be within minutes, if not seconds  We need to use content filtering  We need to have extensive deployment on key points in the Internet

8  Monitor outgoing connection attempts to new hosts  When rate exceeds 5 per second, put the remaining requests in a queue  When number of requests in a queue exceeds 100 stop all communication “Implementing and testing a virus throttle”, Proceedings of Usenix Security Symposium 2003, J. Twycross, M. Williamson

9

10

11  Organizations share alerts and worm signatures with their “friends” o Severity of alerts is increased as more infection attempts are detected o Each host has a severity threshold after which it deploys response  Alerts spread just like worm does o Must be faster to overtake worm spread o After some time of no new infection detections, alerts will be removed “Cooperative Response Strategies for Large-Scale Attack Mitigation”, Proceedings of DISCEX 2003, D. Norjiri, J. Rowe, K. Levitt

12  As number of friends increases, response is faster  Propagating false alarms is a problem

13  Early detection would give time to react until the infection has spread  The goal of this paper is to devise techniques that detect new worms as they just start spreading  Monitoring: o Monitor and collect worm scan traffic o Observation data is very noisy so we have to filter new scans from  Old worms’ scans  Port scans by hacking toolkits C. C. Zou, W. Gong, D. Towsley, and L. Gao. "The Monitoring and Early Detection of Internet Worms," IEEE/ACM Transactions on Networking.

14  Detection: o Traditional anomaly detection: threshold-based  Check traffic burst (short-term or long-term).  Difficulties: False alarm rate o “Trend Detection”  Measure number of infected hosts and use it to detect worm exponential growth trend at the beginning

15  Worms uniformly scan the Internet o No hitlists but subnet scanning is allowed  Address space scanned is IPv4

16  Simple epidemic model: Detect worm here. Should have exp. spread

17

18  Provides comprehensive observation data on a worm’s activities for the early detection of the worm  Consists of : o Malware Warning Center (MWC) o Distributed monitors  Ingress scan monitors – monitor incoming traffic going to unused addresses  Egress scan monitors – monitor outgoing traffic

19  Ingress monitors collect: o Number of scans received in an interval o IP addresses of infected hosts that have sent scans to the monitors  Egress monitors collect: o Average worm scan rate  Malware Warning Center (MWC) monitors: o Worm’s average scan rate o Total number of scans monitored o Number of infected hosts observed

20  MWC collects and aggregates reports from distributed monitors  If total number of scans is over a threshold for several consecutive intervals, MWC activates the Kalman filter and begins to test the hypothesis that the number of infected hosts follows exponential distribution

21  Population: N=360,000, Infection rate:  = 1.8/hour,  Scan rate  = 358/min, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 minute Infected hosts  estimation

22  Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts  estimation

23  Worms spread very fast (minutes, seconds) o Need automatic mitigation  If this is a new worm, no signature exists o Must apply behaviour-based anomaly detection o But this has a false-positive problem! We don’t want to drop legitimate connections!  Dynamic quarantine o “Assume guilty until proven innocent” o Forbid network access to suspicious hosts for a short time o This significantly slows down the worm spread C. C. Zou, W. Gong, and D. Towsley. "Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense," ACM CCS Workshop on Rapid Malcode (WORM'03),

24  Behavior-based anomaly detection can point out suspicious hosts o Need a technique that slows down worm spread but doesn’t hurt legitimate traffic much o “Assume guilty until proven innocent” technique will briefly drop all outgoing connection attempts (for a specific service) from a suspicious host o After a while just assume that host is healthy, even if not proven so o This should slow down worms but cause only transient interruption of legitimate traffic

25  Assume we have some anomaly detection program that flags a host as suspicious o Quarantine this host o Release it after time T o The host may be quarantined multiple times if the anomaly detection raises an alarm o Since this doesn’t affect healthy hosts’ operation a lot we can have more sensitive anomaly detection technique

26  An infectious host is quarantined after time units  A susceptible host is falsely quarantined after time units  Quarantine time is T, after that we release the host  A few new categories: o Quarantined infectious R(t) o Quarantined susceptible Q(t)

27  Initially 75,000 vulnerable hosts  Quarantine rate of infectious host is per second o Infectious host will be quarantined after 5 seconds on average  Quarantine rate of susceptible host is per second o There are 2 false alarms per host per day  T=10 seconds

28

29 T=10sec T=30sec

30

31 Cleaning I(t) Cleaning R(t)

Download ppt " Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1."

Similar presentations

Nicholas Weaver Vern Paxson Stuart Staniford UC Berkeley ICIR

Nicholas Weaver Vern Paxson Stuart Staniford UC Berkeley ICIR
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
Worms 1. Viruses don’t break into your computer – they are invited by you – They cannot spread unless you run infected application or click on infected.

Worms 1. Viruses don’t break into your computer – they are invited by you – They cannot spread unless you run infected application or click on infected.
1 Routing Worm: A Fast, Selective Attack Worm based on IP Address Information Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai Univ. Massachusetts, Amherst.

1 Routing Worm: A Fast, Selective Attack Worm based on IP Address Information Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai Univ. Massachusetts, Amherst.
 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.

 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.
Modeling the spread of active worms Zesheng Chen, Lixin Gao, and Kevin Kwiat bearhsu - INFOCOM 2003.

Modeling the spread of active worms Zesheng Chen, Lixin Gao, and Kevin Kwiat bearhsu - INFOCOM 2003.
Internet Quarantine: Requirements for Containing Self- Propagating Code David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage.

Internet Quarantine: Requirements for Containing Self- Propagating Code David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Very Fast containment of Scanning Worms Presenter: Yan Gao ------------------------------------------------ Authors: Nicholas Weaver Stuart Staniford Vern.

Very Fast containment of Scanning Worms Presenter: Yan Gao Authors: Nicholas Weaver Stuart Staniford Vern.
Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.

Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.
Worm Defenses Zach Lovelady and Nick Oliver cs239 – Network Security – Spr2003.

Worm Defenses Zach Lovelady and Nick Oliver cs239 – Network Security – Spr2003.
Code Red Worm Propagation Modeling and Analysis Zou, Gong, & Towsley Michael E. Locasto March 4, 2003 Paper # 46.

Code Red Worm Propagation Modeling and Analysis Zou, Gong, & Towsley Michael E. Locasto March 4, 2003 Paper # 46.
T H E O H I O S T A T E U N I V E R S I T Y Computer Science and Engineering Current Calendar Calendar Index Upcoming Speakers About... Artificial Intelligence.

T H E O H I O S T A T E U N I V E R S I T Y Computer Science and Engineering Current Calendar Calendar Index Upcoming Speakers About... Artificial Intelligence.
Worms: Taxonomy and Detection Mark Shaneck 2/6/2004.

Worms: Taxonomy and Detection Mark Shaneck 2/6/2004.
Analyzing Cooperative Containment Of Fast Scanning Worms Jayanthkumar Kannan Joint work with Lakshminarayanan Subramanian, Ion Stoica, Randy Katz.

Analyzing Cooperative Containment Of Fast Scanning Worms Jayanthkumar Kannan Joint work with Lakshminarayanan Subramanian, Ion Stoica, Randy Katz.
Automated Worm Fingerprinting Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage Manan Sanghi.

Automated Worm Fingerprinting Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage Manan Sanghi.
The Monitoring and Early Detection of Internet Worms Cliff C. Zou, Weibo Gong, Don Towsley, and Lixin Gao IEEE/ACM Trans. Networking, Oct. 2005.

The Monitoring and Early Detection of Internet Worms Cliff C. Zou, Weibo Gong, Don Towsley, and Lixin Gao IEEE/ACM Trans. Networking, Oct
Worm Defense. Outline  Internet Quarantine: Requirements for Containing Self-Propagating Code  Netbait: a Distributed Worm Detection Service  Midgard.

Worm Defense. Outline  Internet Quarantine: Requirements for Containing Self-Propagating Code  Netbait: a Distributed Worm Detection Service  Midgard.
Modeling/Detecting the Spread of Active Worms Lixin Gao Dept. Of Electrical & Computer Engineering Univ. of Massachusetts

Modeling/Detecting the Spread of Active Worms Lixin Gao Dept. Of Electrical & Computer Engineering Univ. of Massachusetts
How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

Similar presentations

Ads by Google