
Analyzing Cooperative Containment Of Fast Scanning Worms Jayanthkumar Kannan Joint work with Lakshminarayanan Subramanian, Ion Stoica, Randy Katz.




1 Analyzing Cooperative Containment Of Fast Scanning Worms
Jayanthkumar Kannan
Joint work with Lakshminarayanan Subramanian, Ion Stoica, Randy Katz

2 Motivation
- Automatic containment of worms is required
- Slammer infected about 95% of the vulnerable population within 10 mins
- Worms are getting easier to write: Worm = “Propagation” toolkit + new exploit

3 Worm containment strategies
- End-host instrumentation: CCCSRB 04, NS 05
- Core-router augmentation: WWSGB 04
- Specialized end-points (honeyfarms): P 04
- Firewall-level containment: WSP 04, WESP 04
(Figure: deployment points, from specialized end-points and end-hosts through firewalls to core routers)

4 Decentralized Cooperation
- Internet firewalls exchange information with each other to contain the worm
- Suggested in recent work: WSP 04, NRL 03, AGIKL 03
- Pros of decentralization:
  - Scales with the system size
  - No single point of failure / administrative control
- Efficacy and limitations not well understood

5 Questions we seek to answer
- Cost of decentralization: effect of the finite communication rate between firewalls on containment
- Effect of malice: impact of malicious firewalls on containment
- Performance under partial deployment

6 Roadmap
- Abstract model of cooperation
- Analysis of cooperation model
- Numerical results: analytical, simulation
- Conclusion

7 Model of Cooperation
Each firewall in the cooperative performs the following actions:
- Local Detection: identify when its own network is infected by analyzing outgoing traffic
- Signaling: inform other firewalls of its own infection, along with filters
- Filtering: an informed firewall drops incoming packets

8 Firewall states (state diagram)
- States: Normal, Infected, Detected, Alerted/Uninfected
- Normal -> Infected: successful worm scan
- Infected -> Detected: local detection, after which signals are sent
- Normal -> Alerted/Uninfected: signal received

9 Model of Signaling
- Two kinds of signaling:
  - Implicit: piggyback signals on outgoing packets
  - Explicit: signals addressed to other firewalls
- Setup attacks: challenge-response verification of signals
- Firewall sends a false signal: thresholding, i.e. enter the “alerted” state only after receiving signals from T different firewalls
- Firewall suppresses its signal: even if up to 25% of firewalls behave this way, good containment is possible

10 Roadmap
- Abstract model of cooperation
- Analysis of cooperation model
- Numerical results: analytical, simulation
- Conclusion

11 Analytical results
- Main focus: containment metric C = fraction of networks that escape infection
- Is signaling necessary?
- Cost of decentralization: dependence of containment on the signaling rate
- Effect of malice: dependence of containment on the threshold T

12 Parameters used in analysis
- Worm model:
  - Scanning: topological scanning (zero time) followed by global uniform scanning
  - Probability of a successful probe = p
  - Scanning rate = s
  - Vulnerable hosts uniformly distributed behind the firewalls
- Local detection model: after infection, the time until the infection is detected is an exponential random variable with mean t_d
- Signaling model: explicit signals sent at rate E

13 Detection and Filtering
- The worm probes only in the interval between “infection” and “detection”
- λ = expected number of successful infections made by an infected network before detection: λ = p · s · t_d
- Result: if λ < 1, C = 1 for large N
- Analogy to a birth-death process
- Implication: earlier worms like Blaster satisfied this constraint

14 Detection and Filtering (2)
- Surprisingly, even if λ > 1, containment can be achieved without signaling
- Intuition: as the infection proceeds, it gets harder to find new victims, so λ (= p · s · t_d) effectively decreases over time
- For λ = 1.5, about 40% containment
- For λ = 2.0, about 20% containment
- λ = 2.0 for a Slammer-like worm

15 Analyzing Signaling
- Signaling is required if λ > 1
- Differential equation model
- For λ > 1 and σ = (λ-1)/t_d, the containment metric C is at least

16 Asymptotic Variations
- Implicit signaling:
  - Worm spreads at rate “ps”, signals are sent at rate “s”
  - Linear drop with time to detection (t_d)
  - Linear drop with threshold (T)
- Explicit signaling:
  - Implicit signaling relies on p << 1; explicit signals are essential for high p
  - Linear drop with 1/E
  - E is a tunable parameter

17 Roadmap
- Abstract model of cooperation
- Analysis of cooperation model
- Numerical results: analytical, simulation
- Conclusion

18 Numerical Results
- Parameter settings:
  - Scan rate set to that of Slammer
  - Size of vulnerable population = 2 x Blaster
  - 100,000 networks, 20 vulnerable hosts per network
- Start out with 10 infected networks and track worm propagation
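A discrete-time simulation of the cooperation model of slides 7 to 9, driven by the worm and detection parameters of slide 12 (p, s, t_d, E, T) and starting from the 10 infected networks of slide 18; this is an added example, not the authors' code or their differential-equation model. It assumes a time step dt, a uniformly scanning worm, one firewall per network, and a cooperative of n = 2000 networks instead of the talk's 100,000, so exact numbers differ, but it reproduces qualitatively that λ = p s t_d < 1 dies out without signaling, that λ = 2 leaves roughly 20% uninfected, and that explicit signaling with a threshold T restores containment even when a quarter of the firewalls suppress their signals.

```python
import math
import random

# Firewall states from the state diagram on slide 8.
NORMAL, INFECTED, DETECTED, ALERTED = range(4)


def simulate(n=2000, p=0.01, s=100.0, t_d=1.0, E=0.0, T=1,
             silent_frac=0.0, initial=10, dt=0.01, max_steps=5000, seed=1):
    """Containment metric C = fraction of networks that escape infection.
    p: probe success probability   s: probes per time unit while undetected
    t_d: mean local-detection delay (lambda = p*s*t_d)   E: explicit signals
    per time unit per detected firewall   T: distinct signallers needed to
    enter ALERTED   silent_frac: fraction of firewalls that suppress signals
    (dt, n and the event model are assumptions of this example, not the talk's)
    """
    rng = random.Random(seed)
    state = [INFECTED if i < initial else NORMAL for i in range(n)]
    signallers = [set() for _ in range(n)]    # who has signalled each firewall
    silent = set(rng.sample(range(n), int(silent_frac * n)))
    p_detect = 1.0 - math.exp(-dt / t_d)      # exponential detection, per step

    def events(rate):   # number of events in one step of length dt
        mean = rate * dt
        k = int(mean)
        return k + (1 if rng.random() < mean - k else 0)

    for _ in range(max_steps):
        infected = [i for i, st in enumerate(state) if st == INFECTED]
        if not infected:                      # worm can no longer spread
            break
        detected = [i for i, st in enumerate(state) if st == DETECTED]
        for src in infected:                  # probes only before detection
            for _ in range(events(s)):
                dst = rng.randrange(n)
                if state[dst] == NORMAL and rng.random() < p:
                    state[dst] = INFECTED
            if rng.random() < p_detect:
                state[src] = DETECTED
        for src in detected:                  # explicit signaling + threshold
            if src in silent:
                continue
            for _ in range(events(E)):
                dst = rng.randrange(n)
                signallers[dst].add(src)
                if state[dst] == NORMAL and len(signallers[dst]) >= T:
                    state[dst] = ALERTED
    return sum(1 for st in state if st in (NORMAL, ALERTED)) / n
```

Each call takes a few seconds; for example `simulate(p=0.005)` (λ = 0.5) returns a value close to 1, while `simulate(p=0.02)` (λ = 2, no signaling) returns well under 0.5.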

19 Cost of Decentralization
The higher the detection time, the lower the containment

20 Effect of Malice
Defends against a few hundred malicious firewalls

21 Conclusions
- Contribution: further the understanding of cooperative worm containment
- Cost of decentralization: with moderate overhead, good containment can be achieved
- Effect of malice: can handle a few hundred malicious firewalls in the cooperative
- Cost of deployment: even with deployment levels as low as 10%, good containment can be achieved

22 Detection and Filtering

23 Signaling

24 Containment vs Vulnerable population size

25 Containment vs Signaling Rate

26 Containment vs Deployment

27 Internet-like Scenario
Works well even under non-uniform distributions

28 Conclusions
- Main result: with moderate overhead, cooperation can provide good containment even under partial deployment
- For earlier worms, cooperation may have been unnecessary; it is required for the fast scanning worms of today
- Our results can be used to benchmark local detection schemes for their suitability for cooperation
- Our model and results can be applied to:
  - Internet-level / enterprise-level cooperation
  - More sophisticated worms like hit-list worms
- Room for improvement in terms of robustness:
  - Verifiable signals
  - Hybrid architecture: fit “well-informed” participants into the cooperative

