1
Internet Observation with ISDAS: How long does a worm perform scanning? Tomohiro Kobori, Hiroaki Kikuchi (Tokai Univ, Japan), Masato Terada (Hitachi, Ltd., Japan)
2
Background
– Witty worm infected 12,000 hosts in 75 minutes. [6]
– Nimda worm infected 150,000 hosts in 6 hours. http://www2.nsknet.or.jp/~azuma/menu.htm
– Portscans have been performed every 18 minutes on average. [1]
Can you guess how long worms infect hosts?
3
Portscans and Infection Period (figure: sensor ID against time [day], 12/01/04 to 09/01/05, showing round 1, a silent period, and round 2)
4
Our Objective: to identify how long a host has been infected by worms.
5
Difficulties
1. Uncertainty in identifying boundaries between rounds.
– Scanning behavior varies by worm
– Segmentation is subjective
2. Too many packets to be dealt with by a human specialist
(figure: example scan timelines with boundary dates between 2004/10/24 and 2005/9/24)
6
Segmentation: Pros and Cons
                                            1. Uncertainty in boundaries   2. Too many packets
(1) Random sampling & manual segmentation   good                           poor
(2) Constant threshold                      poor (no common threshold      good
                                            for all hosts)
(3) Adaptive threshold                      good
7
Fundamental Definition (figure: packets from one source address seen by sensors s1, s2, s3; round 1 spans the 1st to the 9th day, round 2 the 20th to the 27th, separated by a silent period t)
– Number of rounds: r = 2
– Total count: c = 7
– Unique sensors (visit): k = 3
– Infection duration per round: d1 = 9, d2 = 7 [days/round]
– Silent period: t
8
1. Random sampling
Sample data – an average d and r were evaluated.
Steps
1. As random sampling, 100 source addresses were chosen out of the subset K6, in which the visit is k = 6.
2. The sample data was analyzed manually.
(figure: whole data → K6 → random sampling → human operator)
9
Relationship Between k and c (figure: visit k against count c; annotated "a lot of malicious hosts" and "a lot of counts")
10
1. Statistics for K6 (100)
                     rounds r       count c           visit k           duration d
                     [round/host]   [packets/round]   [sensors/round]   [days/round]
average              1.49           8.72              4.36              24.6
standard deviation   0.81           11.57             1.99              40.8
11
2. Constant Threshold Segmentation: partition the activity period by a common threshold T (figure: silent periods t compared against T, giving rounds d1 and d2)
12
2. Infected Duration (|K6| = 1,586), T = 30: μr = 1.67, μd = 18.6
13
3. Drawback of Constant Threshold Segmentation (figure: hosts A and B with rounds d1 to d7; the same T segments one host well and fails on the other). No common threshold T.
14
3. Adaptive Threshold Segmentation (figure: host A segmented with T_A*, host B with T_B*). T* depends on the malicious host (source address). T_A: too short; T_B: too large.
15
Poisson Distribution
Examples include
– the number of cars through an intersection
– the number of e-mails received in a day
The probability that k packets arrive when packets arrive at a given average rate.
Average arrival ratio: c is the number of total counts per year, d0 is the duration of one year.
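A worked example added here (not code from the slides or from ISDAS): it segments one source address's scan events into rounds with the constant threshold T = 30 and with a per-host adaptive threshold, and reports r, c, k and d as defined on slide 7. The scan data is constructed, and the adaptive rule is an assumption: arrivals are modelled as Poisson with arrival ratio c/d0, so gaps are exponential and T* is the gap exceeded with a chosen tail probability.

```python
from math import log

D0 = 365  # d0: observation duration, one year in days

def scan_log(bursts, sensors=(1, 2, 3)):
    """Constructed sample data (not ISDAS data): one scan per day inside each
    (first_day, last_day) burst, cycling over a few sensor IDs."""
    events = []
    for first, last in bursts:
        for day in range(first, last + 1):
            events.append((day, sensors[day % len(sensors)]))
    return events

def segment(events, threshold):
    """Split one source address's scan events into rounds: a silent period t
    longer than `threshold` days closes the current round. Returns per-round
    (count c, unique sensors k, duration d in days)."""
    events = sorted(events)
    rounds, current = [], [events[0]]
    for prev, cur in zip(events, events[1:]):
        if cur[0] - prev[0] > threshold:   # silent period t > threshold
            rounds.append(current)
            current = []
        current.append(cur)
    rounds.append(current)
    return [(len(r), len({s for _, s in r}), r[-1][0] - r[0][0] + 1)
            for r in rounds]

def adaptive_threshold(events, tail=0.05, d0=D0):
    """ASSUMED rule (the slides give the Poisson model, not this formula):
    with arrival ratio lam = c / d0 the inter-arrival gap is exponential, and
    T* is the gap length exceeded with probability `tail` under that model,
    so a busy scanner gets a short T* and a sparse one a long T*."""
    lam = len(events) / d0
    return -log(tail) / lam

# Host A: a busy scanner (108 packets); host B: a sparse one (6 packets).
HOST_A = scan_log([(1, 36), (60, 95), (200, 235)])
HOST_B = scan_log([(10, 10), (20, 20), (80, 80), (90, 90), (150, 150), (160, 160)])

if __name__ == "__main__":
    for name, ev in (("A", HOST_A), ("B", HOST_B)):
        t_star = adaptive_threshold(ev)
        print(name, "T=30:", segment(ev, 30))
        print(name, "T*=%.1f:" % t_star, segment(ev, t_star))
```

With T = 30 the 24-day silence of host A is merged into one round while the 60-day silences of host B split it into three; the per-host T* (about 10 days for A, about 182 for B) gives three rounds for A and one for B.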
16
3. Distribution of Inter-arrival Time (figure: actual distribution against an approximation; marks at 32% and 1%, values 120 and 187)
17
3. Distribution of Packet Arrival Ratio (figure: group 1 and group 2)
18
Distribution of Rounds (figure: common threshold against adaptive threshold; axis value 80)
19
Distribution of Source Address (figure)
20
Summary
                                        round r   infection period d   count c   visit k
                                        μr        μd                   μc        μk
(1) Sampling and manual segmentation    1.49      24.6                 8.72      4.36
(2) Constant threshold                  1.67      18.2                 9.15      3.13
(3) Adaptive threshold                  1.57      32.3                 9.75      4.32
21
Conclusions
We have proposed a new segmentation algorithm using an adaptive threshold based on the Poisson distribution.
Our experiment shows:
– The average duration of an infection is 32 days a year
– The average host has 1.5 infections a year
22
How long do you usually have a cold?
24
(3) A problem to be settled with the adaptive threshold
1. Uncertainty in identifying boundaries between rounds.
– Many behaviors by worms
– Subjective differences
2. Too many packets
25
(1) Distribution of IP address (K6)
26
(1) Frequency of port use in K6 (figure: Port 1433, Port 4899, Port 137)
27
(2) Difference of average observation period by port (K6: 1,586), T* = 30
28
(3) Distribution of scan count c (figure; axis value 20)
29
(4) Distribution by fitting (figure: estimated value of unique host addresses against duration for fitting [day]; infection periods of 43, 63 and 86 days)