
Monitoring and Early Warning for Internet Worms. Cliff C. Zou, Lixin Gao, Weibo Gong, Don Towsley. Univ. Massachusetts, Amherst.



Slide 2: How to detect an unknown worm at its early stage?
Monitoring:
- Monitor worm scan traffic (non-legitimate traffic): connections to nonexistent IP addresses; connections to unused ports.
- Observation data is very noisy: old worms' scans; port scans by hacking toolkits.
Detecting:
- Anomaly detection for unknown worms.
- Traditional anomaly detection is threshold-based: check for a traffic burst (short-term or long-term). Difficulties: false alarms; threshold tuning.

Slide 3: "Trend Detection": detect the traffic trend, not the burst
- Trend: a worm's exponential growth trend at the beginning.
- Detection: the estimated exponential rate should be a positive, constant value.
- Figure: monitored illegitimate traffic rate over time; worm traffic shows exponential growth, non-worm traffic appears as bursts, and the exponential rate is estimated on-line.

Slide 4: Why exponential growth at the beginning?
- The law of natural growth: reproduction.
- Exponential growth is the fastest growth pattern when: interference is negligible (beginning phase); all objects have similar reproductive capability; the system is large-scale (law of large numbers).
- A fast worm has an exponential growth pattern: the attacker's incentive is to infect as many hosts as possible before countermeasures; otherwise the worm does not reach its spreading speed limit.
- Slow-spreading worms can be detected in other ways.

Slide 5: Worm modeling: the simple epidemic model
- The number of contacts is proportional to the product of I and S.
- Simple epidemic model and its discrete form; at the very early stage the growth is exponential.
- Variables: S, number of susceptible hosts; I, number of infectious hosts; total number of hosts; infectious ability.

Slide 6: Why use the simple epidemic model?
- It can model most scan-based worms.
- Other worm models can be used as well with minor modifications (such as the exponential model).
- Figures: Code Red and SQL Slammer. Figures from: D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver, "Inside the Slammer Worm", IEEE Security & Privacy, July 2003.

Slide 7: Kalman Filter Estimation
- Equivalent to a recursive least squares estimator: gives an estimate at each discrete time; robust to noise.
- System: discrete-time simple epidemic model.
- System state: the worm infection rate (the epidemic parameter multiplied by N; the exponential growth rate at the beginning) and the epidemic parameter (worm infectious ability).
- Measurement from monitors: C_i, cumulative number of observed infected hosts; Z_i, number of scans at time i.

Slide 8: Kalman Filter Estimation (continued)
- System model, and the Kalman filter for estimating the state X_t.

Slide 9: Code Red simulation experiments
- Population N = 360,000; infection rate 1.8/hour; scan rate normally distributed, N(358/min, 100^2); initially infected I_0 = 10.
- Monitored IP space 2^20; monitoring interval 1 minute; background noise is considered.
- Before 2% of hosts are infected (223 min), the estimate has already stabilized and oscillates slightly around a positive constant value.

Slide 10: SQL Slammer simulation experiments
- Population N = 100,000; monitored IP space 2^20; scan rate normally distributed, N(4000/sec, 2000^2); initially infected I_0 = 10.
- Monitoring interval 1 second; background noise is considered.
- Before 1% of hosts are infected (45 sec), the estimate has already stabilized and oscillates around a positive constant value.

Slide 11: Early detection of Blaster
- Blaster scans sequentially from a starting IP address: 40% of the time from the local Class C address, 60% from a random IP address.
- It follows the simple epidemic model.
- Figure: the estimate after applying a low-pass filter.

Slide 12: Bias correction for uniform-scan worms
- Whether a worm's scan hits the monitors is a Bernoulli trial (hitting probability p).
- Bias correction (figures for monitoring a 2^17 IP space and a 2^14 IP space).
- Bias correction can provide an unbiased estimate of I_t. Legend: average scan rate.

Slide 13: Prediction of the vulnerable population size N
- Estimation of N directly from the Kalman filter.
- Alternative method: use the number of scans a worm sends out per unit time (derived from an egress scan monitor).
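The bias correction of slide 12 and the population forecast of slide 13, as an added Python example that is not code from the slides or their authors. It assumes a uniform-scan IPv4 worm and a monitor covering a 2^20 block (the Code Red setup of slide 9); the correction formula is derived here from the Bernoulli-trial statement on slide 12 rather than copied from the slide's equation, and the names hit_probability, bias_correct and forecast_population, the constructed outbreak and the time-unit conventions are this example's own.

```python
"""Bias correction of monitor counts and forecasting of the vulnerable population N (added example
for slides 12 and 13; not code from the slides or their authors).
Assumptions: the worm scans the 2**32 IPv4 space uniformly, the monitor covers a 2**20 block as in
the Code Red slide, and the outbreak used by demo() is constructed. The correction formula is
derived below from the Bernoulli-trial view stated on slide 12."""
import random

OMEGA = 2 ** 32  # scanning IP space of an IPv4 uniform-scan worm

def hit_probability(monitored_space, omega=OMEGA):
    """p: probability that one uniformly random scan lands inside the monitored block."""
    return monitored_space / omega

def simulate_observation(infected, scans_per_interval, p, seed=1):
    """Constructed monitor data. infected[t] is the true I_t at the start of interval t. A host
    not yet seen stays unseen through one interval only if all its scans miss: prob (1-p)**eta.
    Returns C_t, the cumulative number of distinct infected hosts seen before interval t."""
    rng = random.Random(seed)
    miss = (1.0 - p) ** scans_per_interval
    seen, cumulative = 0, []
    for i_t in infected:
        cumulative.append(seen)
        unseen = int(i_t) - seen
        seen += sum(1 for _ in range(unseen) if rng.random() >= miss)
    return cumulative

def bias_correct(cumulative, scans_per_interval, p):
    """Estimate I_t from C_t. Taking expectations over the Bernoulli trials,
        E[C_{t+1} - C_t] = (I_t - C_t) * (1 - (1-p)**eta),
    hence I_t ~= C_t + (C_{t+1} - C_t) / (1 - (1-p)**eta).
    Returns one estimate per t that has a C_{t+1} (length len(cumulative) - 1)."""
    detect = 1.0 - (1.0 - p) ** scans_per_interval
    return [c + (c_next - c) / detect for c, c_next in zip(cumulative, cumulative[1:])]

def forecast_population(infection_rate, avg_scan_rate, omega=OMEGA):
    """N from alpha = beta*N with beta = eta/Omega for a uniform-scan worm: N = alpha*Omega/eta.
    alpha (infection rate) and eta (average scan rate) must share one time unit."""
    return infection_rate * omega / avg_scan_rate

def demo(monitored_space=2 ** 20, scans_per_interval=358, alpha=0.03, initial=1000, steps=100):
    """Grow a constructed geometric outbreak (alpha = 0.03/min is Code Red's 1.8/hour from slide 9,
    eta = 358 scans/min likewise), observe it through the monitor, and compare the mean relative
    error of the raw count C_t and of the corrected estimate against the true I_t."""
    p = hit_probability(monitored_space)
    infected = [initial * (1.0 + alpha) ** t for t in range(steps)]
    cumulative = simulate_observation(infected, scans_per_interval, p)
    corrected = bias_correct(cumulative, scans_per_interval, p)
    def mean_rel_err(est):
        return sum(abs(e - i) / i for e, i in zip(est, infected)) / len(est)
    return {"raw_error": mean_rel_err(cumulative[:-1]), "corrected_error": mean_rel_err(corrected)}

if __name__ == "__main__":
    print(demo())
    print("Code Red N forecast:", round(forecast_population(1.8, 358 * 60)))
```

With a 2^20 monitor and 358 scans per minute an infected host is seen with probability of only about 8% per minute, so the raw count C_t lags I_t by roughly a quarter even once the outbreak is under way; the corrected series removes that lag at the cost of added variance, which is why the slides pair the correction with a low-pass filter. Applied to the slide's Code Red parameters (1.8/hour, 358 scans/min), forecast_population returns a value within a few hundred hosts of the slide's N = 360,000.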

Slide 14: Use the exponential growth model
- At the early stage: Model #2, autoregressive (AR) model; Model #3, transformed linear model.
- Legend: early stage of worm propagation; observation data.

Slide 15: Comparison between the three estimation models
- Figures: epidemic model, AR exponential model, transformed linear model.
- Observations: the AR exponential model is smoother than the epidemic model; the transformed linear model gives the best results; a worm is detected when it has infected about 0.5% of the population.

Slide 16: Simple analysis of the three estimation models
- Why is the AR exponential model smoother than the epidemic model? Compare the errors introduced from the measurement data in the epidemic model and in the AR exponential model.
- Why is the transformed linear model better than the AR model? Compare the AR exponential model with the transformed linear model, under the stated assumption.
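The estimation pipeline of slides 5, 7, 8 and 14 to 16 (discrete simple epidemic model, recursive estimation of the exponential rate, the AR and transformed linear alternatives, and the rule that the estimate should settle at a positive constant) is worked through below in an added Python example. It is not code from the slides or their authors: the function names, the Gaussian noise model, the alert rule in detect_trend and every parameter value are assumptions of this example, and the recursive least squares estimator is written in information form (accumulating the normal equations) rather than as the Kalman filter recursion of slide 8, which for a constant state gives the same estimate.

```python
"""Trend detection by on-line estimation of a worm's exponential growth rate (added example for
slides 5, 7, 8 and 14 to 16; not code from the slides or their authors).
Three estimators run on constructed noisy data and feed one alert rule:
  1. simple epidemic model   I[t+1] = (1+a)*I[t] - b*I[t]^2, fit by recursive least squares, which
     is what the Kalman filter of slide 8 reduces to for a constant state and a flat prior;
  2. AR exponential model    I[t+1] = (1+a)*I[t], fit by recursive least squares;
  3. transformed linear model  ln I[t] = ln I[0] + t*ln(1+a), fit by least squares on the log.
The function names, the noise model and the alert rule in detect_trend are assumptions."""
import math
import random

def simulate_epidemic(population, infection_rate, initial, steps, noise_std, seed=7):
    """Constructed data: discrete simple epidemic I[t+1] = I[t] + beta*I[t]*(N - I[t]),
    beta = infection_rate/N, plus Gaussian noise on what the monitor reports (clamped at 1 host).
    Returns (true_series, observed_series)."""
    rng = random.Random(seed)
    beta = infection_rate / population
    true_series, observed, i_t = [], [], float(initial)
    for _ in range(steps):
        true_series.append(i_t)
        observed.append(max(1.0, i_t + rng.gauss(0.0, noise_std)))
        i_t = i_t + beta * i_t * (population - i_t)
    return true_series, observed

class RecursiveLeastSquares:
    """Recursive least squares in information form for y = h . theta (dim 1 or 2): accumulate
    H^T H and H^T y with each observation and re-solve the normal equations."""
    def __init__(self, dim):
        self.dim, self.count = dim, 0
        self.hth = [[0.0] * dim for _ in range(dim)]
        self.hty = [0.0] * dim

    def update(self, h, y):
        """Fold in one observation; return theta, or None until dim observations exist."""
        for r in range(self.dim):
            self.hty[r] += h[r] * y
            for c in range(self.dim):
                self.hth[r][c] += h[r] * h[c]
        self.count += 1
        if self.count < self.dim:
            return None
        if self.dim == 1:
            return [self.hty[0] / self.hth[0][0]]
        (a, b), (c, d) = self.hth
        e, f = self.hty
        det = a * d - b * c
        return None if det == 0.0 else [(d * e - b * f) / det, (a * f - c * e) / det]

def estimate_epidemic(observed):
    """Model 1: regress I[t+1] on [I[t], I[t]^2]; alpha = theta[0] - 1 (alpha = beta*N)."""
    rls, out = RecursiveLeastSquares(2), []
    for i_t, i_next in zip(observed, observed[1:]):
        theta = rls.update([i_t, i_t * i_t], i_next)
        out.append(None if theta is None else theta[0] - 1.0)
    return out

def estimate_ar(observed):
    """Model 2: regress I[t+1] on I[t]; alpha = theta - 1."""
    rls, out = RecursiveLeastSquares(1), []
    for i_t, i_next in zip(observed, observed[1:]):
        out.append(rls.update([i_t], i_next)[0] - 1.0)
    return out

def estimate_loglinear(observed):
    """Model 3: OLS slope of ln I[t] against t over all data so far; alpha = exp(slope) - 1.
    out[k] uses observations 0..k+1, so it lines up with the two estimators above."""
    logs, out = [math.log(v) for v in observed], []
    for n in range(2, len(logs) + 1):
        t_mean, y_mean = (n - 1) / 2.0, sum(logs[:n]) / n
        sxx = sum((t - t_mean) ** 2 for t in range(n))
        sxy = sum((t - t_mean) * (logs[t] - y_mean) for t in range(n))
        out.append(math.exp(sxy / sxx) - 1.0)
    return out

def detect_trend(estimates, window=8, tolerance=0.2):
    """Assumed alert rule: alert once the last `window` estimates are all within `tolerance`
    (relative) of a positive mean, i.e. the rate has settled at a positive constant rather
    than spiking. Returns the index of the alert or None."""
    for end in range(window, len(estimates) + 1):
        recent = estimates[end - window:end]
        if any(r is None for r in recent):
            continue
        mean = sum(recent) / window
        if mean > 0 and all(abs(r - mean) <= tolerance * mean for r in recent):
            return end - 1
    return None

def demo(population=100_000, infection_rate=0.2, steps=40, noise_std=2.0):
    """Run the three estimators on one constructed outbreak (10 initial hosts) and report when
    each alerts and what fraction of the population is infected at that moment."""
    true_series, observed = simulate_epidemic(population, infection_rate, 10, steps, noise_std)
    results = {}
    for name, estimator in (("epidemic", estimate_epidemic), ("ar", estimate_ar),
                            ("loglinear", estimate_loglinear)):
        est = estimator(observed)
        alert = detect_trend(est)
        results[name] = {
            "alert_interval": alert,
            "infected_fraction_at_alert": None if alert is None else true_series[alert + 1] / population,
        }
    return results

if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

Calling demo() on the constructed outbreak gives the qualitative picture of slide 15: the epidemic-model estimate typically fluctuates most because it also has to fit the I_t^2 term from noisy data, the AR estimate is smoother, and the log-linear fit settles earliest, with the AR and log-linear alerts arriving while well under 5% of the population is infected. Fed a flat background series with no growth, the AR estimate comes out at or below zero and detect_trend never fires, which is the distinction between a trend and a burst that slide 3 draws.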

Slide 17: Summary
- Trend detection: a non-threshold-based methodology. Principle: detect the traffic trend, not the burst.
- Pros: robust to background noise; low false alarm rate.
- Cons: relies on a worm model and on the representation of the measurement data (epidemic model, exponential model); a low-pass filter is used on noisy observation data.
- For uniform-scan worms: bias correction; forecasting N (IPv4). Quantities involved: scan hitting probability; cumulative number of observed infectious hosts; average scan rate; infection rate; scanning IP space.
- Routing worm.

