Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Monitoring and Early Warning for Internet Worms Authors: Cliff C. Zou, Lixin Gao, Weibo Gong, Don Towsley Univ. Massachusetts, Amherst Publish: 10th.

Published byEustace Lee Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Monitoring and Early Warning for Internet Worms Authors: Cliff C. Zou, Lixin Gao, Weibo Gong, Don Towsley Univ. Massachusetts, Amherst Publish: 10th."— Presentation transcript:

1 1 Monitoring and Early Warning for Internet Worms Authors: Cliff C. Zou, Lixin Gao, Weibo Gong, Don Towsley Univ. Massachusetts, Amherst Publish: 10th ACM Conference on Computer and Communication Security (CCS'03), 2003 Presenter: Cliff C. Zou (01/12/2006)

2 2 Monitor:  Worm scans to unused IPs  TCP/SYN packets  UDP packets How to detect an unknown worm at its early stage? Unused IP space Monitored traffic Internet noisy Monitored data is noisy Local network

3 3 Worm anomaly  other anomalies?  A worm has its own propagation dynamics Deterministic models appropriate for worms Reflection Can we take advantage of worm model to detect a worm?

4 4 1% 2% Worm model in early stage Initial stage exhibits exponential growth

5 5 “Trend Detection”  Detect traffic trend, not burst Trend: worm exponential growth trend at the beginning Detection: the exponential rate should be a positive, constant value Worm traffic Non-worm traffic burst Exponential rate  on-line estimation Monitored illegitimate traffic rate

6 6 Why exponential growth at the beginning? The law of natural growth  reproduction  When interference is negligible (beginning phase) Attacker’s incentive: infect as many as possible before people’s counteractions If not, a worm does not reach its spreading speed limit Slow spreading worm detected by other ways  Security experts manual check  Honeypot, …

7 7 Model for estimate of worm exponential growth rate  Exponential model: : monitoring noise Z t : # of monitored scans at time t yield

8 8 Estimation by Kalman Filter System: where Kalman Filter for estimation of X t :

9 9 Code Red simulation experiments Population: N=360,000, Infection rate:  = 1.8/hour, Scan rate  = N(358/min, 100 2 ), Initially infected: I 0 =10 Monitored IP space 2 20, Monitoring interval: 1 minute Consider background noise At 0.3% (157 min): estimate stabilizes at a positive constant value

10 10 Damage evaluation — Prediction of global vulnerable population N yield Accurate prediction when less than 1% of N infected

11 11 Monitoring 2 14 IP space ( p =4 £ 10 -6 ) Damage evaluation — Estimation of global infected population I t : fraction of address space monitored : cumulative # of observed infected hosts by time t : per host scan rate : Prob. an infected to be observed by the monitor in a unit time # of unobserved Infected by t # of newly observed (t  t+1)

12 12 What’s the paper’s contribution? A novel approach in anomaly detection  Popular approach is based on static threshold  Paper exploits worm dynamics  Dynamics in a series of time Worm potential damage prediction  Estimate global infected based on local info  Predict global vulnerable population

13 13 Why this paper can be published? Different approach from popular ways  Model-based anomaly detection  Fresh view point --- interesting Solid (fancy) mathematic background  Math is appropriate  A pure experimental report is not (good) enough for academic paper Timely appearance  Catch a promising/hot topic ASAP  Rely on: advisors, (conference) paper, tech news, colleagues,

14 14 What’s the paper’s weakness? Early detection provides limited information  Does not provide signature for worm defense  Does not (accurately) identify global infected hosts Require a large empty IP space for monitoring  Not very good for individual local network Worm damage prediction results are accurate only for uniform-scan worms  Many worms using biased scanning strategies

15 15 How to improve the paper? I have improved CCS’03 conference paper and published in IEEE Tran. on Networking Detect a worm earlier  Conference paper uses simple worm model, TON’s uses exponential model (several times faster) Consider the limitation of monitoring system  TON’s paper adds analysis/experiments of the monitoring problem for non-uniform scan worms

Download ppt "1 Monitoring and Early Warning for Internet Worms Authors: Cliff C. Zou, Lixin Gao, Weibo Gong, Don Towsley Univ. Massachusetts, Amherst Publish: 10th."

Similar presentations

Nicholas Weaver Vern Paxson Stuart Staniford UC Berkeley ICIR

Nicholas Weaver Vern Paxson Stuart Staniford UC Berkeley ICIR
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
1 Routing Worm: A Fast, Selective Attack Worm based on IP Address Information Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai Univ. Massachusetts, Amherst.

1 Routing Worm: A Fast, Selective Attack Worm based on IP Address Information Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai Univ. Massachusetts, Amherst.
 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.

 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.
 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.

 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.
Modeling the spread of active worms Zesheng Chen, Lixin Gao, and Kevin Kwiat bearhsu - INFOCOM 2003.

Modeling the spread of active worms Zesheng Chen, Lixin Gao, and Kevin Kwiat bearhsu - INFOCOM 2003.
Copyright Silicon Defense 2003. Worm Overview Stuart Staniford Silicon Defense www.silicondefense.com.

Copyright Silicon Defense Worm Overview Stuart Staniford Silicon Defense
Code Red Worm Propagation Modeling and Analysis Zou, Gong, & Towsley Michael E. Locasto March 4, 2003 Paper # 46.

Code Red Worm Propagation Modeling and Analysis Zou, Gong, & Towsley Michael E. Locasto March 4, 2003 Paper # 46.
T H E O H I O S T A T E U N I V E R S I T Y Computer Science and Engineering Current Calendar Calendar Index Upcoming Speakers About... Artificial Intelligence.

T H E O H I O S T A T E U N I V E R S I T Y Computer Science and Engineering Current Calendar Calendar Index Upcoming Speakers About... Artificial Intelligence.
Worms: Taxonomy and Detection Mark Shaneck 2/6/2004.

Worms: Taxonomy and Detection Mark Shaneck 2/6/2004.
Analyzing Cooperative Containment Of Fast Scanning Worms Jayanthkumar Kannan Joint work with Lakshminarayanan Subramanian, Ion Stoica, Randy Katz.

Analyzing Cooperative Containment Of Fast Scanning Worms Jayanthkumar Kannan Joint work with Lakshminarayanan Subramanian, Ion Stoica, Randy Katz.
The Monitoring and Early Detection of Internet Worms Cliff C. Zou, Weibo Gong, Don Towsley, and Lixin Gao IEEE/ACM Trans. Networking, Oct. 2005.

The Monitoring and Early Detection of Internet Worms Cliff C. Zou, Weibo Gong, Don Towsley, and Lixin Gao IEEE/ACM Trans. Networking, Oct
Modeling/Detecting the Spread of Active Worms Lixin Gao Dept. Of Electrical & Computer Engineering Univ. of Massachusetts

Modeling/Detecting the Spread of Active Worms Lixin Gao Dept. Of Electrical & Computer Engineering Univ. of Massachusetts
Fast and Robust Worm Detection Algorithm Tian Bu Aiyou Chen Scott Vander Wiel Thomas Woo bearhsu.

Fast and Robust Worm Detection Algorithm Tian Bu Aiyou Chen Scott Vander Wiel Thomas Woo bearhsu.
How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Midterm 1. Quiz 2 Posted on DEN Same as quiz 1 Due by Wed 3/16 Should be taken after you complete your Firewalls lab Grading: If you take both quizzes.

Midterm 1. Quiz 2 Posted on DEN Same as quiz 1 Due by Wed 3/16 Should be taken after you complete your Firewalls lab Grading: If you take both quizzes.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.

Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
Introduction to Honeypot, Botnet, and Security Measurement

Introduction to Honeypot, Botnet, and Security Measurement
1 Email Worm Modeling and Defense Cliff C. Zou, Don Towsley, Weibo Gong Univ. Massachusetts, Amherst.

1 Worm Modeling and Defense Cliff C. Zou, Don Towsley, Weibo Gong Univ. Massachusetts, Amherst.

Similar presentations

Ads by Google