
Modeling, Early Detection, and Mitigation of Internet Worm Attacks



  1. Modeling, Early Detection, and Mitigation of Internet Worm Attacks Cliff C. Zou Assistant professor School of Computer Science University of Central Florida Orlando, FL Email: czou@cs.ucf.edu Web: http://www.cs.ucf.edu/~czou

  2. Worm propagation process
     • Find new targets: IP random scanning
     • Compromise targets: exploit the vulnerability
     • Newly infected hosts join the infection army

  3. Worm research motivation
     • Code Red (Jul. 2001): 360,000 infected in 14 hours
     • Slammer (Jan. 2003): 75,000 infected in 10 minutes; congested parts of the Internet (ATMs down, ...)
     • Blaster (Aug. 2003): 150,000 ~ 8 million infected; DDoS attack (shut down the domain windowsupdate.com)
     • Witty (Mar. 2004): 12,000 infected in half an hour; attacked a vulnerability in ISS security products
     • Sasser (May 2004): 500,000 infected within two days
     Infection is faster than human response!

  4. How to defend against worm attacks?
     • Automatic response required
     • First, understand worm behavior: the basis for worm detection/defense
     • Next, early warning of an unknown worm: detection based on the worm model; prediction of the worm's damage scale
     • Last, autonomous defense: dynamic quarantine; self-tuning defense

  5. Outline
     • Worm propagation modeling
     • Early warning of an unknown worm
     • Autonomous defense
     • Summary and current work

  6. Outline (section: Worm propagation modeling)

  7. Simple worm propagation model
     • Address space of size $\Omega$
     • $N$: total vulnerable hosts
     • $I_t$: infected by time $t$
     • $N - I_t$: still vulnerable at time $t$
     • Scan rate (per infected host): $h$
     $$\frac{dI_t}{dt} = h\,I_t\,\frac{N - I_t}{\Omega}$$
     (number of newly infected hosts per unit time = scans sent per unit time × probability that a scan hits a vulnerable host)

  8. Simple worm propagation

  9. Code Red worm modeling
     • Simple worm model matches observed Code Red data
     • "Ideal" network conditions: no human countermeasures, no network congestion
     • First modeling work to consider these two factors [CCS'02]

  10. Witty worm modeling
     • Witty's destructive behavior:
       1) Send 20,000 UDP scans to 20,000 IP addresses
       2) Write 65KB at a random point on the hard disk
     • Consider an infected computer:
       • Constant bandwidth → constant time to send the 20,000 scans
       • Random-point writing → the infected host crashes with some probability
       • Crashing time approximated by an exponential distribution

  11. Witty worm modeling (continued)
     • Number of crashed infected computers at time t (memoryless property of the exponential crashing time)
     • Number of vulnerable hosts at time t (in hours), compared with the Witty trace
     *Witty trace provided by U. Michigan "Internet Motion Sensor"

  12. Advanced worm modeling: hitlist worm, routing worm
     • Hitlist worm: increases $I_0$
       • Contains a list of known vulnerable hosts
       • Infects the hit-list hosts first (this phase lasts less than a minute), then randomly scans
     • Routing worm: decreases $\Omega$
       • Only scans BGP-routable space
       • BGP table information: $\Omega = 0.32 \times 2^{32}$, i.e. 32% of the IPv4 space is Internet routable

  13. Hitlist, routing worm
     • Code Red style worm: $h = 358$/min, $N = 360{,}000$
     • Hitlist: $I(0) = 10{,}000$
     • Routing: $\Omega = 0.29 \times 2^{32}$
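The model of slide 7 with the parameters of slide 13, integrated numerically so the three scanning strategies can be compared side by side. This is an added example, not code from the talk; the initial population $I_0 = 10$ for the plain random-scanning worm and the 50% mark used for the comparison are this example's own choices, and the closed-form logistic solution is included as a check on the numerical integration.

```python
import math

# Parameters from slide 13 (Code Red style worm). I0 = 10 for the plain
# random-scanning worm is this example's assumption.
OMEGA = 2.0 ** 32       # IPv4 address space
N = 360_000             # vulnerable hosts
H = 358.0               # scans per minute per infected host
I0 = 10


def simulate(n=N, h=H, omega=OMEGA, i0=I0, dt=0.1, minutes=24 * 60):
    """Slide 7 model integrated in small steps: in dt minutes every infected host
    sends h*dt scans, and each scan hits a still-vulnerable host with probability
    (n - i)/omega. Returns I(t) sampled every dt minutes."""
    i, series = float(i0), []
    for _ in range(int(round(minutes / dt))):
        series.append(i)
        i += h * dt * i * (n - i) / omega
    return series


def logistic(t, n=N, h=H, omega=OMEGA, i0=I0):
    """Closed-form solution of the same equation, dI/dt = a I (1 - I/n) with
    a = h n / omega, i.e. a logistic curve."""
    a = h * n / omega
    return n / (1.0 + (n / i0 - 1.0) * math.exp(-a * t))


def time_to_fraction(series, fraction, n=N, dt=0.1):
    """First time (minutes) at which the infected population reaches fraction*n."""
    for k, i in enumerate(series):
        if i >= fraction * n:
            return k * dt
    return None


def compare_strategies():
    """Random scanning vs. hitlist worm (larger I0) vs. routing worm (smaller Omega):
    minutes until half of the vulnerable population is infected."""
    return {
        "random": time_to_fraction(simulate(), 0.5),
        "hitlist": time_to_fraction(simulate(i0=10_000), 0.5),
        "routing": time_to_fraction(simulate(omega=0.29 * OMEGA), 0.5),
    }


if __name__ == "__main__":
    for name, minutes in compare_strategies().items():
        print(f"{name:8s} 50% infected after {minutes:6.1f} min")
    print("closed form at 300 min:", round(logistic(300.0)),
          "vs simulation:", round(simulate()[3000]))
```

The hitlist shortens the run by starting higher on the same curve; the routing worm shortens it by raising the rate $a = hN/\Omega$ itself, which is why both reach the 50% mark in roughly a third of the time the plain worm needs.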

  14. Outline (section: Early warning of an unknown worm)

  15. How to detect an unknown worm at its early stage?
     • Monitor worm scans sent to unused IP space (in a local network or on the Internet)
     • Monitored traffic: TCP/SYN packets, UDP packets
     • Monitored data is noisy

  16. Reflection
     • Worm anomaly vs. other anomalies?
     • A worm has its own propagation dynamics
     • Deterministic models are appropriate for worms
     Can we take advantage of the worm model to detect a worm?

  17. Worm model in early stage
     • The initial stage (first 1%-2% of the vulnerable population infected) exhibits exponential growth
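The step from slide 7's model to this exponential early stage, and the inversion that slide 22 later uses to predict $N$, written out here as an added derivation (not on the slides); it uses only the symbols of slide 7, and the assumption in the last paragraph that the expected monitored count is proportional to $I_t$ is this note's own:

$$\frac{dI_t}{dt} = h\,I_t\,\frac{N - I_t}{\Omega}
\;\xrightarrow{\;I_t \ll N\;}\;
\frac{dI_t}{dt} \approx \frac{hN}{\Omega}\,I_t
\quad\Longrightarrow\quad
I_t \approx I_0\,e^{a t},\qquad a = \frac{hN}{\Omega}.$$

With slide 21's parameters, $a = 358\,\text{min}^{-1} \times 360{,}000 / 2^{32} \approx 0.030\,\text{min}^{-1} \approx 1.8\,\text{h}^{-1}$, the infection rate quoted on that slide, so the infected population doubles every $\ln 2 / a \approx 23$ minutes. Solving the same relation for the vulnerable population gives the prediction of slide 22 from an estimated rate $\hat a$ and a measured per-host scan rate $h$:

$$\hat N = \frac{\hat a\,\Omega}{h}.$$

A monitor covering $m$ addresses receives about $\eta\,h\,I_t$ worm scans per unit time, with $\eta = m/\Omega$ (assuming uniformly random scanning), so the monitored count is $Z_t \approx \eta h I_0 e^{a t} + \text{noise}$: its worm component grows at the same rate $a$, which is why $a$ can be estimated from $Z_t$ without knowing $I_t$.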

  18. "Trend Detection"
     • Monitored illegitimate traffic rate: worm traffic vs. non-worm burst traffic
     • On-line estimation of the exponential rate a
     • Detect the traffic trend, not a burst
     • Trend: a worm has an exponential growth trend at the beginning
     • Detection: the estimated exponential rate a stays at a positive, constant value

  19. Why exponential growth at the beginning?
     • Attacker's incentive: infect as many as possible before people's counteractions
     • If not, the worm does not reach its spreading speed limit
     • A slow-spreading worm is detected by other means: security experts' manual checks, honeypots, ...

  20. Model for estimating the worm's exponential growth rate a
     • $Z_t$: number of monitored scans at time t
     • Monitoring noise
     • Exponential model fitted to $Z_t$, which yields the estimate of a

  21. Code Red simulation experiments
     • Population $N = 360{,}000$; infection rate $a = 1.8$/hour; scan rate $h \sim \mathcal{N}(358/\text{min}, 100^2)$; initially infected $I_0 = 10$
     • Monitored IP space $2^{20}$; monitoring interval: 1 minute
     • Background noise considered
     • At 0.3% infected (157 min): the estimate stabilizes at a positive constant value

  22. Damage evaluation: prediction of the global vulnerable population N
     • The estimated exponential rate a yields N
     • Accurate prediction when less than 1% of N is infected
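The trend detection of slides 18-22 run end to end on constructed monitor traces: an on-line estimate of the exponential rate a from noisy counts $Z_t$, an alarm rule for "positive and constant", and the prediction of N from the estimate. This is an added example, not the talk's own detector or code. It uses slide 21's parameters (N, h, $2^{20}$ monitored addresses, 1-minute intervals, $I_0 = 10$); the background level of 20 scans per minute, the Poisson-like noise, the lag-L least-squares ratio estimator, the calibration window and the alarm thresholds are all this example's own choices.

```python
import math
import random

# Parameters of slide 21 (Code Red style worm). The background level, the noise
# model and the estimator settings below are this example's own assumptions.
N = 360_000             # vulnerable population
H = 358.0               # scans per minute per infected host (mean of N(358, 100^2))
OMEGA = 2.0 ** 32       # IPv4 address space
A_TRUE = H * N / OMEGA  # early-stage exponential rate, 0.030/min = 1.8/hour


def infected(t, i0=10):
    """Infected population of the slide 7 model in closed form (logistic curve)."""
    return N / (1.0 + (N / i0 - 1.0) * math.exp(-A_TRUE * t))


def _count(mean, rng):
    """Poisson-like count: the mean plus Gaussian jitter with variance = mean."""
    return max(0.0, mean + rng.gauss(0.0, math.sqrt(mean))) if mean > 0 else 0.0


def worm_trace(minutes=300, i0=10, monitor=2 ** 20, background=20.0, seed=1):
    """Constructed Z_t: worm scans landing in the monitored block, plus background."""
    rng, eta = random.Random(seed), monitor / OMEGA
    return [_count(infected(t, i0) * H * eta, rng) + _count(background, rng)
            for t in range(minutes)]


def burst_trace(minutes=300, background=20.0, burst=2000.0, start=100, length=30, seed=1):
    """Constructed non-worm event: a flat 30-minute burst of scans that does not grow."""
    rng = random.Random(seed)
    return [_count(background + (burst if start <= t < start + length else 0.0), rng)
            for t in range(minutes)]


class TrendDetector:
    """On-line estimate of a. After subtracting the background b, the worm part of
    Z_t grows like e^{a t}, so y_t = Z_t - b satisfies y_t ~ beta * y_{t-L} with
    beta = e^{a L}; beta is the least-squares ratio over all pairs seen so far and
    a = ln(beta)/L. Lag, calibration window, a_min and band are tunables."""

    def __init__(self, interval=1.0, lag=10, calib=30, k_stable=20, band=1.5, a_min=0.005):
        self.dt, self.lag, self.calib = interval, lag, calib
        self.k, self.band, self.a_min = k_stable, band, a_min
        self.z, self.y = [], []           # raw counts, background-subtracted counts
        self.b, self.sd = 0.0, 1.0        # background mean and its noise level
        self.num = self.den = 0.0         # running least-squares sums
        self.a_hat = []                   # one estimate per interval (None = undefined)

    def update(self, z):
        self.z.append(z)
        if len(self.z) <= self.calib:     # learn the background level first
            self.b = sum(self.z) / len(self.z)
            self.sd = math.sqrt(max(self.b, 1.0))   # Poisson-like: variance ~ mean
            self.a_hat.append(None)
            return None
        self.y.append(z - self.b)
        if len(self.y) <= self.lag:
            self.a_hat.append(None)
            return None
        y_lag = self.y[-1 - self.lag]
        self.num += self.y[-1] * y_lag
        self.den += y_lag * y_lag
        if self.num <= 0.0 or self.den <= 0.0:   # no usable growth ratio yet
            self.a_hat.append(None)
            return None
        a = math.log(self.num / self.den) / (self.lag * self.dt)
        self.a_hat.append(a)
        return a

    def alarm(self):
        """Slide 18's rule made concrete: the last k estimates are all at least
        a_min, agree within the band, and the excess traffic is well above noise."""
        recent = self.a_hat[-self.k:]
        if len(recent) < self.k or any(a is None or a < self.a_min for a in recent):
            return False
        if max(recent) / min(recent) > self.band:
            return False
        return all(y > 3.0 * self.sd for y in self.y[-self.k:])


def predict_vulnerable(a_hat, scan_rate=H, space=OMEGA):
    """Slide 22: a = h N / Omega in the early stage, so N = a Omega / h."""
    return a_hat * space / scan_rate


def detect(trace, **kw):
    """Feed a trace interval by interval; report the first alarm and the estimates."""
    det, alarm_t, a_alarm = TrendDetector(**kw), None, None
    for t, z in enumerate(trace):
        det.update(z)
        if alarm_t is None and det.alarm():
            alarm_t, a_alarm = t, det.a_hat[-1]
    a_final = det.a_hat[-1]
    return {"alarm_minute": alarm_t, "a_at_alarm": a_alarm, "a_final": a_final,
            "N_predicted": predict_vulnerable(a_final) if a_final else None}


if __name__ == "__main__":
    print("true a = %.4f/min, N = %d" % (A_TRUE, N))
    print("worm :", detect(worm_trace()))
    print("burst:", detect(burst_trace()))
```

The burst never alarms: its ratio estimate is huge for a few intervals at the onset, then sits at zero on the plateau and goes negative when the burst ends, so it never holds a positive value for twenty consecutive minutes. The worm alarms once its scans dominate the background, somewhat below 1% of N, and the estimate is biased low while the signal is still buried in noise, which is the caveat to keep in mind when reading $\hat N$ off an early alarm.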

  23. Damage evaluation: estimation of the global infected population $I_t$
     • $C_t$: cumulative number of observed infected hosts by time t
     • h: per-host scan rate; fraction of the address space monitored
     • p: probability that an infected host is observed by the monitor in a unit time
     • Monitoring a $2^{14}$ IP space: $p = 4 \times 10^{-6}$
     • Number of hosts newly observed in (t → t+1) vs. the number of infected hosts not yet observed by t
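The estimator that slide 23 sets up, run on a constructed monitor log: the hosts newly observed in an interval are, on average, a fraction p of the infected hosts not yet observed, which lets the monitor's cumulative count $C_t$ be inverted to the global $I_t$. This is an added example, not the talk's code. It defines p per one-minute interval as the chance that at least one of a host's h uniformly random scans lands in the monitored block (an assumption; the slide gives only the value for a $2^{14}$ block), and runs the same estimator for the $2^{20}$ block of slide 21 to show how much the monitor size matters.

```python
import math
import random

# Worm parameters from slide 21. The monitored block size is a parameter because
# slide 23's 2^14 block and slide 21's 2^20 block behave very differently.
N = 360_000
H = 358.0
OMEGA = 2.0 ** 32
A = H * N / OMEGA


def infected(t, i0=10):
    """Infected population of the slide 7 model in closed form (logistic curve)."""
    return N / (1.0 + (N / i0 - 1.0) * math.exp(-A * t))


def hit_probability(monitor_size, scan_rate=H, space=OMEGA):
    """p of slide 23 as defined in this example: the chance that at least one of an
    infected host's h uniformly random scans per minute lands in the block."""
    return 1.0 - (1.0 - monitor_size / space) ** scan_rate


def binomial(n, p, rng):
    """How many of n independent, not-yet-observed hosts hit the monitor this minute."""
    return sum(1 for _ in range(n) if rng.random() < p)


def simulate_observations(minutes, p, rng, i0=10):
    """Constructed monitor log: C_t = distinct infected sources seen by minute t
    (a real monitor deduplicates scan sources the same way)."""
    c, cumulative = 0, []
    for t in range(minutes):
        cumulative.append(c)                                  # C_t
        c += binomial(int(infected(t, i0)) - c, p, rng)       # unseen hosts that hit us
    return cumulative


def estimate_infected(cumulative, p):
    """Slide 23's relation: hosts newly observed in (t, t+1) are on average a
    fraction p of the infected hosts unobserved by t, so
    I_t ~ C_t + (C_{t+1} - C_t) / p."""
    return [c + (cumulative[t + 1] - c) / p for t, c in enumerate(cumulative[:-1])]


def estimate_at_size(threshold, monitor_size, minutes=240, seed=7):
    """(true I_t, estimated I_t) at the first minute the true population reaches threshold."""
    rng = random.Random(seed)
    p = hit_probability(monitor_size)
    estimates = estimate_infected(simulate_observations(minutes, p, rng), p)
    t = next(t for t in range(minutes - 1) if infected(t) >= threshold)
    return infected(t), estimates[t]


if __name__ == "__main__":
    for size in (2 ** 20, 2 ** 14):
        true_i, est = estimate_at_size(2000, size)
        print(f"monitor 2^{int(math.log2(size))}: p = {hit_probability(size):.2e}, "
              f"true I_t = {true_i:.0f}, estimate = {est:.0f}")
```

With a $2^{20}$ block the per-minute estimate lands within a few percent of the truth once a couple of thousand hosts are infected; with the $2^{14}$ block of slide 23 only a handful of new sources show up per minute, so single-interval estimates swing by a factor of two or more and have to be averaged over many intervals before they mean anything.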

  24. Outline (section: Autonomous defense)

  25. Autonomous defense principles
     • Principle #1: Preemptive quarantine
       • Compared to the attack's potential damage, we are willing to tolerate some false-alarm cost
       • Quarantine upon suspicion, confirm later
       • Basis for our Dynamic Quarantine [WORM'03]
     • Principle #2: Adaptive adjustment
       • More serious attack, more aggressive defense
       • At any time t, minimize: (attack damage cost) + (false alarm cost)

  26. Self-tuning defense against various network attacks
     • Principle #2: Adaptive adjustment: more severe attack, more aggressive defense
     • Self-tuning defense system designs for:
       • SYN flood Distributed Denial-of-Service (DDoS) attacks
       • Internet worm infection
       • DDoS attacks with no source address spoofing

  27. Motivation of self-tuning defense
     • p: fraction of attack traffic in the incoming traffic (from a light attack to a severe attack)
     • False positive probability: blocking normal traffic
     • False negative probability: missing attack traffic
     • Detection sensitivity: the operating point on the trade-off curve between the two
     Q: Which operating point is "good"?
     A: All operating points are good; the optimal one depends on the attack severity p

  28. Self-tuning defense design
     • Incoming traffic → filter → passed traffic, in discrete time steps k → k+1
     • Attack estimation: estimate the fraction of attack traffic
     • Self-tuning optimization over the fraction of passed attack traffic and the fraction of dropped normal traffic
     • Cost of dropping normal traffic; cost of passing attack traffic
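Slides 27 and 28 made concrete, as an added example that is not the talk's own design or code. It assumes a score-based filter whose normal and attack traffic produce Gaussian suspicion scores with different means, two per-unit costs (dropping normal traffic, passing attack traffic), and a method-of-moments attack estimator that reads the attack fraction off the mean score; all of these are this example's assumptions. What the code shows is the point of slide 27: the cost-minimizing operating point moves as the attack fraction p changes, and a discrete-time loop that re-estimates p and retunes the threshold tracks it.

```python
import math
import random

# Constructed detector model (this example's assumption, not from the slides):
# every unit of traffic carries a suspicion score; normal and attack scores are
# Gaussian with the same spread, and the filter drops anything scoring above theta.
NORMAL_MU, ATTACK_MU, SIGMA = 0.3, 0.7, 0.15
C_NORMAL = 1.0   # cost of dropping one unit of normal traffic (assumed)
C_ATTACK = 5.0   # cost of passing one unit of attack traffic (assumed)


def _cdf(x, mu):
    """Gaussian CDF with mean mu and standard deviation SIGMA."""
    return 0.5 * (1.0 + math.erf((x - mu) / (SIGMA * math.sqrt(2.0))))


def false_positive(theta):
    """Fraction of normal traffic dropped at threshold theta."""
    return 1.0 - _cdf(theta, NORMAL_MU)


def false_negative(theta):
    """Fraction of attack traffic passed at threshold theta."""
    return _cdf(theta, ATTACK_MU)


def expected_cost(theta, p):
    """Slide 25's objective per unit of incoming traffic, p being the attack
    fraction: (attack damage cost) + (false alarm cost)."""
    return C_ATTACK * p * false_negative(theta) + C_NORMAL * (1.0 - p) * false_positive(theta)


def optimal_threshold(p, grid=200):
    """Operating point that minimizes the expected cost for attack fraction p."""
    return min((k / grid for k in range(grid + 1)), key=lambda th: expected_cost(th, p))


def estimate_attack_fraction(scores):
    """Attack estimation: the mean score of the mixture is linear in p, so p is
    read off the observed mean (method of moments; score distributions known)."""
    mean = sum(scores) / len(scores)
    return min(1.0, max(0.0, (mean - NORMAL_MU) / (ATTACK_MU - NORMAL_MU)))


def self_tuning_run(attack_fractions, per_step=2000, seed=3):
    """Discrete time k -> k+1: filter this step's traffic with the current theta,
    estimate p from what arrived, then retune theta for the next step."""
    rng = random.Random(seed)
    theta, log = optimal_threshold(0.0), []
    for p in attack_fractions:
        traffic = []                                   # constructed (is_attack, score) pairs
        for _ in range(per_step):
            is_attack = rng.random() < p
            traffic.append((is_attack, rng.gauss(ATTACK_MU if is_attack else NORMAL_MU, SIGMA)))
        n_attack = sum(1 for is_attack, _ in traffic if is_attack)
        n_normal = per_step - n_attack
        passed_attack = sum(1 for is_attack, s in traffic if is_attack and s <= theta)
        dropped_normal = sum(1 for is_attack, s in traffic if not is_attack and s > theta)
        p_hat = estimate_attack_fraction([s for _, s in traffic])
        log.append({"p": p, "p_hat": round(p_hat, 3), "theta": theta,
                    "passed_attack": passed_attack / max(n_attack, 1),
                    "dropped_normal": dropped_normal / max(n_normal, 1)})
        theta = optimal_threshold(p_hat)               # adaptive adjustment for step k+1
    return log


if __name__ == "__main__":
    for p in (0.0, 0.01, 0.1, 0.5):
        print(f"p = {p:.2f}: optimal theta = {optimal_threshold(p):.3f}")
    for row in self_tuning_run([0.0, 0.05, 0.3, 0.6]):
        print(row)
```

With no attack the optimum is to drop nothing, and as p rises the threshold slides down and accepts more dropped normal traffic, exactly the "more severe attack, more aggressive defense" of slide 26; a fixed operating point is only optimal for the one p it was tuned for.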

  29. Outline (section: Summary and current work)

  30. Worm research contributions
     • Worm modeling: two-factor model (human counteractions, network congestion); diurnal modeling; modeling of worm scanning strategies
     • Early detection: detection based on the "exponential growth trend"; estimation/prediction of the worm's potential damage
     • Autonomous defense: dynamic quarantine (interviewed by NPR); self-tuning defense (patent filed by AT&T); email-based worm modeling and defense
