
Modeling/Detecting the Spread of Active Worms

Lixin Gao, Dept. of Electrical & Computer Engineering, Univ. of Massachusetts, lgao@ecs.umass.edu, http://www-unix.ecs.umass.edu/~lgao. Joint work with Z. Chen, J. Wu, S. Vangala and K. Kwiat.





Presentation Transcript


  1. Modeling/Detecting the Spread of Active Worms (title slide: Lixin Gao, Dept. of Electrical & Computer Engineering, Univ. of Massachusetts; joint work with Z. Chen, J. Wu, S. Vangala and K. Kwiat)

  2. Monitoring Architecture (diagram: a Detection Center fed by Traffic Analyzers; Black Hole detectors and Local IDS sensors placed on local subnets across the network; each Black Hole / Local IDS forwards to its Traffic Analyzer, which reports to the Detection Center) DIMACS workshop on Large-Scale Internet Attack, Sept 23-24, 2003

  3. What to monitor?
  • Inactive addresses
  • Inactive ports
  • # of victims
  • Total scan traffic
  • # of flows
  • Distribution of destination addresses
  • Outbound traffic
  • ?

  4. How to monitor?
  • Aggregate data from inactive addresses and ports
  • Address space
  • Address and port selection
  • Learn trend and determine anomalies
  • Selective monitoring
  • Adaptive monitoring
  • Feedback based

  5. Potential Issues
  • Spoofed IP
  • Multi-vector worm
  • Aggressive scan
  • Stealth scan
  • Detecting only large-scale attacks

  6. Analytical Active Worm Propagation (AAWP) Model
  • T: size of the address space the worm scans
  • N: total number of vulnerable hosts in the space
  • S: scan rate
  • n_i: number of infected machines at time i

  7. Monitoring Random Scan (figure)

  8. Detection Time vs. Monitoring Space (figure)
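Slides 6 to 8 define the AAWP variables and then plot how fast a black-hole monitor sees a randomly scanning worm as a function of the monitored address space. The recurrence and the detection-time calculation below are an added example written for this transcript, not the authors' code or the formula from their paper: it models each of the S·n_i scans per tick as hitting a uniformly random address in the T-address space, and counts the expected number of those scans that land in an unused block of `monitored` addresses (the block size, detection threshold and Code Red-like parameters in the demo are assumed, not from the slides).

```python
# Discrete-time spread of a random-scanning worm, using the slide's variables:
#   T  = size of the address space the worm scans
#   N  = number of vulnerable hosts in that space
#   S  = scans per infected host per tick
#   n_i = infected hosts at tick i
# In one tick the n_i infected hosts emit S*n_i scans. A fixed address is missed
# by all of them with probability (1 - 1/T)^(S*n_i), so the expected number of
# newly infected hosts is (N - n_i) * (1 - (1 - 1/T)^(S*n_i)).

def aawp_step(n_i, T, N, S):
    """Expected number of infected hosts one tick after n_i."""
    p_hit = 1.0 - (1.0 - 1.0 / T) ** (S * n_i)
    return n_i + (N - n_i) * p_hit

def simulate(T, N, S, n0, ticks):
    """Return [n_0, n_1, ..., n_ticks]."""
    n = [float(n0)]
    for _ in range(ticks):
        n.append(aawp_step(n[-1], T, N, S))
    return n

def detection_time(T, N, S, n0, monitored, threshold, max_ticks=10000):
    """Earliest tick at which the expected cumulative number of scans landing in a
    black hole of `monitored` unused addresses reaches `threshold`; None if it
    never does within max_ticks. Scans hit the monitored block w.p. monitored/T."""
    n = float(n0)
    seen = 0.0
    for i in range(max_ticks + 1):
        seen += S * n * (monitored / T)
        if seen >= threshold:
            return i
        n = aawp_step(n, T, N, S)
    return None

if __name__ == "__main__":
    # Assumed, Code Red-like parameters: IPv4 space, 360k vulnerable hosts,
    # 100 scans per host per tick, one initial victim.
    T, N, S = 2 ** 32, 360_000, 100
    for block_bits in (8, 16, 24):          # monitor a /24, /16 or /8 black hole
        t = detection_time(T, N, S, 1, 2 ** block_bits, threshold=100)
        print(f"{2 ** block_bits:>9} monitored addresses -> detection at tick {t}")
```

Larger monitored blocks always detect no later than smaller ones, which is the trend slide 8 plots.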

  9. Local Subnet Scan
  • The worm preferentially scans for targets in the "local" address space
  • Nimda worm:
    • 50% of the time, choose an address with the same first two octets
    • 25% of the time, choose an address with the same first octet
    • 25% of the time, choose a random address
  • The AAWP model is extended to understand the characteristics of local subnet scanning

  10. Compare Local Subnet Scan with Random Scan (figure)

  11. More Malicious Scan
  • Random Scan
    • Wastes too much power
    • Easier to get caught
  • More malicious scan techniques
    • Probing hosts are chosen more carefully?

  12. Scan Methods
  • Selective Scan
  • Routable Scan
  • Divide-Conquer Scan
  • Hybrid Scan

  13. Selective Scan
  • Randomly selected destinations
  • Selective Random Scan
    • Slapper worm: picks 162 /8 networks
  • Benefit: simplicity, small program size

  14. Selective Scan (figure)

  15. Routable Scan
  • Scan only routable addresses from the global BGP table
  • How to reduce the payload?
    • 112K prefixes → merge address segments, and use a 2^16 threshold = 15.4 KB database
    • Only 20% of segments contribute 90% of addresses → 3 KB database
    • Further compression

  16. Spread of Routable Scan (figure)

  17. Monitoring Routable Scan (figure)

  18. Divide-Conquer Scan
  • An extension to routable scan
  • Each time a new host gets infected, it gets half of the address space
  • Susceptible to a single point of failure
  • Possible overlapping address space

  19. Divide-Conquer Scan (figure)

  20. Monitoring Divide-Conquer Scan (figure)

  21. Hybrid Scan
  • A combination of the simple scan methods above
  • For example:
    • Routable + Hitlist + Local Subnet Scan
    • Divide-Conquer + Hitlist

  22. More Details
  • See:
    • Modeling the Spread of Active Worms, Z. Chen, L. Gao, K. Kwiat, INFOCOM 2003, at http://www-unix.ecs.umass.edu/~lgao/paper/AAWP.pdf
    • An Effective Architecture and Algorithm for Detecting Worms with Various Scan Techniques, J. Wu, S. Vangala, L. Gao, K. Kwiat, at http://rio.ecs.umass.edu/gao/paper/final.pdf
