
Monitoring and Early Warning for Internet Worms

Monitoring and Early Warning for Internet Worms. Authors: Cliff C. Zou, Lixin Gao, Weibo Gong, Don Towsley, Univ. Massachusetts, Amherst. Published at the 10th ACM Conference on Computer and Communications Security (CCS'03), 2003. Presenter: Cliff C. Zou (01/12/2006).


Presentation Transcript


  1. Monitoring and Early Warning for Internet Worms. Authors: Cliff C. Zou, Lixin Gao, Weibo Gong, Don Towsley (Univ. Massachusetts, Amherst). Published at the 10th ACM Conference on Computer and Communications Security (CCS'03), 2003. Presenter: Cliff C. Zou (01/12/2006)

  2. Monitored traffic: how to detect an unknown worm at its early stage?
  • Monitor worm scans sent to unused IP addresses (TCP SYN packets, UDP packets)
  • The monitored data is noisy
  (Figure: the Internet sending scans into the unused IP space of a local network)

  3. Reflection
  • Worm anomaly vs. other anomalies?
  • A worm has its own propagation dynamics
  • Deterministic models are appropriate for worms
  Can we take advantage of the worm model to detect a worm?

  4. Worm model in the early stage: the initial stage exhibits exponential growth
  (Figure: infected population vs. time, with the 1% and 2% infection levels marked)

  5. Worm traffic "trend detection": detect the traffic trend, not a burst
  • Trend: a worm shows an exponential growth trend at the beginning
  • Detection: the estimated exponential rate should be a positive, constant value
  (Figure: monitored illegitimate traffic rate over time, contrasting a non-worm traffic burst with worm growth, and the on-line estimate of the exponential rate a)

  6. Why exponential growth at the beginning?
  • The law of natural growth (reproduction), which holds while interference is negligible (the beginning phase)
  • Attacker's incentive: infect as many hosts as possible before people's countermeasures; otherwise the worm never reaches its spreading speed limit
  • A slow-spreading worm is detected by other means: security experts' manual checks, honeypots, ...

  7. Model for estimating the worm's exponential growth rate a
  • Z_t: # of monitored scans at time t
  • Monitoring noise term
  • Exponential model:

  8. Estimation by Kalman filter
  • System model:
  • Kalman filter for estimation of X_t:

  9. Code Red simulation experiments
  • Population N = 360,000; infection rate a = 1.8/hour; per-host scan rate η ~ N(358/min, 100²); initially infected I_0 = 10
  • Monitored IP space: 2^20 addresses; monitoring interval: 1 minute; background noise is included
  • At 0.3% of N infected (157 min), the estimate of a stabilizes at a positive constant value
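The trend-detection procedure of slides 5 to 9, as an added example in Python; this is not code from the paper or its authors. The simulation parameters (N, a, the scan-rate distribution, I_0, the 2^20 monitored addresses, the one-minute interval) are those of slide 9. Everything else is an assumption of this example: background noise of round(N(10, 3²)) scans per minute, the observation model (the minute-to-minute log ratio of background-corrected scan counts, whose expectation is a under exponential growth), the scalar Kalman filter with its process noise q and prior variance p0, the alarm rule (six consecutive minutes of estimates within 20% of their mean and above 0.3/hour), and the 15-minute burst profile used as the non-worm case. The transcript does not reproduce the paper's system equations, so the detector is a reconstruction of the approach, not the paper's own estimator.

```python
import math
import random
import statistics

# Simulation parameters from slide 9 (Code Red-like uniform-scan worm).
N, I0 = 360_000, 10                 # vulnerable population, initially infected hosts
ALPHA_PER_HOUR = 1.8                # infection rate a (early-stage exponential growth rate)
ETA_MEAN, ETA_SD = 358.0, 100.0     # per-host scan rate, scans/min ~ N(358, 100^2)
P_HIT = 2 ** 20 / 2 ** 32           # a uniform random scan lands in the 2^20 monitored addresses
NOISE_MEAN, NOISE_SD = 10.0, 3.0    # assumed background (non-worm) scans/min: round(N(10, 3^2))

def poisson(rng, lam):
    """Poisson sample: Knuth's method for small means, normal approximation otherwise."""
    if lam > 60:
        return max(0, round(rng.gauss(lam, math.sqrt(lam))))
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def background(rng):
    return max(0, round(rng.gauss(NOISE_MEAN, NOISE_SD)))

def worm_trace(rng, minutes=300, warmup=60):
    """(minute, infected, monitored scans) per minute; worm released at minute 0, noise only before."""
    rows, infected = [], 0.0
    for minute in range(-warmup, minutes):
        infected = float(I0) if minute == 0 else infected
        # scans/min of all infected hosts (sum of iid N(358, 100^2)), thinned onto the monitor
        total = max(0.0, rng.gauss(infected * ETA_MEAN, math.sqrt(infected) * ETA_SD))
        rows.append((minute, infected, poisson(rng, total * P_HIT) + background(rng)))
        infected *= math.exp(ALPHA_PER_HOUR / 60 * (1 - infected / N))  # dI/dt = a I (1 - I/N), 1-min step
    return rows

def burst_trace(rng, minutes=150, warmup=60, start=60):
    """Non-worm traffic (slide 5's burst): background plus an assumed 15-minute flash of scans."""
    profile = [20, 80, 300] + [500] * 12          # ramps up over three minutes, then flat
    rows = []
    for minute in range(-warmup, minutes):
        extra = profile[minute - start] if 0 <= minute - start < len(profile) else 0
        rows.append((minute, 0.0, extra + background(rng)))
    return rows

class TrendDetector:
    """Kalman-filter estimate of a (slides 7-8) plus the "positive, constant" trend test (slide 5),
    driven by d_t = ln(Z_t - b) - ln(Z_{t-1} - b), whose mean is a per minute for a growing worm."""

    def __init__(self, noise_mean, noise_sd, q=8.5e-6, p0=0.01, window=6, tolerance=0.2, alpha_min=0.3):
        self.b, self.sb = noise_mean, noise_sd
        self.floor = max(5.0, 3.0 * noise_sd)   # below this the worm signal is buried in noise
        self.q, self.P, self.alpha = q, p0, 0.0   # process noise, state variance, estimate of a (1/min)
        self.window, self.tolerance, self.alpha_min = window, tolerance, alpha_min   # alarm rule (1/hour)
        self.prev, self.history = None, []        # last corrected count; (minute, estimate in 1/hour)

    def update(self, minute, z):
        """Feed one minute's scan count; return the estimate of a in 1/hour, or None."""
        self.P += self.q                          # predict: a drifts as a slow random walk (forgetting)
        x = z - self.b
        if x < self.floor or self.prev is None:   # no ratio without two usable consecutive counts
            self.prev = x if x >= self.floor else None
            return None
        d = math.log(x / self.prev)
        # delta-method variance of ln(Z - b): Var(Z) = Poisson worm count + background variance
        r = (x + self.sb ** 2) / x ** 2 + (self.prev + self.sb ** 2) / self.prev ** 2
        gain = self.P / (self.P + r)
        self.alpha += gain * (d - self.alpha)
        self.P *= 1.0 - gain
        self.prev = x
        self.history.append((minute, self.alpha * 60.0))
        return self.alpha * 60.0

    def alarm(self):
        """Worm trend: estimates positive, above alpha_min, within `tolerance` of their mean, `window` minutes in a row."""
        recent = self.history[-self.window:]
        if len(recent) < self.window or recent[-1][0] - recent[0][0] != self.window - 1:
            return False
        values = [v for _, v in recent]
        mean = sum(values) / len(values)
        if min(values) <= 0 or mean < self.alpha_min:
            return False
        return max(values) - min(values) <= self.tolerance * mean

def run_trace(rows):
    """Learn the background from the warmup minutes (minute < 0), then run the detector."""
    noise = [z for minute, _, z in rows if minute < 0]
    det = TrendDetector(statistics.mean(noise), statistics.pstdev(noise))
    result = {"alarm_minute": None, "infected_fraction_at_alarm": None, "alpha_at_alarm": None, "estimates": {}}
    for minute, infected, z in rows:
        estimate = det.update(minute, z)
        if estimate is None:
            continue
        result["estimates"][minute] = estimate
        if result["alarm_minute"] is None and det.alarm():
            result["alarm_minute"], result["alpha_at_alarm"] = minute, estimate
            result["infected_fraction_at_alarm"] = infected / N
    return result

def run_worm(seed=1):
    return run_trace(worm_trace(random.Random(seed)))

def run_burst(seed=1):
    return run_trace(burst_trace(random.Random(seed)))
```

Running `run_worm()` raises the alarm with well under 5% of N infected while the estimate sits near 1.8/hour, and `run_burst()` produces estimates that decay instead of settling, so no alarm is raised. Two choices carry slide 5's distinction between trend and burst: the log-ratio observation makes a flat plateau look like zero growth rather than a large level, and the process noise q makes the filter forget, so the estimate after a step decays geometrically and never passes the constancy test. Window, tolerance and q must be chosen together, because a plateau long enough for the decay per window to drop below the tolerance would eventually look constant. The 3σ floor on background-corrected counts delays the first usable ratio until worm traffic clearly exceeds the noise, which is the same dependence on a large monitored space that slide 14 lists as a weakness.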

  10. Damage evaluation: prediction of the global vulnerable population N
  • Accurate prediction when less than 1% of N is infected

  11. Damage evaluation: estimation of the global infected population I_t
  • Cumulative # of observed infected hosts by time t
  • Per-host scan rate
  • Fraction of the address space monitored
  • Probability that an infected host is observed by the monitor in a unit time
  • Relation used: # of newly observed infected hosts (t → t+1) against the # of infected hosts still unobserved by t
  • Example: monitoring a 2^14 IP space (p = 4 × 10^-6)

  12. What's the paper's contribution?
  • A novel approach to anomaly detection: the popular approach is based on a static threshold, while this paper exploits worm dynamics (the dynamics of a time series)
  • Worm damage prediction: estimate the global infected population from local information, and predict the global vulnerable population

  13. Why can this paper be published?
  • A different approach from the popular ways: model-based anomaly detection, a fresh viewpoint, interesting
  • Solid (fancy) mathematical background: the math is appropriate; a pure experimental report is not good enough for an academic paper
  • Timely appearance: catch a promising/hot topic ASAP, relying on advisors, (conference) papers, tech news, colleagues, ...

  14. What's the paper's weakness?
  • Early detection provides limited information: it does not provide a signature for worm defense, and it does not (accurately) identify the global infected hosts
  • It requires a large empty IP space for monitoring, so it is not very good for an individual local network
  • Worm damage prediction results are accurate only for uniform-scan worms, yet many worms use biased scanning strategies

  15. How to improve the paper?
  • I have improved the CCS'03 conference paper and published it in IEEE Trans. on Networking
  • Detect a worm earlier: the conference paper uses a simple worm model; the TON paper uses an exponential model (several times faster)
  • Consider the limitations of the monitoring system: the TON paper adds analysis/experiments of the monitoring problem for non-uniform-scan worms
