
The Monitoring and Early Detection of Internet Worms



Presentation Transcript


  1. The Monitoring and Early Detection of Internet Worms Cliff C. Zou, Weibo Gong, Don Towsley, and Lixin Gao IEEE/ACM Trans. Networking, Oct. 2005

  2. Virus / Worm / Trojan Horse • Virus: • Parasitic: lives inside an existing file. • A piece of computer code that "attaches itself to a program or file", spreads from computer to computer, and infects computers as it travels. • System vulnerability (no user action required) • Worm: • Installs itself on the computer as a new file. • A worm usually spreads without any user action and distributes complete copies of itself (possibly modified) across the network. • System vulnerability (no user action required) • Trojan Horse: • A computer program that appears useful but actually causes damage. • Backdoor program • Deceives the user through disguise (requires user action)

  3. Outline • Worm propagation models • Worm monitoring system • Kalman filter estimation • Code Red simulation • Blaster-like worm simulation

  4. Summary of worm models • Scan mode • Uniform-scan (random) (as default) • Code Red • Imperfect uniform-scan • Slammer • Sequential-scan • Blaster • Subnet-scan • Code Red II • Worm propagation models • Simple epidemic model • Discrete-time version • Exponential model (for slow start phase) • AR discrete-time model • Transformed linear model

  5. Notations

  6. Worm propagation model

  7. Propagation models • Simple epidemic model (*) • Discrete-time version (*) • Exponential model (slow start phase: N − I_t ≈ N) • AR discrete-time model • Transformed linear model where (*) D.J. Daley and J. Gani, Epidemic Modeling: An Introduction. Cambridge, U.K.: Cambridge Univ. Press, 1999.
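As an added example (my code, not the paper's or the slide deck's), the discrete-time simple epidemic model and its slow-start exponential approximation, written with the slide's symbols N (vulnerable population), I_t (infected hosts at interval t), α (infection rate) and Δ (monitoring interval). The recursion I_t = I_{t−1} + αΔ·I_{t−1}·(1 − I_{t−1}/N) is my discretization of the simple epidemic model; the exponential model drops the (1 − I_{t−1}/N) factor, which is exactly the N − I_t ≈ N assumption of the slow-start phase. All parameter values are constructed for illustration.

```python
# Added example: discrete-time propagation models with the slides' symbols.
#   N      vulnerable population size
#   I_t    number of infected hosts at discrete time t
#   alpha  infection rate (per unit time)
#   delta  length of one monitoring interval
# The recursion is my own discretization of dI/dt = alpha * I * (1 - I/N).

def simple_epidemic(N, alpha, delta, i0, steps):
    """Discrete-time simple epidemic model. Returns [I_0, I_1, ..., I_steps]."""
    series = [float(i0)]
    for _ in range(steps):
        i_prev = series[-1]
        # new infections in one interval: alpha*delta*I*(1 - I/N)
        series.append(i_prev + alpha * delta * i_prev * (1.0 - i_prev / N))
    return series


def exponential_model(alpha, delta, i0, steps):
    """Slow-start approximation (N - I_t ~ N): I_t = (1 + alpha*delta)^t * I_0."""
    return [i0 * (1.0 + alpha * delta) ** t for t in range(steps + 1)]


def relative_error(N, alpha, delta, i0, steps):
    """Relative error of the exponential model against the epidemic model, per t.
    It is non-negative and grows with I_t/N, which is why the exponential model
    is only usable while the worm is still in its slow-start phase."""
    epi = simple_epidemic(N, alpha, delta, i0, steps)
    exp = exponential_model(alpha, delta, i0, steps)
    return [(e - s) / s for s, e in zip(epi, exp)]


def first_time_above(series, fraction, N):
    """First interval t at which I_t exceeds fraction*N, or None."""
    for t, i in enumerate(series):
        if i > fraction * N:
            return t
    return None


if __name__ == "__main__":
    # Constructed parameters: 360,000 vulnerable hosts, alpha = 1.8 per hour,
    # one-minute monitoring intervals, 10 initially infected hosts.
    N, ALPHA, DELTA, I0 = 360000, 1.8, 1.0 / 60, 10
    epi = simple_epidemic(N, ALPHA, DELTA, I0, 600)
    err = relative_error(N, ALPHA, DELTA, I0, 600)
    for t in (60, 180, 300, 420):
        print(f"t={t:3d} min  I_t={epi[t]:9.0f}  exponential-model error={err[t] * 100:7.1f}%")
    print("I_t first exceeds N/2 at minute", first_time_above(epi, 0.5, N))
```

The relative error stays near zero while I_t is a small fraction of N and then grows without bound, which is the quantitative reason the slides reserve the exponential model for the slow-start phase.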

  8. Generic worm monitoring system

  9. Components • Ingress scan monitor • Listens to the global traffic in the Internet. • Scan traffic • Incoming traffic to unused local IP addresses • Egress scan monitor • Monitors the outgoing traffic from a network to infer the scan behavior of a potential worm. • Scan rate • Scan distribution • Data mixer • Reduces the traffic for sending observation data to the MWC (Malware Warning Center)

  10. The data that MWC obtains • The number of scans monitored in a monitoring interval from discrete time (t-1) to t, denoted by Zt. • The cumulative number of infected hosts observed by the discrete time t, denoted by Ct. • A worm’s scan distribution • A worm’s average scan rate η

  11. Correction of biased observation Ct (1/2) • For a uniform-scan worm, each worm scan has a small probability p of being observed by a monitoring system, so an infected host will send out many scans before one of them is observed. • Ct is therefore not proportional to It. • In a monitoring interval Δ, a worm sends out on average scans, so the monitoring system has the probability to observe at least one scan from an infected host in a monitoring interval.

  12. Correction of biased observation Ct (2/2) • unobserved infected hosts • remove the conditioning on Ct−1 • replace E[Ct] by Ct
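The two slides above describe the correction in words only (the formulas were on the slide images). As an added example that is my own derivation from that argument, not the paper's code: with p the probability that one scan lands in the monitored space, η the average scan rate and Δ the interval, an infected host is seen at least once in an interval with probability q = 1 − (1 − p)^{ηΔ}; the hosts that can newly appear in C_t are the infected hosts not yet observed, so E[C_t | C_{t−1}] = C_{t−1} + q·(I_t − C_{t−1}); replacing E[C_t] by the measured C_t and solving for I_t gives the correction. The code also draws a Monte-Carlo C_t so the noise of the corrected estimate can be seen. All numbers are constructed.

```python
# Added example: correcting the biased observed count C_t (my derivation from
# the slide's argument, not the paper's code). Symbols follow the slides:
#   p      probability that a single scan hits the monitored address space
#   eta    average scan rate of an infected host
#   delta  monitoring interval
#   I_t    true number of infected hosts
#   C_t    cumulative number of distinct infected hosts the monitors have seen
import random


def first_hit_probability(p, eta, delta):
    """Probability that an infected host is observed at least once in one interval."""
    # eta*delta scans per interval, each one missed with probability (1 - p)
    return 1.0 - (1.0 - p) ** (eta * delta)


def expected_observed(i_series, q):
    """E[C_t] for a true infection series: each still-unobserved infected host
    is seen during the interval with probability q."""
    c = [0.0]                              # nothing observed before the worm starts
    for i_t in i_series[1:]:
        unobserved = i_t - c[-1]           # infected hosts not yet seen by the monitors
        c.append(c[-1] + q * unobserved)
    return c


def correct_observation(c_series, q):
    """Recover I_t from C_t by inverting E[C_t] = C_{t-1} + q*(I_t - C_{t-1}),
    with E[C_t] replaced by the measured C_t:  I_t = C_{t-1} + (C_t - C_{t-1})/q."""
    est = [c_series[0]]
    for c_prev, c_t in zip(c_series, c_series[1:]):
        est.append(c_prev + (c_t - c_prev) / q)
    return est


def sample_observed(i_series, q, seed=1):
    """Monte-Carlo C_t: each unobserved infected host is seen with probability q."""
    rng = random.Random(seed)
    c = [0]
    for i_t in i_series[1:]:
        unobserved = int(round(i_t)) - c[-1]
        seen = sum(1 for _ in range(unobserved) if rng.random() < q)
        c.append(c[-1] + seen)
    return c


if __name__ == "__main__":
    # Constructed scenario: monitors cover 2^17 of 2^32 addresses, 300 scans per
    # minute per infected host, one-minute intervals, 8% growth per interval.
    p, eta, delta = 2 ** 17 / 2 ** 32, 300.0, 1.0
    q = first_hit_probability(p, eta, delta)
    true_i = [50.0]
    for _ in range(120):
        true_i.append(true_i[-1] * 1.08)
    c = sample_observed(true_i, q)
    est = correct_observation(c, q)
    print("q = %.4f" % q)
    for t in (30, 60, 90, 120):
        print("t=%3d  I_t=%8.0f  C_t=%6d  corrected=%8.0f" % (t, true_i[t], c[t], est[t]))
```

The inversion is exact on the expected values, but on a single sampled C_t it divides a small integer increment by q, so the corrected estimate is noisy; the smaller the monitored space (smaller p, hence smaller q), the noisier it gets, which is the effect the next two slides show for 2^17 versus 2^14 monitored addresses.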

  13. Estimated It (2^17 IP space)

  14. Estimated It (2^14 IP space, noisier)

  15. Kalman filter estimation (simple epidemic model) • α and β are derived from It • System state: (y1, y2, …, yt are the measurement data, e.g., Zt or It) • The system is described as (υt is the noise)

  16. How to detect a worm? • For each TCP or UDP port, MWC has an alarm threshold for monitored illegitimate scan traffic Zt. • If the monitored scan traffic is over the alarm threshold for several consecutive monitoring intervals, the Kalman filter will be activated. • The MWC begins to record Ct and calculates the average worm scan rate η from the report of egress scan monitors. • The Kalman filter can either use Ct or Zt to estimate all the parameters of a worm. • The three discrete-time models are used to detect the worm. • Once an estimated value of α stabilizes and oscillates slightly around a positive constant value, we have detected the presence of a worm.
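As an added example (my code, not the paper's or the slides'), the detection procedure of the slide above: a threshold pre-check on the monitored scan count Z_t that activates the filter, a scalar Kalman filter estimating the infection rate α from the (corrected) infection series I_t, and the rule that declares a worm once the α estimate stabilizes around a positive constant. The measurement model I_t − I_{t−1} = αΔ·I_{t−1}(1 − I_{t−1}/N) + noise is my discretization of the simple epidemic model and is linear in the unknown α; N is taken as known here (the paper estimates it, see the later slides), and the threshold, window and tolerance values are constructed.

```python
# Added example: worm detection with a scalar Kalman filter (my implementation,
# not the paper's). Symbols follow the slides: Z_t monitored scans per interval,
# I_t infected hosts, alpha infection rate, N vulnerable population, delta interval.
import random


def above_threshold_for(z_series, threshold, k):
    """First interval index t at which Z_t has exceeded the alarm threshold for
    k consecutive intervals, or None. This pre-check activates the Kalman filter."""
    run = 0
    for t, z in enumerate(z_series):
        run = run + 1 if z > threshold else 0
        if run >= k:
            return t
    return None


def kalman_alpha_estimates(i_series, N, delta, r=1.0, p0=1e6):
    """Scalar Kalman filter with constant state x = alpha.
    Measurement: y_t = H_t * alpha + v_t with H_t = delta*I_{t-1}*(1 - I_{t-1}/N),
    y_t = I_t - I_{t-1}, measurement-noise variance r. Returns one estimate per step."""
    x, P = 0.0, p0                        # prior estimate and its (large) variance
    estimates = []
    for i_prev, i_t in zip(i_series, i_series[1:]):
        h = delta * i_prev * (1.0 - i_prev / N)
        y = i_t - i_prev
        # the state is constant, so the prediction step leaves x and P unchanged
        K = P * h / (h * h * P + r)       # Kalman gain
        x = x + K * (y - h * x)           # correct with the measurement residual
        P = (1.0 - K * h) * P             # updated estimate variance
        estimates.append(x)
    return estimates


def has_stabilized(estimates, window, tol):
    """Detection rule: the last `window` estimates are positive and lie within a
    relative band of `tol` around their mean (oscillate slightly around a constant)."""
    if len(estimates) < window:
        return False
    tail = estimates[-window:]
    mean = sum(tail) / window
    return mean > 0 and all(abs(e - mean) <= tol * mean for e in tail)


def detect_worm(z_series, i_series, N, delta, threshold, k=3, window=10, tol=0.05):
    """Interval at which a worm is declared, or None if the alarm never fires."""
    start = above_threshold_for(z_series, threshold, k)
    if start is None:
        return None                       # filter never activated
    estimates = kalman_alpha_estimates(i_series[start:], N, delta)
    for t in range(len(estimates)):
        if has_stabilized(estimates[:t + 1], window, tol):
            return start + t + 1
    return None


if __name__ == "__main__":
    rng = random.Random(7)
    # Constructed scenario: N = 20000 vulnerable hosts, alpha = 1.0 per hour,
    # 6-minute intervals, monitors cover 2^17 of 2^32 addresses, 6000 scans/hour.
    N, ALPHA, DELTA = 20000, 1.0, 0.1
    p, eta = 2 ** 17 / 2 ** 32, 6000.0
    true_i = [5.0]
    for _ in range(150):
        i = true_i[-1]
        true_i.append(i + ALPHA * DELTA * i * (1.0 - i / N))
    obs_i = [i + rng.gauss(0.0, 0.01 * i) for i in true_i]          # noisy corrected I_t
    z = [rng.randint(10, 30) + int(p * eta * DELTA * i) for i in true_i]  # scans + background
    background_mean = 20
    print("worm declared at interval:", detect_worm(z, obs_i, N, DELTA, 2 * background_mean))
    est = kalman_alpha_estimates(obs_i, N, DELTA)
    print("final alpha estimate: %.3f (true %.1f)" % (est[-1], ALPHA))
```

With noise-free data the estimate lands on the true α after the first update, because the prior variance p0 is large compared with the measurement weight; with noisy data the gain shrinks as the filter accumulates measurements, so the estimate settles and the stability rule fires some intervals after the threshold is crossed.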

  17. Code Red simulation • Uniform-scan • Can be accurately modeled by the simple epidemic model • The alarm threshold for Zt • Set to be two times as large as the mean value of the background noise (*) * D. Goldsmith. Incidents Maillist: Possible Codered Connection Attempts. [Online]. Available: http://lists.jammed.com/incidents/2001/07/0149.html

  18. Kalman filter estimation of Code Red infection rate α (1/3) epidemic model

  19. Kalman filter estimation of Code Red infection rate α (2/3) AR exponential model

  20. Kalman filter estimation of Code Red infection rate α (3/3) 0.3% infected transformed linear model

  21. Long-term Kalman filter estimation (in the fast spread phase)

  22. Estimate of the vulnerable population size N of Code Red (in the fast spread phase)

  23. Blaster-like worm simulation • Sequential-scan • Can still be accurately modeled by the simple epidemic model • 16-block monitor • Monitors 16 "/16" networks • 1024-block monitor • Monitors 1024 "/22" networks (Figure: IP space A, B, C and the monitored IP space) So for sequential-scan worms, the monitored blocks should be spread as widely as possible across the IP space. Both configurations monitor the same number of addresses: 16 · 2^(32−16) = 1024 · 2^(32−22) = 2^20.

  24. Blaster-like worm (It)

  25. Blaster-like worm (Zt)

  26. Blaster-like worm (Zt after using a low pass filter)

  27. Kalman filter estimation of α for the Blaster-like worm 1.3% infected Transformed linear model
