The Monitoring and Early Detection of Internet Worms
Cliff C. Zou, Weibo Gong, Don Towsley, and Lixin Gao
IEEE/ACM Trans. Networking, Oct. 2005

Virus / Worm / Trojan Horse
• Virus:
  • Parasitic: lives inside an already existing file.
  • A piece of program code that "attaches itself to a program or file", spreads from computer to computer, and infects computers as it travels.
  • Exploits a system vulnerability (no user action required)
• Worm:
  • Installed on the computer as a new file.
  • A worm usually spreads without any user action, and sends complete copies of itself (possibly modified) across the network.
  • Exploits a system vulnerability (no user action required)
• Trojan Horse:
  • A program that appears useful but actually causes damage.
  • Backdoor
  • Deceives the user through disguise (user action required)
Outline
• Worm propagation models
• Worm monitoring system
• Kalman filter estimation
• Code Red simulation
• Blaster-like worm simulation

Summary of worm models
• Scan mode
  • Uniform-scan (random) (as default)
    • Code Red
  • Imperfect uniform-scan
    • Slammer
  • Sequential-scan
    • Blaster
  • Subnet-scan
    • Code Red II
• Worm propagation models
  • Simple epidemic model
  • Discrete-time version
  • Exponential model (for slow start phase)
  • AR discrete-time model
  • Transformed linear model
Propagation models
• Simple epidemic model (*)
• Discrete-time version (*)
• Exponential model (slow start phase: N − I_t ≈ N)
• AR discrete-time model
• Transformed linear model
* D.J. Daley and J. Gani, Epidemic Modeling: An Introduction. Cambridge, U.K.: Cambridge Univ. Press, 1999.

Components
• Ingress scan monitor
  • Listens to the global traffic in the Internet.
  • Scan traffic: incoming traffic to unused local IP addresses
• Egress scan monitor
  • Monitors the outgoing traffic from a network to infer the scan behavior of a potential worm.
  • Scan rate
  • Scan distribution
• Data mixer
  • Reduces the traffic for sending observation data to the MWC

The data that the MWC obtains
• The number of scans monitored in a monitoring interval from discrete time (t−1) to t, denoted by Z_t.
• The cumulative number of infected hosts observed by discrete time t, denoted by C_t.
• A worm's scan distribution
• A worm's average scan rate η
Correction of biased observation C_t (1/2)
• For a uniform-scan worm, each worm scan has a small probability p of being observed by a monitoring system, so an infected host sends out many scans before one of them is observed.
• C_t is therefore not proportional to I_t.
• In a monitoring interval Δ, a worm sends out on average ηΔ scans, so the monitoring system observes at least one scan from a given infected host in a monitoring interval with probability 1 − (1 − p)^(ηΔ).

Correction of biased observation C_t (2/2)
Derivation steps annotated on the slide:
• account for the unobserved infected hosts
• remove the conditioning on C_{t−1}
• replace E[C_t] by C_t

Estimated I_t (2^14 IP space): noisier

Kalman filter estimation (simple epidemic model)
(α and β are derived from I_t)
System state: (y_1, y_2, …, y_t are the measurement data, e.g., Z_t or I_t)
The system is described as (υ_t is the noise)
How to detect a worm?
• For each TCP or UDP port, the MWC has an alarm threshold for monitored illegitimate scan traffic Z_t.
• If the monitored scan traffic is over the alarm threshold for several consecutive monitoring intervals, the Kalman filter is activated.
• The MWC begins to record C_t and calculates the average worm scan rate η from the reports of the egress scan monitors.
• The Kalman filter can use either C_t or Z_t to estimate all the parameters of a worm.
• The three discrete-time models are used to detect the worm.
• Once an estimated value of α stabilizes and oscillates only slightly around a positive constant value, the presence of a worm has been detected.
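The detection procedure above, as an added example that is not code from the paper or its authors: a pure-Python constant-state Kalman filter (recursive least squares) for the slow-start exponential model, gated by the Z_t alarm threshold and run over constructed simulation data. Function names, parameter values and the stabilization rule (last five α estimates positive and spread by at most 20% of their mean) are my own assumptions.

```python
import random

def kalman_alpha(y, delta=1.0, r=1.0, x0=1.0, p0=1e6):
    # Constant-state Kalman filter (recursive least squares) for the slow-start
    # exponential model y_t = (1 + alpha*delta) * y_{t-1} + v_t; state x = 1 + alpha*delta.
    x, p, alphas = x0, p0, []
    for t in range(1, len(y)):
        h = y[t - 1]
        k = p * h / (h * h * p + r)      # Kalman gain (H_t = y_{t-1}, noise variance r)
        x = x + k * (y[t] - h * x)       # correct the state with the innovation
        p = (1.0 - k * h) * p            # shrink the error covariance
        alphas.append((x - 1.0) / delta)
    return alphas                        # one alpha estimate per step after the first

def detect_worm(z, y, threshold, consecutive=3, window=5, tol=0.2, delta=1.0):
    # 1) alarm when Z_t exceeds the threshold for `consecutive` intervals,
    # 2) then activate the Kalman filter on the infected-host observations y,
    # 3) report a worm once the last `window` alpha estimates are positive
    #    and spread by no more than tol * their mean. None if nothing is found.
    run, start = 0, None
    for t, z_t in enumerate(z):
        run = run + 1 if z_t > threshold else 0
        if run >= consecutive:
            start = t
            break
    if start is None:
        return None
    alphas = kalman_alpha(y[start:], delta)
    for i in range(window, len(alphas) + 1):
        recent = alphas[i - window:i]
        mean = sum(recent) / window
        if min(recent) > 0 and max(recent) - min(recent) <= tol * mean:
            return {"activated_at": start, "detected_at": start + i, "alpha_hat": mean}
    return None

def simulate(N=1_000_000, alpha=0.5, i0=10.0, steps=40, obs=0.3, bg=50.0, noise=0.01, seed=7):
    # Constructed data (not from the paper): discrete-time simple epidemic model
    # I_t = I_{t-1} + alpha*I_{t-1}*(1 - I_{t-1}/N), delta = 1. Z_t = background scans
    # (uniform 0.8..1.2 * bg) + fraction `obs` of worm scans; y_t = I_t with 1% error.
    rng = random.Random(seed)
    i_t, z, y = i0, [], []
    for _ in range(steps):
        i_t += alpha * i_t * (1.0 - i_t / N)
        z.append(rng.uniform(0.8 * bg, 1.2 * bg) + obs * i_t)
        y.append(i_t * (1.0 + rng.gauss(0.0, noise)))
    return z, y

if __name__ == "__main__":
    z, y = simulate()
    print(detect_worm(z, y, threshold=2 * 50.0))  # threshold = 2 x mean background noise
```

With these constructed inputs the alarm fires a few intervals after the worm's scans exceed twice the background mean, and the α estimate settles near the true 0.5 while I_t is still far below N, i.e. while the exponential model is still valid.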
Code Red simulation
• Uniform-scan
• Can be accurately modeled by the simple epidemic model
• The alarm threshold for Z_t
  • Set to two times the mean value of the background noise (*)
* D. Goldsmith. Incidents Maillist: Possible Codered Connection Attempts. [Online]. Available: http://lists.jammed.com/incidents/2001/07/0149.html

Kalman filter estimation of Code Red infection rate α (1/3): epidemic model

Kalman filter estimation of Code Red infection rate α (2/3): AR exponential model

Kalman filter estimation of Code Red infection rate α (3/3): transformed linear model (0.3% infected)

Long-term Kalman filter estimation: in the fast spread phase

Estimate of the vulnerable population size N of Code Red: in the fast spread phase
Blaster-like worm simulation
• Sequential-scan
• Can still be accurately modeled by the simple epidemic model
• 16-block monitor
  • Monitors 16 "/16" networks
• 1024-block monitor
  • Monitors 1024 "/22" networks
[Figure: IP space with monitored blocks A, B and C]
So for sequential-scan worms, the monitored blocks should be spread out as widely as possible over the IP space.
16 × 2^(32−16) = 1024 × 2^(32−22) (both monitors cover the same total number of addresses)

Kalman filter estimation of α for the Blaster-like worm: transformed linear model (1.3% infected)