1. 1 Modeling, Early Detection, and Mitigation of Internet Worm Attacks Cliff C. Zou Assistant professor School of Computer Science University of Central Florida Orlando, FL Email: czou@eecs.ucf.edu Web: http://www.cs.ucf.edu/~czou

2. 2 Worm propagation process Find new targets  IP random scanning Compromise targets  Exploit vulnerability Newly infected join infection army

3. 3 Worm research motivation Code Red (Jul. 2001) : 360,000 infected in 14 hours Slammer (Jan. 2003) : 75,000 infected in 10 minutes Congested parts of Internet (ATMs down…) Blaster (Aug. 2003) : 150,000 ~ 8 million infected DDOS attack (shut down domain windowsupdate.com ) Witty (Mar. 2004) : 12,000 infected in half an hour Attack vulnerability in ISS security products Sasser (May 2004) : 500,000 infected within two days Infection faster than human response !

4. 4 How to defend against worm attack? Automaticresponse required Automatic response required First, understanding worm behavior  Basis for worm detection/defense Next, early warning of an unknown worm  Detection based on worm model  Prediction of worm damage scale Last, autonomous defense  Dynamic quarantine  Self-tuning defense

5. 5 Outline Worm propagation modeling Early warning of an unknown worm Autonomous defense Summary and current work

6. 6 Outline Worm propagation modeling Early warning of an unknown worm Autonomous defense Summary and current work

7. 7 Simple worm propagation model address space, size  N : total vulnerable I t : infected by time t  N-I t vulnerable at time t scan rate (per host),   Prob. of a scan hitting vulnerable # of increased infected in a unit time

8. 8 Simple worm propagation

9. 9 Code Red worm modeling Simple worm model matches observed Code Red data “ Ideal ” network condition  No human countermeasures  No network congestions  First model work to consider these [CCS’02]

10. 10 Witty worm modeling Witty’s destructive behavior: 1). Send 20,000 UDP scans to 20,000 IP addresses 2). Write 65KB in a random point in hard disk  Consider an infected computer:  Constant bandwidth  constant time to send 20,000 scans  Random point writing  infected host crashes with prob.  Crashing time approximate by Exponential distribution ( )

11. 11 Witty worm modeling hours Memoryless property : # of crashed infected computers at time t # of vulnerable at t *Witty trace provided by U. Michigan “Internet Motion Sensor”

12. 12 Advanced worm modeling — hitlist, routing worm Hitlist worm — increase I 0  Contains a list of known vulnerable hosts  Infects hit-list hosts first, then randomly scans Routing worm — decrease   Only scan BGP routable space  BGP table information:  =.32 £ 2 32  32% of IPv4 space is Internet routable Lasts less than a minute

13. 13 Hitlist, routing worm Code Red style worm  = 358/min N = 360,000 hitlist, I(0) = 10,000 routing,  =.29 £ 2 32

14. 14 Botnet-based Diurnal Modeling Diurnal property of online infectious hosts  Determined by time zone North America Europe Eastern Asia

15. 15 Worm Propagation Diurnal Model Divide Internet hosts into groups  Each group has hosts in one or several nearby time zones  same diurnal property Consider modeling in one group: : diurnal shaping function (fraction of online hosts) : # of infected : # of online infected : # of susceptible : # of online susceptible

16. 16 Optimal Worm Releasing Time based on Diurnal Model Diurnal property affects a worm’s speed Speed prediction derived based on diurnal model

17. 17 Outline Worm propagation modeling Early warning of an unknown worm Autonomous defense Summary and current work

18. 18 Monitor:  Worm scans to unused IPs  TCP/SYN packets  UDP packets  Also called “darknet” How to detect an unknown worm at its early stage? Unused IP space Monitored traffic Internet noisy Monitored data is noisy Local network

19. 19 Worm anomaly  other anomalies?  A worm has its own propagation dynamics Deterministic models appropriate for worms Reflection Can we take advantage of worm model to detect a worm?

20. 20 1% 2% Worm model in early stage Initial stage exhibits exponential growth

21. 21 “Trend Detection”  Detect traffic trend, not burst Trend: worm exponential growth trend at the beginning Detection: estimated exponential rate  be a positive, constant value Worm traffic Non-worm burst traffic Exponential rate  on-line estimation Monitored illegitimate traffic rate

22. 22 Why exponential growth at the beginning? Attacker’s incentive: infect as many as possible before people’s counteractions If not, a worm does not reach its spreading speed limit Slow spreading worm detected by other ways  Security experts manual check  Honeypot, …

23. 23 Model for estimate of worm exponential growth rate  Exponential model: : monitoring noise Z t : # of monitored scans at time t yield

24. 24 Estimation by Kalman Filter System: where Kalman Filter for estimation of X t :

25. 25 Code Red simulation experiments Population: N=360,000, Infection rate:  = 1.8/hour, Scan rate  = N(358/min, 100 2 ), Initially infected: I 0 =10 Monitored IP space 2 20, Monitoring interval: 1 minute Consider background noise At 0.3% (157 min): estimate stabilizes at a positive constant value

26. 26 Damage evaluation — Prediction of global vulnerable population N yield Accurate prediction when less than 1% of N infected

27. 27 Monitoring 2 14 IP space ( p =4 £ 10 -6 ) Damage evaluation — Estimation of global infected population I t : fraction of address space monitored : cumulative # of observed infected hosts by time t : per host scan rate : Prob. an infected to be observed by the monitor in a unit time # of unobserved Infected by t # of newly observed (t  t+1)

28. 28 Outline Worm propagation modeling Early warning of an unknown worm Autonomous defense Summary and current work

29. 29 Autonomous defense principles Principle #1  Preemptive Quarantine  Compared to attack potential damage, we some are willing to tolerate some false alarm cost  Quarantine upon suspicious, confirm later  Basis for our Dynamic Quarantine [ WORM’03 ] Principle #2  Adaptive Adjustment  More serious attack, more aggressive defense  At any time t, minimize: (attack damage cost) + (false alarm cost)

30. 30 Self-tuning defense against various network attacks Principle #2 : Adaptive Adjustment  More severe attack, more aggressive defense Self-tuning defense system designs:  SYN flood Distributed Denial-of-Service (DDoS) attack  Internet worm infection  DDoS attack with no source address spoofing

31. 31 Motivation of self-tuning defense : False positive prob. blocking normal traffic : False negative prob. missing attack traffic : Detection sensitivity Q: Which operation point is “ good ” ? Severe attack Light attack A: All operation points are good Optimal one depends on attack severity  : Fraction of attack in traffic 1 0 1

32. 32 Estimation of attack severity  Filter Passed Incoming Dropped : Fraction of detected traffic # of incoming normal traffic # of incoming attack traffic Unbiased

33. 33 Self-tuning defense design Filter Passed Incoming Self-tuning optimization Attack estimation Discrete time k  k+1 Optimization: Fraction of passed attack Fraction of dropped normal : Cost of dropping a normal traffic : Cost of passing an attack traffic

34. 34 Self-tuning defense structure More severe attack, more aggressive defense Self-tuning defense Detection Defense AttackSeverity OperationSettings

35. 35 Outline Worm propagation modeling Early warning of an unknown worm Autonomous defense Summary and current work

36. 36 Worm research contribution Worm modeling:  Two-factor model: Human counteractions; network congestion  Diurnal modeling; worm scanning strategies modeling Early detection:  Detection based on “exponential growth trend”  Estimate/predict worm potential damage Autonomous defense:  Dynamic quarantine (interviewed by NPR)  Self-tuning defense (patent filed by AT&T) Email-based worm modeling and defense