
On the Performance of Internet Worm Scanning Strategies
Cliff C. Zou, Don Towsley, Weibo Gong
Univ. Massachusetts, Amherst

Slide 2: Motivation
Hackers have tried various scanning strategies in their scan-based worms:
- Uniform scan: Code Red, Slammer
- Local preference scan: Code Red II
- Sequential scan: Blaster
Possible scanning strategies:
- Target preference scan (selective attack from a routing worm)
- Divide-and-conquer scan
How do they affect a worm's propagation?
- Mean value analysis (based on the law of large numbers)
- Numerical solutions; simulation studies

Slide 3: Some Analysis Conclusions
Equivalent when vulnerable hosts are uniformly distributed: uniform scan, sequential scan, divide-and-conquer scan.
Local preference scan increases a worm's speed:
- when vulnerable hosts are not uniformly distributed
- the optimal local scan probability p* grows with the size of the local network (see slide 12)
Sequential scan: selecting the starting point locally slows down worm propagation.
Selective attack: whether global scan or target-only scan is faster is determined by the distribution of vulnerable hosts.

Slide 4: Two Guidelines in Defense
Prevent attackers from:
- identifying the IP addresses of a large number of vulnerable hosts (flash worm, hit-list worm)
- obtaining address information that reduces a worm's scanning space (routing worm)
Worm monitoring system:
- IP space coverage is not the only issue
- should monitor as many well-distributed IP blocks as possible (non-uniform scan worms)

Slide 5: Epidemic Model Introduction
Model for a homogeneous system; model for interacting groups.
Notation: I, number of infectious hosts; infection ability; N, number of hosts; η, scan rate; Ω, scanning space (for worm modeling the infection ability is expressed through the scan rate η and the scanning space Ω).

Slide 6: Infinitesimal Analysis of Epidemic Model
From time t to t + δ (δ → 0):
- vulnerable hosts [N − I(t)]; infected hosts I(t)
- an infected host infects vulnerable hosts; the probability that two scans hit the same vulnerable host is negligible
- newly infected hosts: the probability that two infected hosts infect the same vulnerable host is negligible
- thus I(t + δ) is: (equation not captured in transcript)
Notation: N, number of hosts; η, scan rate; Ω, scanning space; I, number of infectious hosts; δ, small time interval.
Probability p of a worm copy hitting a specific IP address during δ: (equation not captured in transcript)

Slide 7: Idealized Worm
Knows the IP addresses of all vulnerable hosts.
- Perfect worm: cooperation among worm copies
- Flash worm: no cooperation; random scan
Complete infection within seconds.

Slide 8: Uniform Scan Worm
- Traditional worm (Code Red, Slammer): uniformly scans the entire IPv4 space (Ω = 2^32)
- Hit-list worm [Staniford et al. 2002]: knows the IP addresses of a fraction of the vulnerable hosts; has a large number of initially infected hosts I(0)
- Routing worm [Zou et al. 2003]: uses the BGP routing table to reduce the worm's scanning space; has a bigger infection ability

Slide 9: Uniform Scan Worms Comparison
Defense: crucial to prevent attackers from
- identifying the IP addresses of a large number of vulnerable hosts (flash worm, hit-list worm)
- obtaining address information to reduce a worm's scanning space (routing worm)
Parameters of the comparison:
- hit-list worm: hit-list of I(0) = 10,000
- routing worm: Ω = 0.286 × 2^32
- other parameters: N = 360,000, η = 358/min, I(0) = 10
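The comparison on this slide can be reproduced numerically. The script below is an added example written for this transcript, not code from the talk: it integrates the simple epidemic model the analysis rests on, dI/dt = (η/Ω)·I(t)·(N − I(t)), with a forward-Euler step, using the parameters listed above (N = 360,000, η = 358/min, I(0) = 10, Ω = 2^32; I(0) = 10,000 for the hit-list worm; Ω = 0.286 × 2^32 for the routing worm). The 90% saturation threshold, the time step and the function names are choices made here. From a defender's view it makes the two guidelines concrete: both a large hit-list and a reduced scanning space cut the time to saturation by a factor of two to four, which is the reaction-time budget a monitoring system has to work with.

```python
"""Added example (not from the talk): numerical solution of the simple
epidemic model for uniform-scan worms, dI/dt = (eta/Omega) * I * (N - I),
for the three parameterizations compared on slide 9."""

IPV4 = 2 ** 32


def simulate(N, eta, Omega, I0, t_end=600, dt=0.01):
    """Forward-Euler integration of dI/dt = (eta/Omega) * I * (N - I).

    Time unit is minutes (eta is scans per minute per infected host).
    Returns one (minute, I) sample per minute. I is clamped to N so the
    Euler step cannot overshoot the vulnerable population near saturation.
    """
    beta = eta / Omega            # infection ability: rate per (infected, vulnerable) pair
    per_minute = int(round(1.0 / dt))
    I = float(I0)
    samples = []
    for k in range(t_end * per_minute + 1):
        if k % per_minute == 0:
            samples.append((k // per_minute, I))
        I = min(float(N), I + dt * beta * I * (N - I))
    return samples


def time_to_fraction(samples, N, frac):
    """First sampled minute at which I(t) >= frac * N, or None if never reached."""
    for minute, I in samples:
        if I >= frac * N:
            return minute
    return None


# Parameters listed on slide 9.
N = 360_000
ETA = 358.0

SCENARIOS = {
    "uniform":  dict(N=N, eta=ETA, Omega=IPV4,         I0=10),      # Code Red-like
    "hit-list": dict(N=N, eta=ETA, Omega=IPV4,         I0=10_000),  # large I(0)
    "routing":  dict(N=N, eta=ETA, Omega=0.286 * IPV4, I0=10),      # reduced scan space
}


def compare(frac=0.9):
    """Minutes until frac of the vulnerable population is infected, per scenario.
    The 90% threshold is a choice made for this example."""
    return {name: time_to_fraction(simulate(**p), p["N"], frac)
            for name, p in SCENARIOS.items()}


if __name__ == "__main__":
    for name, minute in compare().items():
        print(f"{name:9s} 90% infected after {minute} min")
```

With these parameters the uniform worm needs roughly seven hours to infect 90% of the population, the hit-list worm a little over three, and the routing worm about two; the logistic closed form N / (1 + (N/I(0) − 1)·e^(−ηNt/Ω)) gives the same numbers and is a quick check on the integrator.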

Slide 10: Divide-and-Conquer Scan Worm
Divide-and-conquer scan: an infected host gives half of its scanning space to its newest infected child host.
At time t, each worm copy has its own scanning space and share of the vulnerable hosts (equations not captured in transcript); the analysis uses the infinitesimal analysis technique.
Conclusion: when vulnerable hosts are uniformly distributed, divide-and-conquer scan is equivalent to uniform scan.

Slide 11: Local Preference Scan Worm
Model: epidemic in interacting groups.
Analysis: assume K "/n" networks
- with probability p: uniformly scan the local "/n" network
- with probability (1 − p): uniformly scan the others
Conclusions:
- vulnerable hosts uniformly distributed: no difference as long as the worm spreads out to every network
- vulnerable hosts not uniformly distributed (analysis: hosts uniformly distributed in m out of K networks): local preference scan increases a worm's speed

Slide 12: Local Preference Scan Worm (continued)
Local preference scan increases speed (when vulnerable hosts are not uniformly distributed):
- local scan on Class A ("/8") networks: p* ≈ 1
- local scan on Class B ("/16") networks: p* ≈ 0.85
- Code Red II: p = 0.5 (Class A), p = 0.375 (Class B), smaller than p*
[Figure: Class A local scan (K = 256, m = 116); Class B local scan (K = 2^16, m = 116 × 2^8)]
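The two conclusions of slides 11 and 12 (no effect of p when hosts are uniformly distributed, a large effect when they sit in m of the K networks) can be checked with the interacting-groups model. The following script is an added example, not code from the talk. The group equations are written here from the slide's verbal description (each copy scans its own "/n" block with probability p and the rest of the space with probability 1 − p), the Class A case (K = 256, m = 116) and the slide 9 parameters are used, and the worm is seeded in proportion to each network's vulnerable population, i.e. it is assumed to have already spread out to every network. The values p = 0 and p = 0.8, the Euler step and the function names are choices made here; the script does not search for p*.

```python
"""Added example (not from the talk): epidemic model in interacting groups
for a local preference scan worm, comparing uniformly distributed and
concentrated vulnerable populations over K = 256 "/8" networks."""

N, ETA, OMEGA = 360_000, 358.0, 2 ** 32      # slide 9 parameters
K, M = 256, 116                              # slide 12: /8 networks, hosts in 116 of 256


def simulate_groups(hosts_per_net, p, I0=10, t_end=500, dt=0.2):
    """Forward-Euler integration of the K-group model written from slide 11.

    A copy in network k scans its own block (OMEGA/K addresses) with
    probability p and the remaining OMEGA - OMEGA/K addresses with
    probability 1 - p, so new infections in network k arrive at rate
        ETA * (N_k - I_k) * [p * I_k / local + (1 - p) * sum_{j != k} I_j / remote].
    Initial infections are seeded in proportion to N_k (the worm is assumed
    to have already spread out to every network).  Returns one
    (minute, total infected) sample per minute.
    """
    local = OMEGA / K
    remote = OMEGA - local
    total_hosts = sum(hosts_per_net)
    I = [I0 * n / total_hosts for n in hosts_per_net]
    per_minute = int(round(1.0 / dt))
    samples = []
    for step in range(t_end * per_minute + 1):
        total = sum(I)
        if step % per_minute == 0:
            samples.append((step // per_minute, total))
        new_I = []
        for n, i in zip(hosts_per_net, I):
            # scans per address arriving at network k, per infected host
            density = p * i / local + (1.0 - p) * (total - i) / remote
            new_I.append(min(n, i + dt * ETA * (n - i) * density))
        I = new_I
    return samples


def time_to_fraction(samples, total_hosts, frac):
    """First sampled minute at which I(t) >= frac * total_hosts, or None."""
    for minute, I in samples:
        if I >= frac * total_hosts:
            return minute
    return None


def local_preference_demo(frac=0.9):
    """Minutes to infect frac of N for p = 0 and p = 0.8 under both distributions."""
    uniform = [N / K] * K                            # same host density in every /8
    concentrated = [N / M] * M + [0.0] * (K - M)     # hosts only in M of the K networks
    out = {}
    for label, dist in (("uniform", uniform), ("concentrated", concentrated)):
        for p in (0.0, 0.8):
            out[f"{label}_p{p}"] = time_to_fraction(simulate_groups(dist, p), N, frac)
    return out


if __name__ == "__main__":
    for key, minute in local_preference_demo().items():
        print(f"{key:18s} 90% infected after {minute} min")
```

In the uniform case the two p values give the same curve, because with I_k = I/K the bracketed term collapses to I/Ω regardless of p. In the concentrated case the same term becomes (pK/m + (1 − p)(1 − 1/m)K/(K − 1))·I/Ω, which for K = 256, m = 116, p = 0.8 is about 1.96·I/Ω, so the worm saturates roughly twice as fast; this is the mechanism behind the slide's p* ≈ 1 for /8 networks.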

Slide 13: Sequential Scan Worm
Sequential scan: sequentially scans IP addresses from a starting point.
- The Blaster worm selects its starting point locally with p = 0.4.
- Such local preference slows down worm propagation. Reason: child worm copies are more likely to be wasted repeating their parents' scanning trails.
Sequential scan is equivalent to uniform scan when vulnerable hosts are uniformly distributed in the IPv4 space and the worm selects its starting point uniformly.

Slide 14: Sequential Scan Worm Simulation Study
Simulations agree with our analyses.
Analysis limitation (mean value analysis): no consideration of variability.
[Figure: comparison of uniform scan and sequential scan with/without local preference (100 simulation runs; vulnerable hosts uniformly distributed in the entire IPv4 space)]

Slide 15: Sequential Scan Worm Simulation Study (continued)
Observations:
- Local preference in selecting the starting point is a bad idea.
- Mean value analysis cannot analyze variability.
[Figure: uniform scan, sequential scan with/without local preference (100 simulation runs); vulnerable hosts uniformly distributed in the BGP-routable IP space (28.6% of the IPv4 space)]

Slide 16: Selective Attack Worm
Target domain, other domains, target-only scan, global scan: (equations not captured in transcript)
Conclusion: target-only scan is faster when vulnerable hosts are more densely distributed in the target domain than in other domains (c1 < c2).

Slide 17: Worm Monitoring System Design
"Network telescope" monitoring system [Moore 2002]: observes global Internet activity from the traffic monitored on a small fraction of the IP space.
Should monitor as many well-distributed IP blocks as possible.
[Figure: Blaster worm simulation and monitoring; worm propagation I(t) and monitored data C(t), directly monitored and after a low-pass filter]
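The relation between the propagation curve I(t) and the monitored data C(t) in the figure can be illustrated with a small observation model. The script below is an added example, not code from the talk or from the network telescope project: it assumes a uniform-scan worm with the slide 9 parameters, a single monitored /16 block, and that each scan lands in that block independently, so the per-minute count C(t) is Poisson with mean η·I(t)·(monitored addresses/Ω). The first-order low-pass filter (an exponential moving average with α = 0.2), the seed and the function names are choices made here. The point for a monitoring design is twofold: the raw counts are noisy and must be smoothed before they track I(t), and the inversion C(t)/(η·f) is only valid because the worm scans uniformly; a sequential or local-preference worm does not spread its scans evenly over one contiguous block, which is why the slide asks for many well-distributed blocks rather than one large one.

```python
"""Added example (not from the talk): what a network telescope sees of a
uniform-scan worm and how a low-pass filter turns the monitored counts
C(t) into an estimate of I(t)."""
import math
import random

N, ETA, OMEGA, I0 = 360_000, 358.0, 2 ** 32, 10   # slide 9 parameters
MONITORED = 2 ** 16                               # constructed: one /16 block is monitored
F = MONITORED / OMEGA                             # fraction of the scan space covered


def infected(t):
    """Closed-form solution of dI/dt = (ETA/OMEGA) I (N - I) at minute t."""
    r = ETA * N / OMEGA
    return N / (1.0 + (N / I0 - 1.0) * math.exp(-r * t))


def poisson(rng, lam):
    """Exact Poisson sample: count unit-rate exponential interarrivals within lam."""
    n, s = 0, 0.0
    while True:
        s += -math.log(1.0 - rng.random())
        if s > lam:
            return n
        n += 1


def monitored_counts(rng, minutes):
    """Constructed observation model: each of the ETA*I(t) scans per minute
    lands in the monitored block independently with probability F, so the
    per-minute count C(t) is Poisson with mean ETA * I(t) * F.  Valid only
    for a worm that scans uniformly over the whole space."""
    return [poisson(rng, ETA * infected(t) * F) for t in range(minutes)]


def low_pass(counts, alpha=0.2):
    """First-order low-pass (exponential moving average) filter of C(t)."""
    y, out = 0.0, []
    for c in counts:
        y = alpha * c + (1.0 - alpha) * y
        out.append(y)
    return out


def estimate_infected(counts):
    """Invert the observation model: I(t) ~ C(t) / (ETA * F)."""
    return [c / (ETA * F) for c in counts]


def mean_rel_error(estimate, minutes):
    """Mean relative error of an estimate of I(t) over the given minutes."""
    return sum(abs(estimate[t] - infected(t)) / infected(t) for t in minutes) / len(minutes)


def run_demo(minutes=600, seed=7):
    rng = random.Random(seed)
    counts = monitored_counts(rng, minutes)
    raw = estimate_infected(counts)
    filtered = estimate_infected(low_pass(counts))
    plateau = range(minutes - 100, minutes)       # where I(t) has saturated near N
    return {
        "raw_rel_err": mean_rel_error(raw, plateau),
        "filtered_rel_err": mean_rel_error(filtered, plateau),
        "final_estimate": filtered[-1],
        "first_minute_seen": next(t for t, c in enumerate(counts) if c > 0),
    }


if __name__ == "__main__":
    r = run_demo()
    print(f"first scan seen at minute {r['first_minute_seen']}; "
          f"final estimate {r['final_estimate']:.0f} of N={N}; "
          f"plateau error raw {r['raw_rel_err']:.3%} vs filtered {r['filtered_rel_err']:.3%}")
```

Two things are worth noticing when running it. With I(0) = 10 the expected count in the /16 block is only about 0.05 scans per minute, so the early growth phase is essentially invisible to a single block of this size; only the combined coverage of many blocks raises the chance of an early sighting. And on the saturated plateau the raw per-minute estimate fluctuates by a few percent (Poisson noise with mean around 2,000), while the filtered estimate tracks N to well under one percent, at the cost of a lag of a few minutes.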

Slide 18: Summary
Modeling basis: law of large numbers; mean value analysis; infinitesimal analysis; epidemic model.
Conclusions: everything comes down to the worm scanning space Ω (or the density of the vulnerable population):
- flash worm, hit-list worm, routing worm
- local preference, divide-and-conquer, selective attack
- monitoring: sequential scan worm

