Modeling, Early Detection, and Mitigation of Internet Worm Attacks Cliff Changchun Zou Assistant professor School of Computer Science University of Central Florida Orlando, FL Email: czou@cs.ucf.edu Web: http://www.cs.ucf.edu/~czou
Worm propagation process Find new targets IP random scanning Compromise targets Exploit vulnerability Newly infected join infection army
Worm research motivation Code Red (Jul. 2001) : 360,000 infected in 14 hours Slammer (Jan. 2003) : 75,000 infected in 10 minutes Congested parts of Internet (ATMs down…) Blaster (Aug. 2003) : 150,000 ~ 8 million infected DDOS attack (shut down domain windowsupdate.com) Witty (Mar. 2004) : 12,000 infected in half an hour Attack vulnerability in ISS security products Sasser (May 2004) : 500,000 infected within two days Infection faster than human response !
How to defend against worm attack? Automatic response required First, understanding worm behavior Basis for worm detection/defense Next, early warning of an unknown worm Detection based on worm model Prediction of worm damage scale Last, autonomous defense Dynamic quarantine Self-tuning defense
Outline Worm propagation modeling Early warning of an unknown worm Autonomous defense Summary and current work
Outline Worm propagation modeling Early warning of an unknown worm Autonomous defense Summary and current work
Simple worm propagation model address space, size W N : total vulnerable It : infected by time t N-It vulnerable at time t scan rate (per host), h W Prob. of a scan hitting vulnerable # of increased infected in a unit time
Simple worm propagation
Code Red worm modeling Simple worm model matches observed Code Red data “Ideal” network condition No human countermeasures No network congestions First model work to consider these [CCS’02]
Witty worm modeling Witty’s destructive behavior: 1). Send 20,000 UDP scans to 20,000 IP addresses 2). Write 65KB in a random point in hard disk Consider an infected computer: Constant bandwidth constant time to send 20,000 scans Random point writing infected host crashes with prob. Crashing time approximate by Exponential distribution ( )
Witty worm modeling hours # of vulnerable at t : # of crashed infected computers at time t Memoryless property # of vulnerable at t hours *Witty trace provided by U. Michigan “Internet Motion Sensor”
Advanced worm modeling — hitlist, routing worm Hitlist worm — increase I0 Contains a list of known vulnerable hosts Infects hit-list hosts first, then randomly scans Lasts less than a minute Routing worm — decrease W Only scan BGP routable space BGP table information: W = .32£ 232 32% of IPv4 space is Internet routable
Hitlist, routing worm Code Red style worm h = 358/min N = 360,000 hitlist, I(0) = 10,000 routing, W=.29£ 232
Botnet-based Diurnal Modeling North America Europe Eastern Asia Diurnal property of online infectious hosts Determined by time zone
Worm Propagation Diurnal Model Divide Internet hosts into groups Each group has hosts in one or several nearby time zones same diurnal property Consider modeling in one group: : diurnal shaping function (fraction of online hosts) : # of infected : # of online infected : # of online susceptible : # of susceptible
Optimal Worm Releasing Time based on Diurnal Model Diurnal property affects a worm’s speed Speed prediction derived based on diurnal model
Outline Worm propagation modeling Early warning of an unknown worm Autonomous defense Summary and current work
How to detect an unknown worm at its early stage? Monitor: Worm scans to unused IPs TCP/SYN packets UDP packets Also called “darknet” Internet Monitored traffic Monitored data is noisy Unused IP space Local network
Can we take advantage of worm model to detect a worm? Reflection Worm anomaly other anomalies? A worm has its own propagation dynamics Deterministic models appropriate for worms Can we take advantage of worm model to detect a worm?
Worm model in early stage 1% 2% Initial stage exhibits exponential growth
“Trend Detection” Detect traffic trend, not burst Trend: worm exponential growth trend at the beginning Detection: estimated exponential rate a be a positive, constant value Monitored illegitimate traffic rate Worm traffic Non-worm burst traffic Exponential rate a on-line estimation
Why exponential growth at the beginning? Attacker’s incentive: infect as many as possible before people’s counteractions If not, a worm does not reach its spreading speed limit Slow spreading worm detected by other ways Security experts manual check Honeypot, …
Model for estimate of worm exponential growth rate a Exponential model: : monitoring noise Zt : # of monitored scans at time t yield
Estimation by Kalman Filter System: where Kalman Filter for estimation of Xt :
Code Red simulation experiments Population: N=360,000, Infection rate: a = 1.8/hour, Scan rate h = N(358/min, 1002), Initially infected: I0=10 Monitored IP space 220, Monitoring interval: 1 minute Consider background noise At 0.3% (157 min): estimate stabilizes at a positive constant value
Damage evaluation — Prediction of global vulnerable population N yield Accurate prediction when less than 1% of N infected
Damage evaluation — Estimation of global infected population It Monitoring 214 IP space (p=4£ 10-6) : cumulative # of observed infected hosts by time t : per host scan rate : fraction of address space monitored : Prob. an infected to be observed by the monitor in a unit time # of unobserved Infected by t # of newly observed (tt+1)
Outline Worm propagation modeling Early warning of an unknown worm Autonomous defense Summary and current work
Autonomous defense principles Principle #1 Preemptive Quarantine Compared to attack potential damage, we are willing to tolerate some false alarm cost Quarantine upon suspicious, confirm later Basis for our Dynamic Quarantine [WORM’03] Principle #2 Adaptive Adjustment More serious attack, more aggressive defense At any time t, minimize: (attack damage cost) + (false alarm cost)
Self-tuning defense against various network attacks Principle #2 : Adaptive Adjustment More severe attack, more aggressive defense Self-tuning defense system designs: SYN flood Distributed Denial-of-Service (DDoS) attack Internet worm infection DDoS attack with no source address spoofing
Motivation of self-tuning defense 1 : False positive prob. blocking normal traffic Severe attack : False negative prob. missing attack traffic : Detection sensitivity Light attack : Fraction of attack in traffic Q: Which operation point is “good”? A: All operation points are good Optimal one depends on attack severity p
Estimation of attack severity p Incoming Filter Passed Dropped : Fraction of detected traffic # of incoming normal traffic attack traffic Unbiased
Self-tuning defense design Incoming Filter Passed Self-tuning optimization Attack estimation Discrete time k k+1 Optimization: Fraction of passed attack dropped normal : Cost of dropping a normal traffic : Cost of passing an attack traffic
Self-tuning defense structure Attack Severity Operation Settings Detection Defense More severe attack, more aggressive defense
Outline Worm propagation modeling Early warning of an unknown worm Autonomous defense Summary and current work
Worm research contribution Worm modeling: Two-factor model: Human counteractions; network congestion Diurnal modeling; worm scanning strategies modeling Early detection: Detection based on “exponential growth trend” Estimate/predict worm potential damage Autonomous defense: Dynamic quarantine (interviewed by NPR) Self-tuning defense (patent filed by AT&T) Email-based worm modeling and defense