Modeling/Detecting the Spread of Active Worms Lixin Gao Dept. Of Electrical & Computer Engineering Univ. of Massachusetts Joint Work with Z.Chen, J. Wu, S. Vangala and K. Kwiat
DIMACS workshop on Large-Scale Internet Attack, Sept 23-24, Traffic Analyzer Traffic Analyzer Traffic Analyzer Black Hole Black Hole Black Hole Detection Center Monitoring Component Monitoring Architecture
DIMACS workshop on Large-Scale Internet Attack, Sept 23-24, What to monitor? Inactive addresses Inactive ports # of victims Total scan traffic # of flows Distribution of destination addresses Outbound traffic ?
DIMACS workshop on Large-Scale Internet Attack, Sept 23-24, How to monitor? Aggregate data from inactive addresses and ports Address space Address and port selection Learn trend and determine anomalies Selectively monitoring Adaptive monitoring Feedback based
DIMACS workshop on Large-Scale Internet Attack, Sept 23-24, Potential Issues Spoofed IP Multi-vector worm Aggressive scan Stealth scan Detecting only large scale attack
DIMACS workshop on Large-Scale Internet Attack, Sept 23-24, Analytical Active Worm Propagation (AAWP) Model T: size of the address space worm scans N: total number of vulnerable hosts in the space S: scan rate n i: number of infected machines at time i
DIMACS workshop on Large-Scale Internet Attack, Sept 23-24, Monitoring Random Scan
DIMACS workshop on Large-Scale Internet Attack, Sept 23-24, Detection Time vs. Monitoring Space
DIMACS workshop on Large-Scale Internet Attack, Sept 23-24, Local Subnet Scan The worms preferentially scan for targets on the “local” address space Nimda worm: 50% of the time, choose an address with the same first two octets 25% of the time, choose an address with the same first octet 25% of the time, choose a random address AAWP model is extended to understand the characteristics of local subnet scanning
DIMACS workshop on Large-Scale Internet Attack, Sept 23-24, Compare Local Subnet Scan with Random Scan
DIMACS workshop on Large-Scale Internet Attack, Sept 23-24, More Malicious Scan Random Scan Wastes too much power Easier to get caught More malicious scan techniques Probing hosts are chosen more carefully?
DIMACS workshop on Large-Scale Internet Attack, Sept 23-24, Scan Methods Selective Scan Routable Scan Divide-Conquer Scan Hybrid Scan
DIMACS workshop on Large-Scale Internet Attack, Sept 23-24, Selective Scan Randomly selected destinations Selective Random Scan Slapper worm Picks 162 /8 networks Benefit: Simplicity, small program size
DIMACS workshop on Large-Scale Internet Attack, Sept 23-24, Selective Scan
DIMACS workshop on Large-Scale Internet Attack, Sept 23-24, Routable Scan Scan only routable addresses from global BGP table How to reduce the payload? 112K prefixes merge address segments, and use 2^16 threshold = 15.4 KB database Only 20% segments contribute 90% addresses 3KB database Further compression
DIMACS workshop on Large-Scale Internet Attack, Sept 23-24, Spread of Routable Scan
DIMACS workshop on Large-Scale Internet Attack, Sept 23-24, Monitoring Routable Scan
DIMACS workshop on Large-Scale Internet Attack, Sept 23-24, Divide-Conquer Scan An extension to routable scan Each time a new host gets infected, it will get half of the address space. Susceptible to single point of failure Possible overlapping address space
DIMACS workshop on Large-Scale Internet Attack, Sept 23-24, Divide-Conquer Scan
DIMACS workshop on Large-Scale Internet Attack, Sept 23-24, Monitoring Divide-Conquer Scan
DIMACS workshop on Large-Scale Internet Attack, Sept 23-24, Hybrid Scan A combination of the simple scan methods above For example: Routable + Hitlist + Local Subnet Scan Divide-Conquer + Hitlist
DIMACS workshop on Large-Scale Internet Attack, Sept 23-24, More Details See Modeling the Spread of Active Worms, Z.Chen, L. Gao, K. Kwiat, INFOCOM 2003 at An Effective Architecture and algorithm for Detecting Worms with Various Scan Techniques, J. Wu, S. Vangala, L.Gao, K.Kwiat, at