Modeling/Detecting the Spread of Active Worms Lixin Gao Dept. Of Electrical & Computer Engineering Univ. of Massachusetts

Modeling/Detecting the Spread of Active Worms
Lixin Gao, Dept. of Electrical & Computer Engineering, Univ. of Massachusetts
Joint work with Z. Chen, J. Wu, S. Vangala and K. Kwiat

DIMACS workshop on Large-Scale Internet Attack, Sept 23-24

Monitoring Architecture
[Figure: several monitoring components, each a black-hole address space feeding a traffic analyzer, report to a central detection center.]

What to monitor?
- Inactive addresses
- Inactive ports
- Number of victims
- Total scan traffic
- Number of flows
- Distribution of destination addresses
- Outbound traffic
- ?

How to monitor?
- Aggregate data from inactive addresses and ports
- Address space
- Address and port selection
- Learn the trend and determine anomalies
- Selective monitoring
- Adaptive monitoring
- Feedback based

Potential Issues
- Spoofed IP addresses
- Multi-vector worms
- Aggressive scans
- Stealth scans
- Detecting only large-scale attacks

Analytical Active Worm Propagation (AAWP) Model
- T: size of the address space the worm scans
- N: total number of vulnerable hosts in that space
- S: scan rate (scans per infected host per time unit)
- n_i: number of infected machines at time i

Monitoring Random Scan

Detection Time vs. Monitoring Space
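The three slides above (the AAWP definitions, monitoring a random-scan worm, and detection time versus monitoring space) are tied together by the AAWP recurrence from the cited INFOCOM 2003 paper, n_{i+1} = n_i + (N - n_i)[1 - (1 - 1/T)^(S n_i)]. The following is an added example, not code from the talk or its authors: it iterates that recurrence and estimates how many scans a black hole of M unused addresses would see per tick under uniform random scanning, then reports when a cumulative-count alarm would fire for several monitored-space sizes. The population, scan rate, alarm threshold and the cumulative-count alarm rule are all constructed assumptions.

```python
"""AAWP propagation recurrence for a random-scan worm and the scan volume a black-hole
monitor of M addresses would see. Added example; parameters below are constructed."""
import math


def aawp(T, N, S, n0, ticks):
    """Return [n_0, ..., n_ticks] from the AAWP recurrence
        n_{i+1} = n_i + (N - n_i) * (1 - (1 - 1/T)^(S * n_i)).
    The n_i infected hosts send S * n_i uniformly random scans per tick; a still-vulnerable
    host escapes all of them with probability (1 - 1/T)^(S n_i)."""
    log_miss = math.log1p(-1.0 / T)            # log(1 - 1/T) without cancellation for T = 2^32
    n = float(n0)
    series = [n]
    for _ in range(ticks):
        p_hit = -math.expm1(S * n * log_miss)  # 1 - (1 - 1/T)^(S n), accurate when tiny
        n = n + (N - n) * p_hit
        series.append(n)
    return series


def expected_monitored_scans(n, S, T, M):
    """Scans per tick expected to land in a monitored (unused) block of M of the T addresses."""
    return S * n * M / T


def detection_tick(series, S, T, M, threshold):
    """First tick at which the cumulative expected scans seen by the monitor reach the
    alarm threshold, or None. The threshold-on-cumulative-count rule is an assumption."""
    seen = 0.0
    for tick, n in enumerate(series):
        seen += expected_monitored_scans(n, S, T, M)
        if seen >= threshold:
            return tick
    return None


if __name__ == "__main__":
    T, N, S = 2 ** 32, 500_000, 1000     # IPv4 space, vulnerable population, scans/host/tick
    series = aawp(T, N, S, n0=1, ticks=400)
    for M in (2 ** 16, 2 ** 20, 2 ** 24):
        t = detection_tick(series, S, T, M, threshold=100)
        print(f"monitor /{32 - M.bit_length() + 1}: alarm at tick {t}, "
              f"{100 * series[t] / N:.3f}% of vulnerable hosts infected")
```

Early in the outbreak the recurrence grows by roughly N·S/T per tick (about 11.6% with these numbers), so each factor of 16 in monitored space moves the alarm earlier by the same number of doublings; the run prints the resulting tick and the infected fraction at alarm time for a /16, a /20-sized block and a /8-sized block.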

Local Subnet Scan
- The worm preferentially scans for targets in the "local" address space
- Nimda worm:
  - 50% of the time, choose an address with the same first two octets
  - 25% of the time, choose an address with the same first octet
  - 25% of the time, choose a random address
- The AAWP model is extended to capture the characteristics of local subnet scanning
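The Nimda mix above is also what makes local-subnet scanning visible in the "distribution of destination addresses" listed earlier under what to monitor. As an added example (not the authors' code), the block below generates outbound targets with the stated 50/25/25 preference and with uniform random scanning from one synthetic source address, then profiles what fraction of destinations stay inside the source's /16 and /8. The source address, trace sizes and the 10% classification cut-off are constructed assumptions.

```python
"""Local-subnet (Nimda-style) target selection versus uniform random scanning, and the
destination-address distribution a monitor can use to tell them apart.
Constructed example: the source address and traces are synthetic."""
import ipaddress
import random


def nimda_target(src: int, rng: random.Random) -> int:
    """Pick a 32-bit target with the local preference the slide attributes to Nimda:
    50% keep src's first two octets (same /16), 25% keep the first octet (same /8),
    25% uniformly random."""
    r = rng.random()
    if r < 0.5:
        return (src & 0xFFFF0000) | rng.getrandbits(16)
    if r < 0.75:
        return (src & 0xFF000000) | rng.getrandbits(24)
    return rng.getrandbits(32)


def random_target(src: int, rng: random.Random) -> int:
    """Uniform random scan: every address in the 2^32 space equally likely."""
    return rng.getrandbits(32)


def scan_trace(src, count, chooser, rng):
    """Outbound destinations one infected host would emit under the given strategy."""
    return [chooser(src, rng) for _ in range(count)]


def locality_profile(src, dests):
    """Fraction of destinations sharing src's /16 and /8 prefix.
    A uniform scanner yields about 1/65536 and 1/256; a Nimda-style one about 0.50 and 0.75."""
    same16 = sum(1 for d in dests if d >> 16 == src >> 16)
    same8 = sum(1 for d in dests if d >> 24 == src >> 24)
    return same16 / len(dests), same8 / len(dests)


def classify(src, dests, threshold=0.1):
    """Label a host's outbound scan as local-preference when far more than the uniform share
    (1/256) of its destinations stay inside its own /8. The 10% cut-off is an assumption."""
    _, same8 = locality_profile(src, dests)
    return "local-preference" if same8 >= threshold else "random"


def demo(seed=7, count=20000):
    """Run both strategies from one synthetic source and profile the outbound destinations."""
    rng = random.Random(seed)
    src = int(ipaddress.ip_address("10.20.30.40"))
    nimda = scan_trace(src, count, nimda_target, rng)
    uniform = scan_trace(src, count, random_target, rng)
    return {
        "nimda": locality_profile(src, nimda),
        "uniform": locality_profile(src, uniform),
        "nimda_class": classify(src, nimda),
        "uniform_class": classify(src, uniform),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The same-/8 fraction is the more robust feature for a per-host detector: a uniform scanner lands in its own /8 about 0.4% of the time, a 50/25/25 scanner about 75% of the time, so the two are separated by two orders of magnitude even on short traces.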

Compare Local Subnet Scan with Random Scan

More Malicious Scan
- Random scan wastes too much scanning effort on unused address space and is easier to get caught
- More malicious scan techniques: choose the probe targets more carefully

Scan Methods
- Selective Scan
- Routable Scan
- Divide-Conquer Scan
- Hybrid Scan

Selective Scan
- Randomly selected destinations
- Selective random scan: the Slapper worm picks from a list of 162 /8 networks
- Benefit: simplicity, small program size

Selective Scan

Routable Scan
- Scan only routable addresses, taken from the global BGP table
- How to reduce the payload?
  - 112K prefixes; merging address segments with a 2^16 threshold gives a 15.4 KB database
  - Only 20% of the segments contribute 90% of the addresses: a 3 KB database
  - Further compression is possible
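The payload reduction above is a prefix-list compression problem, and the same compact database is what a defender needs to build a routable-address filter for detection. The block below is an added example, not the authors' tool: it turns a constructed list of prefixes into merged [start, end) segments, closes gaps narrower than 2^16 addresses (one reading of the slide's 2^16 threshold; the slide does not say exactly how the threshold is applied, so this is an assumption), keeps the largest segments until they cover 90% of the listed addresses, and reports the resulting database size at eight bytes per segment. The prefix list is invented, not a BGP snapshot.

```python
"""Compress a routable-prefix list into a compact segment database (routable-scan payload)
and look addresses up in it. Constructed example; the prefixes below are invented."""
import bisect
import ipaddress

# Constructed prefix list standing in for a BGP table dump.
PREFIXES = [
    "10.0.0.0/8", "10.1.0.0/16",          # more-specific inside a less-specific
    "192.0.2.0/24", "192.0.3.0/24",       # adjacent blocks
    "192.0.5.0/24",                       # separated from 192.0.3.0/24 by one /24 gap
    "198.51.100.0/24", "203.0.113.0/24", "172.16.0.0/12",
]


def prefixes_to_segments(prefixes):
    """Convert 'a.b.c.d/len' strings to sorted [start, end) integer ranges, merging
    overlapping and adjacent ones."""
    segs = sorted((int(n.network_address), int(n.broadcast_address) + 1)
                  for n in (ipaddress.ip_network(p, strict=False) for p in prefixes))
    merged = []
    for start, end in segs:
        if merged and start <= merged[-1][1]:          # overlap or exact adjacency
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def close_small_gaps(segments, gap_threshold=2 ** 16):
    """Merge neighbours whose unrouted gap is smaller than gap_threshold addresses
    (assumed interpretation of the slide's 2^16 threshold): a few wasted scans in the gap
    buy a shorter segment list."""
    out = []
    for start, end in segments:
        if out and start - out[-1][1] < gap_threshold:
            out[-1] = (out[-1][0], end)
        else:
            out.append((start, end))
    return out


def top_segments_covering(segments, fraction=0.9):
    """Keep the largest segments until they cover `fraction` of all listed addresses
    (the slide's observation that few segments contribute most of the addresses)."""
    total = sum(e - s for s, e in segments)
    chosen, covered = [], 0
    for s, e in sorted(segments, key=lambda se: se[1] - se[0], reverse=True):
        if covered >= fraction * total:
            break
        chosen.append((s, e))
        covered += e - s
    return sorted(chosen)


def db_size_bytes(segments):
    """Each segment is stored as two 32-bit addresses."""
    return 8 * len(segments)


def is_routable(segments, addr):
    """Binary-search lookup: is the integer address inside any [start, end) segment?"""
    starts = [s for s, _ in segments]
    i = bisect.bisect_right(starts, addr) - 1
    return i >= 0 and addr < segments[i][1]


if __name__ == "__main__":
    segs = prefixes_to_segments(PREFIXES)
    closed = close_small_gaps(segs)
    top = top_segments_covering(closed)
    for name, db in (("merged", segs), ("gaps closed", closed), ("90% cover", top)):
        print(f"{name}: {len(db)} segments, {db_size_bytes(db)} bytes")
```

On this input the eight prefixes collapse to six segments, closing the one small gap leaves five, and a single segment (10.0.0.0/8) already covers more than 90% of the listed addresses; the lookup shows the side effect of gap closing, since an address in the closed gap becomes "routable" for the worm even though no prefix covered it.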

Spread of Routable Scan

Monitoring Routable Scan

Divide-Conquer Scan
- An extension of routable scan
- Each time a new host is infected, it receives half of the infecting host's remaining address space
- Susceptible to a single point of failure: a host that goes down before handing off its share leaves that space unscanned
- Possible overlapping address space
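To make the hand-off and the single-point-of-failure property concrete, here is an added toy simulation (not the authors' code or model): one hitlist-seeded host owns the whole space, every host sweeps its range sequentially and gives the upper half of what it has not yet scanned to each host it infects, and hosts are removed with a per-tick probability to stand in for patching or shutdown. The 2^20-address space, 2000 synthetic vulnerable hosts, scan budget and removal probability are constructed assumptions.

```python
"""Toy simulation of divide-and-conquer scanning with range hand-off.
Constructed example: a 2^20-address toy space with 2000 synthetic vulnerable hosts,
seeded from one hitlist host; not a model of the Internet."""
import random


def simulate_divide_conquer(space, vulnerable, scans_per_tick, death_prob, rng, max_ticks=5000):
    """Each infected host owns an unscanned [next, end) range and sweeps it sequentially.
    When it infects a host it hands over the upper half of its remaining range, so the
    two never overlap. A host that is patched or shut down (probability death_prob per
    tick) disappears with its unscanned range: nobody else knows that range is unswept,
    which is the single point of failure the slide mentions.
    Returns (infected_count, lost_addresses, ticks_elapsed)."""
    infected = set()
    workers = [["hitlist-seed", 0, space]]  # [host, next unscanned address, end)
    lost = 0
    for tick in range(1, max_ticks + 1):
        survivors, spawned = [], []
        for w in workers:
            if rng.random() < death_prob:
                lost += w[2] - w[1]          # this range will never be scanned
                continue
            budget = scans_per_tick
            while budget > 0 and w[1] < w[2]:
                addr = w[1]
                w[1] += 1
                budget -= 1
                if addr in vulnerable and addr not in infected:
                    infected.add(addr)
                    mid = (w[1] + w[2]) // 2  # split what is left, not the original range
                    spawned.append([addr, mid, w[2]])
                    w[2] = mid
            if w[1] < w[2]:
                survivors.append(w)
        workers = survivors + spawned
        if not workers:
            return len(infected), lost, tick
    return len(infected), lost, max_ticks


def demo(seed=3):
    """Same vulnerable population and scan budget, with and without host removal."""
    rng = random.Random(seed)
    space = 1 << 20
    vulnerable = set(rng.sample(range(space), 2000))
    return {
        "no_deaths": simulate_divide_conquer(space, vulnerable, 1000, 0.0, random.Random(seed)),
        "deaths": simulate_divide_conquer(space, vulnerable, 1000, 0.02, random.Random(seed)),
    }


if __name__ == "__main__":
    for name, (hosts, lost, ticks) in demo().items():
        print(f"{name}: {hosts} hosts infected, {lost} addresses never scanned, {ticks} ticks")
```

Without removals the ranges partition the space exactly, so every vulnerable host is reached with no overlap and no duplicate scans; with removals, each lost host takes an unswept range with it and the worm finishes early with part of the population untouched, which is the cost of having no redundancy in who is responsible for which addresses.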

Divide-Conquer Scan

Monitoring Divide-Conquer Scan

Hybrid Scan
- A combination of the simple scan methods above
- For example: Routable + Hitlist + Local Subnet Scan; Divide-Conquer + Hitlist

More Details
- Modeling the Spread of Active Worms, Z. Chen, L. Gao, K. Kwiat, INFOCOM 2003
- An Effective Architecture and Algorithm for Detecting Worms with Various Scan Techniques, J. Wu, S. Vangala, L. Gao, K. Kwiat