Fast and Robust Worm Detection Algorithm Tian Bu Aiyou Chen Scott Vander Wiel Thomas Woo bearhsu.

Slides:



Advertisements
Similar presentations
Min-Plus Linear Systems Theory and Bandwidth Estimation Min-Plus Linear Systems Theory and Bandwidth Estimation TexPoint fonts used in EMF. Read the TexPoint.
Advertisements

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
Leveraging Good Intentions to Reduce Unwanted Network Traffic Marianne Shaw (U. Washington) USENIX 2nd Workshop on Steps to Reducing Unwanted Traffic on.
A Fast and Compact Method for Unveiling Significant Patterns in High-Speed Networks Tian Bu 1, Jin Cao 1, Aiyou Chen 1, Patrick P. C. Lee 2 Bell Labs,
In/Out Traffic Proportion Based Analyses for Network Anomaly Detection By Zhang FengXiang
1 Distributed Control Algorithms for Service Differentiation in Wireless Packet Networks INFOCOM 2001 Michael Barry, Andrew T. Campbell Andras Veres.
Worm Origin Identification Using Random Moonwalks Yinglian Xie, V. Sekar, D. A. Maltz, M. K. Reiter, Hui Zhang 2005 IEEE Symposium on Security and Privacy.
AdaBoost & Its Applications
Adaptive Load Shedding for Mining Frequent Patterns from Data Streams Xuan Hong Dang, Wee-Keong Ng, and Kok-Leong Ong (DaWaK 2006) 2008/3/191Yi-Chun Chen.
 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.
Modeling the spread of active worms Zesheng Chen, Lixin Gao, and Kevin Kwiat bearhsu - INFOCOM 2003.
Statistical Inference Chapter 12/13. COMP 5340/6340 Statistical Inference2 Statistical Inference Given a sample of observations from a population, the.
Reverse Hashing for High-speed Network Monitoring: Algorithms, Evaluation, and Applications Robert Schweller 1, Zhichun Li 1, Yan Chen 1, Yan Gao 1, Ashish.
Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.
CSE 221: Probabilistic Analysis of Computer Systems Topics covered: Statistical inference (Sec. )
Maximum Likelihood We have studied the OLS estimator. It only applies under certain assumptions In particular,  ~ N(0, 2 ) But what if the sampling distribution.
Worms: Taxonomy and Detection Mark Shaneck 2/6/2004.
Towards a High-speed Router-based Anomaly/Intrusion Detection System (HRAID) Zhichun Li, Yan Gao, Yan Chen Northwestern.
Study of Distance Vector Routing Protocols for Mobile Ad Hoc Networks Yi Lu, Weichao Wang, Bharat Bhargava CERIAS and Department of Computer Sciences Purdue.
EL 933 Final Project Presentation Combining Filtering and Statistical Methods for Anomaly Detection Augustin Soule Kav´e SalamatianNina Taft.
CSE 221: Probabilistic Analysis of Computer Systems Topics covered: Statistical inference.
The Effects of Systemic Packets Loss on Aggregate TCP Flows Thomas J. Hacker May 8, 2002 Internet 2 Member Meeting.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
Tracking Port Scanners on the IP Backbone Tao Ye Sprint Burlingame, CA Avinash Sridharan University of Southern California.
A Statistical Anomaly Detection Technique based on Three Different Network Features Yuji Waizumi Tohoku Univ.
Fast Portscan Detection Using Sequential Hypothesis Testing Authors: Jaeyeon Jung, Vern Paxson, Arthur W. Berger, and Hari Balakrishnan Publication: IEEE.
SIGCOMM 2002 New Directions in Traffic Measurement and Accounting Focusing on the Elephants, Ignoring the Mice Cristian Estan and George Varghese University.
Carleton University School of Computer Science Detecting Intra-enterprise Scanning Worms based on Address Resolution David Whyte, Paul van Oorschot, Evangelos.
Bandwidth Estimation TexPoint fonts used in EMF.
Soft Sensor for Faulty Measurements Detection and Reconstruction in Urban Traffic Department of Adaptive systems, Institute of Information Theory and Automation,
Scalable and Efficient Data Streaming Algorithms for Detecting Common Content in Internet Traffic Minho Sung Networking & Telecommunications Group College.
The Internet Motion Sensor: A Distributed Blackhole Monitoring System Presented By: Arun Krishnamurthy Authors: Michael Bailey, Evan Cooke, Farnam Jahanian,
Code Red Worm Propagation Modeling and Analysis Cliff Changchun Zou, Weibo Gong, Don Towsley Univ. Massachusetts, Amherst.
Hamsa: Fast Signature Generation for Zero-day Polymorphic Worms with Provable Attack Resilience Zhichun Li, Manan Sanghi, Yan Chen, Ming-Yang Kao and Brian.
Detection Unknown Worms Using Randomness Check Computer and Communication Security Lab. Dept. of Computer Science and Engineering KOREA University Hyundo.
The GEO Line detection Monitor Thomas Cokelaer Cardiff University 22 nd August 2003 LIGO-G Z LSC meeting – Hannover – 18,21 August 2003.
Hung X. Nguyen and Matthew Roughan The University of Adelaide, Australia SAIL: Statistically Accurate Internet Loss Measurements.
Automatically Generating Models for Botnet Detection Presenter: 葉倚任 Authors: Peter Wurzinger, Leyla Bilge, Thorsten Holz, Jan Goebel, Christopher Kruegel,
IEEE Communications Surveys & Tutorials 1st Quarter 2008.
1 Chapters 8 Overview of Queuing Analysis. Chapter 8 Overview of Queuing Analysis 2 Projected vs. Actual Response Time.
Internet Observation with ISDAS: How long does a worm perform scanning? Tomohiro Kobori , Hiroaki Kikuchi (Tokai Univ, Japan) Masato Terada (Hitachi, Ltd.,
1 Robust Endpoint Detection and Energy Normalization for Real-Time Speech and Speaker Recognition Qi Li, Senior Member, IEEE, Jinsong Zheng, Augustine.
1 Modeling, Early Detection, and Mitigation of Internet Worm Attacks Cliff C. Zou Assistant professor School of Computer Science University of Central.
CINBAD CERN/HP ProCurve Joint Project on Networking 26 May 2009 Ryszard Erazm Jurga - CERN Milosz Marian Hulboj - CERN.
1 A Framework for Measuring and Predicting the Impact of Routing Changes Ying Zhang Z. Morley Mao Jia Wang.
1 On the Performance of Internet Worm Scanning Strategies Authors: Cliff C. Zou, Don Towsley, Weibo Gong Publication: Journal of Performance Evaluation,
1 Very Fast containment of Scanning Worms By: Artur Zak Modified by: David Allen Nicholas Weaver Stuart Staniford Vern Paxson ICSI Nevis Netowrks ICSI.
Presenter: Kuei-Yu Hsu Advisor: Dr. Kai-Wei Ke 2013/4/29 Detecting Skype flows Hidden in Web Traffic.
EE515/IS523: Security 101: Think Like an Adversary Evading Anomarly Detection through Variance Injection Attacks on PCA Benjamin I.P. Rubinstein, Blaine.
1 Modeling, Early Detection, and Mitigation of Internet Worm Attacks Cliff C. Zou Assistant professor School of Computer Science University of Central.
1 Monitoring and Early Warning for Internet Worms Cliff C. Zou, Lixin Gao, Weibo Gong, Don Towsley Univ. Massachusetts, Amherst.
Mapping Internet Sensor With Probe Response Attacks Authors: John Bethencourt, Jason Franklin, and Mary Vernon. University of Wisconsin, Madison. Usenix.
1 Monitoring and Early Warning for Internet Worms Authors: Cliff C. Zou, Lixin Gao, Weibo Gong, Don Towsley Univ. Massachusetts, Amherst Publish: 10th.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
On-line Detection of Real Time Multimedia Traffic
A 2 veto for Continuous Wave Searches
Data Streaming in Computer Networking
Worm Origin Identification Using Random Moonwalks
Presented by Prashant Duhoon
Transport Layer Unit 5.
Statistics in Applied Science and Technology
Mapping Internet Sensors With Probe Response Attacks
Modeling, Early Detection, and Mitigation of Internet Worm Attacks
Network-Wide Routing Oblivious Heavy Hitters
By: Ran Ben Basat, Technion, Israel
Maximum Likelihood We have studied the OLS estimator. It only applies under certain assumptions In particular,  ~ N(0, 2 ) But what if the sampling distribution.
Lu Tang , Qun Huang, Patrick P. C. Lee
Introduction to Internet Worm
PCAV: Evaluation of Parallel Coordinates Attack Visualization
Presentation transcript:

Fast and Robust Worm Detection Algorithm Tian Bu Aiyou Chen Scott Vander Wiel Thomas Woo bearhsu

Outline Introduction Algorithm Design CUSUM Maximum Likelihood Inference of Worm Propagation Rate Algorithm Evaluation Conclusion

Requirement of worm detections High -speed: Fast worms: making damage within minutes Accuracy: False positives: alarm without worms False negatives: worms without alarms Avoiding both Robustness: Working well for various worms with different propagation characteristics

Introduction Motivation: Proposing detecting methods with above requirements Method of work: Monitoring unused IP addresses Unsolicited traffic Using unsolicited packets as input to worm detection algorithms Result: Proposing a two-step algorithm 1st stage: CUSUM counting 2nd stage: Exponential detector

Unsolicited traffic Subnets usually has many unused IP addresses Bell Labs use these unused addresses as a network telescope Unsolicited packet: Packets sent to the unused IP addresses Usage: Arrival process of unsolicited packets Arrival of new sources that send these packets

Unsolicited Packets vs. Sources Stream of all unsolicited packets “ Scan ” count t t-sample stream t stream of unsolicited packets from external sources that have not been observed in the previous t seconds “ Scanner ” count - Inter-arrival time

Unsolicited packets vs. sources - Inter-arrival time

Effect of worms without worms Inter arrival-time should be exponentially distributed Poisson Distribution

Algorithm Change Detection Maximum Likelihood Inference of Worm Propagation Rate Complete Algorithm

Change Detection using CUSUM S n : CUSUM X n : T n – T n-1, inter-arrival time While S n exceeds a threshold h, stage 2 is triggered if the mean of X n shifts from μ to something smaller than μ−pμ at sample n w then S n will tend to accumulate positive increments after n w and thus eventually cross the threshold h and signal a change.

A fresh scanner arrival can be modeled as a non- stationary Poisson process Considering the ‘ background ’ traffic and simply assuming that the worm starts at 0 (t w =0 ) T n0 : the most resent time that S i >0 (before CUSUM signal) T j = T n0+j – T n0, inter-arrival time relative to n 0 We can observe only T 1, …, T n, instead of T 1, … T n Maximum Likelihood Inference

normal distributed with mean 0 and variance 1 [20] under the null hypothesis r = r0 r 0 : maximal rate that can be ignored Purpose of 2nd stage: testing that whether r is abnormally large or not

Complete Worm Detection Algorithm

Estimation #1 - Slammer

Estimation #2 - Witty

Estimation #3 - Nimda

Estimation #4 - Blaster

Estimation - Result

Conclusion Devised a fast and robust worm detection algorithm without any payload signatures Applied the algorithm with REAL data to demonstrate the effectiveness Future work next page...

Future work Evaluate from a variety of Internet locations Reduce computational complexity Reduce false signal rate of the CUSUM To make MLE computing invoked less frequently Find new MLE algorithms

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.