Fast and Robust Worm Detection Algorithm
Tian Bu, Aiyou Chen, Scott Vander Wiel, Thomas Woo
bearhsu
Outline
  Introduction
  Algorithm Design
    CUSUM
    Maximum Likelihood Inference of Worm Propagation Rate
  Algorithm Evaluation
  Conclusion
Requirements of worm detection
  High speed: fast worms do their damage within minutes
  Accuracy:
    False positives: alarms without worms
    False negatives: worms without alarms
    Both must be avoided
  Robustness: works well for various worms with different propagation characteristics
Introduction
  Motivation: propose a detection method that meets the above requirements
  Method of work:
    Monitor unused IP addresses for unsolicited traffic
    Use the unsolicited packets as input to the worm detection algorithm
  Result: a two-stage algorithm
    1st stage: CUSUM counting
    2nd stage: exponential detector
Unsolicited traffic
  Subnets usually have many unused IP addresses
  Bell Labs uses these unused addresses as a network telescope
  Unsolicited packet: a packet sent to one of the unused IP addresses
  Usage:
    Arrival process of unsolicited packets
    Arrival of new sources that send these packets
Unsolicited Packets vs. Sources
  Stream of all unsolicited packets: the "scan" count
  t-sample stream: the stream of unsolicited packets from external sources that have not been observed in the previous t seconds; this gives the "scanner" count
  Inter-arrival time of each stream
Unsolicited packets vs. sources: inter-arrival time (figure)
Effect of worms
  Without worms, the inter-arrival time should be exponentially distributed (arrival counts follow a Poisson distribution)
Algorithm
  Change Detection
  Maximum Likelihood Inference of Worm Propagation Rate
  Complete Algorithm
Change Detection using CUSUM
  S_n: the CUSUM statistic
  X_n = T_n - T_{n-1}: the inter-arrival time
  When S_n exceeds a threshold h, stage 2 is triggered.
  If the mean of X_n shifts from μ to something smaller than μ - pμ at sample n_w, then S_n will tend to accumulate positive increments after n_w and thus eventually cross the threshold h and signal a change.
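As an added illustration of the stage-1 CUSUM described on this slide (not the authors' code): a one-sided CUSUM run over a constructed sequence of fresh-scanner inter-arrival times, background gaps scattered around μ followed by a burst of much shorter gaps once a worm's scanners start arriving. The increment form S_n = max(0, S_{n-1} + μ(1 - p) - X_n), the parameter values, the onset estimate and the sample data are assumptions.

```python
"""One-sided CUSUM over scanner inter-arrival times (stage 1 of the
detector on this slide). Added illustration; the increment form,
parameters and sample values are assumptions, not the paper's."""
from typing import List, Optional, Tuple


def cusum_downshift(x: List[float], mu: float, p: float, h: float
                    ) -> Tuple[List[float], Optional[int], Optional[int]]:
    """Detect a drop in the mean inter-arrival time from mu to below mu*(1-p).

    Assumed increment (standard downward-shift CUSUM):
        S_n = max(0, S_{n-1} + mu*(1-p) - X_n)
    Returns (S history, alarm index, onset index). The onset is the first
    sample after the last time S was zero, i.e. where the run that caused
    the alarm began (assumed to play the role of n_0 on the next slide).
    Indices are 0-based; alarm and onset are None if h is never crossed.
    """
    k = mu * (1.0 - p)          # reference value: mean must fall below this
    s = 0.0
    s_hist: List[float] = []
    last_zero = -1
    for n, xn in enumerate(x):
        s = max(0.0, s + k - xn)
        s_hist.append(s)
        if s == 0.0:
            last_zero = n        # nothing accumulated: reset point
        elif s > h:
            return s_hist, n, last_zero + 1   # signal, trigger stage 2
    return s_hist, None, None


# Constructed sample: background inter-arrivals around mu = 1.0 s, then
# fresh scanners arriving roughly five times faster (worm onset at n = 8).
BACKGROUND = [1.2, 0.8, 1.0, 1.1, 0.9, 0.7, 1.3, 1.0]
WORM = [0.3, 0.2, 0.1, 0.25, 0.15, 0.1, 0.2, 0.1]
SAMPLE = BACKGROUND + WORM


def demo() -> Tuple[Optional[int], Optional[int], List[float]]:
    """Run the detector on SAMPLE with mu=1.0, p=0.5, h=2.0."""
    s_hist, alarm, onset = cusum_downshift(SAMPLE, mu=1.0, p=0.5, h=2.0)
    return alarm, onset, s_hist


if __name__ == "__main__":
    alarm, onset, s_hist = demo()
    for n, (xn, sn) in enumerate(zip(SAMPLE, s_hist)):
        print(f"n={n:2d}  X_n={xn:.2f}  S_n={sn:.2f}")
    print("stage 2 triggered at sample", alarm, "- estimated onset", onset)
```

With these values S_n stays at zero through the background, climbs from sample 8 on, and crosses h = 2.0 at sample 14, six samples after the shift.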
Maximum Likelihood Inference
  Fresh scanner arrivals can be modeled as a non-stationary Poisson process.
  Consider the "background" traffic and simply assume that the worm starts at time 0 (t_w = 0).
  T_{n_0}: the most recent time that S_i > 0 (before the CUSUM signal)
  T_j = T_{n_0+j} - T_{n_0}: inter-arrival time relative to n_0
  We can observe only the relative times T_1, …, T_n, not the original ones.
  The test statistic is normally distributed with mean 0 and variance 1 [20] under the null hypothesis r = r_0.
  r_0: the maximal propagation rate that can be ignored
  Purpose of the 2nd stage: test whether r is abnormally large.
Complete Worm Detection Algorithm
Estimation #1 - Slammer
Estimation #2 - Witty
Estimation #3 - Nimda
Estimation #4 - Blaster
Estimation - Result
Conclusion
  Devised a fast and robust worm detection algorithm that needs no payload signatures
  Applied the algorithm to REAL data to demonstrate its effectiveness
  Future work: next page
Future work
  Evaluate from a variety of Internet locations
  Reduce computational complexity:
    Reduce the false signal rate of the CUSUM so that the MLE computation is invoked less frequently
    Find new MLE algorithms