Detecting Unknown Worms Using Randomness Check
Hyundo Park, Heejo Lee
Computer and Communication Security Lab., Dept. of Computer Science and Engineering, Korea University
Index
Overview
The relation between worms and randomness
The relation between randomness and rank
ADUR (Anomaly Detection Using Randomness check)
Evaluation

Overview
A worm uses a random number generator to choose its target hosts, so the sequence of addresses in the traffic it generates is random. The traffic observed in a time interval can be expressed as a binary matrix, and the rank of that matrix decides whether the address sequence is random or not. An exclusive-or operation between the matrices of successive intervals removes the persistent normal traffic, which minimizes the false alarm rate.
Figure: the Internet in the normal state, where the source and destination addresses of packets follow a regular pattern, versus the worm propagation state, where part of the Internet is infected and the source and destination addresses of packets are random.

The relation between worms and randomness
Scanning method | Detail | Example
Hitlist scanning | Uses a prepared list of vulnerable hosts; a sudden increase in outgoing connections | Warhol
Topological scanning | Gathers target information found on the infected host; a sudden increase in outgoing connections | Morris
Local scanning | A sudden increase in unanswered packets and rejected connection requests, spread over a range of IP addresses | Code Red, Nimda
Permutation scanning | Sends requests to addresses and servers that are not in use; a sudden increase in outgoing connections | Slammer
The ADUR model detects worms by checking for the traffic pattern that these scanning methods produce: ordinary worms generate random traffic to choose their target hosts.

The relation between randomness and rank
The rank of a binary matrix is the number of leading ones after the matrix is reduced to upper triangular form over GF(2). We measure randomness with this rank: 99.99% of random binary matrices have a rank greater than 60. If the binary matrix is random, the probability of each rank value follows the equation on the slide, whose variables are the matrix and its rank value.

ADUR: classification of the network state as normal or abnormal
The procedure has three steps: express the traffic on a matrix, apply the exclusive-or operation, and calculate the rank.

ADUR: expression of traffic
The network traffic, that is, the source and destination IP addresses of the packets seen in a time tick, can be expressed on a binary matrix.

ADUR: exclusive-or operation
The exclusive-or of the traffic matrix of one time tick with the matrix of the previous tick deletes the normal traffic that repeats from tick to tick, and the rank value at each time tick is computed on the result. This is what minimizes the false alarm rate.

ADUR: classification of the network state
One matrix holds the incoming packets of the network and another holds the outgoing packets; R(M) is the rank of the matrix M. The network state is classified by which ranks are high:
Normal: neither rank is high.
Attacked (Flowing): the rank of the incoming matrix is high.
Infected (Ebbing): the rank of the outgoing matrix is high.
Attacked and infected (Flooding): both ranks are high.
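A worked implementation of the rank check (the randomness-and-rank relation above) and of the three ADUR steps on these slides, written for this page as an added example; it is not the authors' code. It assumes a 64 x 64 matrix (the slides' threshold of 60 suggests a dimension near 64, but the size is not stated), a folding of the remote IPv4 address into a (row, column) cell that is my own choice, the decision rule "rank > 60 means random", and constructed traffic: ten internal clients talking to four external servers every tick, one infected host 10.1.2.3 scanning random addresses, and random external hosts scanning 10.1.0.0/16. The rank probability function is Kovalenko's formula as used in the NIST SP 800-22 binary matrix rank test; for a 64 x 64 matrix it reproduces the slides' "99.99% above 60" figure.

```python
import random

SIZE = 64          # assumption: 64 x 64 binary traffic matrix (not stated on the slides)
THRESHOLD = 60     # slides: 99.99% of random binary matrices have rank > 60


def gf2_rank(rows):
    """Rank over GF(2) of a binary matrix given as a list of row bitmasks.
    Every basis element keeps a distinct leading bit, so the basis size is the rank."""
    basis = []
    for r in rows:
        for b in basis:
            r = min(r, r ^ b)      # XOR with b only if it clears r's leading bit
        if r:
            basis.append(r)
    return len(basis)


def rank_probability(m, n, r):
    """P(rank = r) for a uniformly random m x n matrix over GF(2)
    (Kovalenko's formula, as used in the NIST SP 800-22 rank test)."""
    if r < 0 or r > min(m, n):
        return 0.0
    p = 2.0 ** (r * (m + n - r) - m * n)
    for i in range(r):
        p *= (1 - 2.0 ** (i - n)) * (1 - 2.0 ** (i - m)) / (1 - 2.0 ** (i - r))
    return p


def remote_cell(ip):
    """Fold the remote IPv4 address into a (row, column) cell of the matrix.
    Assumption: the row comes from the upper 16 address bits, the column from the lower 16."""
    a, b, c, d = (int(x) for x in ip.split("."))

    def fold(v):
        return (v ^ (v >> 6) ^ (v >> 12)) & (SIZE - 1)
    return fold((a << 8) | b), fold((c << 8) | d)


def traffic_matrix(remote_ips):
    """One bitmask per row; bit c of row r is set if some flow hit cell (r, c)."""
    rows = [0] * SIZE
    for ip in remote_ips:
        r, c = remote_cell(ip)
        rows[r] |= 1 << c
    return rows


def classify(rank_in, rank_out, threshold=THRESHOLD):
    """The four network states of the slides."""
    if rank_in > threshold and rank_out > threshold:
        return "flooding"       # attacked and infected
    if rank_in > threshold:
        return "flowing"        # attacked by infected hosts on other networks
    if rank_out > threshold:
        return "ebbing"         # a local host is infected
    return "normal"


def adur(ticks, threshold=THRESHOLD):
    """ticks: list of (incoming_flows, outgoing_flows); a flow is (src_ip, dst_ip).
    Each tick's matrix is XORed with the previous tick's so repeating normal traffic
    cancels out before the rank is taken. Returns (tick, rank_in, rank_out, state)."""
    prev_in = prev_out = [0] * SIZE
    results = []
    for t, (incoming, outgoing) in enumerate(ticks):
        m_in = traffic_matrix(src for src, _ in incoming)    # randomness of remote sources
        m_out = traffic_matrix(dst for _, dst in outgoing)   # randomness of remote destinations
        r_in = gf2_rank([x ^ y for x, y in zip(m_in, prev_in)])
        r_out = gf2_rank([x ^ y for x, y in zip(m_out, prev_out)])
        results.append((t, r_in, r_out, classify(r_in, r_out, threshold)))
        prev_in, prev_out = m_in, m_out
    return results


def random_ip(rng):
    v = rng.getrandbits(32)
    return f"{v >> 24}.{(v >> 16) & 255}.{(v >> 8) & 255}.{v & 255}"


def build_ticks(seed=7, scans_per_tick=3000):
    """Constructed traffic: ticks 0-1 normal, tick 2 one infected host scans outwards,
    tick 3 adds random external hosts scanning 10.1.0.0/16, tick 4 is normal again."""
    rng = random.Random(seed)
    servers = ["198.51.100.10", "203.0.113.5", "192.0.2.80", "198.51.100.53"]
    clients = [f"10.1.{i}.{j}" for i in range(1, 6) for j in (10, 20)]
    normal_out = [(c, s) for c in clients for s in servers]
    normal_in = [(s, c) for c, s in normal_out]
    ticks = []
    for t in range(5):
        outgoing, incoming = list(normal_out), list(normal_in)
        if t in (2, 3):
            outgoing += [("10.1.2.3", random_ip(rng)) for _ in range(scans_per_tick)]
        if t == 3:
            incoming += [(random_ip(rng), f"10.1.{rng.randrange(256)}.{rng.randrange(256)}")
                         for _ in range(scans_per_tick)]
        ticks.append((incoming, outgoing))
    return ticks


if __name__ == "__main__":
    print("P(rank > 60), random 64x64:", round(sum(rank_probability(64, 64, r) for r in range(61, 65)), 5))
    for t, r_in, r_out, state in adur(build_ticks()):
        print(f"tick {t}: rank_in={r_in:2d} rank_out={r_out:2d} -> {state}")
```

Two things worth noticing when running it: the normal ticks produce a rank of exactly 0 after the exclusive-or, because identical matrices cancel, and the alarm persists for one tick after the scanning stops (tick 4), because the exclusive-or with the previous tick still contains the worm's cells.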

Evaluation
Worm traffic is generated with the AAWP (Analytical Active Worm Propagation) model. Its parameters are the total number of vulnerable machines on the Internet, the size of the IPv4 space that the worm scans, the number of infected hosts at each time tick, and the scan rate. When the number of initially infected hosts is 10,000, the number of infected hosts increases exponentially.
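The AAWP recurrence behind this evaluation, as an added example that is not the authors' code: n_{i+1} = n_i + (N - n_i)(1 - (1 - 1/T)^{s n_i}) is the discrete-time model of Chen, Gao and Kwiat (INFOCOM 2003) that the slide names, with N the vulnerable population, T the scanned address space, s the scan rate per infected host per tick and n_i the infected count at tick i. The parameter values (N = 100,000, T = 2^32, s = 4,000 scans per tick, 10 or 10,000 initially infected hosts) are assumptions chosen for illustration, not values from the slides.

```python
def aawp(N, T, s, n0, ticks):
    """AAWP recurrence (Chen, Gao and Kwiat, INFOCOM 2003):
        n_{i+1} = n_i + (N - n_i) * (1 - (1 - 1/T) ** (s * n_i))
    N: vulnerable hosts, T: size of the scanned address space, s: scans per infected
    host per tick, n0: initially infected hosts. Returns the list n_0 .. n_ticks."""
    n = [float(n0)]
    for _ in range(ticks):
        ni = n[-1]
        # each of the s*ni scans in this tick misses a given uninfected host with
        # probability 1 - 1/T, so the fraction of the remaining hosts hit at least once
        # is 1 - (1 - 1/T) ** (s * ni)
        n.append(ni + (N - ni) * (1.0 - (1.0 - 1.0 / T) ** (s * ni)))
    return n


def first_tick_reaching(curve, fraction, N):
    """First time tick at which the infected population reaches fraction * N, or None."""
    for i, ni in enumerate(curve):
        if ni >= fraction * N:
            return i
    return None


def growth_factor(curve, tick):
    """Per-tick growth factor n_{i+1} / n_i at the given tick; early in the outbreak
    this is about 1 + s * N / T, which is what makes the curve exponential."""
    return curve[tick + 1] / curve[tick]


# assumed parameters (not from the slides): 100k vulnerable hosts, full IPv4 space,
# 4,000 scans per infected host per tick
N, T, S = 100_000, 2 ** 32, 4_000

if __name__ == "__main__":
    for n0 in (10, 10_000):
        curve = aawp(N, T, S, n0, 200)
        print(f"n0={n0}: early growth factor {growth_factor(curve, 0):.3f} per tick, "
              f"50% infected at tick {first_tick_reaching(curve, 0.5, N)}, "
              f"n_200 = {curve[-1]:.0f}")
```

With 10 initial hosts the curve stays flat for roughly a hundred ticks and then saturates within a few dozen more; that flat start is the window in which an early-warning detector such as ADUR has to raise its alarm, and starting from 10,000 hosts removes most of it.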

Evaluation
Figure: the variation of the rank value per time tick. The rank of normal traffic stays within a narrow, stable range.

Evaluation
Figure: the variation of the rank value when the number of random connections grows by one per time tick, starting at time tick 20. Once there are 25 random connections on the network the rank exceeds 60, and ADUR detects that the network is infected by, or under attack from, the worm.

Evaluation
The ADUR model can detect worm propagation at an early stage. Figures: the number of infected hosts modeled by AAWP as a function of the time tick, and the corresponding rank value while the worm spreads according to the AAWP model.

Evaluation
The change in rank caused by the Slammer worm shows a clear distinction from the normal condition. Figures: the rank distribution for a /16 network in which only one host is infected by Slammer, and the corresponding 2-D graph, which also shows the location of the infected subnet.

The state of the network (Normal)
This is the normal state of the network: the rank of the traffic matrix stays within a small range. No warning is raised, because the network is in its normal state. (Plot legend: normal.)

The state of the network (Normal_nmap)
In this state one host runs an nmap port scan. Only the number of packets on the network increases; the sequence of destination addresses is not random, so only the blue line (packet count) rises. No warning is raised, because this is not worm propagation. (Plot legend: nmap, normal.)

The state of the network (Normal_P2P)
In this state P2P applications transmit heavy traffic over the network. Only the number of bytes on the network increases; the sequence of destination addresses is not random, so only the green line (byte count) rises. No warning is raised, because this is not worm propagation. (Plot legend: nmap, normal, P2P.)

The state of the network (Flowing)
The flowing state is the state in which the network is attacked by worm-infected hosts on other networks. Only the randomness of the incoming traffic increases, so only the rank of the incoming traffic matrix rises. A warning is raised, because this is worm propagation. (Plot legend: normal, flowing.)

The state of the network (Ebbing)
The ebbing state is the state in which a host on the network is infected by the worm. Only the randomness of the outgoing traffic increases, so only the rank of the outgoing traffic matrix rises. ADUR classifies this as an abnormal (infected) state. (Plot legend: normal, ebbing.)

The state of the network (Flooding)
The flooding state is the state in which the network is both attacked by infected hosts on other networks and infected itself. The randomness of both incoming and outgoing traffic increases, so the ranks of both traffic matrices rise. ADUR classifies this as an abnormal (attacked and infected) state. (Plot legend: normal, flooding.)

Conclusion
The ADUR mechanism detects the spreading of Internet worms by checking the randomness of traffic. ADUR can detect unknown worms at an early stage. When a worm is detected, ADUR gives additional information such as the location of the infected subnets.

Thank you Q & A