Modeling, Early Detection, and Mitigation of Internet Worm Attacks (Cliff C. Zou, Assistant Professor, School of Computer Science, University of Central Florida)

1 Modeling, Early Detection, and Mitigation of Internet Worm Attacks
Cliff C. Zou, Assistant Professor, School of Computer Science, University of Central Florida, Orlando, FL
Web:

2 Worm propagation process
• Find new targets → IP random scanning
• Compromise targets → exploit vulnerability
• Newly infected join infection army

3 Worm research motivation
• Code Red (Jul. 2001): 360,000 infected in 14 hours
• Slammer (Jan. 2003): 75,000 infected in 10 minutes; congested parts of the Internet (ATMs down…)
• Blaster (Aug. 2003): 150,000 ~ 8 million infected; DDoS attack (shut down domain windowsupdate.com)
• Witty (Mar. 2004): 12,000 infected in half an hour; attacked a vulnerability in ISS security products
• Sasser (May 2004): 500,000 infected within two days
Infection is faster than human response!

4 How to defend against worm attack?
Automatic response required
• First, understanding worm behavior → basis for worm detection/defense
• Next, early warning of an unknown worm → detection based on worm model; prediction of worm damage scale
• Last, autonomous defense → dynamic quarantine; self-tuning defense

5 Outline Worm propagation modeling Early warning of an unknown worm Autonomous defense Summary and current work

6 Outline Worm propagation modeling Early warning of an unknown worm Autonomous defense Summary and current work

7 Simple worm propagation model
• address space, size
• N: total vulnerable
• I_t: infected by time t → N − I_t vulnerable at time t
• scan rate (per host)
• Prob. of a scan hitting a vulnerable host
• # of increased infected in a unit time

8 Simple worm propagation

9 Code Red worm modeling
Simple worm model matches observed Code Red data
“Ideal” network condition
• No human countermeasures
• No network congestion
• First model work to consider these [CCS’02]

10 Witty worm modeling
Witty’s destructive behavior:
1) Send 20,000 UDP scans to 20,000 IP addresses
2) Write 65KB at a random point in the hard disk
Consider an infected computer:
• Constant bandwidth → constant time to send 20,000 scans
• Random point writing → infected host crashes with prob.
• Crashing time approximated by Exponential distribution ( )

11 Witty worm modeling
[plot of the Witty trace; x-axis: hours]
Memoryless property: # of crashed infected computers at time t; # of vulnerable at t
*Witty trace provided by U. Michigan “Internet Motion Sensor”

12 Advanced worm modeling — hitlist, routing worm
Hitlist worm — increase I_0
• Contains a list of known vulnerable hosts
• Infects hit-list hosts first, then randomly scans
Routing worm — decrease the scanned address space
• Only scan BGP routable space
• BGP table information: = 0.32 × 2^32 → 32% of IPv4 space is Internet routable
• Lasts less than a minute

13 Hitlist, routing worm
[plot] Code Red style worm: scan rate = 358/min, N = 360,000; hitlist: I(0) = 10,000; routing: address space = 0.29 × 2^32

14 Botnet-based Diurnal Modeling
Diurnal property of online infectious hosts → determined by time zone
[plot: North America, Europe, Eastern Asia]

15 Worm Propagation Diurnal Model
Divide Internet hosts into groups
• Each group has hosts in one or several nearby time zones → same diurnal property
Consider modeling in one group, with a diurnal shaping function (fraction of online hosts), the # of infected, the # of online infected, the # of susceptible, and the # of online susceptible hosts

16 Optimal Worm Releasing Time based on Diurnal Model
• Diurnal property affects a worm’s speed
• Speed prediction derived from the diurnal model

17 Outline Worm propagation modeling Early warning of an unknown worm Autonomous defense Summary and current work

18 How to detect an unknown worm at its early stage?
Monitor:
• Worm scans to unused IPs
• TCP/SYN packets
• UDP packets
• Also called “darknet”
[diagram: Internet, local network, unused IP space, monitored traffic]
Monitored data is noisy

19 Reflection
Worm anomaly ≠ other anomalies?
• A worm has its own propagation dynamics
• Deterministic models are appropriate for worms
Can we take advantage of the worm model to detect a worm?

20 Worm model in early stage
[plot, marks at 1% and 2% infected]
Initial stage exhibits exponential growth

21 “Trend Detection”
• Detect traffic trend, not burst
• Trend: worm exponential growth trend at the beginning
• Detection: the estimated exponential rate should be a positive, constant value
[plot: monitored illegitimate traffic rate, worm traffic vs. non-worm burst traffic; exponential rate on-line estimation]

22 Why exponential growth at the beginning?
• Attacker’s incentive: infect as many as possible before people’s counteractions
• If not, a worm does not reach its spreading speed limit
• Slow spreading worm detected by other ways → security experts’ manual check, honeypot, …

23 Model for estimating the worm exponential growth rate
Exponential model, with monitoring noise and Z_t = # of monitored scans at time t, yields the estimation equation

24 Estimation by Kalman Filter
System: where
Kalman Filter for estimation of X_t:

25 Code Red simulation experiments
• Population: N = 360,000; infection rate = 1.8/hour; scan rate = N(358/min, ); initially infected: I_0 = 10
• Monitored IP space 2^20; monitoring interval: 1 minute
• Consider background noise
• At 0.3% (157 min): estimate stabilizes at a positive constant value

26 Damage evaluation — Prediction of global vulnerable population N
The worm model yields N from the estimated exponential growth rate
Accurate prediction when less than 1% of N infected
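The following is an added example, not code from the talk or its authors: it puts slides 7 and 21 to 26 together in one run. It simulates the simple worm propagation model with the Code Red parameters from slide 25, constructs noisy darknet observations for a 2^20-address monitored block, runs the Kalman-filter (recursive least-squares) estimate of the exponential growth rate, and predicts the vulnerable population from that rate. It then feeds the same estimator a non-worm burst to show why trend detection keys on a positive, constant rate rather than on volume. The symbols OMEGA, eta and alpha, the Gaussian counting-noise approximation, the background level and the burst shape are all assumptions for illustration.

```python
"""Worm growth-rate estimation on darknet observations (added example, not from the talk)."""
import math
import random

OMEGA = 2 ** 32  # IPv4 scan space; symbol name is an assumption


def simulate_worm(N=360_000, eta=358.0, I0=10, minutes=250):
    """Simple epidemic model: dI/dt = (eta/OMEGA) * I * (N - I), Euler steps of one minute.
    Slide 25 parameters: N vulnerable, eta scans/min per host, I0 initially infected."""
    infected = [float(I0)]
    for _ in range(minutes):
        I = infected[-1]
        infected.append(min(N, I + (eta / OMEGA) * I * (N - I)))
    return infected


def monitored_scans(infected, eta=358.0, monitored_space=2 ** 20, background=5.0, seed=7):
    """Constructed darknet counts Z_t: worm scans landing in the monitored block plus background.
    Uniform random scanning means the monitor expects eta * I_t * (monitored_space / OMEGA)
    worm scans per minute; counting noise is approximated by a Gaussian with variance = mean."""
    rng = random.Random(seed)
    p = monitored_space / OMEGA
    z = []
    for I in infected:
        mu = eta * I * p + background
        z.append(max(0.0, round(rng.gauss(mu, math.sqrt(mu)))))
    return z


def kalman_growth_rate(z, dt=1.0, q=0.0, r=1.0):
    """Kalman filter for the exponential model Z_t = (1 + alpha*dt) * Z_{t-1} + noise:
    state X = 1 + alpha*dt, observation matrix H_t = Z_{t-1}.
    q is the random-walk process noise of X (0 gives plain recursive least squares),
    r the measurement noise variance. Returns the alpha estimate after every minute."""
    x, P = 1.0, 1.0  # prior: no growth, large uncertainty
    estimates = []
    for t in range(1, len(z)):
        h = z[t - 1]
        P += q
        K = P * h / (h * h * P + r)
        x += K * (z[t] - h * x)
        P *= (1.0 - K * h)
        estimates.append((x - 1.0) / dt)
    return estimates


def predict_population(alpha_per_min, eta=358.0):
    """Damage evaluation: the model gives alpha = eta * N / OMEGA, so N = alpha * OMEGA / eta."""
    return alpha_per_min * OMEGA / eta


def burst_traffic(minutes=250, background=5.0, burst=500.0, start=100, end=150, seed=7):
    """Constructed non-worm anomaly: a flat burst of scans with no exponential trend."""
    rng = random.Random(seed)
    z = []
    for t in range(minutes + 1):
        mu = background + (burst if start <= t < end else 0.0)
        z.append(max(0.0, round(rng.gauss(mu, math.sqrt(mu)))))
    return z


def worm_trend_demo():
    """Run both scenarios and return the quantities a monitor operator would look at."""
    infected = simulate_worm()
    alpha_worm = kalman_growth_rate(monitored_scans(infected))[-1]
    alpha_burst = kalman_growth_rate(burst_traffic())[-1]
    return {
        "true_alpha": 358.0 * 360_000 / OMEGA,  # 0.03/min, i.e. 1.8/hour as on slide 25
        "alpha_worm": alpha_worm,
        "predicted_N": predict_population(alpha_worm),
        "alpha_burst": alpha_burst,  # drifts to about zero or below: no growth trend
        "infected_at_157min": infected[157],  # about 0.3% of N, matching slide 25
    }


if __name__ == "__main__":
    for key, value in worm_trend_demo().items():
        print(f"{key}: {value:.4g}")
```

The worm run gives a growth-rate estimate near 0.03/min that settles as the counts grow, and the population prediction follows from it; the burst run produces a transient jump at the rising edge that the filter corrects at the falling edge, ending near or below zero, which is the distinction slide 21 draws between a trend and a burst.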

27 Damage evaluation — Estimation of global infected population I_t
[plot: monitoring 2^14 IP space (p = 4 × )]
• p: fraction of address space monitored
• cumulative # of observed infected hosts by time t
• per host scan rate
• Prob. an infected host is observed by the monitor in a unit time
• # of unobserved infected by t; # of newly observed (t → t+1)

28 Outline Worm propagation modeling Early warning of an unknown worm Autonomous defense Summary and current work

29 Autonomous defense principles
Principle #1: Preemptive Quarantine
• Compared to the attack’s potential damage, we are willing to tolerate some false alarm cost
• Quarantine upon suspicion, confirm later
• Basis for our Dynamic Quarantine [WORM’03]
Principle #2: Adaptive Adjustment
• More serious attack, more aggressive defense
• At any time t, minimize: (attack damage cost) + (false alarm cost)

30 Self-tuning defense against various network attacks
Principle #2: Adaptive Adjustment → more severe attack, more aggressive defense
Self-tuning defense system designs:
• SYN flood Distributed Denial-of-Service (DDoS) attack
• Internet worm infection
• DDoS attack with no source address spoofing

31 Motivation of self-tuning defense
• False positive prob.: blocking normal traffic
• False negative prob.: missing attack traffic
• Detection sensitivity
[plot: false positive vs. false negative probability, curves for severe and light attack, axes from 0 to 1]
Q: Which operation point is “good”?
A: All operation points are good; the optimal one depends on attack severity (the fraction of attack in traffic)

32 Estimation of attack severity
[diagram: Incoming → Filter → Passed / Dropped]
• Fraction of detected traffic
• # of incoming normal traffic
• # of incoming attack traffic
The resulting severity estimate is unbiased

33 Self-tuning defense design
[diagram: Incoming → Filter → Passed; Attack estimation → Self-tuning optimization]
Discrete time k → k+1
Optimization over:
• Fraction of passed attack
• Fraction of dropped normal
• Cost of dropping a normal traffic
• Cost of passing an attack traffic

34 Self-tuning defense structure
More severe attack, more aggressive defense
[diagram: Detection → Attack Severity → Self-tuning defense → Operation Settings → Defense]
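As an added example for slides 31 to 34 (not code from the talk, AT&T or the authors), the loop below closes the structure of slide 34: a filter observes its own drop rate, derives an unbiased estimate of the attack fraction from it as on slide 32, and re-chooses its detection sensitivity to minimise the expected cost of slide 33. The detector's false-positive and false-negative curves (s^2 and (1-s)^2 in sensitivity s), the two unit costs and the traffic mix per interval are assumptions constructed for illustration.

```python
"""Self-tuning filter: estimate attack severity, then re-tune sensitivity (added example)."""


def false_positive(s):
    """Assumed detector model: fraction of normal traffic dropped at sensitivity s in [0, 1]."""
    return s * s


def false_negative(s):
    """Assumed detector model: fraction of attack traffic passed at sensitivity s in [0, 1]."""
    return (1.0 - s) ** 2


def expected_cost(s, eps, c_drop_normal, c_pass_attack):
    """Cost per unit of incoming traffic when a fraction eps of it is attack:
    (cost of dropping normal) * dropped-normal fraction + (cost of passing attack) * passed-attack fraction."""
    return c_drop_normal * (1.0 - eps) * false_positive(s) + c_pass_attack * eps * false_negative(s)


def optimal_sensitivity(eps, c_drop_normal=1.0, c_pass_attack=5.0, grid=100):
    """Adaptive adjustment: the sensitivity (on a grid of 1/grid steps) minimising expected cost."""
    candidates = [i / grid for i in range(grid + 1)]
    return min(candidates, key=lambda s: expected_cost(s, eps, c_drop_normal, c_pass_attack))


def estimate_severity(dropped_fraction, s, previous=0.0):
    """Unbiased estimate of the attack fraction from the filter's own drop rate:
    dropped = (1-eps)*FP(s) + eps*(1-FN(s)) = FP(s) + eps*(1 - FN(s) - FP(s)).
    When 1 - FN - FP is zero the detector is uninformative at this s; keep the previous estimate."""
    fp, fn = false_positive(s), false_negative(s)
    denom = 1.0 - fn - fp
    if abs(denom) < 1e-9:
        return previous
    return min(1.0, max(0.0, (dropped_fraction - fp) / denom))


def observe_drop_rate(true_eps, s, normal_in=10_000):
    """Constructed observation for one interval: normal and attack packets entering the filter
    and the fraction it drops at sensitivity s (deterministic expected counts)."""
    attack_in = true_eps / (1.0 - true_eps) * normal_in
    dropped = normal_in * false_positive(s) + attack_in * (1.0 - false_negative(s))
    return dropped / (normal_in + attack_in)


def self_tuning_run(true_eps_per_interval, s0=0.5, c_drop_normal=1.0, c_pass_attack=5.0):
    """Discrete-time loop k -> k+1: observe, estimate severity, re-tune the operation setting."""
    s, eps_hat = s0, 0.0
    trace = []
    for k, eps in enumerate(true_eps_per_interval):
        d = observe_drop_rate(eps, s)
        eps_hat = estimate_severity(d, s, previous=eps_hat)
        s_next = optimal_sensitivity(eps_hat, c_drop_normal, c_pass_attack)
        trace.append({"k": k, "true_eps": eps, "sensitivity": s,
                      "eps_hat": eps_hat, "next_sensitivity": s_next})
        s = s_next
    return trace


if __name__ == "__main__":
    # Constructed scenario: light attack, then severe attack, then light again.
    for row in self_tuning_run([0.02, 0.02, 0.5, 0.5, 0.5, 0.05]):
        print(row)
```

With these curves the cost-minimising sensitivity has the closed form s* = c_pass_attack * eps / (c_drop_normal * (1 - eps) + c_pass_attack * eps), so the grid search moves from about 0.09 under a 2% attack to about 0.83 under a 50% attack and back down to about 0.21 at 5%: the more severe the attack, the more aggressive the setting. The guard in estimate_severity matters in practice: at s = 0 the filter drops nothing and its drop rate carries no information about severity, so a deployment should start from an informative setting such as s0 = 0.5.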

35 Outline Worm propagation modeling Early warning of an unknown worm Autonomous defense Summary and current work

36 Worm research contribution
Worm modeling:
• Two-factor model: human counteractions; network congestion
• Diurnal modeling; worm scanning strategies modeling
Early detection:
• Detection based on “exponential growth trend”
• Estimate/predict worm potential damage
Autonomous defense:
• Dynamic quarantine (interviewed by NPR)
• Self-tuning defense (patent filed by AT&T)
-based worm modeling and defense