1 Monitoring and Early Warning for Internet Worms. Authors: Cliff C. Zou, Lixin Gao, Weibo Gong, Don Towsley, Univ. Massachusetts, Amherst. Published at the 10th ACM Conference on Computer and Communications Security (CCS'03), 2003.
1 Monitoring and Early Warning for Internet Worms. Authors: Cliff C. Zou, Lixin Gao, Weibo Gong, Don Towsley, Univ. Massachusetts, Amherst. Published at the 10th ACM Conference on Computer and Communications Security (CCS'03), 2003. Presenter: Cliff C. Zou (01/12/2006).

2 How to detect an unknown worm at its early stage? Monitor: worm scans to unused IPs (TCP SYN packets, UDP packets). [Figure: traffic from the Internet and from the local network arriving at the monitored unused IP space; the monitored data is noisy.]

3 Reflection: is a worm anomaly different from other anomalies? A worm has its own propagation dynamics, and deterministic models are appropriate for worms. Can we take advantage of a worm model to detect a worm?

4 Worm model in the early stage: the initial stage exhibits exponential growth. [Figure: worm propagation curve, with the 1% and 2% infected levels marked.]

5 "Trend Detection": detect a traffic trend, not a burst. Trend: worm traffic shows an exponential growth trend at the beginning. Detection: the on-line estimate of the exponential growth rate should settle at a positive, constant value. [Figure: monitored illegitimate traffic rate → on-line estimation of the exponential rate; worm traffic contrasted with a non-worm traffic burst.]

6 Why exponential growth at the beginning? The law of natural growth: reproduction, while interference is negligible (the beginning phase). The attacker's incentive is to infect as many hosts as possible before people react; a worm that does not grow this way never reaches its spreading speed limit. A slowly spreading worm is detected by other means: manual checks by security experts, honeypots, ...

7 Model for estimating the worm's exponential growth rate. Exponential model, where Z_t is the number of monitored scans at time t and a monitoring noise term is added to the observation.

8 Estimation by Kalman filter: the exponential model is written as a linear system, and a Kalman filter estimates its state X_t on-line.

9 Code Red simulation experiments. Population N = 360,000, infection rate α = 1.8/hour, scan rate η ~ N(358/min, …), initially infected I_0 = 10. Monitored IP space 2^20, monitoring interval 1 minute; background noise is included. At 0.3% infected (157 min) the estimate stabilizes at a positive constant value.

10 Damage evaluation: prediction of the global vulnerable population N. [Figure: predicted N over time.] The prediction is accurate when less than 1% of N is infected.

11 Damage evaluation: estimation of the global infected population I_t. Monitoring a 2^14 IP space (p = 2^14 / 2^32 ≈ 4 × 10^-6). Quantities: p, the fraction of address space monitored; the cumulative number of infected hosts observed by time t; η, the per-host scan rate; the probability that an infected host is observed by the monitor in a unit time; the number of infected hosts not yet observed by t; and the number newly observed in (t, t+1).
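The detection and damage-estimation pipeline of slides 5 through 11, worked through as an added example; this is not the paper's or the presenter's code, and the slides' own equations are not reproduced in the transcript. It builds a constructed trace with the slide-9 parameters (N = 360,000, α = 1.8/hour, η = 358 scans/min, a 2^20-address monitor, I_0 = 10, 1-minute intervals), runs a constant-state Kalman filter (recursive least squares) on the exponential model Z_t = (1+α) Z_{t-1} + noise, raises the alarm when the rate estimate settles at a positive constant, estimates the global infected population from the cumulative count of observed sources (written here as C_t), and fits the quadratic epidemic term to predict N. The deterministic discrete epidemic model, the zero-mean Gaussian background noise, the names Q and C_t, the detection window and tolerance, and the least-squares formulation of the N prediction are this example's assumptions.

```python
"""Added example, not code from the paper or the slides: trend detection and
damage estimation on a constructed worm trace seen through an unused-address
monitor.  Constants follow slide 9; noise model and thresholds are assumptions."""
import random

N = 360_000            # vulnerable population (slide 9)
ALPHA = 1.8 / 60       # exponential growth rate per minute (1.8/hour)
ETA = 358              # scans per infected host per minute
P = 2**20 / 2**32      # fraction of IPv4 space covered by the monitor (2^20 addresses)
I0 = 10                # initially infected hosts
Q = 1 - (1 - P)**ETA   # prob. an infected host hits the monitor within one minute


def simulate(steps, noise_std, seed=1, n=N, alpha=ALPHA, eta=ETA, p=P, i0=I0):
    """Constructed trace, one step = one minute.  I_t follows the discrete epidemic
    model I_{t+1} = I_t + alpha*I_t*(1 - I_t/n); the monitor counts
    Z_t = eta*p*I_t + zero-mean Gaussian background noise (assumes the baseline
    background rate has already been subtracted); C_t is the cumulative number of
    distinct infected sources seen, each unseen host being caught with prob. q."""
    rng = random.Random(seed)
    q = 1 - (1 - p)**eta
    infected, scans, observed = [], [], []
    i_t, c_t = float(i0), 0
    for _ in range(steps):
        infected.append(i_t)
        scans.append(eta * p * i_t + rng.gauss(0.0, noise_std))
        observed.append(c_t)
        unseen = max(int(round(i_t)) - c_t, 0)
        c_t += sum(1 for _ in range(unseen) if rng.random() < q)
        i_t += alpha * i_t * (1 - i_t / n)
    return infected, scans, observed


def kalman_alpha(scans, r=1.0, p0=1e6):
    """Slides 7-8: Kalman filter for the exponential model Z_t = (1+alpha) Z_{t-1}
    + noise.  The state x = 1 + alpha is constant (no process noise), so this is
    recursive least squares.  Returns the on-line estimate of alpha after each step."""
    x, var = 1.0, p0                  # prior: alpha = 0, very uncertain
    estimates = [0.0]
    for z_prev, z in zip(scans, scans[1:]):
        gain = var * z_prev / (z_prev * z_prev * var + r)
        x += gain * (z - z_prev * x)
        var *= 1.0 - gain * z_prev
        estimates.append(x - 1.0)
    return estimates


def detect_trend(alpha_hats, window=10, tol=0.2):
    """Slides 5 and 9: raise the alarm once the last `window` estimates are all
    positive and spread by at most `tol` of their mean, i.e. the growth rate has
    settled at a positive constant.  Returns the alarm step, or None."""
    for t in range(window, len(alpha_hats) + 1):
        w = alpha_hats[t - window:t]
        if min(w) > 0 and max(w) - min(w) <= tol * (sum(w) / window):
            return t - 1
    return None


def estimate_infected(observed, q=Q):
    """Slide 11: the I_t - C_t still-unobserved infected hosts each show up in the
    next minute with probability q, so C_{t+1} - C_t ~ (I_t - C_t) q and
    I_t ~ C_t + (C_{t+1} - C_t)/q.  Returns the estimate for every t."""
    return [c + (c_next - c) / q for c, c_next in zip(observed, observed[1:])]


def predict_population(scans, eta=ETA, p=P):
    """Slide 10: the epidemic model seen through the monitor (Z_t ~ eta*p*I_t) is
    Z_t = a Z_{t-1} + b Z_{t-1}^2 with a = 1 + alpha and b = -alpha/(eta*p*N).
    Least-squares fit of (a, b) via the 2x2 normal equations (the value a
    constant-state Kalman filter converges to), then N = -(a-1)/(b*eta*p)."""
    sxx = sxxx = sxxxx = sxy = sxxy = 0.0
    for x, y in zip(scans, scans[1:]):
        sxx, sxxx, sxxxx = sxx + x**2, sxxx + x**3, sxxxx + x**4
        sxy, sxxy = sxy + x * y, sxxy + x**2 * y
    det = sxx * sxxxx - sxxx * sxxx
    a = (sxy * sxxxx - sxxx * sxxy) / det
    b = (sxx * sxxy - sxxx * sxy) / det
    return a - 1.0, -(a - 1.0) / (b * eta * p)


if __name__ == "__main__":
    infected, scans, observed = simulate(300, noise_std=5.0, seed=7)
    alpha_hats = kalman_alpha(scans)
    t = detect_trend(alpha_hats)
    if t is None:
        print("no worm trend detected")
    else:
        print(f"alarm at t={t} min: {100 * infected[t] / N:.2f}% infected, "
              f"alpha_hat={60 * alpha_hats[t]:.2f}/hour (true {60 * ALPHA:.1f})")
        print(f"I_hat(t)={estimate_infected(observed)[t]:.0f} vs true {infected[t]:.0f}")
        for end in (t + 1, len(scans)):   # N_hat is unreliable while noise swamps the quadratic term
            print(f"N_hat from first {end} min: {predict_population(scans[:end])[1]:.0f} (true {N})")
```

Run as a script to see the alarm time, the infected fraction at that moment, the rate estimate and two N predictions. Two caveats a deployment has to live with: the regression on noisy Z_t is biased toward a rate of zero until η p I_t clearly dominates the background noise, so the alarm fires later than the first worm scans reach the monitor (and any non-zero background mean must be subtracted first, or the estimate is pulled toward a spurious stable value); and N is only determined once the quadratic term -α Z²/(η p N) rises above the noise, which is why the prediction from data up to the alarm can be far off while the fit on a noise-free trace recovers N exactly.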

12 What is the paper's contribution? A novel approach to anomaly detection: the popular approach is based on a static threshold, whereas the paper exploits worm dynamics, i.e., the dynamics of a time series. Worm damage prediction: estimate the global infected population from local information, and predict the global vulnerable population.

13 Why can this paper be published? A different approach from the popular ways: model-based anomaly detection, a fresh viewpoint (interesting). Solid (fancy) mathematical background: the math is appropriate; a pure experimental report is not good enough for an academic paper. Timely appearance: catch a promising/hot topic ASAP, relying on advisors, (conference) papers, tech news, colleagues, ...

14 What are the paper's weaknesses? Early detection provides limited information: it does not provide a signature for worm defense, and it does not (accurately) identify the globally infected hosts. It requires a large empty IP space for monitoring, which is not very good for an individual local network. The worm damage prediction results are accurate only for uniform-scan worms, and many worms use biased scanning strategies.

15 How to improve the paper? I have improved the CCS'03 conference paper and published it in IEEE Trans. on Networking. Detect a worm earlier: the conference paper uses a simple worm model, the TON paper uses an exponential model (several times faster). Consider the limitation of the monitoring system: the TON paper adds analysis/experiments of the monitoring problem for non-uniform scan worms.