
Very Fast containment of Scanning Worms Presented by Vinay Makula.

Presentation on theme: "Very Fast containment of Scanning Worms Presented by Vinay Makula."— Presentation transcript:

1 Very Fast Containment of Scanning Worms
Presented by Vinay Makula

2 Introduction
- Computer worms: malicious, self-propagating programs
- Containment: limit a worm's spread by isolating it in a small subsection of the network

3 Worm Containment
- Detecting infected machines and preventing them from contacting further hosts
- Implementation aspects:
  - Breaking the network into small pieces called cells
  - Lowering false positives

4 Scanning Worms
- Operate by picking random addresses and attempting to infect them
- Linear scanning (e.g. Blaster)
- Fully random (e.g. Code Red)
- Bias toward local addresses (e.g. Code Red II and Nimda)
- Permutation scanning

5 Scanning Worms
- Properties:
  - Most scanning attempts result in failure
  - Infected machines will initiate many connection attempts
- Containment seeks a class of behavior rather than specific worm signatures

6 Epidemic Threshold
- A worm-suppression device must necessarily allow some scanning before it triggers a response
- The worm may find a victim during that time

7 Epidemic Threshold
- The epidemic threshold depends on:
  - The sensitivity of the containment response devices
  - The density of vulnerable machines on the network
  - The degree to which the worm is able to target its efforts into the correct network, and even into the current cell

8 Sustained Scanning Threshold
- If a worm scans slower than the sustained scanning threshold, the detector will not trigger
- In this implementation the threshold is set to 1 scan per minute

9 Scan Suppression
- Respond to detected portscans by blocking future scanning attempts
- Two types of portscans:
  - Horizontal: search for the same service on a large number of machines
  - Vertical: examine an individual machine to discover its running services

10 Threshold Random Walk (TRW)
- The algorithm uses an oracle to determine whether a connection will fail or succeed
- A successfully completed connection drives the random walk upwards
- A failure to connect drives the random walk downwards

11 Scan Detection Algorithm
- Advantages:
  - Suitable for both hardware and software implementation
  - No change in the false positive rate
- Disadvantages:
  - Increased false negative rate
  - Worms can still evade detection

12 Hardware Implementation
- Constraint: memory access speed
- During the transmission of a minimum-sized gigabit Ethernet packet there is time for only 8 DRAM accesses, or 4 accesses for full duplex
- SRAM solves the problem but is more expensive

13 Hardware Implementation
- Constraint: memory size
- SRAM currently holds only a few tens of megabytes; DRAM can hold up to a gigabyte
- Keep the memory footprint small (5 MB) so that both remain options

14 Approximate Cache
- The information we would like to store can exceed the fixed volume of memory
- Hence use an approximate cache, in which collisions cause imperfections
- Advantages:
  - Keeps the memory bounded
  - Allows very simple lookups

15 Attacking the Cache
- Predicting the hash: create collisions to evict or combine data, causing false positives or negatives
- Flooding the cache: massive amounts of normal data to hide the true attack

16 Approximation of TRW
- Track connections and addresses using approximate caches
- Track success and failure of connection attempts to:
  - New address
  - New address to old ports
  - Old ports at old addresses
- Track addresses indefinitely

17 The Structure

18 The Structure
- Connection cache: tracks whether the connection has been established in either direction
- Address cache: keeps track of detected addresses and records in "count" the difference between the number of failed and successful connections

19 Condition 1

20 Condition 2

21 Condition 3

22 Blocking and Special Cases
- If count is greater than a predefined threshold, the host is blocked
- Only already existing connections are maintained
- Dropped unless a session already exists: TCP RST, RST+ACK, SYN+ACK, FIN, FIN+ACK
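As an added illustration (not code from the slides or from the paper they summarize), the following Python model runs the counting of slides 16, 18 and 22 over constructed traffic: a connection cache and an address cache indexed by hash (so collisions can evict entries), a count that rises by one for each new attempt presumed to fail and falls by two when the other side answers, a block once the count passes 5 (slide 24), and a decay of one per minute standing in for the 1 scan/minute sustained scanning threshold of slide 8. The cache sizes, the +1/-2 update rule, the decay rule and all names in the block are my assumptions.

```python
import hashlib

BLOCK_THRESHOLD = 5  # slide 24: hosts whose count exceeded 5 were flagged
DECAY_SECONDS = 60   # slide 8: 1 scan/minute, modelled here (an assumption) as count decay
SPECIAL = {"RST", "RST+ACK", "SYN+ACK", "FIN", "FIN+ACK"}  # slide 22
def slot(key, size):  # approximate cache index: unrelated keys may collide and evict
    return int(hashlib.sha256(repr(key).encode()).hexdigest(), 16) % size

class ApproximateTRW:
    def __init__(self, conn_slots=65536, addr_slots=65536):
        self.conn = [None] * conn_slots  # slot -> (pair, initiator, established)
        self.addr = [None] * addr_slots  # slot -> [host, count, decay_clock]
        self.blocked = set()
    def _count(self, host, now):  # address-cache entry: count = failures - successes
        i = slot(host, len(self.addr))
        entry = self.addr[i]
        if entry is None or entry[0] != host:  # miss or collision: start over
            entry = self.addr[i] = [host, 0, now]
        elapsed = int((now - entry[2]) // DECAY_SECONDS)
        entry[1], entry[2] = max(min(entry[1], 0), entry[1] - elapsed), entry[2] + elapsed * DECAY_SECONDS  # decay positive counts 1/minute
        return entry

    def process(self, src, dst, flags, now):  # returns "forward" or "drop"
        pair = tuple(sorted((src, dst)))
        i = slot(pair, len(self.conn))
        known = self.conn[i] is not None and self.conn[i][0] == pair
        if src in self.blocked and not known:
            return "drop"  # blocked host: only already existing sessions are maintained
        if not known:
            if flags in SPECIAL:
                return "drop"  # slide 22: these packet types need an existing session
            self.conn[i] = (pair, src, False)  # new attempt, presumed to fail
            entry = self._count(src, now)
            entry[1] += 1
            if entry[1] > BLOCK_THRESHOLD:
                self.blocked.add(src)  # the slides do not say how a block is lifted
            return "forward"
        _, initiator, established = self.conn[i]
        if not established and src != initiator:  # the other side answered: success
            self.conn[i] = (pair, initiator, True)
            self._count(initiator, now)[1] -= 2  # undo the presumed failure, add a success
        return "forward"

def simulate(probe_interval=1):  # constructed traffic: an answered client, then an unanswered scanner
    trw = ApproximateTRW()
    for k in range(1, 8):
        trw.process("10.0.0.5", f"10.0.1.{k}", "SYN", k)
        trw.process(f"10.0.1.{k}", "10.0.0.5", "SYN+ACK", k)
    verdicts = [trw.process("10.0.0.9", f"10.0.2.{k}", "SYN", 1000 + k * probe_interval) for k in range(1, 8)]
    return verdicts, sorted(trw.blocked)
```

simulate() blocks the scanner on its sixth unanswered probe and drops the seventh, while simulate(90) shows the limit noted on slides 8 and 30: one probe every 90 seconds decays as fast as it accumulates and is never blocked.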

23 Evaluation
- A gigabit link connects 6000 hosts to the Internet
- The link sustains 50-100 Mbps and 8-15K packets/sec
- In a day: 20M external connection attempts and 2M internally initiated connection attempts
- Main trace: lasted 72 minutes; 44M packets, covering 48052 external hosts and 131K internal addresses
- Captured using tcpdump

24 Evaluation
- All outbound connections over a threshold of 5 were flagged by the algorithm

25 Evaluation
- Additional alerts on outbound traffic were generated when the sensitivity was increased

26 Cooperation
- Every containment device knows how many blocks the other containment devices currently have
- Each device uses this information to adjust its response threshold

27 Cooperation
- Reduces the threshold T by a quantity depending on θ and X, where θ controls how aggressively to reduce T and X is the number of other blocks in place

28 Attacking the Containment
- An attacker can create false positives: trigger responses which would not otherwise occur
- False positives create a DoS target
- An attacker can create false negatives to slip by the defenses

29 Inadvertent False Positives
- Two types:
  - Resulting from artifacts of the detection routines
  - Resulting from benign scanning

30 Malicious False Negatives
- Instead of scanning, the worm propagates through different means: topological, passive, etc.
- Worms can operate below the scanning threshold to avoid detection
- Scanning for liveness of the port
- Obtaining multiple network addresses

31 Malicious False Positives
- An attacker can spoof packets to frame other hosts in the same cell
- Spoofing can be prevented using MAC addresses
- Set up HTTP proxies and mail filtering to detect and block malicious content

32 Attacking the Algorithm
- Exploit the approximate cache's hash and permutation function
- Exploit the vulnerability to a two-sided evasion technique

33 Two-sided Evasion
- Requires two computers, one on each side of the containment device, generating normal traffic on a multitude of ports
- A worm could use this evasion technique, making up for each failed attempt by creating a successful connection between the cooperating machines

34 Related Work
- Network Security Monitor
- Snort
- Bro
- Leckie
- Forescout
- Mirage Networks

35 Future Work
- Implementing the system in hardware and deploying it
- Integrating the algorithm into software-based IDS
- Obtaining a complete enterprise trace
- Developing optimal communication strategies

36 Conclusions
- Demonstrated a highly sensitive scan detection and suppression algorithm suitable for worm containment
- Able to detect scanning in fewer than 10 attempts for a highly sensitive machine and in 30 attempts for a normal machine
- Cooperation between containment devices provides improved performance
