Modeling, Early Detection, and Mitigation of Internet Worm Attacks

1 Modeling, Early Detection, and Mitigation of Internet Worm Attacks
Cliff Changchun Zou
Assistant Professor, School of Computer Science, University of Central Florida, Orlando, FL
Web:

2 Worm propagation process
Find new targets: IP random scanning
Compromise targets: exploit vulnerability
Newly infected join infection army

3 Worm research motivation
Code Red (Jul. 2001): 360,000 infected in 14 hours
Slammer (Jan. 2003): 75,000 infected in 10 minutes; congested parts of the Internet (ATMs down…)
Blaster (Aug. 2003): 150,000 ~ 8 million infected; DDoS attack (shut down domain windowsupdate.com)
Witty (Mar. 2004): 12,000 infected in half an hour; attacked a vulnerability in ISS security products
Sasser (May 2004): 500,000 infected within two days
Infection faster than human response!

4 How to defend against worm attack?
Automatic response required
First, understanding worm behavior: basis for worm detection/defense
Next, early warning of an unknown worm: detection based on worm model; prediction of worm damage scale
Last, autonomous defense: dynamic quarantine; self-tuning defense

5 Outline
Worm propagation modeling
Early warning of an unknown worm
Autonomous defense
Summary and current work

6 Outline
Worm propagation modeling
Early warning of an unknown worm
Autonomous defense
Summary and current work

7 Simple worm propagation model
Address space, size W
N: total vulnerable
I_t: infected by time t
N - I_t: vulnerable at time t
h: scan rate (per host)
Prob. of a scan hitting vulnerable
# of increased infected in a unit time

8 Simple worm propagation

9 Code Red worm modeling
Simple worm model matches observed Code Red data
"Ideal" network condition: no human countermeasures, no network congestion
First model work to consider these [CCS'02]

10 Witty worm modeling
Witty's destructive behavior:
  1) Send 20,000 UDP scans to 20,000 IP addresses
  2) Write 65KB at a random point on the hard disk
Consider an infected computer:
  Constant bandwidth → constant time to send 20,000 scans
  Random point writing → infected host crashes with prob.
  Crashing time approximated by an Exponential distribution

11 Witty worm modeling
(plots of # of vulnerable at t against hours)
: # of crashed infected computers at time t
Memoryless property
*Witty trace provided by U. Michigan "Internet Motion Sensor"

12 Advanced worm modeling — hitlist, routing worm
Hitlist worm — increase I_0
  Contains a list of known vulnerable hosts
  Infects hit-list hosts first, then randomly scans
  Lasts less than a minute
Routing worm — decrease W
  Only scan BGP routable space
  BGP table information: W = 0.32 × 2^32 (32% of IPv4 space is Internet routable)

13 Hitlist, routing worm
Code Red style worm: h = 358/min, N = 360,000
hitlist: I(0) = 10,000
routing: W = 0.29 × 2^32
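The simple model of slide 7 and the hitlist/routing variants of slides 12 and 13, stepped in discrete time, as an added example (not code from the deck or from the author). The parameters are the ones the slides state (N = 360,000, h = 358/min, W = 2^32 or 0.29 × 2^32, I_0 = 10 or 10,000); the one-minute Euler step, the helper names and the "time to reach a fraction of N" measure are this example's own choices.

```python
import math

# Parameters taken from slides 7, 12, 13 and 25 of the deck; the Euler step
# and the helper names below are this example's own.
W_IPV4 = 2 ** 32          # full IPv4 scanning space W
N_CODE_RED = 360_000      # vulnerable population N
H_CODE_RED = 358.0        # scans per minute per infected host h
I0_CODE_RED = 10          # initially infected hosts I_0


def growth_rate(N, h, W):
    """Early-stage exponential rate a = h*N/W (per minute): while I << N,
    dI/dt = h*I*(N-I)/W is approximately a*I (this is slide 25's a = 1.8/hour)."""
    return h * N / W


def simulate_worm(N, h, W, I0, minutes, dt=1.0):
    """Simple worm model (slide 7) stepped in discrete time.

    Each infected host sends h scans per unit time; a scan hits a still-
    vulnerable host with probability (N - I)/W, so the number of newly
    infected hosts per unit time is h*I*(N - I)/W.  Returns I_t sampled
    every dt minutes, starting with I_0.
    """
    I = float(I0)
    series = [I]
    for _ in range(int(round(minutes / dt))):
        newly_infected = h * I * (N - I) / W * dt
        I = min(float(N), I + newly_infected)
        series.append(I)
    return series


def time_to_fraction(series, N, fraction, dt=1.0):
    """First time (minutes) at which at least `fraction` of N is infected,
    or None if the simulated horizon ends first."""
    for step, infected in enumerate(series):
        if infected >= fraction * N:
            return step * dt
    return None


def compare_strategies(minutes=24 * 60):
    """Slide 13's three scenarios side by side: plain random scanning, a
    hitlist worm (larger I_0) and a routing worm (smaller W)."""
    scenarios = {
        "random scanning": dict(N=N_CODE_RED, h=H_CODE_RED, W=W_IPV4, I0=I0_CODE_RED),
        "hitlist I(0)=10,000": dict(N=N_CODE_RED, h=H_CODE_RED, W=W_IPV4, I0=10_000),
        "routing W=0.29*2^32": dict(N=N_CODE_RED, h=H_CODE_RED, W=0.29 * W_IPV4, I0=I0_CODE_RED),
    }
    results = {}
    for name, params in scenarios.items():
        series = simulate_worm(minutes=minutes, **params)
        results[name] = {
            "a_per_min": growth_rate(params["N"], params["h"], params["W"]),
            "t_50pct_min": time_to_fraction(series, params["N"], 0.5),
            "t_90pct_min": time_to_fraction(series, params["N"], 0.9),
        }
    return results


if __name__ == "__main__":
    for name, r in compare_strategies().items():
        print(f"{name:22s} a={r['a_per_min']:.4f}/min  "
              f"50% at {r['t_50pct_min']} min  90% at {r['t_90pct_min']} min")
```

Running it shows why the two advanced strategies matter for defenders: the hitlist worm skips the slow first hours (it starts from I_0 = 10,000 instead of 10), and the routing worm raises the per-scan hit probability by shrinking W, so both reach half of N in roughly a third of the time the plain random-scanning worm needs, with the same scan rate and the same vulnerable population.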

14 Botnet-based Diurnal Modeling
(plot regions: North America, Europe, Eastern Asia)
Diurnal property of online infectious hosts, determined by time zone

15 Worm Propagation Diurnal Model
Divide Internet hosts into groups
Each group has hosts in one or several nearby time zones → same diurnal property
Consider modeling in one group:
  : diurnal shaping function (fraction of online hosts)
  : # of infected
  : # of online infected
  : # of online susceptible
  : # of susceptible

16 Optimal Worm Releasing Time based on Diurnal Model
Diurnal property affects a worm's speed
Speed prediction derived based on diurnal model

17 Outline
Worm propagation modeling
Early warning of an unknown worm
Autonomous defense
Summary and current work

18 How to detect an unknown worm at its early stage?
Monitor: worm scans to unused IPs (TCP/SYN packets, UDP packets)
Also called "darknet"
Monitored data is noisy
(figure: Internet, local network, unused IP space, monitored traffic)

19 Can we take advantage of worm model to detect a worm?
Reflection: worm anomaly ≠ other anomalies?
A worm has its own propagation dynamics
Deterministic models appropriate for worms
Can we take advantage of worm model to detect a worm?

20 Worm model in early stage
(plot marking 1% and 2% infected)
Initial stage exhibits exponential growth

21 "Trend Detection" → Detect traffic trend, not burst
Trend: worm exponential growth trend at the beginning
Detection: the estimated exponential rate a becomes a positive, constant value
(figure: monitored illegitimate traffic rate, worm traffic vs. non-worm burst traffic; exponential rate a on-line estimation)

22 Why exponential growth at the beginning?
Attacker's incentive: infect as many as possible before people's counteractions
If not, a worm does not reach its spreading speed limit
Slow spreading worm detected by other ways: security experts' manual check, honeypot, …

23 Model for estimate of worm exponential growth rate a
Exponential model:
  : monitoring noise
  Z_t: # of monitored scans at time t
yield

24 Estimation by Kalman Filter
System:
where
Kalman Filter for estimation of X_t:

25 Code Red simulation experiments
Population: N = 360,000; infection rate: a = 1.8/hour; scan rate h ~ N(358/min, 100^2); initially infected: I_0 = 10
Monitored IP space: 2^20; monitoring interval: 1 minute
Consider background noise
At 0.3% (157 min): estimate stabilizes at a positive constant value
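The trend-detection idea of slides 21 to 25 worked through on constructed data, as an added example (not the deck's own equations or code). It keeps the slide-25 setting (a = 1.8/hour, I_0 = 10, h = 358/min, a 2^20-address monitor, one-minute intervals) but the exact state model is this example's choice: the deck's system equations are not preserved in the transcript, so the filter below estimates a from the log-linear relation ln Z_t = ln Z_0 + a t with a two-state constant-parameter Kalman filter, the monitor's counts are assumed Poisson around p·h·I_t, and the "stabilized at a positive constant" alarm rule (a window of recent estimates all positive and within a tolerance) is likewise an assumption.

```python
import math
import random

# Constructed experiment following slide 25: Code Red-like growth a = 1.8/hour
# (0.03/min), I_0 = 10, h = 358 scans/min, a 2^20-address monitor, one-minute
# intervals.  The log-linear state model, the Poisson noise model and the
# stabilisation rule are this example's own choices, not the deck's equations.
A_TRUE = 1.8 / 60.0                  # per minute
I0, SCAN_RATE = 10, 358.0
P_MONITORED = 2 ** 20 / 2 ** 32      # fraction of IPv4 space watched


def poisson(rng, mean):
    """Knuth's Poisson sampler (adequate for the means used here, < ~200)."""
    limit, k, p = math.exp(-mean), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def monitored_scans(minutes, seed=None):
    """Z_t for t = 0..minutes-1: on average p*h*I_0*e^{a t} worm scans hit
    the monitor per minute; with a seed, each count is Poisson around that."""
    rng = random.Random(seed)
    z = []
    for t in range(minutes):
        mean = P_MONITORED * SCAN_RATE * I0 * math.exp(A_TRUE * t)
        z.append(poisson(rng, mean) if seed is not None else mean)
    return z


def kalman_update(x, P, H, y, R):
    """One update of a two-state Kalman filter with a constant state
    (no process noise): observation y = H x + v with Var(v) = R."""
    PHt = [P[0][0] * H[0] + P[0][1] * H[1], P[1][0] * H[0] + P[1][1] * H[1]]
    S = H[0] * PHt[0] + H[1] * PHt[1] + R          # innovation variance
    K = [PHt[0] / S, PHt[1] / S]                    # Kalman gain
    innovation = y - (H[0] * x[0] + H[1] * x[1])
    x = [x[0] + K[0] * innovation, x[1] + K[1] * innovation]
    IKH = [[1 - K[0] * H[0], -K[0] * H[1]], [-K[1] * H[0], 1 - K[1] * H[1]]]
    P = [[IKH[i][0] * P[0][j] + IKH[i][1] * P[1][j] for j in range(2)] for i in range(2)]
    return x, P


def trend_detect(z, window=20, tol=0.005, min_obs=10):
    """Estimate a on-line from ln Z_t = ln(Z_0) + a t (state [ln Z_0, a]) and
    raise an alarm once the last `window` estimates of a are all positive and
    agree within `tol`.  Returns (alarm_minute or None, estimates_of_a)."""
    x, P = [0.0, 0.0], [[1e8, 0.0], [0.0, 1e8]]   # vague prior on both states
    estimates, alarm, n_obs = [], None, 0
    for t, count in enumerate(z):
        if count <= 0:            # nothing hit the monitor: no log, no update
            continue
        x, P = kalman_update(x, P, [1.0, float(t)], math.log(count), 1.0)
        n_obs += 1
        estimates.append(x[1])
        recent = estimates[-window:]
        if (alarm is None and n_obs >= max(min_obs, window)
                and min(recent) > 0 and max(recent) - min(recent) < tol):
            alarm = t
    return alarm, estimates


if __name__ == "__main__":
    alarm, est = trend_detect(monitored_scans(160, seed=7))
    print(f"alarm at minute {alarm}, a estimate {est[-1]:.4f}/min (true {A_TRUE:.4f})")
```

Two practical points the code makes visible: a burst of non-worm scans would move the estimate of a once and then let it drift back, whereas a worm keeps it pinned at a positive constant, which is exactly the "trend, not burst" distinction of slide 21; and because the regression is on the log of the counts, the early minutes with zero or single-digit hits are the noisiest and the alarm only fires once enough minutes have accumulated, which is why slide 25 reports stabilization at about 0.3% infected rather than at the first minute. With a in hand, slide 26's prediction of N follows from slide 7's relation a = hN/W when h and W are known.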

26 Damage evaluation — Prediction of global vulnerable population N
yield
Accurate prediction when less than 1% of N infected

27 Damage evaluation — Estimation of global infected population I_t
Monitoring 2^14 IP space (p = 4 × 10^-6)
  : cumulative # of observed infected hosts by time t
  : per host scan rate
  : fraction of address space monitored
  : Prob. an infected host to be observed by the monitor in a unit time
# of unobserved infected by t
# of newly observed (t → t+1)

28 Outline
Worm propagation modeling
Early warning of an unknown worm
Autonomous defense
Summary and current work

29 Autonomous defense principles
Principle #1: Preemptive Quarantine
  Compared to attack potential damage, we are willing to tolerate some false alarm cost
  Quarantine upon suspicion, confirm later
  Basis for our Dynamic Quarantine [WORM'03]
Principle #2: Adaptive Adjustment
  More serious attack, more aggressive defense
  At any time t, minimize: (attack damage cost) + (false alarm cost)

30 Self-tuning defense against various network attacks
Principle #2: Adaptive Adjustment (more severe attack, more aggressive defense)
Self-tuning defense system designs:
  SYN flood Distributed Denial-of-Service (DDoS) attack
  Internet worm infection
  DDoS attack with no source address spoofing

31 Motivation of self-tuning defense
(ROC plot with curves for a severe attack and a light attack)
  : False positive prob. (blocking normal traffic)
  : False negative prob. (missing attack traffic)
  : Detection sensitivity
  : Fraction of attack in traffic
Q: Which operation point is "good"?
A: All operation points are good; the optimal one depends on attack severity p

32 Estimation of attack severity p
(figure: incoming traffic → filter → passed / dropped)
  : Fraction of detected traffic
  : # of incoming traffic
  : # of normal traffic
  : # of attack traffic
Unbiased

33 Self-tuning defense design
(figure: incoming → filter → passed; self-tuning optimization; attack estimation)
Discrete time k → k+1
Optimization:
  Fraction of passed attack, dropped normal
  : Cost of dropping a normal traffic
  : Cost of passing an attack traffic

34 Self-tuning defense structure
(diagram: Attack Severity, Operation Settings, Detection, Defense)
More severe attack, more aggressive defense
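The self-tuning loop of slides 29 to 34 in working form, as an added example that is not the deck's or AT&T's design. The deck gives the principle (estimate severity p from what the filter drops, then pick the operation point that minimizes false-alarm cost plus attack-damage cost); the five-point detector characteristic, the unit costs, the packet counts and the attack-severity schedule below are constructed for illustration, and the estimator inverts E[dropped fraction] = (1 - p)·FP + p·(1 - FN), which is one unbiased estimator consistent with slide 32, not necessarily the one on the slide.

```python
import random

# Constructed detector characteristic: five sensitivity settings theta with
# their false-positive (FP) and false-negative (FN) probabilities.  These
# numbers are illustrative, not measured from any real filter; the deck only
# gives the shape of the curve (slide 31).
ROC = {
    1: (0.00, 0.80),   # least sensitive: blocks nothing normal, misses most attack
    2: (0.01, 0.50),
    3: (0.03, 0.25),
    4: (0.08, 0.10),
    5: (0.20, 0.03),   # most sensitive: blocks 20% of normal traffic
}


def expected_cost(theta, p, c_normal, c_attack):
    """Per-packet cost at setting theta when a fraction p of traffic is attack:
    (false alarm cost) + (attack damage cost), the quantity slide 29 minimizes."""
    fp, fn = ROC[theta]
    return c_normal * (1 - p) * fp + c_attack * p * fn


def choose_setting(p_hat, c_normal, c_attack):
    """Principle #2: pick the setting minimising expected cost for the
    estimated severity; a larger p_hat drives theta up (more aggressive)."""
    return min(ROC, key=lambda theta: expected_cost(theta, p_hat, c_normal, c_attack))


def estimate_severity(dropped_fraction, theta):
    """Estimate p from the drop rate (slide 32): the filter drops FP of normal
    and 1-FN of attack traffic, so E[dropped] = (1-p) FP + p (1-FN); inverting
    that linear relation gives an unbiased estimate of p."""
    fp, fn = ROC[theta]
    p_hat = (dropped_fraction - fp) / (1.0 - fn - fp)
    return min(1.0, max(0.0, p_hat))           # clip sampling noise into [0, 1]


def simulate_self_tuning(true_p_by_interval, n_packets=10_000, theta0=3,
                         c_normal=1.0, c_attack=1.0, seed=1):
    """Discrete-time loop k -> k+1 (slide 33): filter one interval with the
    current setting, count drops, estimate p, re-tune for the next interval.
    Traffic is synthetic: each packet is dropped with the ROC probabilities.
    Returns [(k, theta used in interval k, p estimated from interval k), ...]."""
    rng = random.Random(seed)
    theta, history = theta0, []
    for k, p in enumerate(true_p_by_interval):
        fp, fn = ROC[theta]
        n_attack = round(p * n_packets)
        dropped = sum(rng.random() < fp for _ in range(n_packets - n_attack))
        dropped += sum(rng.random() < 1 - fn for _ in range(n_attack))
        p_hat = estimate_severity(dropped / n_packets, theta)
        history.append((k, theta, p_hat))
        theta = choose_setting(p_hat, c_normal, c_attack)
    return history


if __name__ == "__main__":
    for k, theta, p_hat in simulate_self_tuning([0.05, 0.05, 0.6, 0.6, 0.9, 0.9]):
        print(f"interval {k}: ran theta={theta}, estimated p={p_hat:.3f}")
```

The run shows the slide-34 behaviour directly: while attack traffic is 5% of the mix the loop settles on a low-sensitivity setting (a 1% false-positive rate is cheaper than the damage it would take to block more), and as the attack fraction climbs to 60% and then 90% the chosen setting moves up to the most aggressive point even though that point blocks a fifth of legitimate traffic. The estimator only works when the filter's FP and FN at the current setting are known, so in practice those have to be measured offline; note also that the denominator 1 - FN - FP must stay well above zero, which rules out settings near the ROC diagonal.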

35 Outline
Worm propagation modeling
Early warning of an unknown worm
Autonomous defense
Summary and current work

36 Worm research contribution
Worm modeling:
  Two-factor model: human counteractions; network congestion
  Diurnal modeling; worm scanning strategies modeling
Early detection:
  Detection based on "exponential growth trend"
  Estimate/predict worm potential damage
Autonomous defense:
  Dynamic quarantine (interviewed by NPR)
  Self-tuning defense (patent filed by AT&T)
-based worm modeling and defense
