Introduction to Internet Worm


1 Introduction to Internet Worm
Cliff C. Zou

2 Common forms of malware
- "Malware": malicious software
- Viruses
- Worms
- Trojan horses: appear to be good but perform malicious actions
- Spyware, adware
- Spam, phishing

3 What is an Internet worm?
- Code that replicates itself over a computer network on its own and usually performs malicious actions
  - Exploits a vulnerability in some remote computers (the OS or installed software has the vulnerability)
  - Runs on compromised computers without permission from their users
  - Jumps from one computer to another through the Internet
- Automatic spreading without any human intervention: the basic difference from "viruses"

4 Worm propagation process
- Find new targets: IP random scanning (send a TCP SYN or UDP packet)
- Compromise targets: exploit the vulnerability
- Newly infected hosts join the infection army

5 Worm research motivation
- Code Red (Jul. 2001): 360,000 infected in 14 hours
- Slammer (Jan. 2003): 75,000 infected in 10 minutes; congested parts of the Internet (ATMs down, ...)
- Blaster (Aug. 2003): 150,000 to 8 million infected; DDoS attack (shut down the domain windowsupdate.com)
- Witty (Mar. 2004): 12,000 infected in half an hour; attacked a vulnerability in ISS security products
- Sasser (May 2004): 500,000 infected within two days
- Infection faster than human response!

6 How to defend against Internet worm attack?
- Automatic response required
- First, understand worm behavior
  - Basis for worm detection/defense
  - Similar to epidemic spreading
- Next, worm detection
  - Automatic (to catch the worm's speed)
  - Unknown worm (no known signature)
- Last, must have autonomous defense
  - False alarm?
  - More advanced worm? (e.g., polymorphic worm)

7 Internet Worm Modeling
- Internet worm propagation is similar to epidemic spreading
  - Borrow models from the epidemiology area
  - Modify the models based on the worm's behaviors
- Simple epidemic model: $I_t$: # of infected at time $t$; $N$: # of total population

8 Simple worm propagation model
- Address space of size $W$
- $N$: total vulnerable hosts
- $I_t$: infected by time $t$, so $N - I_t$ are still vulnerable at time $t$
- Scan rate (per host): $h$
- Probability of a scan hitting a vulnerable host: $\frac{N - I_t}{W}$
- Number of newly infected hosts in a unit time: $\frac{dI_t}{dt} = h \cdot I_t \cdot \frac{N - I_t}{W}$
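
The propagation process of slide 4 and the model of slide 8, carried through in code as an added example (not from the slides): a discrete-time Monte Carlo simulation of a uniformly random-scanning worm beside the closed-form solution of $\frac{dI_t}{dt} = h I_t (N - I_t)/W$, which is the logistic curve $I(t) = N / (1 + \frac{N - I_0}{I_0} e^{-(hN/W)t})$. The address space size, vulnerable population, scan rate, initial infected count and random seed below are constructed toy values, not measurements of any real worm.

```python
"""Random-scanning worm propagation: Monte Carlo simulation vs. the
simple epidemic model dI/dt = h * I * (N - I) / W.

Added example, not from the original slides. Parameter values in the
demo are constructed for illustration (a 16-bit toy address space).
"""
import math
import random


def epidemic_curve(W, N, h, i0, t):
    """Closed-form solution of dI/dt = (h/W) * I * (N - I) with I(0) = i0.

    This is the logistic curve: the per-host scan rate h, the address
    space W and the vulnerable population N enter only through the
    exponential growth rate h*N/W.
    """
    rate = h * N / W
    return N / (1.0 + (N - i0) / i0 * math.exp(-rate * t))


def simulate_random_scan(W, N, h, i0, max_ticks=500, seed=1):
    """Discrete-time simulation of a uniformly random-scanning worm.

    Addresses 0..N-1 are the vulnerable hosts (their position in the space
    does not matter for uniform scanning); hosts 0..i0-1 start infected.
    Each tick every infected host emits h scans at uniformly random
    addresses; a scan that lands on a not-yet-infected vulnerable host
    infects it, and the new victims start scanning on the next tick.
    Returns the list of I_t, one entry per tick.
    """
    rng = random.Random(seed)
    infected = set(range(i0))
    curve = [len(infected)]
    for _ in range(max_ticks):
        if len(infected) == N:
            break
        scans = h * len(infected)
        new = set()
        for _ in range(scans):
            target = rng.randrange(W)
            if target < N and target not in infected:
                new.add(target)
        infected |= new
        curve.append(len(infected))
    return curve


def first_tick_reaching(curve, level):
    """Index of the first tick at which I_t >= level (None if never)."""
    for t, i in enumerate(curve):
        if i >= level:
            return t
    return None


if __name__ == "__main__":
    W, N, h, i0 = 2 ** 16, 1000, 10, 10   # constructed toy parameters
    curve = simulate_random_scan(W, N, h, i0)
    model_half = W / (h * N) * math.log((N - i0) / i0)
    print(f"model: half of the population infected at t = {model_half:.1f}")
    print(f"simulation: half infected at tick {first_tick_reaching(curve, N // 2)}, "
          f"all {N} infected by tick {len(curve) - 1}")
    for t in range(0, len(curve), 10):
        print(f"t={t:3d}  sim I_t={curve[t]:5d}  "
              f"model I(t)={epidemic_curve(W, N, h, i0, t):7.1f}")
```

The simulation grows slightly slower than the model early on (one tick is a coarse step for a 15% per-tick growth rate, and two scans may hit the same host in one tick) and much slower at the end, where the last few vulnerable hosts must be found by chance among $W$ addresses; the differential equation captures the sigmoid shape and the growth rate $hN/W$ that Code Red and Slammer exhibited, which is what the later detection and defense slides rely on.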

9 Worm modeling papers references
- "How to 0wn the Internet in Your Spare Time": first modeling paper after Code Red (most important paper)
- "On the Performance of Internet Worm Scanning Strategies"
- "Epidemic spreading in complex networks with degree correlations"

10 Internet worm detection
- Detection of an unknown worm: no signature is known before the worm breaks out
- Different forms of worm detection
  - Detect a worm's breakout in the Internet: the minimum; does not provide further information
  - Detect infected hosts in the global Internet: helps filtering, protects local networks
  - Detect local infected hosts: helps maintenance; stops major damage before it is too late
  - Automatic signature generation: most valuable; directly helps worm filtering

11 Worm detection papers references
- "Monitoring and Early Warning for Internet Worms"
- "Fast Portscan Detection Using Sequential Hypothesis Testing"
- "Cooperative Response Strategies for Large Scale Attack Mitigation"
- "Automated Worm Fingerprinting"
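
Of the detection forms on slide 10, "detect local infected hosts" is the one a site can do on its own traffic, and the portscan paper listed above does it with a sequential hypothesis test (Threshold Random Walk). What follows is an added example, not the paper's code or the slides' material: a small TRW detector run over constructed connection records. The values of θ0, θ1, α and β are the ones the paper suggests but are stated here as assumptions, and the addresses and outcomes are made up.

```python
"""Threshold Random Walk (TRW) scan detection in the style of "Fast Portscan
Detection Using Sequential Hypothesis Testing", run over constructed
connection records. Added example; parameters and records are assumed.

For each remote source we watch its first-contact connection attempts to
distinct local hosts. A benign client mostly reaches hosts that exist and
listen (success), whereas a random-scanning worm mostly hits addresses that
do not answer (failure). Each outcome multiplies a likelihood ratio until it
crosses one of two thresholds, at which point the source is classified.
"""
import math

# Assumed parameters: probability that a first-contact attempt succeeds under
# H0 (benign) and H1 (scanner), target false-positive rate alpha and target
# detection rate beta.
THETA0, THETA1 = 0.8, 0.2
ALPHA, BETA = 0.01, 0.99
ETA1 = math.log(BETA / ALPHA)              # log threshold for "scanner" (ln 99)
ETA0 = math.log((1 - BETA) / (1 - ALPHA))  # log threshold for "benign" (-ln 99)

# Per-outcome log-likelihood ratios log(P[Y|H1] / P[Y|H0]).
LLR_SUCCESS = math.log(THETA1 / THETA0)              # negative: evidence for benign
LLR_FAILURE = math.log((1 - THETA1) / (1 - THETA0))  # positive: evidence for scanner


class TRWDetector:
    """Per source: the local hosts already contacted, the running
    log-likelihood ratio, and the verdict once a threshold is crossed."""

    def __init__(self):
        self.seen = {}     # src -> set of local hosts already tried
        self.llr = {}      # src -> current log-likelihood ratio
        self.verdict = {}  # src -> "scanner" / "benign" once decided

    def observe(self, src, dst, success):
        """Feed one connection attempt; returns the verdict or None."""
        if src in self.verdict:
            return self.verdict[src]
        seen = self.seen.setdefault(src, set())
        if dst in seen:                # only first contacts carry evidence
            return None
        seen.add(dst)
        self.llr[src] = self.llr.get(src, 0.0) + (LLR_SUCCESS if success else LLR_FAILURE)
        if self.llr[src] >= ETA1:
            self.verdict[src] = "scanner"
        elif self.llr[src] <= ETA0:
            self.verdict[src] = "benign"
        return self.verdict.get(src)


def classify(records):
    """Run TRW over (src, dst, success) records; return {src: verdict} for
    every source on which a decision was reached."""
    det = TRWDetector()
    for src, dst, ok in records:
        det.observe(src, dst, ok)
    return dict(det.verdict)


# Constructed sample: a worm-like host probing sequential addresses that
# mostly do not answer, a benign client reaching real servers, and a host
# that has not yet produced enough evidence either way.
SAMPLE_RECORDS = [
    ("10.0.0.5", "192.168.1.1", False),
    ("10.0.0.5", "192.168.1.2", False),
    ("10.0.0.5", "192.168.1.3", True),    # one live host found
    ("10.0.0.5", "192.168.1.4", False),
    ("10.0.0.5", "192.168.1.5", False),
    ("10.0.0.5", "192.168.1.6", False),   # fourth net failure: crosses ETA1
    ("10.0.0.5", "192.168.1.6", False),   # repeat contact: ignored
    ("10.0.0.7", "192.168.1.10", True),
    ("10.0.0.7", "192.168.1.20", True),
    ("10.0.0.7", "192.168.1.20", True),   # repeat contact: ignored
    ("10.0.0.7", "192.168.1.30", True),
    ("10.0.0.7", "192.168.1.40", True),   # fourth success: crosses ETA0
    ("10.0.0.9", "192.168.1.50", False),
    ("10.0.0.9", "192.168.1.51", True),   # evidence cancels out: undecided
]

if __name__ == "__main__":
    for src, verdict in classify(SAMPLE_RECORDS).items():
        print(src, verdict)
```

With these parameters each failure multiplies the likelihood ratio by 4 and each success divides it by 4, so four net failures suffice to flag a source and four net successes to clear it; that is what makes the test fast enough for a worm that scans at hundreds of addresses per second. The cost is the α parameter: a legitimate client that happens to probe a few dead addresses (a misconfigured resolver, a stale peer list) walks the same path, which is the false-alarm question slide 12 raises.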

12 Internet worm defense
- Can it catch a worm's rapid speed? It must be automatic and quick enough
  - "Internet Quarantine: Requirements for Containing Self-Propagating Code"
- Acceptable false alarm cost? The major reason for slow deployment of automatic worm defense systems; people tend to forget worms until hit hard
  - "Throttling Viruses: Restricting Propagation to Defeat Mobile Malicious Code"

13 Advanced worms: polymorphic worms
- The worm changes its code as it spreads
  - Uses encryption to hide the code signature
  - Uses code transformation techniques to change
- Makes it harder to automatically generate a signature
- Two papers (attack/defense):
  - "Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic"
  - "Polygraph: Automatic Signature Generation for Polymorphic Worms"
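
Slide 10 calls automatic signature generation the most valuable form of detection, and this slide says polymorphism is what makes it hard. The added example below, in the spirit of the "Automated Worm Fingerprinting" and "Polygraph" papers but not those systems' code, shows both points on constructed traffic: content sifting flags byte substrings that are common across flows and spread over many sources and destinations, the flagged substrings then filter fresh worm instances, and when the worm randomises everything but its return address only a short token survives. The payloads, addresses, substring length and thresholds are all constructed for illustration.

```python
"""Content sifting over constructed payloads: which byte substrings are common
enough across flows, and spread across enough source and destination addresses,
to serve as a worm signature, and what is left of them when the worm is
polymorphic. Added example, not the Earlybird or Polygraph code; all payloads,
addresses, thresholds and the substring length are assumed.
"""
import random
from collections import defaultdict


def kgrams(payload, k):
    """All k-byte substrings of a payload, as a set (counted once per flow)."""
    return {payload[i:i + k] for i in range(len(payload) - k + 1)}


def sift(flows, k=8, min_flows=4, min_srcs=3, min_dsts=3):
    """flows: iterable of (src, dst, payload bytes).

    Returns the k-byte substrings that appear in at least min_flows flows and
    are spread over at least min_srcs distinct sources and min_dsts distinct
    destinations. Prevalence alone would also flag popular server content;
    the dispersion test singles out content that many hosts send to many
    other hosts, which is how a spreading worm looks on the wire.
    """
    prevalence = defaultdict(int)
    srcs = defaultdict(set)
    dsts = defaultdict(set)
    for src, dst, payload in flows:
        for g in kgrams(payload, k):
            prevalence[g] += 1
            srcs[g].add(src)
            dsts[g].add(dst)
    return {g for g, n in prevalence.items()
            if n >= min_flows and len(srcs[g]) >= min_srcs and len(dsts[g]) >= min_dsts}


def matches(signature, payload):
    """Filtering step: does any flagged substring occur in the payload?"""
    return any(g in payload for g in signature)


# ---- constructed traffic ---------------------------------------------------
rng = random.Random(7)


def rand_bytes(n):
    return bytes(rng.randrange(256) for _ in range(n))


# Fictitious exploit layout: fixed protocol framing, a per-instance "encrypted"
# body, fixed padding and a fixed 4-byte return address (0xdeadbeef, little-endian).
FRAME = b"HELO wormhost\r\nDATA "
RET = b"\xef\xbe\xad\xde"


def worm_instance():
    return FRAME + rand_bytes(64) + b"AAAA" + RET + b"\r\n"


def evasive_instance():
    # Framing and padding randomised as well: only the return address is
    # still invariant across instances.
    return rand_bytes(20) + rand_bytes(64) + RET + rand_bytes(6)


BENIGN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"

# Worm: five victims each attacking a different next victim.
WORM_FLOWS = [(f"10.0.{i}.1", f"10.1.{i}.2", worm_instance()) for i in range(5)]
EVASIVE_FLOWS = [(f"10.0.{i}.1", f"10.1.{i}.2", evasive_instance()) for i in range(5)]
# Benign: six clients fetching the same page from one popular server
# (high prevalence, but a single destination, so not worm-like).
BENIGN_FLOWS = [(f"10.2.{i}.1", "203.0.113.10", BENIGN_REQUEST) for i in range(6)]


def demo():
    """Signatures for the plain worm, the evasive worm at k=8, and the evasive
    worm at k=4, each sifted together with the benign traffic."""
    sig = sift(WORM_FLOWS + BENIGN_FLOWS)
    sig_evasive = sift(EVASIVE_FLOWS + BENIGN_FLOWS)
    sig_evasive_short = sift(EVASIVE_FLOWS + BENIGN_FLOWS, k=4)
    return sig, sig_evasive, sig_evasive_short


if __name__ == "__main__":
    sig, sig_evasive, sig_short = demo()
    print(f"{len(sig)} invariant 8-byte substrings for the plain worm, e.g. {sorted(sig)[:3]}")
    print("fresh instance matched:", matches(sig, worm_instance()),
          "| benign request matched:", matches(sig, BENIGN_REQUEST))
    print(f"{len(sig_evasive)} substrings for the evasive worm at k=8; at k=4: {sig_short}")
```

For the plain worm the sifter recovers the 13 substrings of the framing and the 3 covering the padding and return address, and those filter a fresh instance without touching the benign request. For the evasive worm nothing of length 8 is invariant, and shortening the substrings to 4 bytes leaves a single token, the return address. A signature built from such short tokens has to be a conjunction of several of them, which is the Polygraph approach, and each short token is more likely to occur in legitimate traffic, which is the false-alarm cost slide 12 warns about.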

