
Modeling/Detecting the Spread of Active Worms Lixin Gao Dept. Of Electrical & Computer Engineering Univ. of Massachusetts


1 Modeling/Detecting the Spread of Active Worms
Lixin Gao, Dept. of Electrical & Computer Engineering, Univ. of Massachusetts
lgao@ecs.umass.edu
http://www-unix.ecs.umass.edu/~lgao
Joint work with Z. Chen, J. Wu, S. Vangala and K. Kwiat

DIMACS workshop on Large-Scale Internet Attack, Sept 23-24, 2003

2 Monitoring Architecture
[Architecture diagram; labelled components: Black Hole (x3), Traffic Analyzer (x3), Monitoring Component, Detection Center]

3 What to monitor?
- Inactive addresses
- Inactive ports
- # of victims
- Total scan traffic
- # of flows
- Distribution of destination addresses
- Outbound traffic
- ?

4 How to monitor?
- Aggregate data from inactive addresses and ports
  - Address space
  - Address and port selection
- Learn the trend and determine anomalies
- Selective monitoring
- Adaptive monitoring
- Feedback based

5 Potential Issues
- Spoofed IP
- Multi-vector worm
- Aggressive scan
- Stealth scan
- Detecting only large-scale attacks

6 Analytical Active Worm Propagation (AAWP) Model
- T: size of the address space the worm scans
- N: total number of vulnerable hosts in the space
- S: scan rate
- n_i: number of infected machines at time i

7 Monitoring Random Scan

8 Detection Time vs. Monitoring Space
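Added example (not code from the slides or the authors): a discrete-time AAWP propagation curve for uniformly random scanning, plus the tick at which a black-hole monitor of a given size would expect to have seen a threshold number of scans, which is the "detection time vs. monitoring space" question of slides 6 to 8. The recurrence is the basic AAWP equation of the cited INFOCOM 2003 paper (not reproduced on the slide), with patching and host death omitted; the monitor size M, the hit threshold and all numeric inputs are constructed for this example.

```python
# Added example (not from the slides): discrete-time AAWP propagation and
# the tick at which a black-hole monitor would expect to see the worm.
# Recurrence (basic AAWP, no patching / host death; assumed from the cited
# INFOCOM 2003 paper, not shown on the slide):
#     n_{i+1} = n_i + (N - n_i) * (1 - (1 - 1/T) ** (S * n_i))
# T, N, S and n_i follow the slide; the monitor size M, the hit threshold
# and every numeric input below are this example's own constructed values.

def aawp_step(n_i, T, N, S):
    """One tick: n_i infected hosts each send S uniformly random scans over
    T addresses. A vulnerable host survives all S*n_i scans with
    probability (1 - 1/T)^(S*n_i); the remaining fraction gets infected."""
    return n_i + (N - n_i) * (1.0 - (1.0 - 1.0 / T) ** (S * n_i))

def aawp_curve(T, N, S, n0=1, ticks=3000):
    """Expected infected counts n_0 .. n_ticks (deterministic model)."""
    curve = [float(n0)]
    for _ in range(ticks):
        curve.append(aawp_step(curve[-1], T, N, S))
    return curve

def detection_tick(curve, T, S, M, threshold):
    """First tick at which a monitor on M inactive addresses has received
    at least `threshold` scans in expectation. A uniformly random scan lands
    in the monitored space with probability M/T, so the expected number of
    hits during tick i is S * n_i * M / T. Returns None if never reached."""
    seen = 0.0
    for i, n_i in enumerate(curve):
        seen += S * n_i * M / T
        if seen >= threshold:
            return i
    return None

if __name__ == "__main__":
    T, N, S = 2 ** 32, 350_000, 100   # IPv4 space; N and S are constructed
    curve = aawp_curve(T, N, S)
    for M, label in ((2 ** 16, "/16"), (2 ** 20, "/12"), (2 ** 24, "/8")):
        tick = detection_tick(curve, T, S, M, threshold=10)
        print(f"monitor {label}: 10 expected scans by tick {tick}, "
              f"infected hosts at that tick = {curve[tick]:.0f} of {N}")
```

Running it shows how much earlier in the infection curve a larger inactive address block crosses the same hit threshold, which is the trade-off the slide's plot illustrates.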

9 Local Subnet Scan
- The worms preferentially scan for targets on the "local" address space
- Nimda worm:
  - 50% of the time, choose an address with the same first two octets
  - 25% of the time, choose an address with the same first octet
  - 25% of the time, choose a random address
- The AAWP model is extended to understand the characteristics of local subnet scanning

10 Compare Local Subnet Scan with Random Scan

11 More Malicious Scan
- Random Scan
  - Wastes too much power
  - Easier to get caught
- More malicious scan techniques
  - Probing hosts are chosen more carefully?

12 Scan Methods
- Selective Scan
- Routable Scan
- Divide-Conquer Scan
- Hybrid Scan

13 Selective Scan
- Randomly selected destinations
- Selective Random Scan
  - Slapper worm: picks 162 /8 networks
- Benefit: simplicity, small program size

14 Selective Scan

15 Routable Scan
- Scan only routable addresses from the global BGP table
- How to reduce the payload?
  - 112K prefixes
  - Merge address segments and use a 2^16 threshold: 15.4 KB database
  - Only 20% of segments contribute 90% of addresses: 3 KB database
  - Further compression

16 Spread of Routable Scan

17 Monitoring Routable Scan

18 Divide-Conquer Scan
- An extension to routable scan
- Each time a new host gets infected, it gets half of the address space
- Susceptible to a single point of failure
- Possible overlapping address space

19 Divide-Conquer Scan

20 Monitoring Divide-Conquer Scan

21 Hybrid Scan
- A combination of the simple scan methods above
- For example:
  - Routable + Hitlist + Local Subnet Scan
  - Divide-Conquer + Hitlist

22 More Details
- Modeling the Spread of Active Worms, Z. Chen, L. Gao, K. Kwiat, INFOCOM 2003: http://www-unix.ecs.umass.edu/~lgao/paper/AAWP.pdf
- An Effective Architecture and Algorithm for Detecting Worms with Various Scan Techniques, J. Wu, S. Vangala, L. Gao, K. Kwiat: http://rio.ecs.umass.edu/gao/paper/final.pdf

