Presentation is loading. Please wait.

Presentation is loading. Please wait.

Detection Unknown Worms Using Randomness Check Computer and Communication Security Lab. Dept. of Computer Science and Engineering KOREA University Hyundo.

Published byClaire Miller Modified over 8 years ago

Similar presentations

Presentation on theme: "Detection Unknown Worms Using Randomness Check Computer and Communication Security Lab. Dept. of Computer Science and Engineering KOREA University Hyundo."— Presentation transcript:

1 Detection Unknown Worms Using Randomness Check Computer and Communication Security Lab. Dept. of Computer Science and Engineering KOREA University Hyundo Park, Heejo Lee (hyundo95@korea.ac.kr, heejo@korea.ac.kr)

2 Index Overview The relation of between worm and randomness The relation of between randomness and rank ADUR (Anomaly Detection Using Randomness check) Evaluation

3 Overview The Worm uses random generator to choose target host. The sequence of traffics, generated by random generator, has randomness. We can express the sequence of traffics on the matrix. The value of rank of the matrix can decide whether the sequence of traffics has randomness or not. Moreover, the exclusive-or operation can minimize false alarm rate Internet The normal state Source and destination address of packets has normal pattern The internet is infected by worm The worm propagation state Source and destination address of packets has randomness Infected

4 The relation of between worm and randomness Scanning methodDetailExample Hitlist scanningUse list of vulnerable host A sudden increase of outgoing connection Warhol Topological scanningGathering the information of target on infected host. A sudden increase of outgoing connection Morris Local scanningA sudden increase non-response packet and rejection of connection request present a various IP range Code red, Nimda Permutation scanningGenerated non-use query on server A sudden increase of outgoing connection Slammer The ADUR model detects worms by checking the pattern of scanning methods. The ordinary worms generate random traffics to choose target hosts.

5 The relation of between randomness and rank The rank is the number of leading one of upper triangle matrix. We measure the randomness by the use of rank the 99.99% of the value of rank of binary random metrics is more than 60. If the binary matrix is random, the probability of the value of rank follows above equation. Where, matrix, is the value of rank

6 ADUR classification about normal or abnormal network state Calculate rank Expression of traffic on the matrix Excusive-or operation

7 ADUR : expression of traffics The network traffic, source and destination IP address, can be expressed on matrix

8 ADUR : exclusive-or operation The exclusive-or operation deletes normal traffic. The exclusive-or operation can minimize false alarm rate is the value of rank at time

9 ADUR : classification about normal or abnormal network state is the matrix for incoming packets on the network. is the matrix for outgoing packets on the network. R( M ) is the rank of the matrix M. Normal Attacked (Flowing) Infected (Ebbing) Attacked and infected (Flooding)

10 Evaluation The AAWP(Analytical Active Worm Propagation) model : the total number of vulnerable machines in the internet When the number of initial infected hosts is 10000, the number of infected hosts is increasing exponentially. : the size of IPv4 space used by the worm to scan : the number of infected hosts at time tick : the scan rate

11 Evaluation The variation of the rank value per time tick The value of rank of normal traffics has a uniform boundary.

12 Evaluation The variation of the rank value where random connection increases one per each time tick when time tick is 20. If there are 25 random connections on the network, the rank becomes larger than 60. It is detected by ADUR whether the network is infected or attacked by the worm.

13 Evaluation ADUR model can detect worm propagation early. The number of infected hosts modeled by AAWP as a function of time tick. The corresponding value of rank when worms spread with the AAWP model.

14 Evaluation The change of the rank by the Slammer worm correctly shows clear distinction from the normal condition Corresponding 2-D graph to the left, which also shows the infected subnet location Rank distribution for a /16 network, where only one host is infected by Slammer

15 The state of network (Normal) This is the normal state of network. The value of rank of traffic matrix has small value boundary. In this state, not warning. Because this state is normal state. normal

16 The state of network (Normal_nmap) This is the nmap state of network. the nmap state is port scan state of one host. In this state, only the number of packets on the network increases. But the sequence of destination address has not randomness. So, the blue line is only increase. In this state, not warning. Because this state is not the propagation state of worm. nmap normal

17 The state of network (Normal_P2P) This is the P2P state of network. the P2P state is transmitted heavy traffic over the network. In this state, only the amount of bytes of packets on the network increases. But the sequence of destination address has not randomness. So, the green line is only increase. In this state, not warning. Because this state is not the propagation state of worm. nmap normal P2P

18 The state of network (Flowing) In this state, warning. Because this state is the propagation state of worm. This is the flowing state of network. The flowing state is attacked state by other network infected worm. In this state, the randomness on incoming traffics only increase. So, the value of rank of incoming traffics only increase. normal flowing

19 The state of network (Ebbing) This is the ebbing state of network. The ebbing state is infected state by worm. In this state, the randomness on outgoing traffics only increase. So, the value of rank of outgoing traffics only increase. normal ebbing

20 The state of network (Flooding) This is the flooding state of network. The flooding state is attacked state by other network infected worm and infected state by worm. In this state, the randomness on incoming and outgoing traffics only increase. So, the value of rank of incoming and outgoing traffics only increase. normal flooding

21 Conclusion The ADUR mechanism is to detect the spreading of Internet worms through checking the randomness of traffic The ADUR can detect unknown worms in an early stage The ADUR gives additional information such as infected subnet locations when a worm is detected.

22 Thank you Q & A

Download ppt "Detection Unknown Worms Using Randomness Check Computer and Communication Security Lab. Dept. of Computer Science and Engineering KOREA University Hyundo."

Similar presentations

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
Anomaly Detection Steven M. Bellovin https://www.cs.columbia.edu/~smb Matsuzaki ‘maz’ Yoshinobu 1.

Anomaly Detection Steven M. Bellovin Matsuzaki ‘maz’ Yoshinobu 1.
Worm Origin Identification Using Random Moonwalks Yinglian Xie, V. Sekar, D. A. Maltz, M. K. Reiter, Hui Zhang 2005 IEEE Symposium on Security and Privacy.

Worm Origin Identification Using Random Moonwalks Yinglian Xie, V. Sekar, D. A. Maltz, M. K. Reiter, Hui Zhang 2005 IEEE Symposium on Security and Privacy.
Investigating the Impact of Real-World Factors on Internet Worm Propagation Daniel Ray, Charles Ward, Bogdan Munteanu, Jonathan Blackwell, Xiaoyan Hong,

Investigating the Impact of Real-World Factors on Internet Worm Propagation Daniel Ray, Charles Ward, Bogdan Munteanu, Jonathan Blackwell, Xiaoyan Hong,
 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.

 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.
 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.

 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.
Behavior Intrusion Detection: Enhanced Hakan Evecek Rodolfo Ortiz Hakan Evecek Rodolfo Ortiz.

Behavior Intrusion Detection: Enhanced Hakan Evecek Rodolfo Ortiz Hakan Evecek Rodolfo Ortiz.
Modeling the spread of active worms Zesheng Chen, Lixin Gao, and Kevin Kwiat bearhsu - INFOCOM 2003.

Modeling the spread of active worms Zesheng Chen, Lixin Gao, and Kevin Kwiat bearhsu - INFOCOM 2003.
Internet Intrusions: Global Characteristics and Prevalence Presented By: Elliot Parsons Using slides from Vinod Yegneswaran’s presentation at SIGMETRICS.

Internet Intrusions: Global Characteristics and Prevalence Presented By: Elliot Parsons Using slides from Vinod Yegneswaran’s presentation at SIGMETRICS.
Copyright Silicon Defense 2003. Worm Overview Stuart Staniford Silicon Defense www.silicondefense.com.

Copyright Silicon Defense Worm Overview Stuart Staniford Silicon Defense
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
Worms: Taxonomy and Detection Mark Shaneck 2/6/2004.

Worms: Taxonomy and Detection Mark Shaneck 2/6/2004.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Analyzing Cooperative Containment Of Fast Scanning Worms Jayanthkumar Kannan Joint work with Lakshminarayanan Subramanian, Ion Stoica, Randy Katz.

Analyzing Cooperative Containment Of Fast Scanning Worms Jayanthkumar Kannan Joint work with Lakshminarayanan Subramanian, Ion Stoica, Randy Katz.
On the Effectiveness of Automatic Patching Milan Vojnović & Ayalvadi Ganesh Microsoft Research Cambridge, United Kingdom WORM’05, Fairfax, VA, USA, Nov.

On the Effectiveness of Automatic Patching Milan Vojnović & Ayalvadi Ganesh Microsoft Research Cambridge, United Kingdom WORM’05, Fairfax, VA, USA, Nov.
Modeling/Detecting the Spread of Active Worms Lixin Gao Dept. Of Electrical & Computer Engineering Univ. of Massachusetts

Modeling/Detecting the Spread of Active Worms Lixin Gao Dept. Of Electrical & Computer Engineering Univ. of Massachusetts
Fast and Robust Worm Detection Algorithm Tian Bu Aiyou Chen Scott Vander Wiel Thomas Woo bearhsu.

Fast and Robust Worm Detection Algorithm Tian Bu Aiyou Chen Scott Vander Wiel Thomas Woo bearhsu.
How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.
Design and Implementation of SIP-aware DDoS Attack Detection System.

Design and Implementation of SIP-aware DDoS Attack Detection System.
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

Similar presentations

Ads by Google