Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 On the Performance of Internet Worm Scanning Strategies Authors: Cliff C. Zou, Don Towsley, Weibo Gong Publication: Journal of Performance Evaluation,

Published byBlaze French Modified over 8 years ago

Similar presentations

Presentation on theme: "1 On the Performance of Internet Worm Scanning Strategies Authors: Cliff C. Zou, Don Towsley, Weibo Gong Publication: Journal of Performance Evaluation,"— Presentation transcript:

1 1 On the Performance of Internet Worm Scanning Strategies Authors: Cliff C. Zou, Don Towsley, Weibo Gong Publication: Journal of Performance Evaluation, 63(7), 700-723, July 2006 Presenter: Cliff Zou for CDA6133, Spring’08

2 2 Motivation Hackers have tried various scanning strategies in their scan-based worms  Uniform scan  Code Red, Slammer  Local preference scan  Code Red II  Sequential scan  Blaster Possible scanning strategies:  Target preference scan (selective attack from a routing worm)  Divide-and-conquer scan How do they affect a worm’s propagation?  Mean value analysis ( based on law of large number )  Numerical solutions; Simulation studies.

3 3 Epidemic Model Introduction Model for homogeneous system Model for interacting groups : # of infectious : infection ability : # of hosts : scan rate For worm modeling: : scanning space

4 4 Infinitesimal Analysis of Epidemic Model From time t to t+  :  Vulnerable hosts [N-I(t)]; infected hosts I(t).  An infected host infects vulnerable hosts.  Negligible of Prob. “two scans hitting the same vulnerable host”.  Newly infected hosts:  Negligible of Prob. “two infected hosts infect the same vulnerable host”. Thus I(t+  ) is : # of hosts : scan rate : scanning space : # of infectious : small time interval Prob. p of a worm copy hitting a specific IP address during  :

5 5 Uniform Scan Worm Traditional worm: Code Red, Slammer  Uniformly scans the entire IPv4 space (  = 2 32 ) Hit-list worm – increase I(0): [Staniford et al. 2002]  Knowing IP addresses of a fraction of vulnerable hosts.  Has a large number of initially infected hosts I(0). Routing worm – decrease  : [Zou et al. 2003]  Using BGP routing table to only scan BGP routable space.  Currently, only 32% of IPv4 space is routable.  Has a bigger infection ability 

6 6 Hitlist, routing worm Code Red style worm  = 358/min N = 360,000 hitlist, I(0) = 10,000 routing,  =.29 £ 2 32 Defense: Crucial to prevent attackers from  Identifying IP addresses of a large number of vulnerable hosts  Flash worm, Hit-list worm  Obtaining address information to reduce a worm’s scanning space  Routing worm

7 7 Local Preference Scan Worm Model: epidemic in interacting groups Analysis: assume K “/n” networks  Prob. p : uniformly scan local “/n” network  Prob. ( 1-p ): uniformly scan others Conclusions:  Vulnerable hosts uniformly distributed:  No difference as long as the worm spreads out to every network.  Vulnerable hosts not uniformly distributed:  Analysis: hosts uniformly distributed in m out of K networks  Local preference scan increases a worm’s speed.

8 8  Local preference scan increases speed (when vulnerable hosts are not uniformly distributed)  Local scan on Class A ( “/8”) networks: p*  1  Local scan on Class B ( “/16” ) networks: p*  0.85  Code Red II: p =0.5 (Class A), p =0.375 (Class B)  Smaller than p* Local Preference Scan Worm Class A local scan (K=256, m=116) Class B local scan (K=2 16, m=116 £ 2 8 )

9 9 Sequential Scan Worm Sequential scan:  Sequentially scans IP addresses from a starting point.  Blaster worm selects its starting point locally with p =0.4  Such local preference slows down worm propagation.  Reason: child worm copies are more likely to be wasted on repeating their parents’ scanning trails. Sequential scan is equivalent to uniform scan when  Vulnerable hosts uniformly distributed in IPv4 space.  The worm selects starting point uniformly.

10 10 Simulations agree with our analyses. Analysis limitation (mean value analysis):  No consideration of variability. Sequential Scan Worm Simulation Study Comparison of uniform scan, sequential scan with/without local preference (100 simulation runs; vulnerable hosts uniformly distributed in entire IPv4 space)

11 11 Sequential Scan Worm Simulation Study Observations:  Local preference in selecting starting point is a bad idea.  Mean value analysis cannot analyze variability. Uniform scan, sequential scan with/without local preference (100 simulation runs) Vulnerable hosts uniformly distributed in BGP routable IP space (28.6% of IPv4 space)

12 12 Witty worm modeling Witty’s destructive behavior: 1). Send 20,000 UDP scans to 20,000 IP addresses 2). Write 65KB in a random point in hard disk  Consider an infected computer:  Constant bandwidth  constant time to send 20,000 scans  Random point writing  infected host crashes with prob.  Crashing time approximate by Exponential distribution ( )

13 13 Witty worm modeling hours Memoryless property : # of crashed infected computers at time t # of vulnerable at t *Witty trace provided by U. Michigan “Internet Motion Sensor”

14 14 Two Guidelines in Defense Prevent attackers from  Identifying IP addresses of a large number of vulnerable hosts  Flash worm, Hit-list worm  Obtaining address information to reduce a worm’s scanning space  Routing worm Worm monitoring system  IP space coverage is not the only issue  Should monitor as many as possible well distributed IP blocks  non-uniform scan worm

15 15 Summary Modeling basis:  Law of large number; mean value analysis; infinitesimal analysis.  Epidemic model: Conclusions:  All about worm scanning space   or density of vulnerable population)   Flash worm, Hit-list worm, Routing worm  Local preference, divide-and-conquer, selective attack  Monitoring challenge: sequential scan worm

16 16 Contributions Provided comprehensive analysis of worm propagation with different scanning strategies  Uniform scan, local preference scan, sequential scan, BGP routing scan, hit-list..  Revealed the underlying connections between different worm scanning strategies  Host distribution, scanning space  Provided several defense guidelines

17 17 Weaknesses Mean-value analysis, not suitable for small-scale worm propagation Mathematical analysis makes some assumptions  Host uniform distribution, equal scan rate No consideration of topology  Not suitable for email virus, P2P worm, etc. No model on defense systems Didn’t provide practical defense systems  Only basic guidelines, intuitive clear

18 18 How to improve Stochastic modeling for small-scale propagation Topological modeling Present detailed defense methods

Download ppt "1 On the Performance of Internet Worm Scanning Strategies Authors: Cliff C. Zou, Don Towsley, Weibo Gong Publication: Journal of Performance Evaluation,"

Similar presentations

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
Fast Worm Propagation In IPv6 Networks Malware Project Presentation Jing Yang

Fast Worm Propagation In IPv6 Networks Malware Project Presentation Jing Yang
Modeling Malware Spreading Dynamics Michele Garetto (Politecnico di Torino – Italy) Weibo Gong (University of Massachusetts – Amherst – MA) Don Towsley.

Modeling Malware Spreading Dynamics Michele Garetto (Politecnico di Torino – Italy) Weibo Gong (University of Massachusetts – Amherst – MA) Don Towsley.
1 Routing Worm: A Fast, Selective Attack Worm based on IP Address Information Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai Univ. Massachusetts, Amherst.

1 Routing Worm: A Fast, Selective Attack Worm based on IP Address Information Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai Univ. Massachusetts, Amherst.
Investigating the Impact of Real-World Factors on Internet Worm Propagation Daniel Ray, Charles Ward, Bogdan Munteanu, Jonathan Blackwell, Xiaoyan Hong,

Investigating the Impact of Real-World Factors on Internet Worm Propagation Daniel Ray, Charles Ward, Bogdan Munteanu, Jonathan Blackwell, Xiaoyan Hong,
 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.

 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.
 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.

 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.
1 Epidemic Spreading in Real Networks: an Eigenvalue Viewpoint Yang Wang Deepayan Chakrabarti Chenxi Wang Christos Faloutsos.

1 Epidemic Spreading in Real Networks: an Eigenvalue Viewpoint Yang Wang Deepayan Chakrabarti Chenxi Wang Christos Faloutsos.
Modeling the spread of active worms Zesheng Chen, Lixin Gao, and Kevin Kwiat bearhsu - INFOCOM 2003.

Modeling the spread of active worms Zesheng Chen, Lixin Gao, and Kevin Kwiat bearhsu - INFOCOM 2003.
Network Resilience: Exploring Cascading Failures Vishal Misra Columbia University in the City of New York Joint work with Ed Coffman, Zihui Ge and Don.

Network Resilience: Exploring Cascading Failures Vishal Misra Columbia University in the City of New York Joint work with Ed Coffman, Zihui Ge and Don.
Copyright Silicon Defense 2003. Worm Overview Stuart Staniford Silicon Defense www.silicondefense.com.

Copyright Silicon Defense Worm Overview Stuart Staniford Silicon Defense
Code Red Worm Propagation Modeling and Analysis Zou, Gong, & Towsley Michael E. Locasto March 4, 2003 Paper # 46.

Code Red Worm Propagation Modeling and Analysis Zou, Gong, & Towsley Michael E. Locasto March 4, 2003 Paper # 46.
Worms: Taxonomy and Detection Mark Shaneck 2/6/2004.

Worms: Taxonomy and Detection Mark Shaneck 2/6/2004.
Analyzing Cooperative Containment Of Fast Scanning Worms Jayanthkumar Kannan Joint work with Lakshminarayanan Subramanian, Ion Stoica, Randy Katz.

Analyzing Cooperative Containment Of Fast Scanning Worms Jayanthkumar Kannan Joint work with Lakshminarayanan Subramanian, Ion Stoica, Randy Katz.
On the Effectiveness of Automatic Patching Milan Vojnović & Ayalvadi Ganesh Microsoft Research Cambridge, United Kingdom WORM’05, Fairfax, VA, USA, Nov.

On the Effectiveness of Automatic Patching Milan Vojnović & Ayalvadi Ganesh Microsoft Research Cambridge, United Kingdom WORM’05, Fairfax, VA, USA, Nov.
Worm Defense. Outline  Internet Quarantine: Requirements for Containing Self-Propagating Code  Netbait: a Distributed Worm Detection Service  Midgard.

Worm Defense. Outline  Internet Quarantine: Requirements for Containing Self-Propagating Code  Netbait: a Distributed Worm Detection Service  Midgard.
Modeling/Detecting the Spread of Active Worms Lixin Gao Dept. Of Electrical & Computer Engineering Univ. of Massachusetts

Modeling/Detecting the Spread of Active Worms Lixin Gao Dept. Of Electrical & Computer Engineering Univ. of Massachusetts
How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.
1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer.

1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Similar presentations

Ads by Google