Modeling, Early Detection, and Mitigation of Internet Worm Attacks
Posted on 10-Feb-2016. Slide transcript.

Slide 1: Modeling, Early Detection, and Mitigation of Internet Worm Attacks
Cliff C. Zou, Assistant Professor, School of Computer Science, University of Central Florida, Orlando, FL
Email: czou@cs.ucf.edu
Web: http://www.cs.ucf.edu/~czou
Slide 2: Worm propagation process
Find new targets: IP random scanning
Compromise targets: exploit a vulnerability
Newly infected hosts join the infection army
Slide 3: Worm research motivation
Code Red (Jul. 2001): 360,000 infected in 14 hours
Slammer (Jan. 2003): 75,000 infected in 10 minutes; congested parts of the Internet (ATMs down, ...)
Blaster (Aug. 2003): 150,000 ~ 8 million infected; DDoS attack (shut down the domain windowsupdate.com)
Witty (Mar. 2004): 12,000 infected in half an hour; attacked a vulnerability in ISS security products
Sasser (May 2004): 500,000 infected within two days
Infection is faster than human response!
Slide 4: How to defend against worm attack?
Automatic response required.
First, understanding worm behavior: the basis for worm detection/defense
Next, early warning of an unknown worm: detection based on the worm model; prediction of worm damage scale
Last, autonomous defense: dynamic quarantine; self-tuning defense
Slide 5: Outline
Worm propagation modeling
Early warning of an unknown worm
Autonomous defense
Summary and current work
Slide 6: Outline (repeated from slide 5)
Slide 7: Simple worm propagation model
address space size
N: total vulnerable
I_t: infected by time t
N - I_t: vulnerable at time t
scan rate (per host)
Prob. of a scan hitting a vulnerable host: (N - I_t) / address space size
# of increased infected in a unit time = (scan rate per host) x I_t x Prob. of a scan hitting a vulnerable host
Slide 8: Simple worm propagation
(figure: I_t versus time t, 0 to 5 x 10^5 infected over t = 0..600)
Slide 9: Code Red worm modeling
(figure: # of monitored scans (0 to 600,000) versus time in hours (2 to 18), Code Red data against the model)
The simple worm model matches the observed Code Red data.
The simple model assumes an "ideal" network: no human countermeasures, no network congestion. [CCS'02] was the first model work to consider these factors.
Slide 10: Witty worm modeling
Witty's destructive behavior:
1) Send 20,000 UDP scans to 20,000 IP addresses
2) Write 65KB at a random point on the hard disk
Consider an infected computer:
Constant bandwidth: constant time to send 20,000 scans
Random-point writing: the infected host crashes with some probability
Crashing time approximated by an exponential distribution
Slide 11: Witty worm modeling
Memoryless property of the exponential distribution (time unit: hours)
# of crashed infected computers at time t
# of vulnerable at t
(figure: I_t (0 to 12,000) versus time (UTC) on March 20 ~ 21, 2004, from 04:30 to 04:00 the next day; Witty trace against the model)
*Witty trace provided by U. Michigan "Internet Motion Sensor"
Slide 12: Advanced worm modeling: hitlist worm, routing worm
Hitlist worm: increases I_0. Contains a list of known vulnerable hosts; infects the hitlist hosts first, then scans randomly.
Routing worm: decreases the scanned address space. Only scans BGP-routable space; from BGP table information, the routable space is 0.32 x 2^32 (32% of the IPv4 space is Internet routable).
Lasts less than a minute
Slide 13: Hitlist worm, routing worm (Code Red style)
Parameters: scan rate = 358/min, N = 360,000; hitlist worm I(0) = 10,000; routing worm scans 0.29 x 2^32 addresses
(figure: number infected (0 to 400,000) versus time (0 to 600 minutes) for the Code Red worm, hitlist worm, routing worm, and hitlist routing worm)
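The simple propagation model of slides 7 to 13, run in code as an added example (my code, not the deck's or the author's). Parameter values are the ones the slides state (N = 360,000, 358 scans/min, 2^32 addresses, I0 = 10 from slide 21, hitlist I0 = 10,000 and routable space 0.29 x 2^32 from slide 13); the names N, ETA, OMEGA and the one-minute Euler step are my own choices. It also checks that the early-stage infection rate these parameters imply is the 1.8/hour quoted on slide 21.

```python
# Simple worm propagation model, discretised in 1-minute steps.
# Names N, ETA, OMEGA are mine; the values are from the slides.
N = 360_000            # total vulnerable hosts
ETA = 358.0            # scans per minute per infected host
OMEGA = 2.0 ** 32      # size of the scanned address space (whole IPv4)


def infection_rate_per_hour(n=N, eta=ETA, omega=OMEGA):
    """Early-stage infection rate: each infected host finds eta * n / omega
    new victims per minute while almost everything is still vulnerable."""
    return eta * n / omega * 60


def simulate(i0, omega=OMEGA, n=N, eta=ETA, minutes=600):
    """New infections per minute = scan rate x infected x P(scan hits a still-vulnerable host),
    with P = (n - I_t) / omega.  Returns the trajectory I_0 .. I_minutes."""
    infected = [float(i0)]
    for _ in range(minutes):
        i = infected[-1]
        new = eta * i * (n - i) / omega
        infected.append(min(n, i + new))
    return infected


def minutes_to_fraction(trajectory, fraction, n=N):
    """First minute at which at least `fraction` of the n vulnerable hosts are infected (None if never)."""
    for t, i in enumerate(trajectory):
        if i >= fraction * n:
            return t
    return None


# The four scenarios compared on slide 13: the hitlist raises I_0, the routing
# worm shrinks the address space it has to search, and the last one does both.
ROUTABLE = 0.29 * OMEGA
SCENARIOS = {
    "random scanning": dict(i0=10, omega=OMEGA),
    "hitlist":         dict(i0=10_000, omega=OMEGA),
    "routing":         dict(i0=10, omega=ROUTABLE),
    "hitlist routing": dict(i0=10_000, omega=ROUTABLE),
}


def time_to_90_percent():
    """Minutes until 90% of the vulnerable hosts are infected, per scenario."""
    return {name: minutes_to_fraction(simulate(**kw), 0.9) for name, kw in SCENARIOS.items()}


if __name__ == "__main__":
    print("implied infection rate: %.2f per hour" % infection_rate_per_hour())
    for name, t in time_to_90_percent().items():
        print("%-16s reaches 90%% infected after %s minutes" % (name, t))
```

The ordering of the four times is the point of slide 13: the hitlist removes the slow start, the routing worm multiplies the growth rate by 1/0.29, and a worm using both finishes several times faster than plain random scanning, which is why the early-warning work that follows cannot rely on the worm being slow.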
Slide 14: Outline (repeated from slide 5)
Slide 15: How to detect an unknown worm at its early stage?
Monitor worm scans to unused IPs: TCP/SYN packets, UDP packets
(diagram: Internet -> local network; unused IP space; monitored traffic)
Monitored data is noisy
Slide 16: Reflection
Worm anomaly versus other anomalies? A worm has its own propagation dynamics.
Deterministic models are appropriate for worms.
Can we take advantage of the worm model to detect a worm?
Slide 17: Worm model in early stage
(figure: I_t versus time t on a log scale (10^0 to 10^6) with the 1% and 2% levels marked, and on a linear scale (0 to 5 x 10^5))
Initial stage exhibits exponential growth
Slide 18: "Trend Detection": detect traffic trend, not burst
Trend: a worm shows an exponential growth trend at the beginning
Detection: the estimated exponential rate becomes a positive, constant value
(figures: monitored illegitimate traffic rate (0 to 60) over time (10 to 50) for worm traffic and for non-worm burst traffic, each with its on-line estimate of the exponential rate (-0.1 to 0.2))
Slide 19: Why exponential growth at the beginning?
Attacker's incentive: infect as many as possible before people's counteractions.
If not, a worm does not reach its spreading speed limit.
A slow-spreading worm is detected by other ways: security experts' manual checks, honeypots, ...
Slide 20: Model for estimating the worm's exponential growth rate
Exponential model:
monitoring noise
Z_t: # of monitored scans at time t
yield
Slide 21: Code Red simulation experiments
Population N = 360,000; infection rate = 1.8/hour; scan rate ~ N(358/min, 100^2); initially infected I_0 = 10; monitored IP space 2^20; monitoring interval 1 minute; background noise considered.
At 0.3% infected (157 min): the estimate stabilizes at a positive constant value.
(figures: I_t (0 to 3.5 x 10^5) versus time (100 to 700 minutes); real and estimated value of the exponential rate (0 to 0.2) over minutes 128 to 250)
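Trend detection as described on slides 17 to 21, as an added example (my code, not the deck's or the author's). The slides' exponential model and estimator are not recoverable from this transcript, so the model assumed here is mine: Z_t = (1 + a) Z_{t-1} + noise, with a estimated by least squares over a sliding window, and an alarm when the estimate stays positive and roughly constant. Names N, ETA, OMEGA, P, the Poisson noise, the 5 scans/min background level, the burst shape and the alarm thresholds are all my assumptions; the population, scan rate and 2^20 monitored addresses are the values on slide 21.

```python
import math
import random

# Names are mine (the slides fix no notation): N vulnerable hosts, ETA scans per
# minute per infected host, OMEGA = IPv4 address space, and a monitor watching
# 2^20 unused addresses, so a fraction P of all worm scans lands on it.
N, ETA, OMEGA = 360_000, 358.0, 2.0 ** 32
P = 2.0 ** 20 / OMEGA
BACKGROUND = 5.0  # constructed: mean non-worm scans per minute seen by the monitor


def poisson(rng, lam):
    """Poisson sample (Knuth's method; normal approximation for large means)."""
    if lam > 50:
        return max(0, int(round(rng.gauss(lam, math.sqrt(lam)))))
    limit, k, prod = math.exp(-lam), 0, rng.random()
    while prod > limit:
        k += 1
        prod *= rng.random()
    return k


def worm_infected(i0=10, minutes=360):
    """Deterministic simple-model trajectory I_0..I_minutes in 1-minute steps."""
    infected = [float(i0)]
    for _ in range(minutes):
        i = infected[-1]
        infected.append(i + ETA * i * (N - i) / OMEGA)
    return infected


def monitored_worm_scans(seed=7):
    """Z_t: scans the monitor sees in minute t, Poisson around ETA*P*I_t + background."""
    rng = random.Random(seed)
    return [poisson(rng, ETA * P * i + BACKGROUND) for i in worm_infected()]


def monitored_burst_scans(level=2000, start=150, stop=250, minutes=360, seed=7):
    """Constructed non-worm anomaly: background only, then a flat burst of `level` scans/min."""
    rng = random.Random(seed)
    return [poisson(rng, BACKGROUND + (level if start <= t < stop else 0.0))
            for t in range(minutes + 1)]


def exponential_rate_estimates(z, window=30):
    """On-line estimate of the exponential growth rate from monitored counts.
    Assumed model: Z_t = (1 + a) * Z_{t-1} + noise, so over a sliding window the
    least-squares coefficient is b = sum(Z_{t-1}*Z_t) / sum(Z_{t-1}^2) and a = b - 1.
    While noise dominates the counts, b is pulled towards 0 and a comes out negative;
    a becomes accurate only once worm scans dominate.  None until a full window exists."""
    est = [None] * len(z)
    for t in range(window, len(z)):
        prev, cur = z[t - window:t], z[t - window + 1:t + 1]
        den = sum(x * x for x in prev)
        if den > 0:
            est[t] = sum(x * y for x, y in zip(prev, cur)) / den - 1.0
    return est


def first_stable_positive(est, k=20, min_rate=0.015, tol=0.02):
    """Trend-detection rule: alarm at the first minute whose last k estimates are all
    at least min_rate and spread by at most tol (a positive, roughly constant rate).
    A flat burst gives a rate near zero and a single spike at its edge, so it never
    satisfies this.  Thresholds are my tuning choices.  Returns None if no alarm."""
    for t in range(k - 1, len(est)):
        recent = est[t - k + 1:t + 1]
        if all(e is not None for e in recent) and min(recent) >= min_rate \
                and max(recent) - min(recent) <= tol:
            return t
    return None


def demo():
    """Run the rule on worm traffic and on the burst; report alarm minutes and
    the fraction of N already infected when the worm alarm fires."""
    worm_alarm = first_stable_positive(exponential_rate_estimates(monitored_worm_scans()))
    burst_alarm = first_stable_positive(exponential_rate_estimates(monitored_burst_scans()))
    fraction = worm_infected()[worm_alarm] / N if worm_alarm is not None else None
    return {"worm_alarm": worm_alarm, "infected_fraction_at_alarm": fraction,
            "burst_alarm": burst_alarm}


if __name__ == "__main__":
    print(demo())
```

With these settings the worm alarm fires while only a few percent of the vulnerable population is infected, and the burst never triggers it: the estimator answers "is this traffic growing exponentially", not "is there a lot of it", which is the distinction slide 18 draws between a trend and a burst. The noise-induced negative bias early on is the practical reason the slides wait for the estimate to stabilize rather than alarming on the first positive value.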
Slide 22: Damage evaluation: prediction of the global vulnerable population N
yield
(figure: estimated population N (0 to 6 x 10^5) versus time (128 to 250 minutes))
Accurate prediction when less than 1% of N is infected
Slide 23: Damage evaluation: estimation of the global infected population I_t
(figure: # of infected hosts (0 to 4 x 10^5) versus time (100 to 700 minutes): real infected I_t, observed C_t, estimated I_t; monitoring a 2^14 IP space (p = 4 x 10^-6))
p: fraction of address space monitored
C_t: cumulative # of observed infected hosts by time t
per-host scan rate
Prob. of an infected host being observed by the monitor in a unit time
# of unobserved infected by t
# of newly observed (t -> t+1)
Slide 24: Outline (repeated from slide 5)
Slide 25: Autonomous defense principles
Principle #1: Preemptive quarantine. Compared to the potential damage of an attack, we are willing to tolerate some false-alarm cost: quarantine upon suspicion, confirm later. Basis for our Dynamic Quarantine [WORM'03].
Principle #2: Adaptive adjustment. The more serious the attack, the more aggressive the defense. At any time t, minimize:
(attack damage cost) + (false alarm cost)
Slide 26: Self-tuning defense against various network attacks
Principle #2: Adaptive adjustment: the more severe the attack, the more aggressive the defense.
Self-tuning defense system designs: SYN flood; Distributed Denial-of-Service (DDoS) attack; Internet worm infection; DDoS attack with no source address spoofing.
Slide 27: Motivation of self-tuning defense
False positive prob.: blocking normal traffic
False negative prob.: missing attack traffic
Detection sensitivity
Fraction of attack in traffic
(figure: trade-off curve between false positive and false negative probability, 0 to 1 on each axis, with operation points marked for a severe attack and a light attack)
Q: Which operation point is "good"?
A: All operation points are good; the optimal one depends on attack severity.
Slide 28: Self-tuning defense design
(diagram: incoming traffic -> filter -> passed traffic; attack estimation feeds self-tuning optimization, which adjusts the filter; discrete time k, k+1)
Optimization over: fraction of passed attack traffic; fraction of dropped normal traffic; cost of dropping a normal traffic unit; cost of passing an attack traffic unit
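The cost minimization of slides 27 and 28, carried through as an added example (my code, not the deck's or the author's). The slides give the cost structure but not a detector curve or cost values, so the quadratic false-positive/false-negative curve, the costs (dropping a normal unit costs 1, passing an attack unit costs 2), the alarm-rate inversion used for attack estimation, and all function names are my assumptions.

```python
# Self-tuning defense: pick the detection sensitivity s that minimises
#   (cost of dropping normal) * (1 - attack_fraction) * FP(s)
# + (cost of passing attack) * attack_fraction * FN(s)
# The detector curve and costs below are constructed, not from the slides.

def false_positive(s):
    """Constructed trade-off: fraction of normal traffic dropped at sensitivity s in [0, 1]."""
    return s ** 2


def false_negative(s):
    """Fraction of attack traffic passed at sensitivity s (1 - detection probability)."""
    return (1.0 - s) ** 2


def expected_cost(s, attack_fraction, cost_drop_normal=1.0, cost_pass_attack=2.0):
    """Cost per unit of traffic: false-alarm cost plus attack-damage cost."""
    return (cost_drop_normal * (1.0 - attack_fraction) * false_positive(s)
            + cost_pass_attack * attack_fraction * false_negative(s))


def best_sensitivity(attack_fraction, steps=1000, **costs):
    """Grid search for the operating point minimising expected cost."""
    grid = [i / steps for i in range(steps + 1)]
    return min(grid, key=lambda s: expected_cost(s, attack_fraction, **costs))


def alarm_rate(s, attack_fraction):
    """Fraction of all traffic the filter drops at sensitivity s: the one quantity
    the filter can observe about the attack without ground truth."""
    return false_positive(s) * (1.0 - attack_fraction) + (1.0 - false_negative(s)) * attack_fraction


def estimate_attack_fraction(observed_alarm_rate, s):
    """Attack estimation: invert alarm_rate using the known detector curve.
    Returns None at s = 0 and s = 1, where the alarm rate carries no information."""
    den = 1.0 - false_negative(s) - false_positive(s)
    if abs(den) < 1e-9:
        return None
    return min(1.0, max(0.0, (observed_alarm_rate - false_positive(s)) / den))


def run_closed_loop(true_fractions, s0=0.5, low=0.05, high=0.95):
    """Discrete-time loop of slide 28: in interval k estimate the attack fraction from
    the alarm rate at the current sensitivity, then set the sensitivity for k+1 that
    minimises expected cost.  Clamping to [low, high] keeps the filter away from the
    end points where the attack fraction becomes unobservable."""
    s, history = s0, []
    for theta in true_fractions:
        est = estimate_attack_fraction(alarm_rate(s, theta), s)
        if est is None:        # cannot observe: fall back to assuming no attack
            est = 0.0
        s = min(high, max(low, best_sensitivity(est)))
        history.append((theta, est, s))
    return history


if __name__ == "__main__":
    for theta in (0.05, 0.5, 0.9):
        print("attack fraction %.2f -> sensitivity %.3f" % (theta, best_sensitivity(theta)))
    for theta, est, s in run_closed_loop([0.01, 0.3, 0.6]):
        print("true %.2f  estimated %.2f  next sensitivity %.3f" % (theta, est, s))
```

With these curves the minimiser has the closed form s* = 2 theta / (1 + theta), so the grid search can be checked by hand: a light attack (5% of traffic) is best handled at a low sensitivity of about 0.095, a half-attack mix at about 0.667, and a severe one near 0.95. The clamp matters in practice: a filter tuned all the way to s = 0 (or 1) stops producing an alarm rate from which the next interval's attack fraction can be estimated, so the loop would lose its feedback signal.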
Slide 29: Outline (repeated from slide 5)
Slide 30: Worm research contribution
Worm modeling: two-factor model (human counteractions; network congestion); diurnal modeling; worm scanning strategies modeling
Early detection: detection based on the "exponential growth trend"; estimate/predict worm potential damage
Autonomous defense: dynamic quarantine (interviewed by NPR); self-tuning defense (patent filed by AT&T)
Email-based worm modeling and defense