Post on 12-Jan-2016
Modeling/Detecting the Spread of Active Worms
Lixin Gao, Dept. of Electrical & Computer Engineering
Univ. of Massachusetts
lgao@ecs.umass.edu
http://www-unix.ecs.umass.edu/~lgao
Joint work with Z. Chen, J. Wu, S. Vangala and K. Kwiat
DIMACS workshop on Large-Scale Internet Attack, Sept 23-24, 2003
Monitoring Architecture (figure): local subnets, each with a local IDS, together with black hole detectors and traffic analyzers on the network, report to a detection center (the monitoring component).
What to monitor?
- Inactive addresses
- Inactive ports
- Number of victims
- Total scan traffic
- Number of flows
- Distribution of destination addresses
- Outbound traffic?
How to monitor?
- Aggregate data from inactive addresses and ports
- Address space: address and port selection
- Learn the trend and determine anomalies
- Selective monitoring: adaptive monitoring, feedback based
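The "aggregate data from inactive addresses, learn the trend, determine anomalies" idea above, worked through on constructed flow records as an added example (not code from the talk or its authors): traffic to addresses that are never in use inside a monitored /24 is bucketed per minute, a baseline is learned from quiet minutes, and later minutes whose hit count or distinct-source count exceeds mean + k standard deviations are flagged. The live-host set, the monitored prefix, the flow records and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev
import ipaddress

# Constructed assumptions: a monitored /24 in which only three addresses are
# in use; everything else is inactive space that legitimate traffic never hits.
LIVE = {"10.0.0.10", "10.0.0.20", "10.0.0.30"}
MONITORED = ipaddress.ip_network("10.0.0.0/24")


def build_sample_flows():
    """Constructed flow records (time in seconds, source, destination, dst port):
    ten quiet minutes with one stray probe each, then two minutes in which three
    sources sweep forty inactive addresses apiece on port 80."""
    flows = []
    for m in range(10):
        flows.append((m * 60 + 5, f"198.51.100.{m + 1}", f"10.0.0.{100 + m}", 80))
        flows.append((m * 60 + 20, "203.0.113.7", "10.0.0.10", 443))  # legitimate
    for m in (10, 11):
        for j, src in enumerate(("192.0.2.5", "192.0.2.9", "192.0.2.33")):
            for k in range(40):
                flows.append((m * 60 + j + k * 0.5, src, f"10.0.0.{50 + k}", 80))
    return sorted(flows)


def inactive_hits_per_interval(flows, interval=60):
    """Black-hole aggregation: per interval, count hits to inactive addresses,
    the distinct sources that sent them and the distinct inactive destinations.
    Quiet intervals are materialised as zero rather than left missing."""
    buckets = defaultdict(lambda: {"hits": 0, "srcs": set(), "dsts": set()})
    last = 0
    for t, src, dst, _port in flows:
        idx = int(t // interval)
        last = max(last, idx)
        if dst in LIVE or ipaddress.ip_address(dst) not in MONITORED:
            continue  # traffic to live hosts is outside the black hole's view
        b = buckets[idx]
        b["hits"] += 1
        b["srcs"].add(src)
        b["dsts"].add(dst)
    return {i: buckets[i] for i in range(last + 1)}


def detect_anomalies(buckets, train_intervals=8, k=3.0):
    """Learn the trend from the first train_intervals buckets, then flag later
    intervals whose hit count or distinct-source count exceeds mean + k*stdev.
    The +1 keeps a perfectly flat baseline from flagging ordinary noise."""
    train = [buckets[i] for i in range(train_intervals)]
    hits = [b["hits"] for b in train]
    srcs = [len(b["srcs"]) for b in train]
    hit_thr = mean(hits) + k * pstdev(hits) + 1
    src_thr = mean(srcs) + k * pstdev(srcs) + 1
    flagged = []
    for i in range(train_intervals, len(buckets)):
        b = buckets[i]
        if b["hits"] > hit_thr or len(b["srcs"]) > src_thr:
            flagged.append((i, b["hits"], len(b["srcs"]), len(b["dsts"])))
    return flagged


if __name__ == "__main__":
    for interval, hits, nsrc, ndst in detect_anomalies(
            inactive_hits_per_interval(build_sample_flows())):
        print(f"minute {interval}: {hits} hits on inactive space "
              f"from {nsrc} sources to {ndst} addresses")
```

The same aggregation works for inactive ports: add the destination port to the per-interval record and baseline the port distribution in the same way. Learning the baseline from the monitor's own history is what makes the scheme adaptive, which is also its weak point: a slow, stealthy scan that stays under mean + k*stdev is the case the "Potential Issues" slide calls out.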
Potential Issues
- Spoofed IP
- Multi-vector worm
- Aggressive scan
- Stealth scan
- Detecting only large-scale attacks
Analytical Active Worm Propagation (AAWP) Model
- T: size of the address space the worm scans
- N: total number of vulnerable hosts in the space
- S: scan rate
- n_i: number of infected machines at time i
Monitoring Random Scan (figure): number of infected nodes (up to 4 x 10^5) vs. time (hours, 0 to 25) for a simulated Code Red v2-like worm, with 2^24, 2^20, 2^16 and 2^8 addresses monitored.
Detection Time vs. Monitoring Space (figure)
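The AAWP variables above and the "detection time vs. monitoring space" comparison, carried through in code as an added example (not the authors' simulator). The recurrence is the one published by Chen, Gao and Kwiat in the INFOCOM 2003 paper cited at the end of the talk: at each tick the n_i infected hosts send S*n_i random scans, and each of the N - n_i still-vulnerable hosts escapes all of them with probability (1 - 1/T)^(S*n_i). A black hole covering M of the T addresses sees each scan with probability M/T, so the expected number of scans it has observed by tick i is the running sum of S*n_i*M/T; detection is declared once that sum reaches a threshold. The Code Red v2-like parameters (T = 2^32, N = 360,000, S = 360 scans per one-minute tick, one initial victim) and the threshold of 100 observed scans are assumptions for the example, not values from the slides.

```python
import math

# Constructed Code Red v2-like parameters (assumptions, not slide values).
T = 2 ** 32      # size of the scanned address space
N = 360_000      # vulnerable hosts
S = 360          # scans per tick per infected host; one tick = one minute
N0 = 1           # initially infected hosts


def aawp(T, N, s, n0, ticks):
    """AAWP recurrence: n_{i+1} = n_i + (N - n_i) * (1 - (1 - 1/T)^(s*n_i)).
    Returns n[0..ticks]. expm1/log1p keep 1 - (1-1/T)^x accurate for huge T."""
    n = [float(n0)]
    for _ in range(ticks):
        ni = n[-1]
        p_hit = -math.expm1(s * ni * math.log1p(-1.0 / T))
        n.append(ni + (N - ni) * p_hit)
    return n


def detection_tick(n, T, s, monitored, threshold):
    """First tick at which a black hole covering `monitored` addresses is
    expected to have observed `threshold` scans in total; None if never."""
    seen = 0.0
    for i, ni in enumerate(n):
        seen += s * ni * monitored / T
        if seen >= threshold:
            return i
    return None


def detection_table(monitored_bits=(8, 16, 20, 24), threshold=100, ticks=1500):
    """For each monitored space of 2^k addresses: (k, detection tick,
    infected hosts at detection, fraction of N infected at detection)."""
    n = aawp(T, N, S, N0, ticks)
    rows = []
    for k in monitored_bits:
        t = detection_tick(n, T, S, 2 ** k, threshold)
        infected = n[t] if t is not None else None
        frac = infected / N if infected is not None else None
        rows.append((k, t, infected, frac))
    return rows


if __name__ == "__main__":
    for k, t, infected, frac in detection_table():
        print(f"2^{k:2d} addresses monitored: detected at tick {t}, "
              f"{infected:,.0f} hosts ({frac:.2%} of N) already infected")
```

Running it reproduces the shape of the figure: 2^24 monitored addresses catch the worm while only a handful of hosts are infected, whereas a 2^8 black hole does not accumulate a hundred scans until the epidemic has essentially saturated. The detection tick is an expectation; the actual count in a small monitor is Poisson-distributed around it, so a deployment sizing its monitored space should also check the variance, not only the mean.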
Local Subnet Scan
The worms preferentially scan for targets on the "local" address space. Nimda worm:
- 50% of the time, choose an address with the same first two octets
- 25% of the time, choose an address with the same first octet
- 25% of the time, choose a random address
The AAWP model is extended to understand the characteristics of local subnet scanning.
Compare Local Subnet Scan with Random Scan (figure): number of infected nodes (up to 10 x 10^4) vs. time tick (seconds, 0 to 8000), random scanning vs. local subnet scanning like the Nimda worm.
More Malicious Scan
Random scan:
- wastes too much power
- easier to get caught
More malicious scan techniques: probing hosts are chosen more carefully?
Scan Methods
- Selective Scan
- Routable Scan
- Divide-Conquer Scan
- Hybrid Scan
Selective Scan
- Randomly selected destinations: selective random scan
- Slapper worm: picks 162 /8 networks
- Benefit: simplicity, small program size
Selective Scan (figure)
Routable Scan
Scan only routable addresses from the global BGP table. How to reduce the payload?
- 112K prefixes: merge address segments and use a 2^16 threshold = 15.4 KB database
- Only 20% of segments contribute 90% of addresses: 3 KB database
- Further compression
Spread of Routable Scan (figure)
Monitoring Routable Scan (figure)
Divide-Conquer Scan
- An extension to routable scan
- Each time a new host gets infected, it will get half of the address space
- Susceptible to a single point of failure
- Possible overlapping address space
Divide-Conquer Scan (figure)
Monitoring Divide-Conquer Scan (figure)
Hybrid Scan
A combination of the simple scan methods above. For example:
- Routable + Hitlist + Local Subnet Scan
- Divide-Conquer + Hitlist
More Details
See:
- Modeling the Spread of Active Worms, Z. Chen, L. Gao, K. Kwiat, INFOCOM 2003, at http://www-unix.ecs.umass.edu/~lgao/paper/AAWP.pdf
- An Effective Architecture and Algorithm for Detecting Worms with Various Scan Techniques, J. Wu, S. Vangala, L. Gao, K. Kwiat, at http://rio.ecs.umass.edu/gao/paper/final.pdf