Modeling, Early Detection, and Mitigation of Internet Worm Attacks
1
Modeling, Early Detection, and Mitigation of Internet Worm Attacks
Cliff C. Zou, Assistant Professor, School of Computer Science, University of Central Florida, Orlando, FL. Email: [email protected]. Web: http://www.cs.ucf.edu/~czou
2
Worm propagation process
Find new targets: IP random scanning
Compromise targets: exploit a vulnerability
Newly infected hosts join the infection army
3
Worm research motivation
Code Red (Jul. 2001): 360,000 infected in 14 hours
Slammer (Jan. 2003): 75,000 infected in 10 minutes; congested parts of the Internet (ATMs down, ...)
Blaster (Aug. 2003): 150,000 ~ 8 million infected; DDoS attack (shut down the domain windowsupdate.com)
Witty (Mar. 2004): 12,000 infected in half an hour; attacked a vulnerability in ISS security products
Sasser (May 2004): 500,000 infected within two days
Infection is faster than human response!
4
How to defend against worm attack?
Automatic response required
First, understand worm behavior: the basis for worm detection/defense
Next, early warning of an unknown worm: detection based on the worm model; prediction of the worm damage scale
Last, autonomous defense: dynamic quarantine; self-tuning defense
5
Outline Worm propagation modeling Early warning of an unknown worm Autonomous defense Summary and current work
6
Outline, next section: Worm propagation modeling
7
Simple worm propagation model
Address space of fixed size; N: total vulnerable hosts; I_t: infected by time t; N - I_t: still vulnerable at time t; each infected host scans at a constant per-host scan rate
Prob. of a scan hitting a vulnerable host = (N - I_t) / (address space size)
# of newly infected in a unit time = (scan rate per host) × I_t × (N - I_t) / (address space size)
8
Simple worm propagation
[Figure: I_t (0 to 5×10^5) vs. time t (0 to 600) under the simple model]
9
Code Red worm modeling
Simple worm model matches observed Code Red data
[Figure: # of monitored scans (0 to 600,000) vs. time (2 to 18 hours); model curve against the Code Red observations]
"Ideal" network condition assumed: no human countermeasures, no network congestion
First modeling work to consider these two factors: the two-factor model [CCS'02]
10
Witty worm modeling
Witty's destructive behavior:
1) Send 20,000 UDP scans to 20,000 IP addresses
2) Write 65KB at a random point on the hard disk
Consider an infected computer: constant bandwidth, so a constant time to send the 20,000 scans; each random-point write crashes the infected host with some fixed probability
Crashing time approximated by an exponential distribution
11
Witty worm modeling
The exponential crashing time (parameter in hours) has the memoryless property; the model tracks I_t, the # of crashed infected computers at time t, and the # of vulnerable hosts at time t
[Figure: I_t (0 to 12,000) vs. time (UTC) from 04:30 on March 20 to 04:00 on March 21, 2004; Witty trace against the model]
*Witty trace provided by U. Michigan "Internet Motion Sensor"
12
Advanced worm modeling: hitlist worm, routing worm
Hitlist worm: increases I_0. Contains a list of known vulnerable hosts; infects the hit-list hosts first (lasts less than a minute), then randomly scans
Routing worm: decreases the scanned address space. Only scans BGP-routable space; from BGP table information the routable space is 0.32 × 2^32, i.e. 32% of the IPv4 space is Internet routable
13
Hitlist, routing worm
Code Red style worm: scan rate 358/min, N = 360,000; hitlist worm: I(0) = 10,000; routing worm: scanned space = 0.29 × 2^32
[Figure: # infected (0 to 400,000) vs. time (0 to 600 minutes) for the Code Red worm, hit-list worm, routing worm, and hitlist routing worm]
14
Outline, next section: Early warning of an unknown worm
15
How to detect an unknown worm at its early stage?
Monitor: worm scans to unused IPs (TCP/SYN packets, UDP packets)
[Diagram: Internet, local network, unused IP space, monitored traffic]
Monitored data is noisy
16
Worm anomaly vs. other anomalies? A worm has its own propagation dynamics
Deterministic models are appropriate for worms
Reflection: can we take advantage of the worm model to detect a worm?
17
Worm model in early stage
Initial stage exhibits exponential growth
[Figure: I_t vs. time t; left panel on a log scale (10^0 to 10^6, t from 0 to 300) marking the 1% and 2% infected levels; right panel on a linear scale (0 to 5×10^5, t from 0 to 600)]
18
"Trend Detection": detect the traffic trend, not the burst
Trend: a worm's exponential growth trend at the beginning
Detection: the estimated exponential rate becomes a positive, constant value
[Figure: top row, monitored illegitimate traffic rate (0 to 60) over time 10 to 50 for worm traffic and for non-worm burst traffic; bottom row, on-line estimation of the exponential rate (-0.1 to 0.2) for each]
19
Why exponential growth at the beginning?
Attacker's incentive: infect as many as possible before people's counteractions
If not, a worm does not reach its spreading speed limit
Slow-spreading worms are detected by other ways: security experts' manual checks, honeypots, ...
20
Model for estimating the worm exponential growth rate
Exponential model: the monitored scan count Z_t follows the exponential growth of I_t, plus monitoring noise
Z_t: # of monitored scans at time t
This yields an on-line estimate of the exponential rate
21
Code Red simulation experiments
Population N = 360,000; infection rate 1.8/hour; scan rate ~ Normal(358/min, 100²); initially infected I_0 = 10; monitored IP space 2^20; monitoring interval 1 minute; background noise considered
At 0.3% infected (157 min): the estimate stabilizes at a positive constant value
[Figure: left, I_t (0 to 3.5×10^5) vs. time t (100 to 700 minutes); right, real value vs. estimated value of the exponential rate (0 to 0.2) over t = 128 to 250 minutes]
22
Damage evaluation: prediction of the global vulnerable population N
Substituting the estimated exponential rate back into the propagation model yields an estimate of N
[Figure: estimated population N (0 to 6×10^5) vs. time t (128 to 250 minutes)]
Accurate prediction when less than 1% of N is infected
23
Damage evaluation: estimation of the global infected population I_t
[Figure: # of infected hosts (0 to 4×10^5) vs. time t (100 to 700 minutes): real infected I_t, observed C_t, estimated I_t; monitoring a 2^14 IP space (p = 4×10^-6)]
p: fraction of the address space monitored
C_t: cumulative # of infected hosts observed by time t
Per-host scan rate, and from it the prob. that an infected host is observed by the monitor in a unit time
# newly observed in (t, t+1) = (that prob.) × (# unobserved infected by t) = (that prob.) × (I_t - C_t)
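The model of slide 7 and the trend-detection and damage-estimation steps of slides 17 to 23, carried through in Python as an added example; this is not the author's code nor the code behind the slides' experiments. The simulator uses the Code Red numbers from slide 21. Names are this example's own: eta for the per-host scan rate, OMEGA for the 2^32 address space, p for the monitored fraction, q for the per-minute observation probability, and alpha for the exponential rate, with alpha = eta*N/OMEGA (358/min × 360,000 / 2^32 ≈ 1.8/hour, matching the slide's infection rate). The rate estimator is a least-squares slope of ln Z_t over a sliding window plus a stability rule, a simpler stand-in for the on-line estimator the slides describe, and the noise is a constructed Gaussian approximation of counting noise with 5 background scans per minute.

```python
"""Simple worm model, exponential-trend detection, and damage estimation.
Added example (not the author's code); parameters follow the Code Red
experiment on the slides, estimator and noise model are this example's own."""
import math
import random

OMEGA = 2 ** 32  # scanned address space: all of IPv4


def simulate(eta=358.0, N=360_000, I0=10, omega=OMEGA, steps=700):
    """Slide 7 model with one-minute steps:
    newly infected per minute = eta * I_t * (N - I_t) / omega."""
    I = [float(I0)]
    for _ in range(steps):
        i = I[-1]
        I.append(i + eta * i * (N - i) / omega)
    return I


def monitored_scans(I, eta, p, background=0.0, rng=None):
    """Scans per minute reaching a monitor that covers a fraction p of the
    space: expected eta*p*I_t plus background, with Gaussian counting noise
    (constructed stand-in for Poisson noise) when an rng is supplied."""
    Z = []
    for i in I:
        mu = eta * p * i + background
        if rng is None:
            Z.append(mu)
        else:
            Z.append(max(0.0, mu + rng.gauss(0.0, math.sqrt(mu))))
    return Z


def exp_rate(Z, end, window):
    """Per-minute growth rate of Z over the `window` samples ending at `end`:
    least-squares slope of ln Z_t, mapped back with exp(slope) - 1."""
    ts = range(end - window + 1, end + 1)
    ys = [math.log(max(z, 0.5)) for z in Z[ts.start:ts.stop]]  # floor avoids log(0)
    tbar = sum(ts) / window
    ybar = sum(ys) / window
    sxy = sum((t - tbar) * (y - ybar) for t, y in zip(ts, ys))
    sxx = sum((t - tbar) ** 2 for t in ts)
    return math.exp(sxy / sxx) - 1.0


def detect_trend(Z, window=20, history=10, spread=0.25):
    """Trend detection (slide 18): alarm once the rate estimate has stayed
    positive and within `spread` of its mean for `history` consecutive
    estimates.  Returns (alarm_minute, rate_estimate) or (None, None)."""
    est = []
    for t in range(window - 1, len(Z)):
        est.append(exp_rate(Z, t, window))
        recent = est[-history:]
        if len(recent) == history and min(recent) > 0.0:
            mean = sum(recent) / history
            if max(recent) - min(recent) <= spread * mean:
                return t, mean
    return None, None


def predict_population(alpha, eta, omega=OMEGA):
    """Slide 22: alpha = eta*N/omega, so the estimated rate gives N."""
    return alpha * omega / eta


def observed_infected(I, eta, p, rng=None):
    """Cumulative count C_t of distinct infected hosts seen by a monitor
    covering fraction p.  An infected host hits the monitor in a minute
    with prob. q = 1 - (1-p)**eta, so C_{t+1} - C_t = q * (I_t - C_t)."""
    q = 1.0 - (1.0 - p) ** eta
    C = [0.0]
    for i in I[:-1]:
        mu = q * (i - C[-1])
        new = mu if rng is None else mu + rng.gauss(0.0, math.sqrt(max(mu, 0.0)))
        C.append(C[-1] + max(0.0, new))
    return C, q


def estimate_infected(C, q, t):
    """Slide 23: invert C_{t+1} - C_t = q*(I_t - C_t) to estimate global I_t."""
    return C[t] + (C[t + 1] - C[t]) / q


def run_demo(seed=1, eta=358.0, N=360_000, background=5.0):
    """Slide 21/23 setting: 2^20 monitored addresses for trend detection,
    2^14 for the infected-population estimate, 5 background scans/min."""
    rng = random.Random(seed)
    I = simulate(eta=eta, N=N)
    Z = monitored_scans(I, eta, 2 ** 20 / OMEGA, background, rng)
    alarm, alpha_hat = detect_trend(Z)
    C, q = observed_infected(I, eta, 2 ** 14 / OMEGA, rng)
    return {
        "alarm_minute": alarm,
        "infected_at_alarm": None if alarm is None else I[alarm],
        "alpha_hat": alpha_hat,
        "N_hat": None if alpha_hat is None else predict_population(alpha_hat, eta),
        "I300_true": I[300],
        "I300_est": estimate_infected(C, q, 300),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:>18}: {value}")
```

Without noise the estimator returns the model's own rate almost exactly and the alarm fires as soon as ten estimates are available; with the constructed noise the alarm waits until the monitored count is large enough for the log-slope to settle, which is the slide's "positive, constant value" criterion doing its work. The population prediction is only as good as the rate estimate, which is why the slides report it as accurate once less than 1% of N is infected but not before.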
24
Outline, next section: Autonomous defense
25
Autonomous defense principles
Principle #1, Preemptive Quarantine: compared to the attack's potential damage, we are willing to tolerate some false-alarm cost; quarantine upon suspicion, confirm later. Basis for our Dynamic Quarantine [WORM'03]
Principle #2, Adaptive Adjustment: more serious attack, more aggressive defense. At any time t, minimize: (attack damage cost) + (false alarm cost)
26
Self-tuning defense against various network attacks
Principle #2, Adaptive Adjustment: more severe attack, more aggressive defense
Self-tuning defense system designs: SYN flood; Distributed Denial-of-Service (DDoS) attack; Internet worm infection; DDoS attack with no source address spoofing
27
Motivation of self-tuning defense
False positive prob.: blocking normal traffic
False negative prob.: missing attack traffic
Detection sensitivity; fraction of attack in the traffic
[Figure: false positive vs. false negative trade-off curve (both axes 0 to 1), with operating points marked for a severe attack and for a light attack]
Q: Which operation point is "good"?
A: All operation points are good; the optimal one depends on attack severity
28
Self-tuning defense design
[Diagram: incoming traffic passes through the filter; attack estimation feeds self-tuning optimization, which re-tunes the filter at discrete times k, k+1, ...]
Optimization over the filter setting, in terms of: fraction of passed attack; fraction of dropped normal; cost of dropping a normal traffic; cost of passing an attack traffic
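The closed loop of slide 28, as an added Python example that is not the author's code and not the AT&T design: a constructed detector whose false-positive and false-negative probabilities are simple quadratic functions of the sensitivity, an attack-fraction estimator that inverts the observed drop rate under those curves, and the per-period re-optimization of the sensitivity against (cost of passing attack) + (cost of dropping normal). The names (false_positive, false_negative, expected_cost, run_controller) and the cost weights are this example's own; the traffic numbers are expected values rather than sampled counts, so the estimator is exact and the example isolates the tuning logic.

```python
"""Self-tuning defense (slides 27-28): re-tune the filter's sensitivity each
period to minimise (cost of passed attack) + (cost of dropped normal) for the
currently estimated attack fraction.  Added example with a constructed
detector; not the author's or AT&T's design."""


def false_positive(s):
    """Prob. of blocking a normal flow at sensitivity s in [0, 1]
    (constructed detector curve: rises quadratically with s)."""
    return s * s


def false_negative(s):
    """Prob. of passing an attack flow at sensitivity s (constructed curve)."""
    return (1.0 - s) ** 2


def expected_cost(s, f, c_drop, c_pass):
    """Per-flow expected cost; f is the fraction of attack in the traffic."""
    return f * c_pass * false_negative(s) + (1.0 - f) * c_drop * false_positive(s)


def optimal_sensitivity(f, c_drop=1.0, c_pass=1.0, grid=1000):
    """Grid search for the sensitivity minimising expected_cost.  The optimum
    moves up as the attack fraction f or the cost of a missed attack grows:
    a more severe attack calls for a more aggressive filter."""
    candidates = (k / grid for k in range(grid + 1))
    return min(candidates, key=lambda s: expected_cost(s, f, c_drop, c_pass))


def flagged_fraction(s, f):
    """Fraction of flows the filter drops at sensitivity s: attack flows it
    catches plus normal flows it mistakes (expected values, no sampling)."""
    return f * (1.0 - false_negative(s)) + (1.0 - f) * false_positive(s)


def estimate_attack_fraction(flagged, s):
    """Attack estimation: invert flagged_fraction for f, using the detector's
    known error curves at the sensitivity that was actually in use."""
    fp, fn = false_positive(s), false_negative(s)
    denom = 1.0 - fn - fp  # zero only at s = 0 or s = 1 (no information)
    if denom <= 1e-9:
        return 0.0
    return min(1.0, max(0.0, (flagged - fp) / denom))


def run_controller(attack_schedule, c_drop=1.0, c_pass=1.0, s0=0.5):
    """Discrete-time loop k -> k+1: measure at the current setting, estimate
    the attack fraction, then re-optimise the sensitivity for the next period.
    The sensitivity is kept inside (0, 1) so the filter stays observable."""
    s = s0
    records = []
    for k, f in enumerate(attack_schedule):
        flagged = flagged_fraction(s, f)
        f_hat = estimate_attack_fraction(flagged, s)
        records.append({"k": k, "attack": f, "estimate": f_hat,
                        "sensitivity": s,
                        "cost": expected_cost(s, f, c_drop, c_pass)})
        s = min(0.99, max(0.01, optimal_sensitivity(f_hat, c_drop, c_pass)))
    return records


if __name__ == "__main__":
    # Constructed schedule: light attack (2% of traffic), then severe (60%).
    for rec in run_controller([0.02] * 3 + [0.6] * 3):
        print(rec)
```

Running the constructed schedule, a light attack (2% of traffic) followed by a severe one (60%), moves the sensitivity from 0.02 to 0.6 one period after the jump, and the per-flow cost during the severe phase drops from about 0.58 at the light-attack setting to 0.24 once re-tuned. With equal costs the optimum for this detector is simply the attack fraction itself, which is the slide's point in miniature: every operating point on the curve is the right one for some attack severity.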
29
Outline, next section: Summary and current work
30
Worm research contribution
Worm modeling: two-factor model (human counteractions, network congestion); diurnal modeling; worm scanning strategies modeling
Early detection: detection based on the "exponential growth trend"; estimate/predict worm potential damage
Autonomous defense: dynamic quarantine (interviewed by NPR); self-tuning defense (patent filed by AT&T)
Email-based worm modeling and defense