An Integrated Approach to Detection
of Fast and Slow Scanning Worms
ASIACCS’09
Frank Akujobi,
Ioannis Lambadaris,
Evangelos Kranakis(Carleton Univ, CA)
2009/12/25 Speaker: Li-Ming Chen 2
Challenges to the Current Network-based Anomaly Detection Techniques
• Designed for (suitable for detecting) FAST worms
• Lack the capability to detect SLOW worms
• Although some approaches are designed to detect BOTH fast and slow worms:
  • e.g., [1] adaptively adjusts the threshold used to monitor the outgoing traffic of an end-host
  • e.g., [16] proposes a multi-resolution approach
• But the DRAWBACKS are:
  • High rates of false positives and false negatives
  • Provide less information for forensic analysis
  • Not all anomalous behaviors can be seen at the network level
[1] J. Agosta et al., "An adaptive anomaly detector for worm detection," in SYSML'07.
[16] V. Sekar et al., "A Multi-resolution Approach for Worm Detection and Containment," in DSN'06.
Proposed Integrated Approach
• Utilizes host-based anomaly detection, and performs correlation on network traffic profiles
• Why use a host-based AIDS (Anomaly IDS)? It is more accurate and can detect slow worms, since a host-based AIDS aims to detect attempted alteration of the predefined system states of an endpoint
• However, a host-based AIDS can NOT determine the actual traffic flow responsible for the intrusion (especially during multiple simultaneous attacks), so the proposed approach still keeps network traffic profiles as verifiable evidence
(Threat Model) Worm Attack
• Single or multiple attackers launch scanning worms on several targets
• In each cell, there are some DEs (Detector Endpoints, host-based AIDS)
• Captured traffic profiles are correlated on the gateway router
Overview of the Integrated Approach
[Figure: Detection Phase → Correlation Phase; profiles are transferred at the end of the window]
My Comment: Actually, this paper only focuses on analysis; the methods behind detection and correlation are weak or ignored without explanation!
Fast Worm Detection
When an FDA detects an intrusion:
1) the FDA notifies the other FDAs (within the same cell)
2) the other FDAs start real-time recording of profiles for ALL incoming network traffic for a pre-set capture interval, tf
3) at the END of the window, all FDAs in the cell transfer their records to their upstream GR (to the FCE)
Profile: {srcIP, dstPort, proto, payload}
My Comment:
• AIDS is just a "function unit" to trigger the profile collection for further correlation and analysis.
• Does not mention how the AIDS works!
Slow Worm Detection
• Unlike FDAs, the SDAs do NOT wait for a notification!
• SDAs perform continuous real-time capturing of profiles of ALL incoming network traffic in epochs of interval ts. Once an SDA detects an intrusion, it captures the nature of the attempted alteration. At the END of the window, all SDAs in the cell transfer their records to their upstream GR (to the adaptive profiler).
My Comment:
• An SDA records profiles on a "single" DE, so not too much data.
• Besides, the recorded Uj will be further reduced by the adaptive profiler!
Detection Windows and Adaptive Profiler
[Figure: detection windows of the DEs feeding the adaptive profiler; figure labels include X32 and U2]
Filter out fast scanning intrusion profiles; the SCE only processes the remaining profiles!
My Comment: Does not mention how to decide the width of the windows...
Note: FDA waits for notification, SDA continuously collects profiles.
Bayesian-based Correlation
Bayes' theorem expresses the posterior probability (i.e., after evidence A is observed) of a hypothesis Bi in terms of the prior probabilities of Bi and A:
$$P(B_i \mid A) = \frac{P(A \mid B_i)\,P(B_i)}{P(A)} = \frac{P(A \mid B_i)\,P(B_i)}{\sum_j P(A \mid B_j)\,P(B_j)}$$
Fast Worm Correlation
P(Bi|A) can be computed using Bayes' theorem; it represents how responsible profile i is for the observed intrusion.
• Bi: a specific profile i
• Nij: # of Bi recorded by the j-th DE
• Iij: indicator function, the observation of Bi by the j-th DE
• P(Bi): the proportion of Bi among the profiles collected by the FCE
• P(A|Bi): the probability that fast worm A occurs, given the measure of profile Bi; if Bi is observed on all FDAs, then P(A|Bi) = 1
• m: # of DEs
• y: # of different profiles
Fast Worm Correlation (cont'd)
[Slide equations for the three cases are not present in the transcript; slide annotations:]
• (only 1 profile recorded)
• (more than 1 profile recorded)
• (when intrusion A occurs, the proportion accounted for by Bi)
• (no profile recorded)
• (for all y)
Slow Worm Correlation
(similar to Fast Worm Correlation)
• Si: a specific profile i (Si ∈ Yj)
• Mij: # of Si recorded by the j-th DE
• Lij: indicator function, the observation of Si by the j-th DE
• m: # of DEs
• n: # of different profiles
• x: # of witness SDAs (not all DEs are considered, only the number of SDAs that detected slow worm H)
Slow Worm Correlation (cont'd)
• (when intrusion H occurs, the proportion accounted for by Si)
Note: Slow Worm Correlation does not use a threshold!!
My Comment: Too trivial; what about normal traffic!?
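As an added worked example (my code, not the paper's or the slides'), the Bayesian correlation of slides 10 to 13 run over constructed profile records from one cell with m = 4 DEs. P(Bi) is taken as the share of profile i among all records handed to the correlation engine, as slide 10 defines it. The likelihood P(A|Bi) is an assumption of this example: the fraction of detectors whose indicator Iij is 1, which equals 1 when every FDA saw the profile (matching slide 10) but is otherwise not the paper's exact formula. For the slow-worm case only the x witness SDAs are counted in that fraction (slide 12) and no threshold is applied (slide 13); the 0.15 fast-worm threshold is the value shown on slide 22. The profile tuples, DE names and counts are constructed sample data.

```python
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Profile as defined on slide 6: {srcIP, dstPort, proto, payload}
Profile = Tuple[str, int, str, str]
# Records handed to the GR at the end of a window: DE name -> profiles it recorded
Records = Dict[str, List[Profile]]


def profile_counts(records: Records) -> Dict[str, Counter]:
    """N_ij: number of times profile i was recorded by DE j."""
    return {de: Counter(profiles) for de, profiles in records.items()}


def bayes_correlate(records: Records,
                    witnesses: Optional[Iterable[str]] = None) -> Dict[Profile, float]:
    """Posterior P(B_i | A) for every profile i in the cell's records.

    P(B_i)    = share of profile i among all collected records (slide 10).
    P(A|B_i)  = fraction of detectors with I_ij = 1.  ASSUMPTION of this example,
                not the paper's formula; it is 1 when all detectors observed i.
    witnesses = the x witness SDAs for slow-worm correlation (slide 12);
                if None, all m DEs in the cell are used (fast-worm correlation).
    """
    counts = profile_counts(records)
    detectors = list(witnesses) if witnesses is not None else list(records)
    total = sum(sum(c.values()) for c in counts.values())
    if total == 0 or not detectors:
        return {}
    profiles = set().union(*counts.values())
    prior = {p: sum(counts[de][p] for de in counts) / total for p in profiles}
    likelihood = {
        p: sum(1 for de in detectors if counts.get(de, Counter())[p] > 0) / len(detectors)
        for p in profiles
    }
    # P(A) = sum_j P(A|B_j) P(B_j), the denominator of Bayes' theorem on slide 9
    evidence = sum(likelihood[p] * prior[p] for p in profiles)
    return {p: likelihood[p] * prior[p] / evidence for p in profiles}


def fast_worm_suspects(records: Records,
                       threshold: float = 0.15) -> List[Tuple[Profile, float]]:
    """Fast-worm correlation: profiles whose posterior reaches the threshold, best first."""
    posterior = bayes_correlate(records)
    flagged = [(p, round(v, 4)) for p, v in posterior.items() if v >= threshold]
    return sorted(flagged, key=lambda pv: pv[1], reverse=True)


def slow_worm_ranking(records: Records,
                      witnesses: Iterable[str]) -> List[Tuple[Profile, float]]:
    """Slow-worm correlation: no threshold, rank by posterior over the witness SDAs only."""
    posterior = bayes_correlate(records, witnesses)
    return sorted(((p, round(v, 4)) for p, v in posterior.items()),
                  key=lambda pv: pv[1], reverse=True)


# Constructed sample window for a cell with m = 4 DEs (not measured data).
SCAN = ("10.0.0.7", 135, "tcp", "dcom-rpc-bind")   # scanner that hit every DE
WEB = ("10.0.0.9", 80, "tcp", "http-get")           # benign, seen by two DEs
DNS = ("10.0.0.11", 53, "udp", "dns-query")         # benign, seen by one DE
SAMPLE_RECORDS: Records = {
    "de1": [SCAN] * 3 + [WEB],
    "de2": [SCAN] * 2 + [WEB],
    "de3": [SCAN] * 4 + [DNS],
    "de4": [SCAN] * 1,
}

if __name__ == "__main__":
    print("fast-worm suspects:", fast_worm_suspects(SAMPLE_RECORDS))
    print("slow-worm ranking:", slow_worm_ranking(SAMPLE_RECORDS, witnesses=["de1", "de2"]))
```

With these records the scanner profile takes 10 of 13 records and is seen by all four DEs, so its posterior is about 0.89 and it is the only profile over the 0.15 threshold; restricting the likelihood to two witness SDAs raises the benign HTTP profile to about 0.17 but still ranks the scanner first, which is the point of the slides' comment that normal traffic is not modelled separately.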
Analysis of Detection Interval
• Detection interval: the expected time required for detecting fast and slow scanning worms; this is the performance measure
• Used to bound the detection probability (or the probability of false detection) in the next section, according to Markov's inequality
Fast Worm Detection Interval, tfd
$$E[t_{fd}] = E[t_{fv}] = E\big[E[t_{fv} \mid G]\big] = \sum_{G=0}^{W-m} \frac{m+G}{r}\,\Pr\{G\} = \frac{W+m}{2r}$$
• tfv: the sum of inter-infection intervals until ALL FDAs have experienced worm scan hits
• Assume the scanning of hosts in the target cell is a Poisson process with rate r hosts/second; given G, tfv is the sum of m + G inter-scan intervals, so E[tfv | G] = (m + G)/r
• G: # of scanned non-DEs before ALL m DEs are successfully scanned (W: cell size)
Slow Worm Detection Interval, tsd
• tsv: the sum of inter-infection intervals until at least one DE experiences a worm scan hit
• Assume the scanning of hosts in the target cell is a Poisson process with rate r hosts/minute
• Z: # of hosts scanned until the first DE is scanned
$$E[t_{sd}] = E[t_{sv}] = E\big[E[t_{sv} \mid Z]\big] = E\Big[\frac{Z}{r}\Big] = \frac{W}{mr}$$
Average Detection Interval
[Figure: tfd (fast scanning worm, m = 4) and tsd (slow scanning worm, W = 128)]
Markov's Inequality
Markov's inequality gives an upper bound for the probability that a non-negative function of a r.v. is greater than or equal to some positive constant.
In this paper, the authors use Markov's inequality to measure the "detection probability" (given an upper bound for the "detection interval"):
$$\Pr\{X \ge a\} \le \frac{E[X]}{a}$$
where E[X] is the expected detection interval, a is the assigned upper bound, and Pr{X ≥ a} is the tail (1 – CDF).
Fast Worm Detection Probability
$$P(t_{fd} \ge t) \le \frac{E[t_{fd}]}{t}, \qquad E[t_{fd}] = \frac{W+m}{2r}$$
[Figure: bound on P(tfd ≥ t) with W = 254, m = 4, t = 20 (upper bound); slide annotations: 1/(W – m), ~ EXP((m + G)/r), (W + m)/2r]
Slow Worm Detection Probability
Z is a geometric r.v.: $\Pr\{Z = z\} = \frac{m}{W}\Big(1 - \frac{m}{W}\Big)^{z-1}$, so $E[Z] = \frac{W}{m}$; with $t_{sv} \mid Z \sim$ EXP(Z/r), $E[t_{sd}] = \frac{W}{mr}$.
$$P(t_{sd} \ge t) \le \frac{E[t_{sd}]}{t} = \frac{W}{mrt}$$
[Figure: bound on P(tsd ≥ t) for W = 128, m = 4, t = 20, and for W = 128, r = 3, t = 20]
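Added example (my code, not from the paper or the slides): the detection-interval models of slides 15, 16, 18 and 20 as functions, plus a Monte Carlo of the slow-worm model to check the W/(mr) mean and to compare the Markov bound against the empirical tail. Parameters are the slide values (W = 128, m = 4, r = 3 hosts/min, t = 20 for the slow case; W = 254, m = 4 for the fast case, where the slide gives no r, so r = 1 is assumed in the usage call). The exact-tail function goes beyond the slides: under their own model a geometric number of i.i.d. exponential gaps is again exponential, which shows how loose the Markov bound is for this case.

```python
import math
import random
from typing import Tuple


def expected_fast_interval(W: int, m: int, r: float) -> float:
    """E[t_fd] = (W + m) / (2 r), slide 15 (r in hosts/second)."""
    return (W + m) / (2.0 * r)


def expected_slow_interval(W: int, m: int, r: float) -> float:
    """E[t_sd] = W / (m r), slide 16: Z ~ Geometric(m/W), E[t_sv | Z] = Z / r."""
    return W / (m * r)


def markov_bound(expected: float, t: float) -> float:
    """Markov's inequality, slide 18: Pr{X >= t} <= E[X] / t.
    Capped at 1 because the bound is vacuous once E[X] >= t."""
    return min(1.0, expected / t)


def exact_slow_tail(W: int, m: int, r: float, t: float) -> float:
    """Exact Pr{t_sv >= t} under the same model (added here, not on the slides):
    a Geometric(p) count of i.i.d. Exp(r) gaps is Exp(p r) with p = m / W."""
    return math.exp(-(m / W) * r * t)


def simulate_slow_interval(W: int, m: int, r: float, t: float,
                           trials: int, seed: int = 1) -> Tuple[float, float]:
    """Monte Carlo of slide 16's model: scans arrive as a Poisson process of
    rate r (Exp(r) inter-scan gaps) and each scan picks a host uniformly, so it
    hits one of the m DEs with probability m / W; stop at the first DE hit.
    Returns (mean t_sv, fraction of runs with t_sv >= t)."""
    rng = random.Random(seed)
    p = m / W
    total = 0.0
    over = 0
    for _ in range(trials):
        elapsed = 0.0
        while True:
            elapsed += rng.expovariate(r)   # next scan arrival
            if rng.random() < p:            # this scan landed on a DE
                break
        total += elapsed
        over += elapsed >= t
    return total / trials, over / trials


if __name__ == "__main__":
    # Fast worm, slide 19 parameters; r = 1 host/second is an assumption (slide gives none).
    e_fast = expected_fast_interval(W=254, m=4, r=1.0)
    print(f"E[t_fd] = {e_fast:.2f} s, Markov bound P(t_fd >= 20) <= {markov_bound(e_fast, 20):.3f}")

    # Slow worm, slide 20 parameters.
    W, m, r, t = 128, 4, 3.0, 20.0
    e_slow = expected_slow_interval(W, m, r)
    mean, frac = simulate_slow_interval(W, m, r, t, trials=20000, seed=7)
    print(f"E[t_sd] = {e_slow:.3f} min (simulated mean {mean:.3f})")
    print(f"Markov bound {markov_bound(e_slow, t):.3f}, exact tail {exact_slow_tail(W, m, r, t):.3f}, "
          f"simulated tail {frac:.3f}")
```

For the slide-20 parameters the Markov bound says P(tsd ≥ 20) ≤ 0.533, while the exact tail under the same geometric/exponential model is exp(-1.875) ≈ 0.153; the simulation lands on the exact value, so the bound is valid but roughly 3.5× loose here.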
Experimentation and Evaluation
• Synthesized worm scanning traffic: modified the Blaster worm source code
• Emulate multiple simultaneous fast and slow scanning worms (!?)
• For effectiveness, the malicious attacks randomly scanned hosts in one target network before selecting another target network.
My Comment:
• Without considering normal traffic!?
• Scanning one network at a time is an advantage for the proposed approach!
Experiment Results
• Measure average detection interval
[Figure: fast worm detection interval (threshold = 0.15); slow worm detection interval]
Experiment Results (cont'd)
• The results from the correlation algorithms
[Figure: correlation results for the fast and slow worms against the threshold]
Conclusion
• Propose a unique integrated detection technique capable of detecting and identifying simultaneous fast and slow scanning worms
• Combine (1) host-based AIDS, (2) a self-adapting profiler, (3) Bayesian inference
• Use the sample mean excess function to determine appropriate thresholds for detecting fast worms
• Present an analysis of the detection interval
• Develop probability models for the worm detection interval
• Experiment on a live testbed