an integrated approach to detection of fast and slow scanning worms asiaccs’09 frank akujobi,...

An Integrated Approach to Detection

of Fast and Slow Scanning Worms

ASIACCS’09

Frank Akujobi,

Ioannis Lambadaris,

Evangelos Kranakis(Carleton Univ, CA)

2009/12/25 Speaker: Li-Ming Chen 2

Challenges to the Current Network-based Anomaly Detection Techniques Designed for (suitable for detecting) FAST worms Lack the capability to detect SLOW worms

Although some approaches are designed to detect BOTH fast and slow worms, E.g., [1] adaptively adjusts the threshold to monitor the outgoing t

raffic of an end-host E.g., [16] proposes a multi-resolution approach

But the DRAWBACKS are: High rate of false positive and false negative Provide less information for forensic analysis Not all the anomalous behaviors can be seen in the network level

[1] J. Agosta, et al, “An adaptive anomaly detector for worm detection,” in SYSML’07.[16] V. Sekar, et al, “A Multi-resolution Approach for Worm Detection and Containment,” in DSN’06.


Proposed Integrated Approach Utilizes host-based anomaly detection, and performs

correlation on network traffic profiles

Why use host-based AIDS (Anomaly IDS)? More accurate, can detect slow worms Since host-based AIDS aims to detect the attempted alternation

of the predefined system states of an endpoint

However host-based AIDS can NOT determine the actual traffic flow responsible for the intrusion, (especially during multiple simultaneous attacks) the proposed approach still tries to keep network traffic

profiles as verifiable evidence


(Threat Model) Worm AttackSingle or multiple attackerslaunch scanning worms on several targets

In each cell, there are some DEs (Detector Endpoints, host-based AIDS)

Correlates capturedtraffic profiles on the gateway router


Overview the Integrated Approach

Det

ectio

n P

hase

Cor

rela

tion

Pha

se

My Comment:Actually, this paper only focuses on analysis;the methods behind detection and correlation are weak or ignored without explanation!(at the end of the window)


Fast Worm Detection

When an FDA detects an intrusion: 1). the FDA notifies other FDAs (within the same cell)

2). other FDAs start real-time recording of profiles for ALL incoming network traffic for a pre-set capture interval, tf.

3). at the END of the window, all FDAs in the cell transfer their records to their upstream GR (to the FCE)

Profile: {srcIP, dstPort, proto, payload}

My Comment:• AIDS is just a “function unit” to trigger the profile collection for further correlation and analysis.• Does not mention how the AIDS works!


Slow Worm Detection

Unlike FDAs, the SDAs do NOT wait for an notification!

SDAs perform continuous real-time capturing of profiles of ALL incoming network traffic in epochs of interval ts. Once an SDA detects an intrusion, it will capture the na

ture of attempted alternation… At the END of window, all SDAs in the cell transfer th

eir records to their upstream GR (to the adaptive profiler)

My Comment:• An SDA records profiles on a “single” DE not too much data.• Besides, the recorded Uj will further reduced by adaptive profiler !


Detection Windows and Adaptive Profiler

X32

U2

Filter out fast scanningintrusion profiles; SCE only processes the rest profiles!

My Comment:Does not mention howto decide the width ofthe windows…

Note: FDA waits for notification,SDA continuously collects profiles.


Bayesian-based Correlation Bayesian theorem:

Expresses the posteriori probability (i.e. after evidence A is observed) of a hypothesis Bi in terms of the priori probabilities of Bi and A.

jjj

iiiii BPBAP

BPBAP

AP

BPBAPABP

)()|(

)()|(

)(

)()|()|(


Fast Worm Correlation

P(Bi|A) can be computed by using Bayesian theorem, represents how responsible profile i is for the observed intrusion.

Bi: a specific profile iNij: # of Bi recorded by j-th DEIij: indication function, the observation of Bi by j-th DE

(FCE 所收集到的 profile 中， Bi 所佔的比例 )

(given the measure of profile Bi, fast worm A 發生的機率 ) if Bi is observed on all FDA, then P(A|Bi) = 1

m: # of DEy: # of different profile


Fast Worm Correlation (cont’d)

(only 1 profile recorded)

(more than 1 profile recorded)

(Intrusion A 發生時， Bi 所佔的比例 )

(no profile recorded)

(for all y)


Slow Worm Correlation

(similar to Fast Worm Correlation)Si: a specific profile i ( )Mij: # of Si recorded by j-th DELij: indication function, the observation of Si by j-th DE

ji YS m: # of DEn: # of different profilex: # of witness SDA

( 並非考慮全部的 DE ，僅考慮有偵測到 slow worm H 的 SDA 個數 )


Slow Worm Correlation (cont’d)

(Intrusion H 發生時， Si 所佔的比例 )

Note: Slow Worm Correlation does notuse threshold !!

My Comment:Too trivial, what about normal traffic!?


Analysis of Detection Interval Detection interval: the expected time required for

detecting fast and slow scanning worms The performance

Used to bound the detection probability (or the probability of false detection) in next section According to Markov’s inequality


Fast Worm Detection Interval, tfd

]]|[[][][ GtEEtEtE fvfvfd

r

mWmWr

mWW

r

mmWr

W

rrmWr

mmWmWr

W

mWr

m

mWr

m

2

1

2

))(0(

1)

21(

1)(

11110

• tfv: the sum of inter-infection intervals until ALL FDAs have experienced

worm scan hits• Assume the scanning of host in the target cell is a Poisson process

with rate r hosts/second• G: # of scanned non-DEs before ALL m DEs are successfully scanned

(W: cell size)


Slow Worm Detection Interval, tsd• tsv: the sum of inter-infection intervals until at least one DE experiences

a worm scan hit.• Assume the scanning of host in the target cell is a Poisson process

with rate r hosts/minute• Z: # of hosts scanned until the first DE is scanned

mr

W

ZtEE

tEtE

sv

svsd

]]|[[

][][


Average Detection Interval

tfd

(fast scanning worm)

(m = 4)

(slow scanning worm)

(W = 128)tsd


Markov’s Inequality

Markov’s inequality gives an upper bound for the probability that a non-negative function of a r.v. is greater than or equal to some positive constant.

In this paper, authors use Markov’s inequality to measure the “detection probability” (if given an upper bound for the “detection interval”)

a

XEaX

][}Pr{

Expected detection interval

Assigned upper bound(1 – CDF)


Fast Worm Detection Probability

1/(W – m)

~ EXP( (m + G)/r )

(W + m)/2r

t

tE fd ][

)( ttP fd

(W = 254)(m = 4)t = 20 (upper bound)


Slow Worm Detection Probability

~ EXP( Z/r )

1)1( z

W

m

W

m(GEO. r.v.)

W/mr(W = 128)(m = 4)(t = 20)

(W = 128)(r = 3)(t = 20)


Experimentation and Evaluation Synthesized worm scanning traffic:

Modify blaster worm source code Emulate multiple simultaneous fast and slow scanning

worms (!?) For effectiveness, the malicious

attacks randomly scanned hosts in one

target network before selecting another

target network.

My Comment:Without considering normal traffic !?Scan one network at a time advantages over the proposed approach!


Experiment Results

(fast worm detection interval)(threshold = 0.15)

(slow worm detection interval)

• Measure average detection interval


Experiment Results (cont’d)• The results from the correlation algorithms

(threshold)

(fast)

(slow)


Conclusion

Propose a unique integrated detection technique capable of detecting and identifying simultaneous fast and slow scanning worms Combine (1) host-based AIDS, (2) a self-adapting profiler,

(3) Bayesian inference Use sample mean excess function to determine app

ropriate thresholds for detecting fast worms Present analysis of detection interval Develop probability models for worm detection interv

al Experimenting on live testbed

an integrated approach to detection of fast and slow scanning worms asiaccs’09 frank akujobi,...

Documents