Download - Summary From the Last Lecture
Well-publicized wormsWorm propagation curveScanning strategies (uniform, permutation,
hitlist, subnet)
1
Summary From the Last Lecture
Three factors define worm spread:o Size of vulnerable population
Prevention – patch vulnerabilities, increase heterogeneity
o Rate of infection (scanning and propagation strategy) Deploy firewalls Distribute worm signatures
o Length of infectious period Patch vulnerabilities after the outbreak
Worm Defense
This depends on several factors:o Reaction timeo Containment strategy – address blacklisting and
content filteringo Deployment scenario – where is response
deployedEvaluate effect of containment 24 hours
after the onset
How Well Can Containment Do?
“Internet Quarantine: Requirements for Containing Self-Propagating Code”, Proceedings of INFOCOM 2003, D. Moore, C. Shannon, G. Voelker, S. Savage
How Well Can Containment Do?Code Red
Idealized deployment: everyone deploysdefenses after given period
How Well Can Containment Do?Depending on Worm Aggressiveness
Idealized deployment: everyone deploysdefenses after given period
How Well Can Containment Do?Depending on Deployment Pattern
Reaction time needs to be within minutes, if not seconds
We need to use content filteringWe need to have extensive deployment on
key points in the Internet
How Well Can Containment Do?
Monitor outgoing connection attempts to new hosts
When rate exceeds 5 per second, put the remaining requests in a queue
When number of requests in a queue exceeds 100 stop all communication
Detecting and Stopping Worm Spread
“Implementing and testing a virus throttle”, Proceedings of Usenix Security Symposium 2003,J. Twycross, M. Williamson
Detecting and Stopping Worm Spread
Detecting and Stopping Worm Spread
Organizations share alerts and worm signatures with their “friends” o Severity of alerts is increased as more infection
attempts are detectedo Each host has a severity threshold after which it
deploys responseAlerts spread just like worm does
o Must be faster to overtake worm spreado After some time of no new infection detections,
alerts will be removed
Cooperative Strategies for Worm Defense
“Cooperative Response Strategies for Large-Scale Attack Mitigation”, Proceedings of DISCEX 2003, D. Norjiri, J. Rowe, K. Levitt
As number of friends increases, response is faster
Propagating false alarms is a problem
Cooperative Strategies for Worm Defense
Early detection would give time to react until the infection has spread
The goal of this paper is to devise techniques that detect new worms as they just start spreading
Monitoring:oMonitor and collect worm scan traffic oObservation data is very noisy so we have to
filter new scans from Old worms’ scans Port scans by hacking toolkits
Early Worm Detection
C. C. Zou, W. Gong, D. Towsley, and L. Gao. "The Monitoring and Early Detection of Internet Worms," IEEE/ACM Transactions on Networking.
Detection: oTraditional anomaly detection: threshold-based
Check traffic burst (short-term or long-term). Difficulties: False alarm rate
o“Trend Detection” Measure number of infected hosts and use it
to detect worm exponential growth trend at the beginning
Early Worm Detection
Worms uniformly scan the InternetoNo hitlists but subnet scanning is allowed
Address space scanned is IPv4
Assumptions
Simple epidemic model:
Worm Propagation Model)(** tt
t INIdtdI
−=β
Detect wormhere. Shouldhave exp.
spread
Monitoring System
Provides comprehensive observation data on a worm’s activities for the early detection of the worm
Consists of :oMalware Warning Center (MWC)oDistributed monitors
Ingress scan monitors – monitor incoming traffic going to unused addresses
Egress scan monitors – monitor outgoing traffic
Monitoring System
Ingress monitors collect:oNumber of scans received in an intervaloIP addresses of infected hosts that have
sent scans to the monitorsEgress monitors collect:oAverage worm scan rate
Malware Warning Center (MWC) monitors:oWorm’s average scan rateoTotal number of scans monitoredoNumber of infected hosts observed
Monitoring System
MWC collects and aggregates reports from distributed monitors
If total number of scans is over a threshold for several consecutive intervals, MWC activates the Kalman filter and begins to test the hypothesis that the number of infected hosts follows exponential distribution
Worm Detection
Population: N=360,000, Infection rate: = 1.8/hour, Scan rate = 358/min, Initially infected: I0=10 Monitored IP space 220, Monitoring interval: = 1 minute
Code Red Simulation
Infected hosts estimation
Population: N=100,000 Scan rate = 4000/sec, Initially infected: I0=10 Monitored IP space 220, Monitoring interval: = 1 second
Slammer Simulation
Infected hosts estimation
Worms spread very fast (minutes, seconds)oNeed automatic mitigation
If this is a new worm, no signature existsoMust apply behaviour-based anomaly detectionoBut this has a false-positive problem! We don’t
want to drop legitimate connections!Dynamic quarantine o“Assume guilty until proven innocent” oForbid network access to suspicious hosts for a
short timeoThis significantly slows down the worm spread
Dynamic Quarantine
C. C. Zou, W. Gong, and D. Towsley. "Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense," ACM CCS Workshop on Rapid
Malcode (WORM'03),
Behavior-based anomaly detection can point out suspicious hostsoNeed a technique that slows down worm
spread but doesn’t hurt legitimate traffic mucho“Assume guilty until proven innocent”
technique will briefly drop all outgoing connection attempts (for a specific service) from a suspicious host
oAfter a while just assume that host is healthy, even if not proven so
oThis should slow down worms but cause only transient interruption of legitimate traffic
Dynamic Quarantine
Assume we have some anomaly detection program that flags a host as suspiciousoQuarantine this hostoRelease it after time ToThe host may be quarantined multiple times if
the anomaly detection raises an alarmoSince this doesn’t affect healthy hosts’
operation a lot we can have more sensitive anomaly detection technique
Dynamic Quarantine
An infectious host is quarantined after time units
A susceptible host is falsely quarantined after time units
Quarantine time is T, after that we release the host
A few new categories:oQuarantined infectious R(t)oQuarantined susceptible Q(t)
Dynamic Quarantine
1
1λ
2
1λ
Initially 75,000 vulnerable hostsQuarantine rate of infectious host is
per secondo Infectious host will be quarantined after 5
seconds on average Quarantine rate of susceptible host is
per secondoThere are 2 false alarms per host per day
T=10 seconds
Simulation Setup
2.01 =λ
00002315.02 =λ
Slammer With DQ
DQ With Large T?
T=10sec T=30sec
DQ And Patching?
Patch Only Quarantined Hosts
Cleaning I(t) Cleaning R(t)