Slide 1
Modeling, Early Detection, and Mitigation of Internet Worm Attacks
Cliff C. Zou, Assistant professor
School of Computer Science, University of Central Florida, Orlando, FL
Email: [email protected]
http://www.cs.ucf.edu/~czou
Slide 2
Worm propagation process
- Find new targets: IP random scanning
- Compromise targets: exploit a vulnerability
- Newly infected hosts join the infection army
Slide 3
Worm research motivation
- Code Red (Jul. 2001): 360,000 infected in 14 hours
- Slammer (Jan. 2003): 75,000 infected in 10 minutes; congested parts of the Internet (ATMs down, ...)
- Blaster (Aug. 2003): 150,000 ~ 8 million infected; DDoS attack (shut down the domain windowsupdate.com)
- Witty (Mar. 2004): 12,000 infected in half an hour; attacked a vulnerability in ISS security products
- Sasser (May 2004): 500,000 infected within two days
Infection faster than human response!
Slide 4
How to defend against worm attack?
Automatic response required
- First, understanding worm behavior: the basis for worm detection/defense
- Next, early warning of an unknown worm: detection based on the worm model; prediction of the worm damage scale
- Last, autonomous defense: dynamic quarantine; self-tuning defense
Slide 5
Outline
- Worm propagation modeling
- Early warning of an unknown worm
- Autonomous defense
- Summary and current work
Slide 6
Outline: next section, Worm propagation modeling
Slide 7
Simple worm propagation model
- size of the address space
- N: total vulnerable
- I_t: infected by time t
- N - I_t: vulnerable at time t
- scan rate (per host)
- probability of a scan hitting a vulnerable host
- number of newly infected hosts in a unit time
Slide 8
Simple worm propagation
[Figure: I_t versus time t, t from 0 to 600, I_t axis from 0 to 5 x 10^5]
Slide 9
Code Red worm modeling
[Figure: # of monitored scans (0 to 600,000) versus time (hour), 2 to 18; curves: monitored data and Model]
Simple worm model matches observed Code Red data
"Ideal" network condition: no human countermeasures, no network congestion
First model work to consider these [CCS'02]
Slide 10
Witty worm modeling
Witty's destructive behavior:
1) Send 20,000 UDP scans to 20,000 IP addresses
2) Write 65KB at a random point on the hard disk
Consider an infected computer:
- Constant bandwidth: constant time to send 20,000 scans
- Random point writing: the infected host crashes with some probability
- Crashing time approximated by an exponential distribution
Slide 11
Witty worm modeling
hours
Memoryless property
: # of crashed infected computers at time t
# of vulnerable at t
[Figure: I_t (0 to 12,000) versus time (UTC), from 04:30 on March 20 to 04:00 on March 21, 2004; curves: Witty trace and Model]
*Witty trace provided by U. Michigan "Internet Motion Sensor"
Slide 12
Advanced worm modeling: hitlist, routing worm
- Hitlist worm: increase I_0. Contains a list of known vulnerable hosts; infects hit-list hosts first, then randomly scans
- Routing worm: decrease the scanned address space. Only scan BGP routable space; from BGP table information, the scanned space is 0.32 x 2^32 (32% of IPv4 space is Internet routable)
Lasts less than a minute
Slide 13
Hitlist, routing worm
Code Red style worm: scan rate = 358/min, N = 360,000; hitlist: I(0) = 10,000; routing: scanned space = 0.29 x 2^32
[Figure: No. infected (0 to 400,000) versus time (minutes), 0 to 600; curves: Code Red worm, Hit-list worm, Routing worm, Hitlist routing worm]
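Added example for slides 7 and 13 (not code from the talk or its author): a discrete-time simulation of the simple worm propagation model, run with the Code Red style parameters of slide 13 and with the hitlist and routing variants of slide 12. The symbol names (OMEGA for the address space size, eta for the per-host scan rate) are assumptions, since the slide's own symbols did not survive extraction.

```python
"""Discrete-time simulation of the simple worm propagation model.

Assumed notation:
  OMEGA  - size of the scanned address space (2**32 for IPv4)
  N      - total number of vulnerable hosts
  I_t    - number of infected hosts at time t
  eta    - per-host scan rate (scans per minute)
Each scan hits a vulnerable, not-yet-infected host with probability
(N - I_t) / OMEGA, so in one minute the infected count grows by
eta * I_t * (N - I_t) / OMEGA.
"""

IPV4_SPACE = 2 ** 32


def simulate(n_vulnerable, eta, i0, omega=IPV4_SPACE, minutes=600):
    """Return the list [I_0, I_1, ..., I_minutes] for the simple model."""
    infected = float(i0)
    trace = [infected]
    for _ in range(minutes):
        hit_prob = (n_vulnerable - infected) / omega   # P(one scan hits a vulnerable host)
        infected += eta * infected * hit_prob          # newly infected hosts this minute
        infected = min(infected, n_vulnerable)         # cannot exceed the vulnerable population
        trace.append(infected)
    return trace


def time_to_fraction(trace, fraction, n_vulnerable):
    """First minute at which the infected count reaches `fraction` of N, or None."""
    target = fraction * n_vulnerable
    for t, infected in enumerate(trace):
        if infected >= target:
            return t
    return None


# Code Red style parameters from slide 13: N = 360,000, 358 scans/min, I(0) = 10.
CODE_RED = dict(n_vulnerable=360_000, eta=358.0, i0=10)

SCENARIOS = {
    # hitlist worm: the attacker starts with 10,000 known vulnerable hosts (larger I(0))
    # routing worm: only BGP-routable space is scanned, so OMEGA shrinks to 0.29 * 2**32
    "Code Red worm":        simulate(**CODE_RED),
    "Hit-list worm":        simulate(360_000, 358.0, 10_000),
    "Routing worm":         simulate(360_000, 358.0, 10, omega=0.29 * IPV4_SPACE),
    "Hitlist routing worm": simulate(360_000, 358.0, 10_000, omega=0.29 * IPV4_SPACE),
}


def minutes_to_90_percent():
    """Minutes each scenario needs to infect 90% of N: a larger I(0) or a
    smaller scanned space both shorten the time a defender has to react."""
    return {name: time_to_fraction(tr, 0.9, 360_000) for name, tr in SCENARIOS.items()}


if __name__ == "__main__":
    for name, t90 in minutes_to_90_percent().items():
        print(f"{name:22s} 90% infected after {t90} minutes")
```

The plain Code Red run needs roughly seven hours to reach 90% of the vulnerable population, the hitlist start cuts that by more than half, and the routing worm's smaller address space does the same; combining both leaves about an hour, which is the point of slide 13's comparison.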
Slide 14
Outline: next section, Early warning of an unknown worm
Slide 15
How to detect an unknown worm at its early stage?
Monitor: worm scans to unused IPs (TCP SYN packets, UDP packets)
[Figure: the Internet, a local network with unused IP space, and the monitored traffic]
Monitored data is noisy
Slide 16
Reflection
Worm anomaly vs. other anomalies? A worm has its own propagation dynamics; deterministic models are appropriate for worms
Can we take advantage of the worm model to detect a worm?
Slide 17
Worm model in early stage
[Figure: I_t versus time t on a log scale (10^0 to 10^6, t from 0 to 300) with the 1% and 2% infection levels marked, and on a linear scale (0 to 5 x 10^5, t from 0 to 600)]
Initial stage exhibits exponential growth
Slide 18
"Trend Detection": detect the traffic trend, not a burst
Trend: worm exponential growth trend at the beginning
Detection: the estimated exponential rate is a positive, constant value
[Figure: monitored illegitimate traffic rate (0 to 60) and exponential rate on-line estimation (-0.1 to 0.2) over time (10 to 50), shown for worm traffic and for non-worm burst traffic]
Slide 19
Why exponential growth at the beginning?
Attacker's incentive: infect as many as possible before people's counteractions
If not, a worm does not reach its spreading speed limit
Slow spreading worm detected by other ways: security experts' manual check, honeypot, ...
Slide 20
Model for estimating the worm exponential growth rate
Exponential model:
: monitoring noise
Z_t: # of monitored scans at time t
yield
Slide 21
Code Red simulation experiments
Population: N = 360,000; infection rate: 1.8/hour; scan rate: N(358/min, 100^2); initially infected: I_0 = 10
Monitored IP space: 2^20; monitoring interval: 1 minute; background noise considered
At 0.3% (157 min): estimate stabilizes at a positive constant value
[Figure: I_t (0 to 3.5 x 10^5) versus time t (minutes), 100 to 700; real versus estimated value of the growth rate (0 to 0.2) over minutes 128 to 250]
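Added example for slides 18 to 21 (not the talk's estimator): an on-line estimate of the worm's exponential growth rate from noisy monitor counts, using the slide 21 setting (N = 360,000, 358 scans/min, I_0 = 10, a 2^20 monitored space, 1-minute intervals, background noise). The slide's model equations did not survive extraction, so the estimator here is an assumption: a least-squares fit of ln Z_t = ln Z_0 + alpha*t over a sliding window. The trend rule then asks, as slide 18 does, whether the estimate has settled at a positive constant; a constructed non-worm burst (a scanner switching on and staying flat) is included to show that a burst does not pass the rule.

```python
"""On-line exponential-rate estimation for worm trend detection.

Assumed symbols: Z_t = monitored scans in minute t, alpha = worm growth
rate per minute, P_MONITOR = fraction of IPv4 space the monitor covers.
"""
import math
import random

IPV4_SPACE = 2 ** 32
MONITORED = 2 ** 20                   # monitored IP space from slide 21
P_MONITOR = MONITORED / IPV4_SPACE    # probability that one scan lands in the monitor


def worm_monitor_trace(n_vulnerable=360_000, eta=358.0, i0=10, minutes=260,
                       noise_sd=3.0, seed=1):
    """Constructed sample: scans/minute seen by the monitor while a Code Red style
    worm grows, plus zero-mean Gaussian background noise (clipped at zero)."""
    rng = random.Random(seed)
    infected = float(i0)
    trace = []
    for _ in range(minutes):
        expected = eta * infected * P_MONITOR
        trace.append(max(0.0, expected + rng.gauss(0.0, noise_sd)))
        infected += eta * infected * (n_vulnerable - infected) / IPV4_SPACE
    return trace


def burst_monitor_trace(minutes=260, noise_sd=3.0, seed=1):
    """Constructed sample: a non-worm burst (a scanner that switches on at
    minute 100 and stays at a flat 80 scans/minute) with the same noise."""
    rng = random.Random(seed)
    return [max(0.0, (0.0 if t < 100 else 80.0) + rng.gauss(0.0, noise_sd))
            for t in range(minutes)]


def estimate_rate(window):
    """Least-squares slope of ln(Z) over the window; None if any count is zero."""
    points = [(t, math.log(z)) for t, z in enumerate(window) if z > 0]
    if len(points) < len(window):
        return None
    n = len(points)
    mean_t = sum(t for t, _ in points) / n
    mean_y = sum(y for _, y in points) / n
    sxx = sum((t - mean_t) ** 2 for t, _ in points)
    sxy = sum((t - mean_t) * (y - mean_y) for t, y in points)
    return sxy / sxx


def online_estimates(trace, window=30):
    """Rate estimate produced every minute once a full window is available."""
    return [estimate_rate(trace[t - window:t]) for t in range(window, len(trace) + 1)]


def trend_detected(estimates, min_rate=0.01, recent=30, tolerance=0.5):
    """Slide 18 rule: the last `recent` estimates are all positive (above
    min_rate) and stay within `tolerance` of their mean, i.e. a constant."""
    tail = estimates[-recent:]
    if len(tail) < recent or any(e is None or e <= min_rate for e in tail):
        return False
    mean = sum(tail) / recent
    return max(abs(e - mean) for e in tail) <= tolerance * mean


def true_rate(n_vulnerable=360_000, eta=358.0):
    """alpha = eta * N / OMEGA for the simple model: 1.8/hour, about 0.03/min."""
    return eta * n_vulnerable / IPV4_SPACE


if __name__ == "__main__":
    for label, trace in (("worm", worm_monitor_trace()), ("burst", burst_monitor_trace())):
        est = online_estimates(trace)
        print(f"{label}: last estimate {est[-1]:.4f}, trend detected: {trend_detected(est)}")
```

With the noise level used here the worm's estimate settles near the true rate well before the 0.3% mark quoted on slide 21; the early minutes, where the expected monitor count is below the noise floor, yield no estimate at all, which is why the rule looks at a run of recent estimates rather than a single value. For the burst the estimate spikes at the step and then falls back to zero, so the "positive constant" condition never holds.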
Slide 22
Damage evaluation: prediction of the global vulnerable population N
yield
[Figure: estimated population N (0 to 6 x 10^5) versus time t (minutes), 128 to 250]
Accurate prediction when less than 1% of N infected
Slide 23
Damage evaluation: estimation of the global infected population I_t
[Figure: # of infected hosts (0 to 4 x 10^5) versus time t (minutes), 100 to 700; curves: real infected I_t, observed C_t, estimated I_t; monitoring a 2^14 IP space (p = 4 x 10^-6)]
p: fraction of address space monitored
C_t: cumulative # of observed infected hosts by time t
: per-host scan rate
: prob. of an infected host being observed by the monitor in a unit time
# of unobserved infected by t
# of newly observed (t to t+1)
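Added example for slides 22 and 23 (not the talk's code): predicting N from the growth rate, and estimating I_t from the cumulative observed count C_t. Only p and C_t appear on the slide; eta (per-host scan rate), OMEGA (scanned space), alpha (growth rate) and q (probability that an infected host is seen by the monitor in one minute) are assumed names. The relation used for I_t is the balance stated on slide 23: the unobserved infected hosts at t, times q, equal the hosts newly observed between t and t+1. The monitor data is a constructed sample with seeded sampling noise, so the estimate is noisy the way the slide's curve is.

```python
"""Damage evaluation from monitor observations."""
import math
import random

IPV4_SPACE = 2 ** 32
ETA = 358.0                        # scans per minute per infected host (assumed, as on slide 13)
P_MONITOR = 2 ** 14 / IPV4_SPACE   # slide 23: a 2^14 IP monitored space, p ~ 4e-6


def predict_population(alpha, eta=ETA, omega=IPV4_SPACE):
    """In the simple model alpha = eta*N/OMEGA, so N = alpha*OMEGA/eta."""
    return alpha * omega / eta


def observe_prob(p=P_MONITOR, eta=ETA):
    """Probability that at least one of a host's eta scans in a minute hits
    the monitor; for small p this is about eta*p."""
    return 1.0 - (1.0 - p) ** eta


def simulate_observation(n_vulnerable=360_000, i0=10, minutes=600, seed=7):
    """Constructed sample: real I_t from the simple model, and the cumulative
    observed count C_t, where each still-unobserved infected host is first
    seen in a minute with probability q (count drawn with a seeded normal
    approximation to the binomial)."""
    rng = random.Random(seed)
    q = observe_prob()
    infected, observed = float(i0), 0.0
    real, cumulative = [], []
    for _ in range(minutes):
        real.append(infected)
        cumulative.append(observed)
        mean_new = (infected - observed) * q          # expected newly observed hosts
        new = max(0.0, rng.gauss(mean_new, math.sqrt(mean_new)))
        observed = min(observed + new, infected)
        infected += ETA * infected * (n_vulnerable - infected) / IPV4_SPACE
    return real, cumulative


def estimate_infected(cumulative, t, q=None, smooth=10):
    """Slide 23 balance: (# unobserved infected by t) * q = # newly observed
    in (t, t+1], so I_t ~ C_t + (C_{t+1} - C_t)/q.  The one-step estimate is
    averaged over the previous `smooth` minutes to damp sampling noise; the
    averaging biases the result slightly low while the worm is still growing."""
    q = observe_prob() if q is None else q
    estimates = []
    for s in range(t - smooth + 1, t + 1):
        newly = cumulative[s + 1] - cumulative[s]
        estimates.append(cumulative[s] + newly / q)
    return sum(estimates) / len(estimates)


if __name__ == "__main__":
    print(f"N predicted from alpha = 1.8/hour: {predict_population(1.8 / 60):.0f}")
    real, cum = simulate_observation()
    for t in (300, 500):
        print(f"t={t}: real I_t={real[t]:.0f}, observed C_t={cum[t]:.0f}, "
              f"estimated I_t={estimate_infected(cum, t):.0f}")
```

Note how far C_t lags I_t: with a 2^14 monitored space a single infected host takes on average 1/q, over 700 minutes, to be seen at all, so the raw observed count badly understates the infection and the correction term (newly observed divided by q) carries most of the estimate.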
Slide 24
Outline: next section, Autonomous defense
Slide 25
Autonomous defense principles
Principle #1: Preemptive Quarantine. Compared to the attack's potential damage, we are willing to tolerate some false alarm cost. Quarantine upon suspicion, confirm later. Basis for our Dynamic Quarantine [WORM'03]
Principle #2: Adaptive Adjustment. More serious attack, more aggressive defense. At any time t, minimize:
(attack damage cost) + (false alarm cost)
Slide 26
Self-tuning defense against various network attacks
Principle #2: Adaptive Adjustment. More severe attack, more aggressive defense
Self-tuning defense system designs: SYN flood; Distributed Denial-of-Service (DDoS) attack; Internet worm infection; DDoS attack with no source address spoofing
Slide 27
Motivation of self-tuning defense
: false positive prob. (blocking normal traffic)
: false negative prob. (missing attack traffic)
: detection sensitivity
: fraction of attack in traffic
Q: Which operation point is "good"?
A: All operation points are good; the optimal one depends on attack severity
[Figure: false positive versus false negative trade-off curve, both axes from 0 to 1, with the operating points for a severe attack and for a light attack marked]
Slide 28
Self-tuning defense design
[Diagram: incoming traffic -> filter -> passed traffic; attack estimation feeds self-tuning optimization, which adjusts the filter; discrete time steps k, k+1]
Optimization:
: fraction of passed attack
: fraction of dropped normal
: cost of dropping a normal traffic
: cost of passing an attack traffic
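Added example for slides 25 to 28 (not the talk's design): the discrete-time self-tuning loop, choosing the detection sensitivity that minimises (attack damage cost) + (false alarm cost) for the currently estimated attack severity. Assumed names: s = detection sensitivity in [0, 1], fp(s) and fn(s) = false positive and false negative probabilities, a = fraction of attack in the traffic, c_fp and c_fn = the costs of dropping a normal packet and passing an attack packet. The trade-off curve fp(s) = s^2, fn(s) = (1 - s)^2 is a constructed stand-in for a real detector's ROC curve, and the attack estimator (inverting the filter's own alarm rate through its calibrated fp/fn curves) is likewise an assumption; the slide only names the "attack estimation" box.

```python
"""Self-tuning defense: adapt the operating point to the attack severity."""


def false_positive(s):
    """Constructed detector: blocking more aggressively raises false positives..."""
    return s ** 2


def false_negative(s):
    """...and lowers false negatives."""
    return (1.0 - s) ** 2


def expected_cost(s, attack_fraction, c_fp=1.0, c_fn=5.0):
    """Per-packet expected cost at sensitivity s, i.e. slide 25's
    (attack damage cost) + (false alarm cost)."""
    dropped_normal = (1.0 - attack_fraction) * false_positive(s)
    passed_attack = attack_fraction * false_negative(s)
    return c_fp * dropped_normal + c_fn * passed_attack


def best_sensitivity(attack_fraction, c_fp=1.0, c_fn=5.0, grid=1001):
    """Grid search over s in [0, 1] for the minimum-cost operating point."""
    best_s, best_c = 0.0, float("inf")
    for i in range(grid):
        s = i / (grid - 1)
        c = expected_cost(s, attack_fraction, c_fp, c_fn)
        if c < best_c:
            best_s, best_c = s, c
    return best_s


def closed_form_sensitivity(attack_fraction, c_fp=1.0, c_fn=5.0):
    """For the quadratic curves above, d(cost)/ds = 0 gives
    s* = a*c_fn / ((1-a)*c_fp + a*c_fn); used to cross-check the grid search."""
    a = attack_fraction
    return a * c_fn / ((1.0 - a) * c_fp + a * c_fn)


def attack_fraction_from_alarms(alarm_rate, s):
    """Assumed attack estimator: at sensitivity s the alarm rate is
    a*(1-fn(s)) + (1-a)*fp(s), so a is recovered by inverting that relation."""
    denom = 1.0 - false_negative(s) - false_positive(s)   # zero only at s = 0 or s = 1
    a = (alarm_rate - false_positive(s)) / denom
    return min(1.0, max(0.0, a))


def self_tune(true_fractions, s0=0.5, c_fp=1.0, c_fn=5.0, s_min=0.05, s_max=0.95):
    """Discrete-time loop of slide 28: in interval k the filter runs at s_k,
    the alarm rate it produced is inverted into an attack estimate, and the
    sensitivity for interval k+1 is re-optimised.  s is kept inside
    [s_min, s_max] so the alarm rate always carries information about a.
    Alarm rates are noise-free, derived from the constructed true fractions."""
    s = s0
    chosen = []
    for a_true in true_fractions:
        alarm_rate = a_true * (1.0 - false_negative(s)) + (1.0 - a_true) * false_positive(s)
        a_hat = attack_fraction_from_alarms(alarm_rate, s)
        s = min(s_max, max(s_min, best_sensitivity(a_hat, c_fp, c_fn)))
        chosen.append(round(s, 3))
    return chosen


if __name__ == "__main__":
    # constructed attack severity over six intervals: none, light, growing, severe, severe, fading
    print(self_tune([0.0, 0.05, 0.2, 0.5, 0.5, 0.1]))
```

The chosen sensitivity climbs from the floor while the attack fraction grows and drops back once it fades, which is slide 27's answer in code: every operating point on the curve is "good" for some severity, and the loop merely tracks which one is optimal now.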
Slide 29
Outline: next section, Summary and current work
Slide 30
Worm research contribution
- Worm modeling: two-factor model (human counteractions, network congestion); diurnal modeling; worm scanning strategies modeling
- Early detection: detection based on the "exponential growth trend"; estimate/predict worm potential damage
- Autonomous defense: dynamic quarantine (interviewed by NPR); self-tuning defense (patent filed by AT&T)
- Email-based worm modeling and defense