1
Monitoring and Early Warning for Internet Worms
Authors: Cliff C. Zou, Lixin Gao, Weibo Gong, Don Towsley
Univ. Massachusetts, Amherst
Published in: 10th ACM Conference on Computer and Communications Security (CCS'03), 2003
Presenter: Cliff C. Zou (01/12/2006)
2
How to detect an unknown worm at its early stage?
Monitor: worm scans sent to unused IP space (TCP SYN packets, UDP packets)
[Figure: traffic from the Internet into the local network; the part destined to unused IP space is the monitored traffic]
Monitored data is noisy
3
Reflection
Worm anomaly vs. other anomalies? A worm has its own propagation dynamics
Deterministic models are appropriate for worms
Can we take advantage of the worm model to detect a worm?
4
Worm model in early stage
[Figure: number of infected hosts I_t vs. time t; left panel on a log scale (10^0 to 10^6, with the 1% and 2% infected levels marked), right panel on a linear scale (0 to 5 x 10^5)]
Initial stage exhibits exponential growth
5
"Trend Detection": detect the traffic trend, not a burst
Trend: a worm shows an exponential growth trend at the beginning
Detection: the estimated exponential rate should be a positive, constant value
[Figure: three cases side by side, each with a top panel "Monitored illegitimate traffic rate" (0 to 60 over time 10 to 50) and a bottom panel "Exponential rate on-line estimation" (-0.1 to 0.2 over the same time); the first case is worm traffic, the others are non-worm traffic bursts]
6
Why exponential growth at the beginning?
The law of natural growth (reproduction) when interference is negligible (beginning phase)
Attacker's incentive: infect as many hosts as possible before people's counteractions
If not, a worm does not reach its spreading speed limit
A slow-spreading worm is detected by other ways: security experts' manual checks, honeypots, ...
7
Model for estimating the worm exponential growth rate
Exponential model:
: monitoring noise
Z_t: # of monitored scans at time t
yield
8
Estimation by Kalman Filter
System: where
Kalman filter for estimation of X_t:
9
Code Red simulation experiments
Population: N = 360,000; infection rate: 1.8/hour; scan rate: normally distributed, N(358/min, 100^2); initially infected: I_0 = 10
Monitored IP space: 2^20 addresses; monitoring interval: 1 minute; background noise is considered
At 0.3% infected (157 min): the estimate stabilizes at a positive constant value
[Figure: left panel, number of infected hosts I_t vs. time t (minutes), 0 to 3.5 x 10^5 over 100 to 700 min; right panel, real value vs. estimated value of the growth rate over 128 to 250 min, y-axis 0 to 0.2]
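An added worked example (written for this page, not code from the paper or the presenter) that runs the slide 9 experiment end to end in Python: the Code Red parameters above drive a discrete simple-epidemic recurrence, the monitored scan count Z_t is formed from the scans that land in a 2^20-address block plus background noise, a scalar Kalman filter (recursive least squares) estimates the exponential growth rate minute by minute, and the slide 5 rule fires once that estimate settles at a positive constant. The same filter is then run over a flat non-worm burst, which must not fire. Assumptions that are mine rather than the paper's: the epidemic recurrence used for the trajectory, Gaussian background noise with mean 20 and standard deviation 5 scans per minute, Poisson-like variance on the worm scans, the linearization Z_t = beta*Z_{t-1} + w_t applied after subtracting the background mean measured over the first 30 minutes, and the rule parameters (20-minute window, minimum rate 0.5/hour, 25% tolerance).

```python
import math
import random

# Parameters of the Code Red simulation on slide 9.
N = 360_000                   # vulnerable population
ALPHA = 1.8                   # infection rate, per hour
DT = 1.0 / 60                 # monitoring interval (1 minute) in hours
SCAN_RATE = 358.0             # mean scans per infected host per minute
I0 = 10                       # initially infected hosts
P_MONITOR = 2**20 / 2**32     # fraction of IPv4 space watched: a 2^20-address block
# Assumed background noise hitting the unused block (constructed, not from the paper).
NOISE_MEAN, NOISE_SD = 20.0, 5.0


def simulate_worm(minutes, rng):
    """Simple epidemic recurrence I_{t+1} = I_t + ALPHA*DT*I_t*(1 - I_t/N) (assumed model),
    observed as Z_t = worm scans landing in the monitored block (Gaussian with Poisson-like
    variance, an approximation) + background noise. Returns (infected, monitored_scans)."""
    infected, scans = [float(I0)], []
    for _ in range(minutes):
        i = infected[-1]
        mu = i * SCAN_RATE * P_MONITOR               # expected worm scans seen this minute
        worm = max(0.0, rng.gauss(mu, math.sqrt(mu)))
        scans.append(worm + rng.gauss(NOISE_MEAN, NOISE_SD))
        infected.append(i + ALPHA * DT * i * (1 - i / N))
    return infected[:-1], scans


def simulate_burst(minutes, rng, start=200, length=30, height=2000.0):
    """Non-worm traffic: background noise plus a flat burst of `height` scans/minute for
    `length` minutes, e.g. a misconfigured scanner (constructed contrast case)."""
    return [rng.gauss(NOISE_MEAN, NOISE_SD) + (height if start <= t < start + length else 0.0)
            for t in range(minutes)]


def estimate_rates(scans, baseline_minutes=30, r=NOISE_SD**2, p0=1e3):
    """Recursive least squares (a scalar Kalman filter with no process noise) for the
    exponential model Z_t = beta*Z_{t-1} + w_t, applied after subtracting the background
    mean measured over the first quiet minutes. Returns the per-hour growth-rate estimate
    ln(beta)/DT for every minute, or None where beta <= 0 and no rate is defined."""
    base = sum(scans[:baseline_minutes]) / baseline_minutes
    z = [v - base for v in scans]
    beta, p, rates = 1.0, p0, [None]
    for t in range(1, len(z)):
        h = z[t - 1]
        k = p * h / (h * h * p + r)      # Kalman gain
        beta += k * (z[t] - h * beta)    # correct with the innovation
        p *= 1 - k * h                   # error variance update
        rates.append(math.log(beta) / DT if beta > 0 else None)
    return rates


def detect(rates, window=20, alpha_min=0.5, tol=0.25):
    """Trend-detection rule of slide 5: alarm at the first minute whose last `window`
    estimates are all positive (at least alpha_min per hour) and agree to within `tol` of
    their mean, i.e. the estimate has settled at a positive constant. Returns
    (minute, mean rate over the window) or None."""
    for t in range(window - 1, len(rates)):
        w = rates[t - window + 1:t + 1]
        if any(v is None or v < alpha_min for v in w):
            continue
        mean = sum(w) / len(w)
        if max(w) - min(w) <= tol * mean:
            return t, mean
    return None


def run_experiment(seed=1, minutes=400):
    rng = random.Random(seed)
    infected, worm_scans = simulate_worm(minutes, rng)
    worm_alarm = detect(estimate_rates(worm_scans))
    burst_alarm = detect(estimate_rates(simulate_burst(minutes, rng)))
    fraction = infected[worm_alarm[0]] / N if worm_alarm else None
    return {"worm_alarm": worm_alarm,             # (minute, estimated rate per hour)
            "infected_fraction_at_alarm": fraction,
            "burst_alarm": burst_alarm}           # expected: None


if __name__ == "__main__":
    print(run_experiment())
```

Running it, the worm case alarms while well under half the population is infected, with an estimated rate in the neighbourhood of the configured 1.8/hour; the burst case returns None because its rate estimate collapses to about zero on the plateau and goes negative when the burst ends. With Poisson-like noise on a 2^20 block the alarm comes later than the 157 minutes on slide 9; a larger monitored block raises Z_t and shortens that delay.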
10
Damage evaluation — Prediction of global vulnerable population N
yield
[Figure: estimated population N vs. time t (minutes), 128 to 250 min, y-axis 0 to 6 x 10^5]
Accurate prediction when less than 1% of N infected
11
Damage evaluation — Estimation of global infected population I_t
[Figure: # of infected hosts vs. time t (minutes), 100 to 700 min, y-axis 0 to 4 x 10^5; curves: real infected I_t, observed C_t, estimated I_t]
Monitoring 2^14 IP space (p = 4 x 10^-6)
p: fraction of address space monitored
C_t: cumulative # of observed infected hosts by time t
: per-host scan rate
: prob. that an infected host is observed by the monitor in a unit time
# of unobserved infected hosts by t
# of newly observed hosts (t to t+1)
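An added example for slides 10 and 11 (written for this page, not the paper's code): predict the vulnerable population N from the curvature of the monitored scan series, and estimate the global infected population I_t from the cumulative count C_t of distinct sources the monitor has seen. Assumptions that are mine: a simple-epidemic recurrence I_{t+1} = I_t + alpha*dt*I_t*(1 - I_t/N) for the trajectory, batch least squares on Z_{t+1} = a*Z_t - b*Z_t^2 where the paper uses a Kalman filter, noise-free scan counts for the N prediction (so the "less than 1% infected" claim is checked in the idealized case), c = eta*p known because the per-host scan rate is measurable at the monitor, and a rounded Gaussian standing in for the binomial draw of newly observed sources. It runs the I_t estimator for both the 2^20 block of slide 9 and the 2^14 block of slide 11 to show how much noisier the smaller block is, which is the monitoring-space weakness raised on slide 14.

```python
import math
import random

# Parameters from the simulation setup on slide 9.
N = 360_000               # true vulnerable population (to be recovered by the estimator)
ALPHA_DT = 1.8 / 60       # infection rate per minute (1.8 per hour)
ETA = 358                 # per-host scan rate, scans per minute
I0 = 10                   # initially infected hosts


def infected_trajectory(stop_fraction):
    """Simple epidemic recurrence I_{t+1} = I_t + ALPHA_DT*I_t*(1 - I_t/N), one step per
    minute (assumed model), stopped once I_t reaches stop_fraction of N."""
    infected = [float(I0)]
    while infected[-1] < stop_fraction * N:
        i = infected[-1]
        infected.append(i + ALPHA_DT * i * (1 - i / N))
    return infected


def predict_population(scans, c):
    """Slide 10: fit Z_{t+1} = a*Z_t - b*Z_t^2 by least squares, where Z_t = c*I_t are the
    monitored scans per minute and c = scans per infected host per minute that land in the
    monitored block. Under the epidemic model a = 1 + ALPHA_DT and b = ALPHA_DT/(c*N), so
    N = (a - 1)/(b*c). Batch least squares here; the paper uses a Kalman filter."""
    s2 = s3 = s4 = r1 = r2 = 0.0
    for z, z_next in zip(scans, scans[1:]):
        s2 += z ** 2
        s3 += z ** 3
        s4 += z ** 4
        r1 += z * z_next
        r2 += z ** 2 * z_next
    det = s2 * s4 - s3 ** 2            # normal equations of the 2-parameter fit
    a = (r1 * s4 - s3 * r2) / det
    b = (s3 * r1 - s2 * r2) / det
    return (a - 1) / (b * c)


def observe_probability(p, eta=ETA):
    """Probability that one infected host, scanning eta addresses per minute uniformly at
    random, hits the monitored fraction p of the address space at least once in a minute."""
    return 1 - (1 - p) ** eta


def estimate_infected(cumulative_observed, p, eta=ETA):
    """Slide 11: newly observed sources in (t, t+1] ~= q*(I_t - C_t) with q from
    observe_probability, so I_t ~= C_t + (C_{t+1} - C_t)/q."""
    q = observe_probability(p, eta)
    c = cumulative_observed
    return [c[t] + (c[t + 1] - c[t]) / q for t in range(len(c) - 1)]


def simulate_observed_sources(infected, p, rng, eta=ETA):
    """Cumulative number C_t of distinct infected sources the monitor has seen: each still
    unobserved infected host is seen during the next minute with probability q (binomial
    draw approximated by a rounded Gaussian; constructed data)."""
    q = observe_probability(p, eta)
    observed = [0.0]
    for i in infected[:-1]:
        unobserved = max(0.0, i - observed[-1])
        mean, sd = unobserved * q, math.sqrt(unobserved * q * (1 - q))
        new = min(unobserved, max(0.0, round(rng.gauss(mean, sd))))
        observed.append(observed[-1] + new)
    return observed


def rms_relative_error(estimates, truth):
    pairs = list(zip(estimates, truth))
    return math.sqrt(sum(((e - t) / t) ** 2 for e, t in pairs) / len(pairs))


def demo(seed=1):
    rng = random.Random(seed)
    infected = infected_trajectory(0.01)            # up to 1% of N infected (slide 10 claim)
    p20, p14 = 2**20 / 2**32, 2**14 / 2**32         # monitored blocks of slides 9 and 11
    c20 = ETA * p20                                 # monitored scans per infected host/min
    n_hat = predict_population([c20 * i for i in infected], c20)
    result = {"n_hat": n_hat, "n_rel_error": abs(n_hat / N - 1)}
    for label, p in (("2^20", p20), ("2^14", p14)):
        observed = simulate_observed_sources(infected, p, rng)
        est = estimate_infected(observed, p)
        # judge only the last 20 minutes, once enough sources have been seen
        result["I_rms_rel_error_" + label] = rms_relative_error(est[-20:], infected[-21:-1])
    return result


if __name__ == "__main__":
    print(demo())
```

predict_population returns N to within rounding on the exact series; the RMS relative error of the I_t estimate over the last 20 minutes is a few percent with 2^20 monitored addresses and tens of percent with 2^14, because q = 1 - (1-p)^eta, the per-minute chance of seeing a given infected host, is about 0.084 for the larger block versus about 0.0014 for the smaller one.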
12
What's the paper's contribution?
A novel approach to anomaly detection: the popular approach is based on a static threshold; this paper exploits worm dynamics, i.e. the dynamics over a time series
Worm potential damage prediction: estimate the global infected population based on local information; predict the global vulnerable population
13
Why can this paper be published?
Different approach from popular ways: model-based anomaly detection; a fresh viewpoint is interesting
Solid (fancy) mathematical background: the math is appropriate; a pure experimental report is not (good) enough for an academic paper
Timely appearance: catch a promising/hot topic ASAP; rely on advisors, (conference) papers, tech news, colleagues, ...
14
What's the paper's weakness?
Early detection provides limited information: it does not provide a signature for worm defense, and it does not (accurately) identify the global infected hosts
Requires a large empty IP space for monitoring: not very good for an individual local network
Worm damage prediction results are accurate only for uniform-scan worms; many worms use biased scanning strategies
15
How to improve the paper?
I have improved the CCS'03 conference paper and published it in IEEE Trans. on Networking
Detect a worm earlier: the conference paper uses a simple worm model; TON's uses the exponential model (several times faster)
Consider the limitation of the monitoring system: TON's paper adds analysis/experiments of the monitoring problem for non-uniform scan worms