Modeling, Early Detection, and Mitigation of Internet Worm Attacks

PowerPoint PPT presentation transcript, 30 pages

TRANSCRIPT

Page 1: Modeling, Early Detection, and Mitigation of Internet Worm Attacks

Cliff C. Zou, Assistant Professor, School of Computer Science, University of Central Florida, Orlando, FL
Email: [email protected]
Web: http://www.cs.ucf.edu/~czou

Page 2: Worm propagation process

1) Find new targets: IP random scanning
2) Compromise targets: exploit a vulnerability
3) Newly infected hosts join the infection army

Page 3: Worm research motivation

Code Red (Jul. 2001): 360,000 infected in 14 hours
Slammer (Jan. 2003): 75,000 infected in 10 minutes; congested parts of the Internet (ATMs down, ...)
Blaster (Aug. 2003): 150,000 ~ 8 million infected; DDoS attack (shut down the domain windowsupdate.com)
Witty (Mar. 2004): 12,000 infected in half an hour; attacked a vulnerability in ISS security products
Sasser (May 2004): 500,000 infected within two days

Infection is faster than human response!

Page 4: How to defend against worm attacks?

Automatic response required.

First, understand worm behavior: the basis for worm detection/defense.
Next, early warning of an unknown worm: detection based on the worm model; prediction of the worm damage scale.
Last, autonomous defense: dynamic quarantine; self-tuning defense.

Page 5: Outline

Worm propagation modeling
Early warning of an unknown worm
Autonomous defense
Summary and current work

Page 6: Outline (repeat of page 5; next section: Worm propagation modeling)

Page 7: Simple worm propagation model

Address space size
N: total vulnerable population
I_t: # infected by time t
N - I_t: # still vulnerable at time t
Scan rate (per host)
Prob. of a scan hitting a vulnerable host
# of newly infected hosts in a unit time

Page 8: Simple worm propagation

Figure: I_t versus time t (t from 0 to 600; I_t up to 5 x 10^5)

Page 9: Code Red worm modeling

Figure: # of monitored scans versus time (hours 2 to 18; 0 to 600,000), observed Code Red data against the model

The simple worm model matches the observed Code Red data.
It assumes an "ideal" network condition: no human countermeasures and no network congestion. The two-factor model was the first model work to consider these [CCS'02].

Page 10: Witty worm modeling

Witty's destructive behavior:
1) Send 20,000 UDP scans to 20,000 IP addresses
2) Write 65KB at a random point on the hard disk

Consider an infected computer:
Constant bandwidth, so a constant time to send the 20,000 scans
Random-point writing, so the infected host crashes with some probability per write
Crashing time approximated by an exponential distribution

Page 11: Witty worm modeling

Crash-time parameter given in hours; the exponential distribution has the memoryless property.
The model tracks the # of crashed infected computers at time t and the # of vulnerable hosts at time t.

Figure: I_t versus time (UTC) on March 20 ~ 21, 2004 (04:30 to 04:00 next day; 0 to 12,000), Witty trace against the model

*Witty trace provided by U. Michigan "Internet Motion Sensor"

Page 12: Advanced worm modeling: hitlist worm, routing worm

Hitlist worm (increases I_0): contains a list of known vulnerable hosts; infects the hit-list hosts first (this phase lasts less than a minute), then randomly scans.
Routing worm (decreases the scanned address space): only scans BGP-routable space. BGP table information: scanned space = 0.32 x 2^32, i.e. 32% of the IPv4 space is Internet routable.

Page 13: Hitlist, routing worm

Code Red style worm: scan rate = 358/min, N = 360,000
Hitlist: I(0) = 10,000
Routing: scanned address space = 0.29 x 2^32

Figure: No. infected versus time (minutes 0 to 600; 0 to 400,000) for the Code Red worm, hit-list worm, routing worm and hitlist routing worm
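The following Python simulation is an added example, not code from the talk. It integrates the simple propagation model described on page 7 and runs the four page-13 scenarios (Code Red style, hit-list, routing, hit-list routing) with the page-13 parameters. The symbol names eta (per-host scan rate), omega (scanned address space) and the Euler time step are this example's own choices, since the slide's formula itself does not survive in the transcript.

```python
"""Simple worm propagation model (Euler integration) with hit-list and
routing-worm variants.  Added example, not code from the talk.

Assumed symbols (this example's own): eta = per-host scan rate (scans/min),
omega = size of the scanned address space, N = vulnerable population,
I = infected hosts at time t.  A scan hits a still-vulnerable host with
probability (N - I) / omega, so  dI/dt = eta * I * (N - I) / omega.
"""


def simulate(N, eta, omega, i0, t_end, dt=0.1):
    """Return [(t, I_t)] samples of the simple epidemic model."""
    t, infected = 0.0, float(i0)
    traj = [(t, infected)]
    while t < t_end:
        new_infections = eta * infected * (N - infected) / omega * dt
        infected = min(float(N), infected + new_infections)  # never exceeds N
        t += dt
        traj.append((t, infected))
    return traj


def early_growth_rate(N, eta, omega):
    """Exponential rate while I << N:  dI/dt ~= (eta * N / omega) * I."""
    return eta * N / omega


def time_to_fraction(traj, N, frac):
    """First sample time at which I_t >= frac * N, or None if never reached."""
    for t, infected in traj:
        if infected >= frac * N:
            return t
    return None


# Page-13 parameters: Code Red style worm with 358 scans/min, N = 360,000,
# I(0) = 10; hit-list worm I(0) = 10,000; routing worm scans 0.29 * 2^32.
N = 360_000
ETA = 358.0
FULL_SPACE = 2 ** 32
ROUTABLE_SPACE = 0.29 * FULL_SPACE

SCENARIOS = {
    "code_red":        dict(i0=10,     omega=FULL_SPACE),
    "hitlist":         dict(i0=10_000, omega=FULL_SPACE),
    "routing":         dict(i0=10,     omega=ROUTABLE_SPACE),
    "hitlist_routing": dict(i0=10_000, omega=ROUTABLE_SPACE),
}


def half_infection_times(t_end=600):
    """Minutes until half of N is infected, per scenario."""
    out = {}
    for name, params in SCENARIOS.items():
        traj = simulate(N, ETA, params["omega"], params["i0"], t_end)
        out[name] = time_to_fraction(traj, N, 0.5)
    return out


if __name__ == "__main__":
    alpha = early_growth_rate(N, ETA, FULL_SPACE)
    print(f"early exponential rate: {alpha:.4f}/min = {alpha * 60:.2f}/hour")
    for name, t_half in half_infection_times().items():
        print(f"{name:16s} 50% infected after {t_half:6.1f} min")
```

The early growth rate of the Code Red case works out to about 0.03/min, which is the 1.8/hour infection rate quoted on page 21; the hit-list variant only shifts the starting point, the routing variant multiplies the rate by 1/0.29, and combining both brings the half-infection time from roughly 350 minutes down to under 40.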

Page 14: Outline (repeat of page 5; next section: Early warning of an unknown worm)

Page 15: How to detect an unknown worm at its early stage?

Monitor worm scans sent to unused IPs: TCP SYN packets, UDP packets.

Figure: Internet, local network, unused IP space, monitored traffic

Monitored data is noisy.

Page 16: Reflection

Worm anomaly versus other anomalies? A worm has its own propagation dynamics; deterministic models are appropriate for worms.

Can we take advantage of the worm model to detect a worm?

Page 17: Worm model in the early stage

Figure: I_t versus time t on a log scale (10^0 to 10^6, with the 1% and 2% infected levels marked) and on a linear scale (up to 5 x 10^5)

The initial stage exhibits exponential growth.

Page 18: "Trend Detection"

Detect the traffic trend, not a burst.
Trend: a worm shows an exponential growth trend at the beginning.
Detection: the estimated exponential rate becomes a positive, constant value.

Figure: monitored illegitimate traffic rate (top row, 0 to 60 over 50 time units) and the on-line estimate of the exponential rate (bottom row, -0.1 to 0.2), for worm traffic and for non-worm burst traffic

Page 19: Why exponential growth at the beginning?

Attacker's incentive: infect as many hosts as possible before people's counteractions.
If not, the worm does not reach its spreading speed limit.
A slow-spreading worm is detected by other ways: security experts' manual checks, honeypots, ...

Page 20: Model for estimating the worm exponential growth rate

Exponential model of the early-stage growth.
Z_t: # of monitored scans at time t, including monitoring noise.

Page 21: Code Red simulation experiments

Population N = 360,000; infection rate = 1.8/hour; scan rate ~ N(358/min, 100^2); initially infected I_0 = 10
Monitored IP space 2^20; monitoring interval 1 minute; background noise considered

At 0.3% infected (157 min): the estimate stabilizes at a positive constant value.

Figure: I_t versus time t (minutes 100 to 700; up to 3.5 x 10^5), and the real value against the estimated value of the exponential rate (minutes 128 to 250; 0 to 0.2)

Page 22: Damage evaluation: prediction of the global vulnerable population N

Figure: estimated population N versus time t (minutes 128 to 250; 0 to 6 x 10^5)

Accurate prediction when less than 1% of N is infected.
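The Python below is an added example covering pages 18, 20, 21 and 22 together; it is not the talk's estimator, whose equations do not survive in this transcript. It builds a constructed monitored-scan series Z_t from the page-21 parameters (N = 360,000, 358 scans/min, I_0 = 10, a 2^20 monitored space, one-minute intervals, background noise), estimates the exponential rate on-line, declares a worm only when the estimate settles at a positive constant, contrasts that with a non-worm burst, and finally predicts N from the estimated rate. The Gaussian noise model, the log-linear least-squares fit over a window that starts at the first sustained rise above the background band and then grows, the stability rule, and the assumption that the per-host scan rate is known when predicting N are all this example's own.

```python
"""Trend detection on monitored scan counts, with N prediction.
Added example, not the talk's estimator.

Assumptions (this example's, not the slides'): worm scans seen by the
monitor and the background noise are Gaussian around their means with
Poisson-like variance; the growth rate is the least-squares slope of
log(Z_t - background) over a window that opens at the first two consecutive
minutes above the background band and grows from there; eta is known.
"""
import math
import random

OMEGA = 2 ** 32                      # IPv4 address space
N_TRUE = 360_000                     # vulnerable population (page 21)
ETA = 358.0                          # scans per infected host per minute
P_MON = 2 ** 20 / OMEGA              # fraction of address space monitored
ALPHA_TRUE = ETA * N_TRUE / OMEGA    # ~0.03/min = 1.8/hour
BACKGROUND = 20.0                    # constructed mean of non-worm scans/min


def infected(t, n=N_TRUE, i0=10, alpha=ALPHA_TRUE):
    """Closed-form solution of the simple epidemic model."""
    return n / (1.0 + (n / i0 - 1.0) * math.exp(-alpha * t))


def monitored_worm_series(minutes=400, seed=1):
    """Constructed Z_t: worm scans reaching the monitor plus background noise."""
    rng = random.Random(seed)
    out = []
    for t in range(minutes):
        mean = ETA * P_MON * infected(t) + BACKGROUND
        out.append(max(0.0, rng.gauss(mean, math.sqrt(mean))))
    return out


def monitored_burst_series(minutes=400, seed=1, start=200, length=20, height=200.0):
    """Constructed Z_t: background noise with a flat, non-worm burst."""
    rng = random.Random(seed)
    out = []
    for t in range(minutes):
        mean = BACKGROUND + (height if start <= t < start + length else 0.0)
        out.append(max(0.0, rng.gauss(mean, math.sqrt(mean))))
    return out


def fit_rate(log_values):
    """Least-squares slope of log(Z) against time, one sample per minute."""
    n = len(log_values)
    t_mean = (n - 1) / 2.0
    y_mean = sum(log_values) / n
    num = sum((i - t_mean) * (y - y_mean) for i, y in enumerate(log_values))
    den = sum((i - t_mean) ** 2 for i in range(n))
    return num / den


def detect_trend(series, calib=30, min_points=30, stable_steps=10, tol=0.3):
    """Return (t_detect, alpha_hat, N_hat), or None if no exponential trend settles."""
    bg_mean = sum(series[:calib]) / calib
    threshold = bg_mean + 5 * math.sqrt(bg_mean)     # background band
    onset = next((t for t in range(calib, len(series) - 1)
                  if series[t] > threshold and series[t + 1] > threshold), None)
    if onset is None:
        return None
    estimates = []
    for t in range(onset + min_points - 1, len(series)):
        logs = [math.log(max(z - bg_mean, 1.0)) for z in series[onset:t + 1]]
        estimates.append(fit_rate(logs))
        recent = estimates[-stable_steps:]
        if len(recent) < stable_steps or min(recent) <= 0:
            continue
        mean = sum(recent) / stable_steps
        # "positive, constant value": recent estimates agree and the signal is well above noise
        if max(recent) - min(recent) <= tol * mean and series[t] > 3 * bg_mean:
            return t, mean, mean * OMEGA / ETA       # N_hat from alpha = eta * N / omega
    return None


if __name__ == "__main__":
    t, alpha_hat, n_hat = detect_trend(monitored_worm_series())
    print(f"worm: detected at {t} min, I_t={infected(t):.0f} "
          f"({100 * infected(t) / N_TRUE:.2f}% of N), alpha_hat={alpha_hat:.4f}/min, N_hat={n_hat:.0f}")
    print("burst:", detect_trend(monitored_burst_series()))
```

The burst case opens a fitting window too, but once the burst ends the window contains a step down, its slope goes negative and stays there, so no alarm is raised; the worm case yields an estimate near the true 0.03/min while well under 1% of N is infected, and the N prediction inherits the estimate's error, which is why the talk stresses that the rate has to stabilize first.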

Page 23: Damage evaluation: estimation of the global infected population I_t

Monitoring a 2^14 IP space (p = 4 x 10^-6)

p: fraction of the address space monitored
C_t: cumulative # of observed infected hosts by time t
Per-host scan rate
Prob. that an infected host is observed by the monitor in a unit time
The # of newly observed infected hosts from t to t+1 is the # of unobserved infected hosts by t (I_t minus C_t) times that probability.

Figure: # of infected hosts versus time t (minutes 100 to 700; up to 4 x 10^5): real infected I_t, observed C_t, estimated I_t
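An added example of the page-23 estimator in Python (this page's own reconstruction, not the talk's code). It assumes a monitor covering a fraction p of the address space, each infected host sending eta scans per minute to uniformly random addresses, so that an unobserved infected host is first seen within a minute with probability q = 1 - (1 - p)^eta, about eta * p. The observed trace C_t is constructed by sampling that process against the closed-form I_t; the centred smoothing window is this example's addition to the one-step difference.

```python
"""Estimating the global infected population I_t from the cumulative count
C_t of distinct infected sources a monitor has seen.  Added example.

Assumed model: newly observed in (t, t+1) ~ q * (I_t - C_t), where q is the
probability that a so-far-unobserved infected host hits the monitored space
within one minute.  Inverting:  I_t ~= C_t + (C_{t+1} - C_t) / q.
"""
import math
import random

N_TRUE = 360_000
ETA = 358                                  # scans per infected host per minute
P_MON = 2 ** 14 / 2 ** 32                  # page 23: a 2^14 IP space, p ~ 4e-6
Q_OBS = 1.0 - (1.0 - P_MON) ** ETA         # prob. an unobserved infected host is seen in a minute
ALPHA = ETA * N_TRUE / 2 ** 32             # ~0.03/min


def infected(t, n=N_TRUE, i0=10, alpha=ALPHA):
    """Closed-form simple epidemic model (the 'real infected I_t' curve)."""
    return n / (1.0 + (n / i0 - 1.0) * math.exp(-alpha * t))


def sample_binomial(n, q, rng):
    """Approximate Binomial(n, q): Poisson (Knuth) for small means, Gaussian otherwise."""
    mean = n * q
    if n <= 0 or mean <= 0:
        return 0
    if mean < 30:
        limit, k, prod = math.exp(-mean), 0, 1.0
        while True:
            prod *= rng.random()
            if prod <= limit:
                return min(k, n)
            k += 1
    return int(min(n, max(0, round(rng.gauss(mean, math.sqrt(mean * (1 - q)))))))


def observed_cumulative(minutes=400, seed=7):
    """Constructed C_t trace: each minute every still-unobserved infected host
    is seen with probability Q_OBS."""
    rng = random.Random(seed)
    c, series = 0, []
    for t in range(minutes):
        unobserved = int(infected(t)) - c
        c += sample_binomial(unobserved, Q_OBS, rng)
        series.append(c)
    return series


def estimate_infected(c_series, t, q=Q_OBS, window=10):
    """I_t estimate: observed hosts plus the unobserved ones inferred from the
    rate of new observations over a centred window of `window` minutes."""
    lo, hi = t - window // 2, t + window // 2
    if lo < 0 or hi >= len(c_series):
        raise ValueError("window falls outside the trace")
    new_per_minute = (c_series[hi] - c_series[lo]) / (hi - lo)
    return c_series[t] + new_per_minute / q


if __name__ == "__main__":
    c_series = observed_cumulative()
    for t in (200, 250, 300, 350):
        est, real = estimate_infected(c_series, t), infected(t)
        print(f"t={t} min  C_t={c_series[t]:6d}  estimated I_t={est:9.0f}  real I_t={real:9.0f}")
```

With only 2^14 monitored addresses the monitor sees about 0.14% of the infected hosts per minute, so C_t alone badly understates the outbreak; dividing the rate of new sightings by q recovers I_t to within a few percent once a few hundred hosts are infected, which is the "estimated I_t" curve tracking the "real I_t" curve on the slide.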

Page 24: Outline (repeat of page 5; next section: Autonomous defense)

Page 25: Autonomous defense principles

Principle #1, Preemptive Quarantine: compared to the attack's potential damage, we are willing to tolerate some false-alarm cost; quarantine upon suspicion, confirm later. This is the basis for our Dynamic Quarantine [WORM'03].

Principle #2, Adaptive Adjustment: the more serious the attack, the more aggressive the defense. At any time t, minimize (attack damage cost) + (false alarm cost).

Page 26: Self-tuning defense against various network attacks

Principle #2, Adaptive Adjustment: the more severe the attack, the more aggressive the defense.

Self-tuning defense system designs: SYN flood; Distributed Denial-of-Service (DDoS) attack; Internet worm infection; DDoS attack with no source address spoofing.

Page 27: Motivation of self-tuning defense

False positive prob.: blocking normal traffic
False negative prob.: missing attack traffic
Detection sensitivity
Fraction of attack in the traffic

Figure: false negative versus false positive probability (both 0 to 1), with the operating points for a severe attack and for a light attack marked

Q: Which operating point is "good"?
A: All operating points are good; the optimal one depends on the attack severity.

Page 28: Self-tuning defense design

Block diagram: incoming traffic enters the filter and passed traffic leaves it; attack estimation feeds the self-tuning optimization, which re-tunes the filter at each discrete time step k, k+1, ...

Optimization terms: fraction of passed attack traffic; fraction of dropped normal traffic; cost of dropping a normal traffic unit; cost of passing an attack traffic unit. Following page 25, the objective is to minimize the attack damage cost plus the false alarm cost, i.e. each fraction weighted by its cost.
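An added Python example of the page-27/28 optimization, not the talk's design: at each time step the filter's sensitivity is chosen to minimize the cost of passed attack traffic plus the cost of dropped normal traffic, given the current estimate of the attack fraction. The ROC trade-off used here (false positive probability rising linearly with sensitivity, false negative probability falling as (1 - s)^3) and the attack-fraction estimates are constructed assumptions; a real filter's curve would be measured.

```python
"""Self-tuning defense: pick the filter's detection sensitivity at each
discrete time step by minimizing
    (cost of passing attack) * (fraction of passed attack)
  + (cost of dropping normal) * (fraction of dropped normal),
given the current estimate of the fraction of attack traffic.
Added example, not the talk's design; the ROC curve is constructed.
"""


def roc_point(sensitivity):
    """Constructed ROC: (false positive prob., false negative prob.) at sensitivity s in [0, 1]."""
    fp = sensitivity
    fn = (1.0 - sensitivity) ** 3
    return fp, fn


def expected_cost(sensitivity, attack_fraction, cost_pass_attack, cost_drop_normal):
    """Per-unit-traffic cost of the two kinds of mistake at this sensitivity."""
    fp, fn = roc_point(sensitivity)
    passed_attack = attack_fraction * fn              # attack traffic that slips through
    dropped_normal = (1.0 - attack_fraction) * fp     # normal traffic that gets blocked
    return cost_pass_attack * passed_attack + cost_drop_normal * dropped_normal


def tune(attack_fraction, cost_pass_attack=1.0, cost_drop_normal=1.0, steps=100):
    """Grid search over sensitivity; returns (best_sensitivity, best_cost)."""
    best = None
    for i in range(steps + 1):
        s = i / steps
        c = expected_cost(s, attack_fraction, cost_pass_attack, cost_drop_normal)
        if best is None or c < best[1]:
            best = (s, c)
    return best


def self_tuning_run(attack_fraction_estimates, **costs):
    """One sensitivity decision per discrete time step k, from the attack estimate at k."""
    return [tune(z, **costs)[0] for z in attack_fraction_estimates]


if __name__ == "__main__":
    # Constructed attack-fraction estimates over time: light, then severe, then subsiding.
    estimates = [0.02, 0.05, 0.3, 0.6, 0.9, 0.6, 0.1]
    for z, s in zip(estimates, self_tuning_run(estimates)):
        fp, fn = roc_point(s)
        print(f"attack fraction {z:.2f} -> sensitivity {s:.2f}  (FP {fp:.2f}, FN {fn:.3f})")
```

With equal costs a light attack (a few percent of traffic) is best left unfiltered, because blocking normal traffic would cost more than the attack does, while a severe attack pushes the optimum far up the ROC curve; raising the cost of a passed attack unit moves every decision toward the aggressive end, which is the "more severe attack, more aggressive defense" rule in numbers.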

Page 29: Outline (repeat of page 5; next section: Summary and current work)

Page 30: Worm research contribution

Worm modeling: two-factor model (human counteractions; network congestion); diurnal modeling; worm scanning strategies modeling
Early detection: detection based on the "exponential growth trend"; estimate/predict the worm's potential damage
Autonomous defense: dynamic quarantine (interviewed by NPR); self-tuning defense (patent filed by AT&T)
Email-based worm modeling and defense