1
Monitoring and Early Warning for Internet Worms
Authors: Cliff C. Zou, Lixin Gao, Weibo Gong, Don Towsley (Univ. Massachusetts, Amherst)
Published: 10th ACM Conference on Computer and Communication Security (CCS'03), 2003
Presenter: Cliff C. Zou (01/12/2006)
2
Monitor: worm scans to unused IPs (TCP/SYN packets, UDP packets)
How to detect an unknown worm at its early stage?
[Figure: monitoring architecture showing the Internet, a local network, its unused IP space and the monitored traffic]
Monitored data is noisy
3
Worm anomaly vs. other anomalies? A worm has its own propagation dynamics
Deterministic models are appropriate for worms
Reflection: can we take advantage of the worm model to detect a worm?
4
Worm model in early stage
Initial stage exhibits exponential growth
[Figure: I_t vs. time t on a log scale (10^0 to 10^6, curves labelled 1% and 2%) and on a linear scale (0 to 5 x 10^5)]
5
“Trend Detection”: detect the traffic trend, not a burst
Trend: a worm shows an exponential growth trend at the beginning
Detection: the estimated exponential rate should be a positive, constant value
[Figure: three pairs of panels, monitored illegitimate traffic rate (top) and on-line estimate of the exponential rate (bottom), for worm traffic versus a non-worm traffic burst]
6
Why exponential growth at the beginning?
The law of natural growth/reproduction when interference is negligible (beginning phase)
Attacker’s incentive: infect as many hosts as possible before people’s counteractions; if not, the worm does not reach its spreading speed limit
Slow-spreading worms are detected by other ways: security experts’ manual checks, honeypots, …
7
Model for estimate of worm exponential growth rate
Exponential model:
: monitoring noise
Zt : # of monitored scans at time t
yield
8
Estimation by Kalman Filter
System: where
Kalman Filter for estimation of Xt :
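As an added illustration of slides 5, 7 and 8 (not code from the paper or the presenter), the following tracks the exponential growth rate from noisy monitored scan counts Z_t with a scalar Kalman filter and applies the "positive, constant estimate" rule. It assumes a discrete model Z_t = beta * Z_{t-1} + v_t with beta = exp(alpha * dt), dt = 1 monitoring interval, Poisson-like observation noise, and the thresholds in stabilized_positive; every trace is constructed.

```python
"""Added example (not the paper's code): on-line estimation of a worm's
exponential rate from monitored scan counts Z_t with a scalar Kalman filter.
Assumed model: Z_t = beta * Z_{t-1} + v_t, beta = exp(alpha * dt), dt = 1."""
import math
import random

def kalman_rate_estimates(z, q=1e-6):
    """Per-interval estimates of alpha from scan counts z (one per interval).
    State x = beta, assumed constant up to small process noise q; observation
    z[t] = z[t-1] * x + v_t, noise variance taken as max(z[t-1], 1) (assumed
    Poisson-like). Returns ln(beta_hat) after each update (nan if beta_hat <= 0)."""
    x, p = 1.0, 1.0                  # prior: no growth, large uncertainty
    alphas = []
    for t in range(1, len(z)):
        h = z[t - 1]                 # time-varying observation coefficient
        p += q                       # predict: state treated as a slow random walk
        r = max(h, 1.0)              # assumed observation noise variance
        k = p * h / (h * h * p + r)  # Kalman gain
        x += k * (z[t] - h * x)      # correct with the innovation
        p *= 1.0 - k * h
        alphas.append(math.log(x) if x > 0 else float("nan"))
    return alphas

def stabilized_positive(alphas, window=20, tol=0.02, min_rate=0.01):
    """Detection rule from slide 5: the rate estimate settles at a positive
    constant. True if the last `window` estimates all exceed min_rate and
    spread by less than tol (window, tol and min_rate are assumed thresholds)."""
    tail = alphas[-window:]
    if len(tail) < window or any(math.isnan(a) for a in tail):
        return False
    return min(tail) > min_rate and max(tail) - min(tail) < tol

def constructed_worm_scans(alpha=0.05, z0=1.0, steps=150, seed=1):
    """Constructed trace: scans reaching the monitor grow as z0*exp(alpha*t)
    plus Gaussian monitoring noise standing in for background traffic."""
    rng = random.Random(seed)
    return [z0 * math.exp(alpha * t) + rng.gauss(0.0, 1.0) for t in range(steps)]

def constructed_burst_scans(steps=150, seed=2):
    """Constructed non-worm burst: steady background with a 20-interval spike."""
    rng = random.Random(seed)
    return [5.0 + (40.0 if 80 <= t < 100 else 0.0) + rng.gauss(0.0, 1.0)
            for t in range(steps)]
```

Running kalman_rate_estimates on the two constructed traces shows the worm trace settling near alpha = 0.05 and being flagged, while the burst only produces a transient rise in the estimate that never satisfies the rule.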
9
Code Red simulation experiments
Population: N = 360,000; infection rate = 1.8/hour; scan rate ~ N(358/min, 100^2); initially infected: I_0 = 10
Monitored IP space: 2^20; monitoring interval: 1 minute; background noise considered
At 0.3% infected (157 min): the estimate stabilizes at a positive constant value
[Figure: I_t vs. time t (minute), 100 to 700 min; real vs. estimated value of the exponential rate, 128 to 250 min]
10
Damage evaluation — Prediction of global vulnerable population N
yield
[Figure: estimated population N vs. time t (minute), 128 to 250 min]
Accurate prediction when less than 1% of N infected
11
Damage evaluation — Estimation of global infected population I_t
[Figure: # of infected hosts vs. time t (minute), 100 to 700 min: real infected I_t, observed C_t, estimated I_t; monitoring a 2^14 IP space (p = 4 x 10^-6)]
p: fraction of address space monitored
C_t: cumulative # of observed infected hosts by time t
: per host scan rate
: Prob. an infected host is observed by the monitor in a unit time
# of unobserved infected by t
# of newly observed (t to t+1)
12
What’s the paper’s contribution?
A novel approach in anomaly detection: the popular approach is based on a static threshold; the paper exploits worm dynamics (dynamics over a series of time)
Worm potential damage prediction: estimate the global infected population based on local info; predict the global vulnerable population
13
Why this paper can be published?
Different approach from popular ways: model-based anomaly detection, a fresh viewpoint --- interesting
Solid (fancy) mathematical background: the math is appropriate; a pure experimental report is not (good) enough for an academic paper
Timely appearance: catch a promising/hot topic ASAP; rely on advisors, (conference) papers, tech news, colleagues, …
14
What’s the paper’s weakness?
Early detection provides limited information: it does not provide a signature for worm defense, and does not (accurately) identify the global infected hosts
Requires a large empty IP space for monitoring: not very good for an individual local network
Worm damage prediction results are accurate only for uniform-scan worms; many worms use biased scanning strategies
15
How to improve the paper?
I have improved the CCS’03 conference paper and published it in IEEE Trans. on Networking
Detect a worm earlier: the conference paper uses a simple worm model; TON’s uses the exponential model (several times faster)
Consider the limitation of the monitoring system: TON’s paper adds analysis/experiments of the monitoring problem for non-uniform scan worms