1 monitoring and early warning for internet worms authors: cliff c. zou, lixin gao, weibo gong, don...

Posted on 18-Jan-2018


Slide 1: Monitoring and Early Warning for Internet Worms

Authors: Cliff C. Zou, Lixin Gao, Weibo Gong, Don Towsley (Univ. Massachusetts, Amherst)

Published in: 10th ACM Conference on Computer and Communication Security (CCS'03), 2003

Presenter: Cliff C. Zou (01/12/2006)

Slide 2: How to detect an unknown worm at its early stage?

Monitor: worm scans to unused IPs (TCP/SYN packets, UDP packets)

Figure: the Internet, a local network, its unused IP space, and the monitored traffic.

Monitored data is noisy.

Slide 3: Reflection

Worm anomaly vs. other anomalies? A worm has its own propagation dynamics.

Deterministic models are appropriate for worms.

Can we take advantage of the worm model to detect a worm?

Slide 4: Worm model in early stage

Figure: infected hosts It versus time t, on a log scale (10^0 to 10^6, with the 1% and 2% infection points marked) and on a linear scale (0 to 5 x 10^5).

Initial stage exhibits exponential growth.

Slide 5: "Trend Detection": detect traffic trend, not burst

Trend: worm exponential growth trend at the beginning. Detection: the exponential rate should be a positive, constant value.

Figure: three pairs of plots, each showing the monitored illegitimate traffic rate (0 to 60 over 50 time units) above the on-line estimate of the exponential rate (-0.1 to 0.2), for worm traffic and for a non-worm traffic burst.

Slide 6: Why exponential growth at the beginning?

The law of natural growth (reproduction) when interference is negligible (beginning phase).

Attacker's incentive: infect as many as possible before people's counteractions. If not, a worm does not reach its spreading speed limit.

A slow-spreading worm is detected by other ways: security experts' manual check, honeypots, ...

Slide 7: Model for estimating the worm's exponential growth rate

Exponential model: [equation not captured in the transcript]

(noise symbol not captured): monitoring noise

Zt: # of monitored scans at time t

yield: [equation not captured in the transcript]

Slide 8: Estimation by Kalman Filter

System: [equation not captured in the transcript], where [definitions not captured]

Kalman Filter for estimation of Xt: [equations not captured in the transcript]

Slide 9: Code Red simulation experiments

Population: N = 360,000; infection rate: 1.8/hour; scan rate: N(358/min, 100^2); initially infected: I0 = 10; monitored IP space: 2^20; monitoring interval: 1 minute; background noise is considered.

At 0.3% infected (157 min): the estimate stabilizes at a positive constant value.

Figure: (left) infected hosts It versus time t in minutes, 0 to 3.5 x 10^5 over 700 minutes; (right) real value vs. estimated value of the growth rate from minute 128 to 250, y-axis 0 to 0.2.
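Slides 4 to 9 describe the detection pipeline but the transcript lost its equations; the following added Python example (not code from the paper or the presenter) puts the pieces together: a discrete epidemic with the Code Red parameters of slide 9, a monitor of 2^20 addresses with Poisson counting noise and an assumed background of 5 non-worm scans per minute, a Kalman-filter (recursive least squares) estimate of the growth factor in the assumed model Z_t = beta*Z_{t-1} + noise, and the slide-5 trend rule that alarms only when the rate estimate is positive and stable. The equations, the noise model and the thresholds are all assumptions of this example.

```python
import math
import random
# Constructed Code Red scenario with the parameters quoted on slide 9 (N, alpha,
# eta, I0, 2^20 monitored addresses, 1-minute intervals). The equations are
# assumptions, not taken from the slides: discrete epidemic growth
# I_t = I_{t-1} + alpha*I_{t-1}*(1 - I_{t-1}/N), and a monitor that counts
# Poisson(eta*p*I_t) worm scans plus Poisson(BACKGROUND) unrelated scans.
N, ALPHA, ETA, P, I0 = 360_000, 1.8 / 60, 358.0, 2 ** 20 / 2 ** 32, 10.0
BACKGROUND = 5.0   # assumed mean of non-worm scans hitting the monitor per minute

def poisson(lam, rng):
    """Poisson sample: Knuth's method, normal approximation for large lam."""
    if lam > 50:
        return max(0, round(rng.gauss(lam, math.sqrt(lam))))
    limit, k, prod = math.exp(-lam), 0, rng.random()
    while prod > limit:
        k, prod = k + 1, prod * rng.random()
    return k

def simulate(T, seed=None):
    """Infected hosts I_t and monitored scans Z_t, t = 0..T-1 (seed=None: noise-free)."""
    rng, I, Z = random.Random(seed), [I0], []
    for t in range(T):
        if t:
            I.append(I[-1] + ALPHA * I[-1] * (1 - I[-1] / N))
        mean = ETA * P * I[-1]
        Z.append(mean if seed is None else poisson(mean, rng) + poisson(BACKGROUND, rng))
    return I, Z

def estimate_rates(Z):
    """Kalman filter (recursive least squares, no process noise) for beta in the
    assumed model Z_t = beta*Z_{t-1} + noise; returns alpha = beta - 1 per step."""
    beta, cov, alphas = 1.0, 1e6, []   # vague prior on the growth factor
    for t in range(1, len(Z)):
        x, y = Z[t - 1], Z[t]
        gain = cov * x / (1.0 + x * x * cov)
        beta += gain * (y - x * beta)
        cov *= 1.0 - gain * x
        alphas.append(beta - 1.0)   # alphas[t-1] is the estimate at time t
    return alphas

def detect(Z, min_scans=50, window=10, tol=0.5):
    """Trend detection (slide 5): alarm at the first minute t whose last `window`
    rate estimates are all positive and spread by at most tol of their mean, once
    the monitor sees min_scans scans per minute. Thresholds are assumed values."""
    alphas = estimate_rates(Z)
    for k in range(window - 1, len(alphas)):
        t, recent = k + 1, alphas[k - window + 1:k + 1]
        mean = sum(recent) / window
        if Z[t] >= min_scans and min(recent) > 0 and max(recent) - min(recent) <= tol * mean:
            return t, mean   # (alarm time in minutes, estimated alpha per minute)
    return None
```

A step-shaped burst (constant traffic that jumps and then drops back) never satisfies the rule: its rate estimates spike, decay toward zero and then go negative, which is the slide-5 contrast between a trend and a burst.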

Slide 10: Damage evaluation: prediction of global vulnerable population N

yield: [equation not captured in the transcript]

Figure: estimated population N versus time t (minutes), from minute 128 to 250, y-axis 0 to 6 x 10^5.

Accurate prediction when less than 1% of N is infected.

Slide 11: Damage evaluation: estimation of global infected population It

Figure: # of infected hosts versus time t (minutes), 0 to 4 x 10^5 over 700 minutes, showing the real infected It, the observed Ct and the estimated It; monitoring a 2^14 IP space (p = 4 x 10^-6).

Symbols (the symbols themselves were not captured):

(fraction symbol): fraction of address space monitored

(count symbol): cumulative # of observed infected hosts by time t

(rate symbol): per host scan rate

(probability symbol): probability that an infected host is observed by the monitor in a unit time

Equation labels: "# of unobserved infected by t" and "# of newly observed (t to t+1)".
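As an added example (not the paper's or the presenter's code) for the damage-evaluation slides 10 and 11: an estimator of the global infected population from the monitor's cumulative count of distinct infected sources, and a prediction of N from the growth rate. The relation I_t ~= C_t + (C_{t+1} - C_t)/Q is reconstructed from slide 11's labels; alpha = eta*N/2^32 for uniform scanning, the five-minute smoothing and the noise model are assumptions, and the true alpha stands in for the Kalman estimate.

```python
import math
import random

# Constructed scenario (added example). The slides quote the parameters but not
# the formulas: a uniform-scan worm with N = 360,000 vulnerable hosts,
# eta = 358 scans/min per infected host, and a monitor covering 2^14 addresses,
# so p = 2^14 / 2^32 (the 4e-6 quoted on slide 11).
OMEGA = 2 ** 32
N, ETA, P = 360_000, 358.0, 2 ** 14 / 2 ** 32
ALPHA = 1.8 / 60                  # infection rate per minute (1.8/hour)
Q = 1 - (1 - P) ** ETA            # prob. an infected host hits the monitor within a minute

def noisy(mean, rng):
    """Counting noise: normal approximation of a Poisson count (None = exact mean)."""
    return mean if rng is None else max(0.0, rng.gauss(mean, math.sqrt(mean)))

def simulate(T, seed=None):
    """For t = 0..T return I (true infected hosts), C (cumulative distinct infected
    sources seen by the monitor) and Z (scans hitting the monitor per minute)."""
    rng = None if seed is None else random.Random(seed)
    I, C, Z = [10.0], [0.0], [ETA * P * 10.0]
    for t in range(T):
        new_seen = noisy((I[t] - C[t]) * Q, rng)   # unobserved infected hosts showing up
        C.append(min(I[t], C[t] + new_seen))
        I.append(I[t] + ALPHA * I[t] * (1 - I[t] / N))   # discrete epidemic growth
        Z.append(noisy(ETA * P * I[t + 1], rng))
    return I, C, Z

def estimate_infected(C, t, window=5):
    """Slide 11 relation, reconstructed from its labels: the number of hosts newly
    observed in (t, t+1) is (I_t - C_t) * Q, so I_t ~= C_t + (C_{t+1} - C_t) / Q.
    The increment is averaged over the last `window` minutes (assumed smoothing)."""
    w = min(window, t + 1)
    avg_increment = (C[t + 1] - C[t + 1 - w]) / w
    return C[t] + avg_increment / Q

def predict_population(alpha_hat, z_t, i_hat):
    """Slide 10, assumed relation for a uniform-scan worm: alpha = eta * N / 2^32,
    with eta estimated from the monitored scan volume as Z_t / (p * I_t)."""
    eta_hat = z_t / (P * i_hat)
    return alpha_hat * OMEGA / eta_hat

if __name__ == "__main__":
    I, C, Z = simulate(400, seed=7)
    for t in (250, 300, 350):   # true alpha used in place of the Kalman estimate
        i_hat = estimate_infected(C, t)
        print(t, round(I[t]), round(i_hat), round(predict_population(ALPHA, Z[t], i_hat)))
```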

Slide 12: What's the paper's contribution?

A novel approach in anomaly detection: the popular approach is based on a static threshold; the paper exploits worm dynamics (dynamics in a time series).

Worm potential damage prediction: estimate the global infected population based on local information; predict the global vulnerable population.

Slide 13: Why can this paper be published?

Different approach from popular ways: model-based anomaly detection, a fresh viewpoint --- interesting.

Solid (fancy) mathematical background: the math is appropriate; a pure experimental report is not (good) enough for an academic paper.

Timely appearance: catch a promising/hot topic ASAP; rely on advisors, (conference) papers, tech news, colleagues, ...

Slide 14: What's the paper's weakness?

Early detection provides limited information: it does not provide a signature for worm defense, and does not (accurately) identify the global infected hosts.

Requires a large empty IP space for monitoring: not very good for an individual local network.

Worm damage prediction results are accurate only for uniform-scan worms; many worms use biased scanning strategies.

Slide 15: How to improve the paper?

I have improved the CCS'03 conference paper and published it in IEEE Trans. on Networking.

Detect a worm earlier: the conference paper uses a simple worm model; TON's uses an exponential model (several times faster).

Consider the limitation of the monitoring system: the TON paper adds analysis/experiments of the monitoring problem for non-uniform scan worms.
