Widespread Internet Attacks: Modeling and Defense - PowerPoint PPT Presentation

1
Widespread Internet Attacks: Modeling and Defense

Xun Wang
Advisor: Dong Xuan
Department of Computer Science and Engineering, The Ohio State University

2
Outline
  • Widespread Internet attacks
    • What are widespread Internet attacks?
    • Widespread Internet attacks are evolving.
    • Defending against widespread Internet attacks is
      important.
  • Complete work
    • Effectiveness of Secure Overlay Forwarding
      Systems under Intelligent DDoS Attacks
    • Modeling and Detection of Varying Scan Rate Worms
  • Current work
    • Camouflaging Probe Response Attacks and
      Countermeasures
  • Future work
  • Conclusion

3
Widespread Internet Attacks
  • Distributed and large-scale spreading attacks in
    the Internet:
    • Active worm attacks
    • Distributed Denial of Service (DDoS) attacks
    • Spam
    • Spyware, etc.
  • Major threats to the Internet (active worms and
    DDoS attacks):
    • The Code-Red worm in July 2001 infected more than
      350,000 Microsoft IIS servers.
    • The DDoS outbreak in October 2002 shut down 7 of the
      13 DNS root servers in the Internet.
    • The Slammer worm in January 2003 infected nearly
      75,000 Microsoft SQL servers.
    • The MyDoom worm in February 2004 infected many
      hosts, which then automatically and successfully
      launched DDoS attacks on a few popular websites.

4
Evolution of Attacks vs. Defense
  • Widespread Internet attacks are evolving:
    • Smart attacks take advantage of the mechanisms
      of defense systems.
    • Camouflaging attacks attempt to evade detection.
    • Hybrid attacks combine different types of
      attacks together.
    • Well-organized attacks: organization of
      compromised hosts for various types of attacks.
  • Existing defenses against them might not be
    enough.
  • Understanding them, predicting their evolution
    and defending effectively against them are
    important and imperative.

5
Complete and Current Work on Widespread Internet
Attacks
  • Complete and current work on modeling of new
    widespread Internet attacks and defense against
    them

6
Complete Work I
  • Effectiveness of Secure Overlay Forwarding
    Systems under Intelligent DDoS Attacks

7
Effectiveness of Secure Overlay Forwarding
Systems under Intelligent DDoS Attacks
  • Overlay systems serve as intermediate
    forwarding systems between the clients and the
    server to defend against DDoS attacks.
    • We generalize this kind of overlay system as
      Secure Overlay Forwarding Systems (SOFS).
  • Intelligent DDoS attacks
    • We define intelligent DDoS attacks, which aim to
      infer the architecture of the SOFS in order to
      launch more efficient attacks.
  • Optimal SOFS configuration
    • We present guidelines for building resilient SOFS.

8
Secure Overlay Forwarding Systems (SOFS)
  • Design features of SOFS:
    • Layering (L): the number of layers between the
      clients and the server.
    • Mapping degree (mi): the number of next-layer
      neighbors a node on Layer i can communicate with.
    • Node distribution (ni): the number of nodes on
      Layer i. The n active nodes among the total N
      overlay nodes (n ≤ N) form the SOFS architecture
      and are distributed across L layers.

9
Intelligent DDoS Attack Types and Capacities
  • DDoS attack types:
    • Break-in attacks: a successful break-in results
      in dysfunction of the victim node and disclosure
      of the neighbors of the victim node.
    • Congestion attacks: any of the distributed attack
      methods that prevent a victim machine from
      providing services.
  • DDoS attack capacities (attack resources):
    • NT and NC are the maximum numbers of nodes the
      attacker can launch break-in and congestion
      attacks on, respectively.
    • NT NC N, where N is the total number of
      overlay nodes.
    • PB: the probability that the attacker can
      successfully break into a node and disclose its
      neighbors in one break-in attempt.

10
Intelligent DDoS Attack Models
  • Discrete round-based attack model:
    • The attacker launches the break-in attacks in a
      round-by-round fashion.
    • By successively breaking into nodes and locating
      their neighbors, the attacker can disclose more
      nodes.
    • Congestion attacks happen after the last round of
      break-in attacks finishes.
  • Continuous attack model:
    • The attacker continuously breaks into SOFS nodes
      as and when their identities are revealed.
    • The SOFS system employs proactive and reactive
      recoveries.
    • The attacker can reuse its attack resources.

11
Discrete Round-based Attack Models
  • One-burst round-based attack model:
    • The attacker spends all the break-in attack
      resources randomly and instantly in one round and
      then launches the congestion attack.
  • Successive round-based attack model:
    • The attacker exploits prior knowledge about the
      first-layer nodes.
    • The attacker knows PE percent of the nodes in the
      first layer prior to the attack.
    • The break-in attack phase is conducted in R rounds
      (R > 1).
    • The nodes disclosed (by successful break-ins) in
      the previous round have high priority to be
      attempted in this round.

12
SOFS Performance under Intelligent DDoS Attacks
  • Performance metric (PS):
    • The probability that a client can find a path to
      communicate with the target server under on-going
      attacks.
    • PS depends on the SOFS architecture and the number
      of compromised (broken-in or congested) SOFS nodes
      on each layer.

13
Analysis of PS (1)
  • Pi: probability that a message can be
    successfully forwarded from Layer i-1 to Layer i.
  • P(ni, si, mi) is the probability that all
    next-hop neighbors in Layer i of a node in Layer
    i-1 are compromised nodes, where si is the number
    of compromised nodes on Layer i.
  • Pi = 1 - P(ni, si, mi)
  • PS
  • si = bi + ci: compromised nodes (broken-in or
    congested).
  • Derivation of bi and ci is not trivial in
    discrete round-based attack models, but we have
    done it.
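
To make the quantities on this slide concrete, here is an added Python example; it is not code from the presentation or from its author. It evaluates Pi and PS for a given SOFS configuration under two assumptions that are the example's own: a node's mi next-hop neighbours are drawn uniformly without replacement from the ni nodes of Layer i, so P(ni, si, mi) is the hypergeometric probability C(si, mi) / C(ni, mi); and a message must cross every layer independently, so PS is the product of the Pi over the L layers (the slide's own PS formula did not survive in this transcript). All function names are the example's.

```python
from math import comb


def p_all_neighbours_compromised(n_i, s_i, m_i):
    """P(n_i, s_i, m_i): probability that all m_i next-hop neighbours of a node
    in Layer i-1 are compromised, given that s_i of the n_i nodes on Layer i
    are compromised. Assumption: neighbours are drawn uniformly without
    replacement, so this is the hypergeometric value C(s_i, m_i) / C(n_i, m_i)."""
    if not 0 < m_i <= n_i or not 0 <= s_i <= n_i:
        raise ValueError("need 0 < m_i <= n_i and 0 <= s_i <= n_i")
    if s_i < m_i:
        return 0.0  # too few compromised nodes to cover every neighbour
    return comb(s_i, m_i) / comb(n_i, m_i)


def p_forward(n_i, s_i, m_i):
    """P_i = 1 - P(n_i, s_i, m_i): a message gets from Layer i-1 to Layer i."""
    return 1.0 - p_all_neighbours_compromised(n_i, s_i, m_i)


def path_success(layers):
    """P_S for one SOFS configuration.

    layers: list of (n_i, b_i, c_i, m_i) for Layer 1..L, where b_i and c_i are
    the broken-in and congested nodes on Layer i, so s_i = b_i + c_i.
    Assumption: layers fail independently, so P_S is the product of the P_i."""
    ps = 1.0
    for n_i, b_i, c_i, m_i in layers:
        s_i = min(b_i + c_i, n_i)  # a node cannot be compromised twice
        ps *= p_forward(n_i, s_i, m_i)
    return ps


def compare_configs(configs):
    """configs: {name: [(n_i, b_i, c_i, m_i), ...]} -> {name: P_S}, best first."""
    scores = {name: path_success(layers) for name, layers in configs.items()}
    return dict(sorted(scores.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    # Same 40 active nodes and the same 8 compromised nodes, arranged two ways.
    print(compare_configs({
        "2 layers, degree 3": [(20, 2, 2, 3), (20, 2, 2, 3)],
        "4 layers, degree 2": [(10, 1, 1, 2)] * 4,
    }))
```

Feeding the per-layer bi and ci produced by a round-based or continuous attack model into `path_success` is how the guideline comparisons on the next slide can be reproduced for any L, mi and ni.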

14
Analysis of PS (2)
  • Optimization of SOFS configuration:
    • Use simulation to analyze PS in the continuous
      attack model.
  • Guidelines from observation of evaluation results:
    • The design feature configurations should be
      flexible and adaptive under different
      intensities of attacks.
    • When attack information is unknown, a moderate
      number of layers and mapping degree, and an
      increasing node distribution, are recommended.
    • When break-in attacks dominate, more layers and
      smaller mapping degrees are recommended. When
      congestion-based attacks dominate, fewer layers
      and larger mapping degrees are better.
    • System recovery always helps to improve
      system performance under attacks.

15
Complete Work II
  • Modeling and Detection of Varying Scan Rate Worms

16
Modeling and Detection of Varying Scan Rate Worms
  • Active worms are evolving to evade detection.
    • We define the Varying Scan Rate (VSR) worm, which
      uses a varying scan rate to change the traditional
      worms' behavior (traffic) patterns.
  • Effective detection of traditional and VSR worms
    is desired.
    • We propose the attack-target Distribution Entropy
      based dynamiC (DEC) worm detection scheme.

17
Background
  • Traditional worms and their features:
    • Pure random scan.
    • Each worm instance takes part in the attack all
      the time.
    • Constant scan rate.
    • The overall port-scanning traffic volume reflects
      the number of worm instances (infected hosts).
    • The total number of worm instances and the overall
      port-scanning traffic volume increase exponentially
      during worm propagation.
  • Network-based widespread worm detection:
    • Global distributed traffic monitoring framework.
    • Distributed monitors and data center.
    • Worm port-scanning and background port-scanning
      traffic.

18
Varying Scan Rate Worm
  • Motivation
    • We attempt to generalize new worms which attempt
      to evade detection.
  • Varying Scan Rate (VSR) worm:
    • Scan rate S(t).
    • Attack probability Pa(t): the probability that
      a worm instance takes part in the worm attack
      (scans other hosts) at time t.

19
DEC Worm Detection
  • Three important elements in network-based worm
    detection:
    • Worm detection data: attack/scanning target
      address distribution.
    • Statistical property of the worm detection data:
      entropy.
    • Worm detection decision rule: Bayes decision and
      dynamically adjusted threshold.
  • DEC is faster and more accurate in detecting both
    traditional and VSR worms than existing
    worm detection schemes.
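
The three elements above (target-address distribution as the data, entropy as the statistic, a dynamically adjusted threshold as the decision rule) can be exercised on constructed traffic; the Python below is an added example, not the DEC implementation or any code from the presentation. It assumes a monitoring data center that collects (source, target) port-scan records per time slot, uses the Shannon entropy of the target distribution normalized by log2(N) so that the statistic is independent of traffic volume, and replaces the DEC Bayes decision rule with a simpler mean-plus-k-sigma threshold over slots judged benign so far. The sample slots, host addresses and function names are all constructed for the example. It also compares this with a volume-only detector to show why a throttled VSR worm defeats volume but not distribution entropy.

```python
import math
import statistics
from collections import Counter

# Constructed sample data: each slot is a list of (source, target) port-scan
# records, as a monitoring data center would collect them.
HOT_TARGETS = ["10.0.0.5", "10.0.0.7", "10.0.0.9", "10.0.0.11"]


def background_slot(k):
    """Background scanning for slot k: three noisy scanners keep hitting the
    same four popular targets, so the target distribution is skewed."""
    counts = [10 + k, 10, 10, 10 - k]  # 40 records, increasingly uneven
    records = []
    for target, count in zip(HOT_TARGETS, counts):
        records += [(f"192.0.2.{(i % 3) + 1}", target) for i in range(count)]
    return records


def worm_slot(n_scans):
    """Random-scanning worm traffic: every scan hits a fresh address. A small
    n_scans models a throttled VSR worm, a large one a traditional worm."""
    return [(f"203.0.113.{(i % 20) + 1}", f"198.51.100.{i}") for i in range(n_scans)]


def normalized_target_entropy(records):
    """Shannon entropy of the scan-target distribution divided by log2(N), so
    the value lies in [0, 1] and does not grow with traffic volume."""
    n = len(records)
    if n < 2:
        return 0.0
    counts = Counter(target for _, target in records).values()
    h = -sum(c / n * math.log2(c / n) for c in counts)
    return h / math.log2(n)


def adaptive_detect(values, k=3.0, min_margin=0.05, warmup=3):
    """Dynamically adjusted threshold: flag slot i if its value exceeds
    mean + k*stdev of the slots judged benign so far (with a floor of
    min_margin so a flat baseline does not yield a zero-width band).
    Flagged slots are not fed back into the baseline. Assumption: this
    simple rule stands in for the DEC Bayes decision rule."""
    benign, flagged = [], []
    for i, value in enumerate(values):
        if len(benign) >= warmup:
            band = max(k * statistics.pstdev(benign), min_margin)
            if value > statistics.mean(benign) + band:
                flagged.append(i)
                continue
        benign.append(value)
    return flagged


def run_detectors(slots):
    """Compare a volume-based detector with the entropy-based one."""
    entropies = [normalized_target_entropy(s) for s in slots]
    volumes = [len(s) for s in slots]
    return {
        "entropy": adaptive_detect(entropies, min_margin=0.05),
        "volume": adaptive_detect(volumes, min_margin=10),
    }


# Five benign slots, then a throttled VSR worm slot (12 scans), then a
# traditional worm slot (200 scans).
SLOTS = [background_slot(k) for k in range(1, 6)] + [worm_slot(12), worm_slot(200)]

if __name__ == "__main__":
    for i, s in enumerate(SLOTS):
        print(f"slot {i}: volume={len(s):3d} entropy={normalized_target_entropy(s):.3f}")
    print(run_detectors(SLOTS))
```

On this data the entropy detector flags both worm slots, while the volume detector flags only the 200-scan traditional worm: the 12-scan VSR slot is below the background volume, but its target distribution is nearly uniform, which a random-scanning worm cannot hide by scanning more slowly.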

20
Current Work
  • Camouflaging Probe Response Attacks and Defenses
    against Them

21
Camouflaging Probe Response Attacks and Defenses
against Them
  • Widespread attackers attempt to evade the motion
    sensor network (threat monitoring systems).
    • We design Camouflaging Probe Response (C-Probe)
      attacks, which can locate motion sensors
      accurately and anonymously. Widespread attacks
      can then evade the located sensors.
  • Effectiveness of C-Probe attacks
    • We implement C-Probe and conduct experiments.
  • Defense against C-Probe
    • We propose some primary countermeasures.

22
Probe Response Attacks
  • The attacker wants to know whether network A is
    being monitored.
    1. The attacker sends a probe scan (with a probe
       mark) to IP addresses of network A.
    2. If A has motion sensors, the probe scan will be
       included in the report that A sends to the data
       center.
    3. The attacker queries the data center for the
       port scan activity report.
    4. If the queried report includes the probe mark,
       the attacker concludes that A has motion sensors.

23
C-Probe Attacks
  • Attacker's objectives:
    • Anonymity: hide the probe mark and make the probe
      scan traffic behave like the background scan
      traffic, i.e. like noise.
    • Accuracy: be able to accurately recognize whether
      the reports from the data center contain the
      purposely injected probe mark.
  • Requirements of the probe mark:
    • Should be easily and accurately recognized by the
      attacker.
    • Should be hard for the defender to detect.
  • Code-based C-Probe attack:
    • The code is known only to, and detectable only by,
      the attacker.
    • Implementation and experiments of code-based
      C-Probe attacks.

24
Countermeasures against C-Probe Attacks
  • While detection of C-Probe attacks is difficult,
    proactive countermeasures can be used:
    • Publish less information to all users, including
      the attacker.
    • Limit the information access rate to slow down
      the attacker.
    • Enforce authentication for access to the
      information, to exclude some attackers.
    • Randomize the sensor space to mislead the
      attacker.
    • Perturb the information to confuse the attacker's
      detection.
  • While these methods can increase the security of
    motion sensors, they also reduce the
    functionality of motion sensor networks.

25
Future Work
  • Time correlations in worm behaviors and their use
    in worm detection
  • Use of geographic information and image
    recognition techniques in worm detection
  • Well-organized widespread Internet attacks and
    the countermeasures against them

26
Time Correlation in Worm Behaviors
  • Fundamental features of worm behaviors:
    • Time correlation in the port-scanning traffic
      pattern of each worm instance:
      • A worm instance must first be the victim of a
        worm port scan; only then does it become a
        source of port-scanning traffic.
    • Time correlation in the port-scanning traffic
      pattern of a victim network of worm attacks:
      • A victim network first receives (imports) a
        large amount of port-scanning traffic. Then,
        after some hosts in the network get infected,
        the network generates (exports) a large amount
        of port-scanning traffic.
  • These time correlations can be used to detect the
    worm as long as the worm is self-propagating.
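
Both time correlations on this slide can be checked directly against scan records. The Python below is an added example, not code from the presentation: given a constructed list of (time, source, target) scan events, it reports hosts that were scanned before they first scanned others (the per-instance correlation) and /24 networks whose export of scans in a later slot follows an import of scans in earlier slots (the per-network correlation). The events, addresses, slot length, thresholds and function names are all the example's own assumptions; treating a /24 prefix as "a network" is a simplification.

```python
from collections import defaultdict

# Constructed scan events: (time, source, target). 203.0.113.9 is an outside
# scanner; 10.0.x.y hosts are internal. Not taken from the presentation.
EVENTS = [
    (1, "203.0.113.9", "10.0.1.5"),   # 10.0.1.0/24 starts importing scans
    (2, "203.0.113.9", "10.0.1.6"),
    (3, "203.0.113.9", "10.0.1.7"),
    (4, "10.0.9.1", "10.0.1.8"),      # a scanner that was never scanned itself
    (6, "10.0.1.5", "10.0.2.7"),      # scanned host 10.0.1.5 now scans others
    (7, "10.0.1.5", "10.0.2.8"),
    (8, "10.0.1.6", "10.0.2.9"),
    (11, "10.0.2.7", "10.0.3.1"),     # and the next victim does the same
    (12, "10.0.2.7", "10.0.3.2"),
]


def prefix24(ip):
    """Treat each /24 as one 'network' for the import/export correlation."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def victim_then_source(events):
    """Host-level correlation: hosts that were a scan target before they first
    appeared as a scan source. Returns {host: (first_scanned, first_scanning)}."""
    first_in, first_out = {}, {}
    for t, src, dst in sorted(events):
        first_in.setdefault(dst, t)
        first_out.setdefault(src, t)
    return {h: (first_in[h], first_out[h])
            for h in first_out if h in first_in and first_in[h] < first_out[h]}


def network_import_export(events, slot_len):
    """Per /24 and per time slot: [imported, exported] cross-network scan counts."""
    flows = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for t, src, dst in events:
        src_net, dst_net = prefix24(src), prefix24(dst)
        if src_net == dst_net:
            continue  # intra-network scans carry no import/export signal
        flows[dst_net][t // slot_len][0] += 1
        flows[src_net][t // slot_len][1] += 1
    return flows


def networks_with_infection_pattern(events, slot_len=5, min_import=2, min_export=2):
    """Network-level correlation: a /24 that imported at least min_import scans
    in earlier slots and then exports at least min_export scans in a later slot.
    Returns sorted (network, slot_of_first_export_burst) pairs."""
    flagged = []
    for net, per_slot in network_import_export(events, slot_len).items():
        imported_so_far = 0
        for slot in sorted(per_slot):
            imported, exported = per_slot[slot]
            if imported_so_far >= min_import and exported >= min_export:
                flagged.append((net, slot))
                break
            imported_so_far += imported  # only strictly earlier imports count
    return sorted(flagged)


if __name__ == "__main__":
    print(victim_then_source(EVENTS))
    print(networks_with_infection_pattern(EVENTS))
```

The ordering check is what separates a self-propagating worm from an ordinary scanner: 10.0.9.1 scans but was never scanned, so it is not reported, and 203.0.113.0/24 exports without any prior import, so it is not reported either.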

27
Geographic Visualization of Worm Propagation and
Image Recognition
  • Geographic visualization of port-scanning traffic:
    • Port scan activity reports sent to the motion
      sensor network data center carry geographic
      information.
    • Visualize the port scan activity with geographic
      information:
      • Port-scanning traffic volumes → light levels
      • Geographic information → coordinates
      • Import and export traffic → different colors
  • Worm detection then becomes recognition of images
    of worm port-scanning traffic.
    • The worm detection problem becomes an image
      pattern and image-change pattern recognition
      problem.

28
Well Organized Widespread Internet Attacks
  • Botnet
    • Composed of the victims (bots) reaped by
      different viruses, worms and trojans.
    • Bots communicate with a bot controller, usually
      through an Internet Relay Chat (IRC) channel.
    • Botnets can be used to issue various widespread
      attacks, sometimes for profit.
  • Attackers use IRC to control botnets; a centralized
    controller is easy to detect.
    • Botnets can use a distributed organization, such
      as P2P.
    • Botnets can apply anonymity techniques to hide
      the controller.
  • Defense against organized widespread Internet
    attacks.

29
Conclusion
  • Widespread Internet attacks are among the major
    threats to the current and future Internet.
  • Understanding their mechanisms and predicting
    their potential evolution are important.
  • More effective defenses (detection and response
    actions) are desired to fight existing
    and future attacks.

30
Other Research Work
  • Physical attacks in sensor networks
  • Optimal deployment of sensor networks under blind
    physical attacks
  • Search-based physical attacks and defense against
    them
  • Hybrid physical attacks

31
  • Q&A
  • Thank you!