Monitoring and Early Warning for Internet Worms - PowerPoint PPT Presentation

1 / 17
About This Presentation
Title:

Monitoring and Early Warning for Internet Worms

Description:

Monitor worm scan traffic (non-legitimate traffic). Connections to nonexistent IP addresses. ... Detect traffic trend, not burst. Trend: worm exponential ... – PowerPoint PPT presentation

Number of Views:22
Avg rating:3.0/5.0
Slides: 18
Provided by: tennisE
Category:

less

Transcript and Presenter's Notes

Title: Monitoring and Early Warning for Internet Worms


1
Monitoring and Early Warning for Internet Worms
  • Cliff C. Zou, Lixin Gao, Weibo Gong, Don
    Towsley
  • Univ. Massachusetts, Amherst

2
How to detect an unknown worm at its early
stage?
  • Monitoring
  • Monitor worm scan traffic (non-legitimate
    traffic).
  • Connections to nonexistent IP addresses.
  • Connections to unused ports.
  • Observation data is very noisy.
  • Old worms scans.
  • Port scans by hacking toolkits.
  • Detecting
  • Anomaly detection for unknown worms
  • Traditional anomaly detection threshold-based
  • Check traffic burst (short-term or long-term).
  • Difficulties False alarms threshold tuning.

3
Trend Detection ? Detect traffic trend, not
burst
Trend worm exponential growth trend at the
beginning Detection the exponential rate should
be a positive, constant value
Monitored illegitimate traffic rate
Exponential rate a on-line estimation
Non-worm traffic burst
4
Why exponential growth at the beginning?
  • The law of natural growth ? reproduction
  • Exponential growth fastest growth pattern when
  • Negligible interference (beginning phase).
  • All objects have similar reproductive capability.
  • Large-scale system law of large number.
  • Fast worm has exponential growth pattern
  • Attackers incentive infect as many as possible
    before counteractions.
  • If not, a worm does not reach its spreading speed
    limit.
  • Slow spreading worms can be detected by other
    ways.

5
Worm modeling simple epidemic model
of susceptible
of infectious
Total of hosts
Infectious ability
of contacts ? I ? S
Simple epidemic model
It
Discrete model
with exponential rate
6
Why use simple epidemic model?
  • Can model most scan-based worms.
  • We can use other worm models as well with minor
    modifications (such as exponential model).

Figures from D. Moore, V. Paxson, S.
Savage, C. Shannon, S. Staniford, N. Weaver,
Inside the Slammer Worm, IEEE Security
Privacy, July 2003.
7
Kalman Filter Estimation
  • Equivalent to Recursive Least Square Estimator
  • Give estimation at each discrete time.
  • Robust to noise.
  • System Discrete-time simple epidemic model
  • System state
  • Worm infection rate a. (a bN, exponential
    growth rate at beginning)
  • Epidemic parameter b. (worm infectious ability)
  • Measurement from monitors
  • Ci cumulative of observed infected, Zi
    of scans at time i.

8
Kalman Filter Estimation
System
where
Kalman Filter for estimation of Xt
9
Code Red simulation experiments
  • Population N360,000, Infection
    rate a 1.8/hour,
  • Scan rate h N(358/min, 1002), Initially
    infected I010
  • Monitored IP space 220,
    Monitoring interval D 1 minute
  • Consider background noise

Before 2 (223 min) estimate is already
stabilized and oscillating a little
around a positive constant value
10
SQL Slammer simulation experiments
Population N100,000, Monitored IP space 220,
Scan rate h N(4000/sec, 20002), Initially
infected I010 Monitoring interval D 1
second, Consider background noise
Before 1 (45 sec) estimate is already
stabilized and
oscillating around a positive constant value
11
Early detection of Blaster
  • Blaster sequentially scans from a starting IP
    address
  • 40 from local Class C address.
  • 60 from a random IP address.
  • It follows simple epidemic model.

12
Bias correction for uniform-scan worms
  • Bernoulli trial for a worm to hit monitors
    (hitting prob. p ).

Bias correction
Average scan rate
Monitoring 214 IP space
Monitoring 217 IP space
Bias correction can provide unbiased estimate of
It
13
Prediction of Vulnerable population size N
Direct from Kalman filter
?
Alternative method
h A worm sends out h scans per D time
(derived from egress scan monitor)
?
Estimation of population N
14
Use exponential growth model
At the early stage
?
?
Early stage of worm propagation
Model 2 Autoregressive (AR) model
?
Model 3 Transformed linear model
?
15
Comparison between three estimation models
Epidemic model
AR exponential model
Transformed linear model
  • Observations
  • AR exponential model is smoother than epidemic
    model
  • Transformed linear model gives best results
  • Detect a worm when it infects about 0.5
    population

16
Simple analysis of three estimation models
  • Why AR exponential model is smoother than
    epidemic model?
  • Introduced errors from measurement data
  • Epidemic model
  • AR exponential model
  • Why transformed linear model is better than AR
    model?

assume
AR exponential model
Transformed linear model
where
17
Summary
  • Trend detection non-threshold-based methodology
  • Principle detect traffic trend, not burst
  • Pros Robust to background noise ? low false
    alarm rate
  • Cons Rely on worm model, representation of
    measurement data
  • Epidemic model, exponential model
  • Using low-pass filter on noisy observation data
  • For uniform-scan worms
  • Bias correction
  • Forecasting N
    ( IPv4 )


?
Routing worm
?
Average scan rate
Infection rate
scanning IP space
cumulative of observed infectious
scan hitting prob.
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Monitoring and Early Warning for Internet Worms" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!