Comparison of Worm Detection Strategies

1
Comparison of Worm Detection Strategies

• Sarma Vangala

2
List of Mechanisms

• Countermalice enterprise level
• Reverse Sequential Hypothesis testing using rate
  limiting (RSHT)
• Destination Source Correlation (DSC)

3
Containment of Scanning Worms in Enterprise
networks

• Looking at how many scans must go out of a cell
  before an IP address is contained/blocked
• Using cell based detection helps in detecting
  better preferably want one host per cell
• Worm should concentrate more on local subnet than
  on outside

4
Comparison of Countermalice and VNBA

• Enterprise level
• Able to contain host before T scans go out
• T dependent on of vulnerable hosts
• Observing traffic to active and inactive hosts
• Based on creating a score of how many
  destinations contacted and how many are not
  replied
• Containment stops traffic going out

• Global
• Infection contained before p infected? P
  difficult to determine
• P dependent on scan rate and of vulnerable
  hosts
• Observing for patterns to active and inactive
  hosts
• Based on the idea a worm infected host contacts
  inactive addresses
• Containment stops traffic coming in

5
Calculations/Analysis

• Idea used if we can keep the avg. of hosts
  infected by any host less than one containment
  can be easily done and worm does not spread to
  uncontrollable limits or has already spread
• Calculations of of vulnerable population
  infected

• Idea used Quick surge in the number of victims
  is bad
• Calculations of of infected nodes below a bound
  (unsuccessful) value depends on noise in the
  trace

6
Problems

• Random or Routable only
• Determining vulnerability is difficult
• What is an unsuccessful scan? How are scan and
  non-scan packets differentiated

• Random or Routable only
• Determining N and s is difficult
• Multiple parameters required

7
Reverse Seq. Hypothesis testing and credit based
rate limiting

• Detection Observe a sequence of connection
  attempts by a host every hit/fail moves the
  threshold by a unit up/down 2 thresholds to
  determine if host is benign or malicious
• Give credit to hosts that connect successfully
• Based on the idea of slowing down hosts that do
  malicious scanning

8
Comparison of RSHT and VNBA

• Active hosts and their unsuccessful connection
  attempts
• Adaptive threshold increases or decreases based
  on a connection being a hit or a miss
• Global or enterprise
• Need no learning mechanism
• Can set the desired detection performance and
  false alarm levels
• Parameters (?0 , ?1 ) dependent on noise
• Rate limiting to benefit benign hosts

• Inactive hosts contacted by victims
• Adaptive threshold varying with number of newly
  detected victims
• Global or enterprise
• Needs learning of victims in everyday traffic
• No such advantage and determining is difficult
• Parameters (N, s) dependent on noise in traffic
• No such mechanism

9
Calculations/Analysis

• Preset values of detection performance and false
  alarms
• Set ?0 and ?1 No way of determining these
• Ability to detect benign scanners

• No preset detection performance levels false
  alarms difficult to determine
• Set N and s No way of determining these
• Need multiple parameters to detect these

10
Problems

• Slowly scanning worms can be detected so long as
  the scanning is random or routable
• Need only count the number of victims not
  dealing with containment here
• problems with noise if attackers can some how
  make the noise towards the inactive hosts high,
  parameters and detection times vary
• Detected using multiple parameters to reduce
  false alarms
• Gamma, r and k dependent on traces
• Faster the worm faster the detection
• Most importantly based on the observation that
  scans should generally not go to the inactive
  address space

• Slowly scanning worms avoid detection
• Must maintain state of each host
• Not dealing with cases where the network is
  unreachable
• Cannot detect in the cases of DDoS attacks and
  other scenarios
• Failed to detect an instance of MyDoom which
  Virus throttle did.
• Not exactly described why they chose the
  parameters to compare with Williamson
• Needs more first contact connections to discover
  Code Red II claiming it a fast scanner. What
  about Slammer then?
• Most importantly based on observation that
  benign hosts get more hits than malicious ones

11
Destination Source Correlation

• Observe the number of connections coming in and
  going out of a port
• Track the destination address inside network and
  source address for each port if scan from same
  port of destination host to others increment
  counter if counter gt trained threshold alert
• Three Bloom filters for every port, D(i-1), D(i)
  and S(i) gt for every tick note victims IP
  address and scan rate if scan rate deviates from
  normal profile then alert
• No idea of what the training algorithm is
  mechanism not explained, abnormal using
  Chebyshevs inequality

12
DSC Vs. VNBA

• Local networks
• Can figure out the IP addresses and ports where
  the attack is
• Faster scan gt faster filling up of the Bloom
  filter gt threshold reached faster gt faster
  detection
• Divide conquer scans detected (assumption here is
  that connection profile is different which might
  not be so) actually it must be written as
  detection of worms sending scans to only active
  address space
• HoneyStat to gather statistical data information
  about attacks

• Global
• Do nothing after detection cannot tell who is
  infected and who is not
• Faster scan leads to a faster detection
• Cannot detect scans sent only to active address
  space (ex. Complete scan)

13
Calculations/Analysis

• False positives on the addresses incorrectly
  determined as worm victims due to Bloom filter.
• False positives due to DDoS and other types of
  network attacks not considered
• Both active and inactive hosts
• Both for TCP and UDP
• Size of Bloom filter needed 61,440 bytes 60
  kB/port (not a very good number)

• No comments depends on the hardware we use
• Treated by using multiple parameters
• Inactive hosts reveal info
• Both for TCP and UDP
• Not calculated yet