Title: An Effective Architecture and Algorithm for Detecting Worms with Various Scan Techniques
Slide 1: An Effective Architecture and Algorithm for Detecting Worms with Various Scan Techniques
- Sarma Vangala
- Department of Electrical and Computer Engineering, University of Massachusetts, Amherst, MA
- Joint work with J. Wu, L. Gao and K. Kwiat
Slide 2: Introduction
- Self-propagating malicious code
- Spreads fast (Nimda), launches DDoS attacks (Blaster)
- Millions of dollars in cost
- Finds targets by scanning
- More information to carry → slower spread
Slide 3: Motivation
- Can worms choose targets more carefully to spread more effectively?
- Is there an effective architecture to detect worms in large-scale attacks?
Slide 4: Contributions
- New scan techniques
  - Routable scan
  - Divide-Conquer scan
  - Complete scan
- Worm detection
  - Architecture
  - Victim Number Based algorithm
Slide 5: Overview
- Various scanning techniques
- Worm detection architecture
- Victim Number Based algorithm
- Performance of the detection algorithm
- Conclusions
Slide 6: AAWP Model
- $N$: total number of vulnerable machines
- $T$: number of scan targets (size of the address space the worm scans, $2^{32}$ for a random scan)
- $s$: scan rate (scans per tick per infected host)
- $n_i$: number of hosts infected up to tick $i$
- $n_{i+1} = n_i + (N - n_i)\left[1 - \left(1 - \frac{1}{T}\right)^{s\,n_i}\right]$
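The AAWP recurrence above, iterated in code, is the quickest way to see why a smaller scan space $T$ matters: every later slide about selective random, routable and divide-conquer scans is a way of shrinking $T$ while keeping $N$. The block below is an added example, not the authors' simulator; symbols are the slide's ($N$, $T$, $s$, $n_i$), and the population, scan rate and routable-space size used in `main` are illustrative assumptions.

```python
"""AAWP worm-propagation model from slide 6 (added example, not the
authors' code).  N vulnerable hosts, T addresses in the scanned space,
s scans per tick per infected host, n_i hosts infected by tick i."""


def aawp_step(n_i, N, T, s):
    """One tick: n_{i+1} = n_i + (N - n_i) * (1 - (1 - 1/T)^(s * n_i))."""
    # Probability that one still-vulnerable host is missed by all s*n_i scans.
    p_missed = (1.0 - 1.0 / T) ** (s * n_i)
    return n_i + (N - n_i) * (1.0 - p_missed)


def aawp_trajectory(N, T, s, n0, ticks):
    """Return [n_0, n_1, ..., n_ticks]."""
    traj = [float(n0)]
    for _ in range(ticks):
        traj.append(aawp_step(traj[-1], N, T, s))
    return traj


def ticks_to_fraction(N, T, s, n0, fraction, max_ticks=100_000):
    """First tick at which n_i >= fraction * N, or None if never reached."""
    n = float(n0)
    for i in range(max_ticks + 1):
        if n >= fraction * N:
            return i
        n = aawp_step(n, N, T, s)
    return None


if __name__ == "__main__":
    # Assumed parameters: a Code Red-sized vulnerable population, 100 scans/tick.
    N, s, n0 = 360_000, 100, 1
    spaces = {
        "random scan (2^32)": 2 ** 32,
        "selective random, 162 /8 prefixes (slide 7)": 162 * 2 ** 24,
        "routable scan (assumed ~1.1e9 routable addresses)": 1_100_000_000,
    }
    for name, T in spaces.items():
        print(f"{name}: 50% infected at tick {ticks_to_fraction(N, T, s, n0, 0.5)}")
```

Because the spread rate early on is roughly $N s / T$ per tick, halving the scan space halves the time to the same infection level; that is the whole argument of slides 7 to 13 in one number.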
Slide 7: Selective Random Scan
- Select addresses belonging to existing machines
- Remove reserved or unallocated space (bogon list, IANA IPv4 allocations)
- Slapper worm (only 162 /8 prefixes)
- Faster spread
Slide 8: Spread of Selective Random Scan
Slide 9: Routable Scan
- Scan only routable addresses, taken from global BGP tables
- Disadvantage: large code size
- How to reduce it?
Slide 10: Code Size of Routable Scan
- Route Views (University of Oregon) BGP table
- 112K prefixes → 17918 address segments (after merging)
- 17918 → 1926 segments (≈ 15.4 kB database, $2^{16}$ threshold)
- 1926 → ≈ 3 kB (20 segments contribute 90% of the addresses)
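The reduction on slide 10 is mechanical, and worth doing once by hand to see why the numbers come out as they do: 1926 segments stored as a 4-byte first and 4-byte last address each is 15408 bytes, the slide's 15.4 kB. The block below is an added example, not the authors' code; it runs the merge, threshold and size steps on a constructed prefix list standing in for a BGP table, and its weighted target picker is also what the selective random scan of slide 7 needs, since a list of /8 prefixes is just a coarser segment list.

```python
"""Compact routable-address database (added example, not the authors' code).
Steps follow slide 10: merge prefixes into contiguous segments, drop segments
below 2^16 addresses, size the database at 8 bytes per segment."""
import ipaddress
import random

# Constructed stand-in for a BGP table excerpt: overlapping, adjacent and tiny prefixes.
SAMPLE_PREFIXES = [
    "10.0.0.0/9", "10.128.0.0/9",        # adjacent halves of 10.0.0.0/8
    "10.20.0.0/16",                       # more-specific inside 10.0.0.0/8
    "100.64.0.0/10", "100.128.0.0/16",    # adjacent: the /10 ends at 100.127.255.255
    "172.16.0.0/12",
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",   # tiny, below threshold
]
MIN_SEGMENT = 2 ** 16   # slide 10's threshold


def parse_prefixes(prefixes):
    """CIDR strings -> (first, last) integer address ranges."""
    ranges = []
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=False)
        ranges.append((int(net.network_address), int(net.broadcast_address)))
    return ranges


def merge_segments(ranges):
    """Merge overlapping or adjacent ranges into disjoint segments in address order."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def prune_small(segments, min_size=MIN_SEGMENT):
    """Drop segments with fewer than min_size addresses."""
    return [(lo, hi) for lo, hi in segments if hi - lo + 1 >= min_size]


def segment_size(segment):
    return segment[1] - segment[0] + 1


def total_addresses(segments):
    return sum(segment_size(s) for s in segments)


def database_bytes(segments):
    """Payload size: two 4-byte addresses per segment."""
    return 8 * len(segments)


def segments_for_fraction(segments, fraction):
    """How many of the largest segments cover `fraction` of all addresses."""
    goal = fraction * total_addresses(segments)
    covered = 0
    for n, seg in enumerate(sorted(segments, key=segment_size, reverse=True), start=1):
        covered += segment_size(seg)
        if covered >= goal:
            return n
    return len(segments)


def build_database(prefixes=SAMPLE_PREFIXES, min_size=MIN_SEGMENT):
    return prune_small(merge_segments(parse_prefixes(prefixes)), min_size)


def sample_targets(segments, count, seed=7):
    """Random targets, segment chosen by size so every address is equally likely."""
    rng = random.Random(seed)
    sizes = [segment_size(s) for s in segments]
    out = []
    for _ in range(count):
        lo, hi = rng.choices(segments, weights=sizes)[0]
        out.append(rng.randint(lo, hi))
    return out


def contains(segments, addr):
    return any(lo <= addr <= hi for lo, hi in segments)


if __name__ == "__main__":
    raw = parse_prefixes(SAMPLE_PREFIXES)
    merged = merge_segments(raw)
    db = prune_small(merged)
    print(f"{len(raw)} prefixes -> {len(merged)} segments -> {len(db)} after pruning")
    print(f"database: {database_bytes(db)} bytes covering {total_addresses(db)} addresses")
    print(f"{segments_for_fraction(db, 0.9)} segments cover 90% of the addresses")
    print("targets:", [str(ipaddress.IPv4Address(a)) for a in sample_targets(db, 3)])
```

The pruning step is where the stealth/speed trade-off of slide 17 hides: every small segment dropped shrinks the database but also removes addresses the worm will never reach.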
Slide 11: Spread of Routable Scan
Slide 12: Divide-Conquer Scan
- Divide the address space among victims
- Faster spread
- Single point of failure
- Smaller address space → smaller code size → smaller scan traffic → stealthier
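The hand-over on slide 12 is easy to get subtly wrong (uneven halves, or two victims scanning the same range), so the block below is an added example that spells it out; it is not the authors' code. Segments are (first, last) integer ranges, the starting space is constructed, and the schedule in which every host infects exactly one new host per generation is an idealisation used only to show how the per-host share shrinks.

```python
"""Divide-and-conquer scan (added example, not the authors' code): each
victim hands half of its assigned address space to every host it infects."""


def space_size(segments):
    return sum(hi - lo + 1 for lo, hi in segments)


def split_space(segments):
    """Split into (keep, give) with address counts as equal as possible.

    Whole segments are handed over where they fit; at most one segment is cut,
    so the two halves never overlap and together cover the original space.
    """
    target = space_size(segments) // 2
    keep, give, kept = [], [], 0
    for lo, hi in segments:
        size = hi - lo + 1
        if kept >= target:
            give.append((lo, hi))
        elif kept + size <= target:
            keep.append((lo, hi))
            kept += size
        else:
            cut = lo + (target - kept) - 1      # last address staying with the parent
            keep.append((lo, cut))
            give.append((cut + 1, hi))
            kept = target
    return keep, give


def propagate(initial_space, generations):
    """Per-host assignments after `generations` rounds in which every infected
    host infects one new host (idealised schedule)."""
    hosts = [list(initial_space)]
    for _ in range(generations):
        next_hosts = []
        for space in hosts:
            keep, give = split_space(space)
            next_hosts.extend([keep, give])
        hosts = next_hosts
    return hosts


def lost_space(hosts, dead):
    """Addresses nobody will ever scan if host `dead` is cleaned up before it
    hands its share on: the single point of failure on slide 12."""
    return space_size(hosts[dead])


if __name__ == "__main__":
    space = [(0, 2 ** 24 - 1)]          # constructed: one /8 worth of addresses
    for g in range(4):
        hosts = propagate(space, g)
        print(f"generation {g}: {len(hosts)} hosts, {space_size(hosts[0])} addresses each")
    hosts = propagate(space, 3)
    print(f"host 0 lost before hand-over: {lost_space(hosts, 0)} addresses never scanned")
```

Each host's share, and with it the database it must carry and the traffic it sends, halves per generation, which is the "smaller code size → smaller scan traffic → stealthier" chain on the slide; `lost_space` is the price of it.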
Slide 13: Spread of Divide-Conquer Scan
Slide 14: Complete Scan
- Exact list of assigned IP addresses
- Difficult to differentiate legitimate scans from worm scans → difficult to detect
- Large code size (100M addresses × 4 bytes → 400 MB database) → very slow spread
- Specific vulnerability → smaller list
Slide 15: Spread of Complete Scan
Slide 16: Comparison of Various Scan Techniques
Slide 17: Comparison
- Stealthier scanning is not always necessary
- Speed is important (random scan is not always bad)
- Tradeoff needed
- Combinations are effective
- Blaster worm
  - 60% random
  - 40% local subnet
Slide 18: Detection?
- Which common properties of worms can we use to detect them?
- What architecture is needed?
- How do we say there is a worm using the architecture?
Slide 19: Further
- Worm detection architecture
- Abnormalities of worm incidents and decision rules
- Victim Number Based algorithm
Slide 20: Generic Worm Detection Architecture
Slide 21: Address Space Selection
- Monitor addresses that the worm scans
- Random scan: any address (the worm scans every address)
- Routable and Divide-Conquer scans: the monitored space must lie within assigned (routable) addresses
Slide 22: How do we say there is a worm?
- Hosts scanning specific ports of inactive addresses: VICTIMS
- Sudden increase in the number of VICTIMS → something abnormal (maybe a worm)
Slide 23: Victim Decision Rules
- One Scan Decision Rule (OSDR): too many false alarms
- Two Scan Decision Rule (TSDR)
Slide 24: Victim Number Based Algorithm
- Gather scan packets (detection architecture)
- Decide which hosts are victims (decision rules)
- Set an adaptive threshold $T_i$ for the current tick $i$
- Is $V_{i+1} - V_i > T_i$?
- If yes for $r$ consecutive ticks, report to the detection center
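Slides 21 to 24 together describe one pipeline: a monitored address range with known inactive addresses, a per-host decision rule that turns scan packets into a victim count $V_i$, and an alarm on $V_{i+1} - V_i > T_i$ sustained for $r$ ticks. The block below runs that pipeline over constructed scan records; it is an added example, not the authors' implementation. The detection network (a /24 with four known active hosts), the traffic, and the adaptive threshold (mean plus three standard deviations of the last eight increments, with a floor of 2) are my assumptions, since the slides do not give the threshold formula; OSDR and TSDR are read as "victim after one" and "victim after two distinct" inactive addresses scanned on a monitored port.

```python
"""Victim Number Based detection over constructed scan records (added
example, not the authors' implementation of slides 21-24)."""
import random
import statistics
from collections import defaultdict

# Constructed detection network: a /24 whose four active hosts are known, so a
# scan of any of the other 252 addresses can only come from a scanner.
ACTIVE_HOSTS = {f"192.0.2.{h}" for h in (1, 10, 20, 30)}
INACTIVE = [f"192.0.2.{h}" for h in range(256) if f"192.0.2.{h}" not in ACTIVE_HOSTS]
INACTIVE_SET = set(INACTIVE)
MONITORED_PORTS = {80}


def osdr(dsts_per_port):
    """One Scan Decision Rule: victim after a single scan of an inactive address."""
    return any(len(dsts) >= 1 for dsts in dsts_per_port.values())


def tsdr(dsts_per_port):
    """Two Scan Decision Rule: victim only after two distinct inactive addresses on one port."""
    return any(len(dsts) >= 2 for dsts in dsts_per_port.values())


def victims_per_tick(records, rule, ticks):
    """V[i]: number of hosts declared victims by the end of tick i.

    records are (tick, src, dst, dport) scan packets gathered by the architecture.
    """
    by_tick = defaultdict(list)
    for tick, src, dst, dport in records:
        if dport in MONITORED_PORTS and dst in INACTIVE_SET:
            by_tick[tick].append((src, dst, dport))
    seen = defaultdict(lambda: defaultdict(set))   # src -> port -> inactive dsts scanned
    victims, V = set(), []
    for i in range(ticks):
        for src, dst, dport in by_tick[i]:
            seen[src][dport].add(dst)
            if rule(seen[src]):
                victims.add(src)
        V.append(len(victims))
    return V


def adaptive_threshold(increments, window=8, k=3.0, floor=2.0):
    """T_i (assumed form): mean + k * stdev of the last `window` increments, at least `floor`."""
    recent = increments[-window:]
    if len(recent) < 2:
        return floor
    return max(floor, statistics.mean(recent) + k * statistics.pstdev(recent))


def detect(V, r=3, **threshold_args):
    """First tick at which V[i+1] - V[i] > T_i has held for r consecutive ticks, else None."""
    increments, streak = [], 0
    for i in range(len(V) - 1):
        T_i = adaptive_threshold(increments, **threshold_args)   # threshold set before tick i's increment
        delta = V[i + 1] - V[i]
        streak = streak + 1 if delta > T_i else 0
        increments.append(delta)
        if streak >= r:
            return i + 1
    return None


def constructed_traffic(ticks=20, worm_start=10, with_worm=True, seed=1):
    """Constructed records: one misconfigured host per tick (port 22, plus a single
    stray port-80 scan every third tick) and, optionally, a worm whose infected
    population doubles each tick, every host scanning three inactive addresses."""
    rng = random.Random(seed)
    records = []
    for t in range(ticks):
        stray = f"198.51.100.{t + 1}"
        records.append((t, stray, rng.choice(INACTIVE), 22))     # unmonitored port: ignored
        if t % 3 == 0:
            records.append((t, stray, rng.choice(INACTIVE), 80)) # one scan: OSDR victim only
        if with_worm and t >= worm_start:
            for n in range(2 ** (t - worm_start)):
                src = f"10.{t - worm_start}.{n >> 8}.{n & 255}"
                for dst in rng.sample(INACTIVE, 3):
                    records.append((t, src, dst, 80))
    return records


if __name__ == "__main__":
    for label, with_worm in (("quiet", False), ("worm from tick 10", True)):
        V = victims_per_tick(constructed_traffic(with_worm=with_worm), tsdr, 20)
        print(f"{label}: V = {V}; detected at tick {detect(V)}")
```

On this traffic TSDR never counts the stray hosts while OSDR counts every one of them, which is the false-alarm point of slide 23; the worm is reported at tick 14, four ticks after it starts, once the doubling increments have beaten the threshold for $r = 3$ ticks in a row.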
Slide 25: Validation of Victim Number Based Algorithm
- Validation using traffic traces from the WAND research group
- WAND trace + AAWP dynamics and a /16 detection network
- The faster the scan, the higher the rate of increase in victims
Slide 26: Detection of Random Scan Worm
Slide 27: Detection of Routable Scan Worm
Slide 28: Detection of Divide-Conquer Scan Worm
Slide 29: Conclusions
- Stealthier and faster scans as attackers get more sophisticated
- Stealth is not always an issue; speed does matter!
- Faster detection using a simple algorithm
- Code Red detection
  - Random scan: detected with < 4% of vulnerable hosts infected
  - Routable scan: detected with < 1.5% of vulnerable hosts infected
Slide 30: More Information
- "An Effective Architecture and Algorithm for Detecting Worms with Various Scan Techniques", J. Wu, S. Vangala, L. Gao, K. Kwiat (NDSS 2004), at http://www-unix.ecs.umass.edu/lgao/ndss04.pdf
- Offline: svangala_at_ecs.umass.edu
Slide 31: Thank You!