Potential Strategies for High Speed Active Worms: A Worst Case Analysis - PowerPoint PPT Presentation


1
Potential Strategies for High Speed Active
Worms: A Worst Case Analysis
  • Nicholas Weaver
  • U.C. Berkeley BRASS Group
  • nweaver@cs.berkeley.edu
  • Presented by Zesheng Chen
  • April 3, 2002

2
Outline
  • How fast a worm can spread
  • How long a given worm can remain a significant
    threat on the Internet

3
What is a Worm
  • A program that copies itself over computer
    networks, infecting programs and machines in
    remote locations
  • Does not depend on another program, executable, or
    file in order to spread
  • Exponential growth
  • Examples: Morris Internet Worm, Code Red, Nimda,
    Ramen and Cheese, Melissa, the Love Bug, etc.

4
Active Worm Vs. Passive Worm
  • Whether human interaction is needed or not
  • A mail worm is a passive worm
  • How active worm works
  • This paper will focus on active worms

5
Code Red's Propagation Behavior (from David
Moore's analysis)
6
Simulating Worm Spread
  • C program
  • 2^32 entry address space
  • A 32-bit, 6-round variant of RC5 is used to
    generate all permutations
  • http://www.cs.berkeley.edu/~nweaver/warhol.c
  • http://www.cs.berkeley.edu/~nweaver/division.c
  • http://www.cs.berkeley.edu/~nweaver/random.c

7
Simulated Code Red v2
  • A simulated Code Red v2-like worm: 500,000
    vulnerable machines, 10 scans per second, random
    scanning, starting on a single machine. Graph
    stops at 95% infection.

8
Parameters of Simulator
  • number of vulnerable machines
  • number of scans per second
  • time it takes to infect a machine
  • number infected during the hitlist phase
  • type of secondary scan (permutation, partitioned
    permutation, and random)

9
Hitlist Scanning
  • What is a hitlist?
  • Why introduce a hitlist?
  • How to get the hitlist:
  • slow scan (Honeynet project)
  • http://project.honeynet.org
  • public surveys (Netcraft Survey)
  • http://www.netcraft.com

10
Example of Netcraft Survey
  • Web site: http://uptime.netcraft.com/up/graph/
  • Query: http://www-net.cs.umass.edu/security/
  • Result:
  • The site www-net.cs.umass.edu is running
    Apache/1.3.11 (Unix) PHP/3.0.14 on Compaq Tru64

11
Performance Analysis of Hitlist Scanning
  • Permutation scanning, halting at 8, was used in
    all cases, with 1,000,000 vulnerable hosts, 100
    scans/second, 1 second to complete infection.
    Graphs stop at 95% infection and do not include
    the time to process the hitlist.

12
Topological Scanning
  • What is topological scanning?
  • E-mail worms
  • Peer-to-peer applications
  • Using topological scanning to get the hitlist
  • Papers:
  • "Directed-Graph Epidemiological Models of
    Computer Viruses" by J. O. Kephart and S. R.
    White
  • "On Viral Propagation and the Effect of
    Immunization" by C. Wang, J. C. Knight, M. Elder
  • "Email virus and worm propagation simulation" by
    Changchun Zou

13
Local Subnet Scanning
  • For example: Code Red II and Nimda
  • Why local subnet scanning?
  • Firewalls
  • Similar machines in the local subnet
  • Local subnet scanning can also be used to get a hitlist

14
Permutation Scanning
  • What is permutation scanning?
  • The process of permutation scanning

15
The Effect of Permutation Scanning
  • Semi coordinated, comprehensive scan
  • Minimize duplication of effort
  • Rescan (increase staying power)
  • Partitioned permutation (further optimization)

16
Performance Analysis of Permutation Scanning
  • All cases were for 1,000,000 vulnerable hosts,
    10,000 entry hitlist, 100 scans/worm/second, 1
    second to complete infection. Graphs stop at 99%
    infection and do not include the time to process
    the hitlist.

17
Effects of Halt at 2, 4 and 8 on Permutation
Scanning
  • All cases were for 1,000,000 vulnerable hosts,
    10,000 entry hitlist, 100 scans/worm/second, 1
    second to complete infection. Graphs stop at 99%
    infection and do not include the time to process
    the hitlist.

18
Dormant Worms
  • Permutation scan which halts at 2, 1,000,000
    vulnerable hosts, 10,000 entry hitlist, 100
    scans/worm/second. Graph stops at 99% infection
    and does not include the time to process the
    hitlist.

19
Multimode and Dual Mode Worms
  • What are multimode worms?
  • Examples: Morris worm and Nimda
  • How multimode worms interact with permutation
    scanning
  • classic multimode worm
  • dual mode worm

20
Performance of Multimode and Dual Mode Worms
  • For all cases there is a 10,000 entry hitlist
    (for the common exploit) and permutation scanning
    (halt at 2). The dual mode worms run 100
    scans/worm/second, while the multimode worm runs
    50 scans/second (but scans for both holes).

21
Other Policies to Increase Staying Power
  • Countering counterattacks:
  • antiworms
  • countering antiworms
  • Distributed control and update mechanisms
  • Goner mail worm
  • (initial) degree of connectivity

22
Example of Initial Degree of Connectivity
  • 1M vulnerable hosts
  • Using permutation scanning (with no halting)
  • Result:

  Case                               Degree of connectivity
  When 95% infection is achieved     4
  When 99% infection is achieved     5.5
  Permutation-based rescan           Add 2 to each
23
Defense
  • Software:
  • prevent the common hole from developing,
  • such as buffer overflows
  • fine-grained access controls
  • host-based intrusion detection
  • Protocol:
  • isolating infected and compromised machines
    from the net
  • tracking and punishing those responsible for an
    outbreak

24
Contribution
  • Presents the hitlist concept
  • Permutation scanning

25
Discussion
  • Philosophy: keep secret or disclose?
  • Extreme example of a hitlist:
  • "Flash Worms: Thirty Seconds to Infect the
    Internet" by Stuart Staniford, Gary Grim, Roelof
    Jonkman
  • Other strategies:
  • "The Future of Internet Worms" by Jose Nazario
  • Other factors:
  • "Code Red worm propagation modeling and analysis"
    by Changchun Zou

26
Function of Worm Spread
  • No. of infected machines
    = f (no. of vulnerable machines, size of hitlist,
    scan rate, time to infect a machine)
  • No death rate or patch rate
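As an added example (not the page's own warhol.c or any code by the presenter), the function sketched on slide 26 implemented as a mean-field simulation of a random-scanning worm with no patch rate, then applied to the slide 7 and slide 16 parameters to estimate how many minutes defenders have before 95% and 99% infection. ADDRESS_SPACE, time_to_fraction and response_window_minutes are names chosen here, and the 1-second infection time for the Code Red case is an assumption, since slide 7 gives none.

```python
import math
from collections import deque

ADDRESS_SPACE = 2 ** 32  # IPv4 space a random scanner draws from (slide 6)


def time_to_fraction(vulnerable, hitlist, scans_per_sec, infect_time, fraction,
                     max_seconds=10 ** 6):
    """Seconds until `fraction` of the vulnerable hosts are infected (None if
    not reached within max_seconds).

    Mean-field, 1-second-step model: every active host sends scans_per_sec
    probes to uniformly random IPv4 addresses, a hit on a still-susceptible
    host turns it into an active scanner infect_time seconds later, and
    nothing is ever patched (no death rate, as on slide 26).
    """
    infected = float(hitlist)               # hosts actively scanning
    pending = deque([0.0] * infect_time)    # hit, but not yet scanning
    in_progress = 0.0
    target = fraction * vulnerable
    for t in range(max_seconds):
        if infected >= target:
            return t
        susceptible = vulnerable - infected - in_progress
        # Chance that a given susceptible host gets at least one probe this
        # second; the exp() form avoids overshoot when many scans land.
        p_hit = 1.0 - math.exp(-infected * scans_per_sec / ADDRESS_SPACE)
        new_hits = susceptible * p_hit
        pending.append(new_hits)
        in_progress += new_hits
        ready = pending.popleft()           # infections that just completed
        in_progress -= ready
        infected += ready
    return None


def response_window_minutes(vulnerable, hitlist, scans_per_sec, infect_time=1):
    """Minutes until 95% and 99% infection (assumed 1-second infection time
    where the slides give none)."""
    return tuple(time_to_fraction(vulnerable, hitlist, scans_per_sec,
                                  infect_time, f) / 60 for f in (0.95, 0.99))


if __name__ == "__main__":
    # Slide 7: Code Red v2-like, 500,000 vulnerable, 10 scans/s, one seed host.
    print("Code Red v2-like (95%, 99%) minutes:", response_window_minutes(500_000, 1, 10))
    # Slide 16 parameters with random instead of permutation scanning.
    print("10,000-entry hitlist (95%, 99%) minutes:", response_window_minutes(1_000_000, 10_000, 100))
```

Because the model ignores the bandwidth limits and duplicate scanning that permutation scanning is designed to remove, its hitlist-case times are an upper bound on the slide 16 curves.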

27
Effects of the Fraction of Vulnerable Machines
  • All entries are for a hitlist of 10,000
    machines, 100 scans/worm/second, permutation
    scanning (no halting). Graphs stop at 99%
    infection and do not include the time to process
    the hitlist.

28
Effects of the Scanning Speed
  • All entries are for a hitlist of 10,000
    machines, 1M vulnerable hosts, and permutation
    scanning (no halting). Graphs stop at 99%
    infection and do not include the time to process
    the hitlist.

29
More Information
  • Refer to:
  • http://www.research.ibm.com/antivirus/index.htm
  • http://www.cs.berkeley.edu/~nweaver/warhol.html
  • http://www.cs.virginia.edu/survive/research/virus.html
  • http://tennis.ecs.umass.edu/~czou/research.htm