An Effective Architecture and Algorithm for Detecting Worms with Various Scan Techniques

1
An Effective Architecture and Algorithm for
Detecting Worms with Various Scan Techniques
  • Sarma Vangala
  • Department of Electrical Computer Engineering,
  • University of Massachusetts, Amherst, MA.
  • Joint work with J. Wu, L. Gao and K. Kwiat

2
Introduction
  • Self-propagating malicious code
  • Spreads fast (Nimda); used to launch DDoS attacks (Blaster)
  • Millions of dollars in damage
  • Finds targets by scanning
  • More target information to carry → slower spread

3
Motivation
  • Can worms choose targets more carefully to spread
    effectively?
  • Is there an effective architecture to detect
    worms in large scale attacks?

4
Contributions
  • New scan techniques
    - Routable scan
    - Divide-Conquer scan
    - Complete scan
  • Worm detection
    - Architecture
    - Victim Number Based algorithm

5
Overview
  • Various scanning techniques
  • Worm detection architecture
  • Victim Number Based algorithm
  • Performance of the detection algorithm
  • Conclusions

6
AAWP Model
  • N: total number of vulnerable machines
  • T: number of scan targets (size of the address space a scan can land in)
  • s: scan rate (scans per infected host per tick)
  • n_i: number of hosts infected up to tick i
  • $n_{i+1} = n_i + (N - n_i)\left[1 - (1 - 1/T)^{s\,n_i}\right]$
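
The recurrence above, iterated for different values of T, is what separates the scan techniques on the next slides: selective random and routable scans shrink T without changing anything else in the model. The simulation below is an added example, not the authors' code; the vulnerable population, scan rate and routable-space size are illustrative assumptions, not figures from the paper, and the reserved /8 list is deliberately short.

```python
"""AAWP-style spread simulation: an added example, not the authors' code.

Iterates the recurrence from the slide,
    n_{i+1} = n_i + (N - n_i) * [1 - (1 - 1/T)^(s * n_i)],
for several values of T, since the scan techniques on the following slides
(selective random, routable) differ from random scan mainly in how much of the
2^32 address space a scan can land in. All numeric parameters are assumptions.
"""
import math
from typing import Dict, List


def aawp_step(n_i: float, N: int, T: int, s: int) -> float:
    """One tick. (1 - 1/T)^(s*n_i) is the probability that a given uninfected
    host is missed by every one of the s*n_i scans sent this tick; it is
    evaluated through log1p so the near-1 base does not lose precision."""
    p_missed = math.exp(s * n_i * math.log1p(-1.0 / T))
    return n_i + (N - n_i) * (1.0 - p_missed)


def simulate(N: int, T: int, s: int, n0: int, ticks: int) -> List[float]:
    """Trajectory n_0, n_1, ..., n_ticks of infected hosts."""
    traj = [float(n0)]
    for _ in range(ticks):
        traj.append(aawp_step(traj[-1], N, T, s))
    return traj


def ticks_to_fraction(N: int, T: int, s: int, n0: int, frac: float,
                      max_ticks: int = 1_000_000) -> int:
    """Ticks until at least frac*N hosts are infected, or -1 within max_ticks."""
    n = float(n0)
    for i in range(1, max_ticks + 1):
        n = aawp_step(n, N, T, s)
        if n >= frac * N:
            return i
    return -1


def selective_target_space(excluded_slash8: List[int]) -> int:
    """T for a selective random scan that skips whole /8 blocks (2^24 each)."""
    return 2 ** 32 - len(set(excluded_slash8)) * 2 ** 24


# /8 blocks a selective scanner can drop outright: 0/8, 10/8, 127/8, multicast
# 224/4 (224-239) and reserved 240/4 (240-255). These are real reservations,
# but a deliberately short list; a full bogon list is much longer.
RESERVED_SLASH8 = [0, 10, 127] + list(range(224, 256))

N_VULNERABLE = 360_000       # assumption: roughly the Code Red v2 victim population
SCAN_RATE = 100              # assumption: scans per infected host per tick
T_RANDOM = 2 ** 32           # random scan: the entire IPv4 space
T_SELECTIVE = selective_target_space(RESERVED_SLASH8)
T_ROUTABLE = 1_200_000_000   # assumption: rough size of the routable space, not a BGP-derived count


def compare(frac: float = 0.5) -> Dict[str, int]:
    """Ticks needed to infect `frac` of the vulnerable hosts per target space."""
    spaces = {"random": T_RANDOM, "selective": T_SELECTIVE, "routable": T_ROUTABLE}
    return {name: ticks_to_fraction(N_VULNERABLE, T, SCAN_RATE, 1, frac)
            for name, T in spaces.items()}


if __name__ == "__main__":
    for name, ticks in compare().items():
        print(f"{name:10s} ticks until 50% infected: {ticks}")
```

Early in the outbreak the per-tick growth factor is about 1 + sN/T, so halving T roughly halves the time to saturation; that is the whole advantage of the selective and routable scans, and it is why a detector cannot assume a worm is slow just because it is not scanning the full 2^32 space.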

7
Selective Random Scan
  • Select only addresses that can belong to existing machines
  • Remove reserved or unallocated space (bogon list, IANA IPv4 AAM)
  • Slapper worm scanned only 162 /8 prefixes
  • Faster spread

8
Spread of Selective Random Scan
9
Routable Scan
  • Scan only routable addresses, taken from global BGP tables
  • Disadvantage: large code size
  • How can it be reduced?

10
Code Size of Routable Scan
  • Route Views (University of Oregon) BGP table
  • 112K prefixes → 17918 address segments (after merging)
  • 17916 → 1926 segments (≈ 15.4 kB database, 2^16 threshold)
  • 1926 → ≈ 3 kB (20% of the segments contribute 90% of the
    addresses)
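
The three reductions on this slide (merge prefixes, drop small segments, keep the few large segments that hold most addresses) are mechanical, and the example below runs them on a constructed prefix list. It is an added example, not the authors' code; the 8-bytes-per-segment storage assumption is mine (it reproduces 1926 segments ≈ 15.4 kB) and the prefixes are documentation and private ranges, not a BGP table.

```python
"""Routable-scan target list compression: an added example, not the authors'
code. It follows the three steps on the slide on a constructed prefix list:
  1. merge BGP prefixes into disjoint contiguous address segments,
  2. drop segments smaller than a threshold (2^16 addresses here),
  3. keep the largest segments that still cover most of the addresses.
A kept segment is assumed to be stored as a 4-byte start plus a 4-byte length
(8 bytes): 1926 segments x 8 bytes is the ~15.4 kB on the slide.
"""
import ipaddress
from typing import Dict, List, Tuple

Segment = Tuple[int, int]   # (first address, last address) as integers


def merge_prefixes(prefixes: List[str]) -> List[Segment]:
    """Collapse overlapping or adjacent prefixes into disjoint segments."""
    ranges = sorted((int(n.network_address), int(n.broadcast_address))
                    for n in (ipaddress.ip_network(p, strict=False) for p in prefixes))
    merged: List[Segment] = []
    for lo, hi in ranges:
        if merged and lo <= merged[-1][1] + 1:       # overlaps or touches the last one
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def seg_size(seg: Segment) -> int:
    return seg[1] - seg[0] + 1


def addresses_covered(segments: List[Segment]) -> int:
    return sum(seg_size(s) for s in segments)


def drop_small(segments: List[Segment], threshold: int = 2 ** 16) -> List[Segment]:
    """Step 2: discard segments with fewer than `threshold` addresses."""
    return [s for s in segments if seg_size(s) >= threshold]


def keep_top_by_coverage(segments: List[Segment], coverage: float = 0.9) -> List[Segment]:
    """Step 3: largest segments first, until they hold `coverage` of the addresses."""
    target = coverage * addresses_covered(segments)
    kept: List[Segment] = []
    covered = 0
    for s in sorted(segments, key=seg_size, reverse=True):
        if covered >= target:
            break
        kept.append(s)
        covered += seg_size(s)
    return kept


def database_bytes(n_segments: int, bytes_per_segment: int = 8) -> int:
    return n_segments * bytes_per_segment


# Constructed input (documentation and private ranges), not a real BGP table.
SAMPLE_PREFIXES = [
    "10.0.0.0/8", "10.0.0.0/16",          # nested: the /16 vanishes into the /8
    "192.0.2.0/24", "192.0.3.0/24",       # adjacent: merge into one 512-address segment
    "100.64.0.0/10", "172.16.0.0/12", "192.168.0.0/16",
    "198.51.100.0/24", "203.0.113.0/24",  # small: dropped by the threshold
]


def compress(prefixes: List[str], threshold: int = 2 ** 16,
             coverage: float = 0.9) -> Dict[str, int]:
    """Run all three steps and report segment counts, bytes and coverage."""
    merged = merge_prefixes(prefixes)
    big = drop_small(merged, threshold)
    top = keep_top_by_coverage(big, coverage)
    return {
        "merged_segments": len(merged),
        "after_threshold": len(big),
        "final_segments": len(top),
        "final_bytes": database_bytes(len(top)),
        "addresses_lost_to_threshold": addresses_covered(merged) - addresses_covered(big),
        "final_addresses": addresses_covered(top),
    }


if __name__ == "__main__":
    for key, value in compress(SAMPLE_PREFIXES).items():
        print(f"{key:28s} {value}")
```

Each step trades a little reach for a lot of payload: the threshold drops only the addresses in small segments, and the coverage cut keeps a handful of large segments, which is the same shape as the 112K → 1926 → "≈ 3 kB" figures above. The addresses a worm gives up this way are exactly the ones a detector's monitored block should not rely on seeing scanned.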

11
Spread of Routable Scan
12
Divide-Conquer Scan
  • Divide the address space among victims
  • Faster spread
  • Single point of failure: a victim that dies takes its share of the
    address space with it
  • Smaller address space → smaller code size → less scan traffic →
    stealthier

13
Spread of Divide Conquer Scan
14
Complete Scan
  • Exact list of assigned IP addresses
  • Difficult to tell legitimate scans from worm scans → difficult to
    detect
  • Large code size (100M addresses → 400 MB database) → very slow
    spread
  • Targeting a specific vulnerability gives a smaller list

15
Spread of Complete Scan
16
Comparison of Various Scan Techniques
17
Comparison
  • Stealthier scanning is not always necessary
  • Speed is important (random scan is not always bad); a tradeoff
    is needed
  • Combinations are effective
  • Blaster worm
    - 60% random
    - 40% local subnet

18
Detection?
  • Common properties of worms to detect?
  • What architecture is needed?
  • How do we say there is a worm using the
    architecture?

19
Further
  • Worm Detection Architecture
  • Abnormalities of worm incidents and Decision
    rules
  • Victim Number Based Algorithm

20
Generic Worm Detection Architecture
21
Address Space Selection
  • Monitor the addresses a worm would scan
  • Random scan: any address (the whole space is scanned)
  • Routable and Divide-Conquer: assigned (routable) addresses

22
How do we say there is a worm?
  • Hosts scanning specific ports of inactive addresses: VICTIMS
  • Sudden increase in the number of VICTIMS → something abnormal
    (maybe a worm)

23
Victim Decision Rules
  • One Scan Decision Rule (OSDR): a single scan of an inactive
    address makes a host a victim; too many false alarms
  • Two Scan Decision Rule (TSDR): a host is a victim only after two
    such scans

24
Victim Number Based Algorithm
  • Gather scan packets (detection architecture)
  • Decide which hosts are victims (decision rules)
  • Set an adaptive threshold T_i for the current tick i
  • Is V_{i+1} − V_i > T_i ?
  • If yes for r consecutive ticks, report to the detection
    center
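
The four steps above, run over a constructed scan trace, are shown in the added example below; it is not the authors' implementation. The slides do not fix two details, so both are assumptions here: the k-scan decision rule counts distinct inactive destinations per source (k=1 for OSDR, k=2 for TSDR), and the adaptive threshold T_i is a multiple of the mean victim increase over the previous few ticks, floored at a minimum (a hypothetical form, not the paper's).

```python
"""Victim Number Based (VNB) detection: an added, self-contained example, not
the authors' implementation. It follows the four steps on the slide (gather
scans, decide victims, set an adaptive threshold, require r consecutive
exceedances). Two details are assumptions the slides do not fix:
  * a k-scan decision rule counts DISTINCT inactive destinations per source
    (k=1 is the One Scan rule, k=2 the Two Scan rule);
  * the adaptive threshold T_i is alpha times the mean victim increase over
    the previous `window` ticks, floored at t_min (a hypothetical choice).
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, NamedTuple, Optional, Set


class Scan(NamedTuple):
    tick: int   # observation interval the packet was seen in
    src: str    # scanning host
    dst: str    # destination inside the monitored inactive address block
    port: int   # destination port


def victim_counts(scans: List[Scan], port: int, k: int, ticks: int) -> List[int]:
    """Cumulative victim count V_i for i = 0..ticks-1 under a k-scan rule; a
    source becomes a victim in the tick of its k-th distinct inactive target."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    victims: Set[str] = set()
    new_victims = [0] * ticks
    for s in sorted(scans, key=lambda x: x.tick):     # attribute victims to the right tick
        if s.port != port or s.src in victims:
            continue
        targets[s.src].add(s.dst)
        if len(targets[s.src]) >= k:
            victims.add(s.src)
            new_victims[s.tick] += 1
    counts: List[int] = []
    total = 0
    for n in new_victims:
        total += n
        counts.append(total)
    return counts


def detect(V: List[int], r: int = 3, alpha: float = 2.0,
           window: int = 5, t_min: float = 2.0) -> Optional[int]:
    """First tick i at which V_i - V_{i-1} > T_i has held for r consecutive
    ticks, or None. T_i tracks the recent increase rate (assumed form)."""
    history: Deque[int] = deque(maxlen=window)
    streak = 0
    for i in range(1, len(V)):
        delta = V[i] - V[i - 1]
        baseline = sum(history) / len(history) if history else 0.0
        t_i = max(t_min, alpha * baseline)
        history.append(delta)          # from now on the baseline includes this tick
        if delta > t_i:
            streak += 1
            if streak >= r:
                return i
        else:
            streak = 0
    return None


def build_trace(ticks: int = 20, worm_start: int = 10, port: int = 80) -> List[Scan]:
    """Constructed trace (not real data) seen by a sensor for the inactive block
    10.0.0.0/16. Each tick: two stray hosts probe ONE address each (victims only
    under the One Scan rule), one host probes two; from `worm_start` on,
    2^(j+1) new worm hosts per tick each probe three addresses."""
    scans: List[Scan] = []
    for t in range(ticks):
        for j in range(2):
            scans.append(Scan(t, f"stray-{t}-{j}", f"10.0.{t}.{j}", port))
        scans.append(Scan(t, f"scanner-{t}", f"10.0.{t}.10", port))
        scans.append(Scan(t, f"scanner-{t}", f"10.0.{t}.11", port))
        if t >= worm_start:
            for j in range(2 ** (t - worm_start + 1)):
                for d in range(3):
                    scans.append(Scan(t, f"worm-{t}-{j}",
                                      f"10.0.{(t + d) % 256}.{j % 256}", port))
    return scans


def detection_tick(k: int, ticks: int = 20) -> Optional[int]:
    """Tick at which the alarm fires on the constructed trace under a k-scan rule."""
    return detect(victim_counts(build_trace(ticks), port=80, k=k, ticks=ticks))


if __name__ == "__main__":
    for k, name in ((1, "OSDR"), (2, "TSDR")):
        V = victim_counts(build_trace(), 80, k, 20)
        print(f"{name}: V = {V}  alarm at tick {detect(V)}")
```

On this trace the worm starts at tick 10 and TSDR raises the alarm at tick 12, while OSDR counts the two stray one-off probers in every tick as victims, triples the background victim rate, and therefore both inflates the adaptive threshold and fires a tick later; the r-consecutive-ticks requirement is what keeps a single noisy tick from becoming a report.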

25
Validation of Victim Number Based Algorithm
  • Validation using traffic traces from the WAND research
    group
  • WAND trace combined with AAWP dynamics on a /16 detection
    network
  • The faster the scan, the higher the victim increase rate

26
Detection of Random Scan Worm
27
Detection of Routable Scan Worm
28
Detection of Divide Conquer Scan Worm
29
Conclusions
  • Stealthier and faster scans as attackers get more
    sophisticated
  • Stealth is not always an issue, speed does matter!
  • Faster detection using a simple algorithm
  • Code Red detection
    - Random scan: < 4% infected
    - Routable scan: < 1.5% infected

30
More Information
  • "An Effective Architecture and Algorithm for Detecting Worms
    with Various Scan Techniques", J. Wu, S. Vangala, L. Gao,
    K. Kwiat, NDSS 2004, at
  • http://www-unix.ecs.umass.edu/lgao/ndss04.pdf
  • Offline: svangala@ecs.umass.edu

31
Thank You!