On the Effectiveness of Distributed Worm Monitoring

Similar documents
Fast and Evasive Attacks: Highlighting the Challenges Ahead

On the Effectiveness of Distributed Worm Monitoring

Worm Detection, Early Warning and Response Based on Local Victim Information

Importance-Scanning Worm Using Vulnerable-Host Distribution

Yubin Li Florida International University. Zesheng Chen Florida International University. Chao Chen Indiana University Purdue University Fort Wayne

A Self-Learning Worm Using Importance Scanning

The UCSD Network Telescope

Worm Evolution Tracking via Timing Analysis

Moderated by: Moheeb Rajab Background singers: Jay and Fabian

A Closed-Form Expression for Static Worm-Scanning Strategies

Tracking Global Threats with the Internet Motion Sensor

Mapping Internet Sensors with Probe Response Attacks

Correcting Congestion-Based Error in Network Telescope s Observations of Worm Dynamics

0x1A Great Papers in Computer Security

Mapping Internet Sensors with Probe Response Attacks

Best Practices With IP Security.

ARAKIS An Early Warning and Attack Identification System

Visualizing Network Data for Intrusion Detection. Kulsoom Abdullah, Chris Lee, Gregory Conti, John A. Copeland June 16, 2005

Online Accumulation: Reconstruction of Worm Propagation Path

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

The Evolving Threat of Internet Worms

IPv6- IPv4 Threat Comparison v1.0. Darrin Miller Sean Convery

Leurré.com. a worldwide distributed platform to study Internet threats. Deployed and Managed by The Eurecom Institute

REQUIREMENTS ON WORM MITIGATION TECHNOLOGIES IN MANETS

Worm Detection, Early Warning and Response Based on Local Victim Information

A Multifaceted Approach to Understanding the Botnet Phenomenon

Security: Worms. Presenter: AJ Fink Nov. 4, 2004

An study of the concepts necessary to create, as well as the implementation of, a flexible data processing and reporting engine for large datasets.

UTM 5000 WannaCry Technote

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 12

Symantec Client Security. Integrated protection for network and remote clients.

Very Fast Containment of Scanning Worms. Nicholas Weaver, Stuart Staniford, Vern Paxson ICSI, Nevis Networks, ICSI & LBNL

The Coral Project: Defending against Large-scale Attacks on the Internet. Chenxi Wang

Characterizing Dark DNS Behavior

Configuring Anomaly Detection

Spatial-Temporal Characteristics of Internet Malicious Sources

Configuring Anomaly Detection

A Firewall Network System for Worm Defense in Enterprise Networks

Worldwide Detection of Denial of Service (DoS) Attacks

Analyzing Dshield Logs Using Fully Automatic Cross-Associations

Introduction to Security. Computer Networks Term A15

Intrusion Detection by Combining and Clustering Diverse Monitor Data

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Malware Research at SMU. Tom Chen SMU

Forensic Analysis for Epidemic Attacks in Federated Networks

Darknet Traffic Monitoring using Honeypot

Standard Course Outline IS 656 Information Systems Security and Assurance

Introduction and Charge

This shows a typical architecture that enterprises use to secure their networks: The network is divided into a number of segments Firewalls restrict

Sharing What Matters. Accelerating Incident Response and Threat Hunting by Sharing Behavioral Data

Outwitting the Witty Worm Exploiting Underlying Structure for Detailed Reconstruction of an Internet-Scale Event

StreamWorks A System for Real-Time Graph Pattern Matching on Network Traffic

Security Issues In Mobile IP

Abstract. 1 Introduction

Configuring Anomaly Detection

Flashback.. Internet design goals. Security Part One: Attacks and Countermeasures. Why did they leave it out? Security Vulnerabilities

Toward Understanding Distributed Blackhole Placement

SINGLE COURSE. NH9000 Certified Ethical Hacker 104 Total Hours. COURSE TITLE: Certified Ethical Hacker

Hitlist Worm Detection using Source IP Address History

Vulnerability & Attack Injection for Web Applications

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

IPv6 Pollution Traffic Analysis

3-4 DAEDALUS: Practical Alert System Based on Large-scale Darknet Monitoring for Protecting Live Networks

How AlienVault ICS SIEM Supports Compliance with CFATS

MASSIVE MALICIOUS ACTIVITIES

Securing the Internet at the Exchange Point Fernando M. V. Ramos

Ransomware A case study of the impact, recovery and remediation events

The monitoring and early detection of Internet worms

VMware vshield App Design Guide TECHNICAL WHITE PAPER

NISCC Technical Note 06/02: Response to Distributed Denial of Service (DDoS) Attacks

ENTERPRISE WORM: SIMULATION, DETECTION, AND OPTIMAL CONTAINMENT

CompTIA Security+ Study Guide (SY0-501)

Our Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities

INDEX. browser-hijacking adware programs, 29 brute-force spam, business, impact of spam, business issues, C

DDoS Protector. Simon Yu Senior Security Consultant. Block Denial of Service attacks within seconds CISSP-ISSAP, MBCS, CEH

Security Gap Analysis: Aggregrated Results

DDOS Attack Prevention Technique in Cloud

Distributed Route Aggregation (DRAGON)

Usage of Honeypot to Secure datacenter in Infrastructure as a Service data

Network Forensics Prefix Hijacking Theory Prefix Hijacking Forensics Concluding Remarks. Network Forensics:

Network Analysis of Point of Sale System Compromises

Maximizing IT Security with Configuration Management WHITE PAPER

Security Considerations for IPv6 Networks. Yannis Nikolopoulos

Ethical Hacking and Prevention

Detecting Behavior Propagation in BGP Trace Data Brian J. Premore Michael Liljenstam David Nicol

Computer Security. Solutions

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Process System Security. Process System Security

Presentation by Brett Meyer

Mitigating Outgoing Spam, DoS/DDoS Attacks and Other Security Threats

Introduction to Network Discovery and Identity

Detecting Internal Malware Spread with the Cisco Cyber Threat Defense Solution 1.0

Towards Automating Analysis of Large-Scale Honeynet Events

: Administration of Symantec Endpoint Protection 14 Exam

Network Security Issues and New Challenges

IBM Zürich Research Laboratory. Billy Goat Overview. James Riordan Diego Zamboni Yann Duponchel IBM Research Zurich Switzerland IBM Corporation

ITTC High-Performance Networking The University of Kansas EECS 881 Architecture and Topology

Characterizing InternetWorm Spatial-Temporal Infection Structures

INSIDE. Symantec AntiVirus for Microsoft Internet Security and Acceleration (ISA) Server. Enhanced virus protection for Web and SMTP traffic

Transcription:

On the Effectiveness of Distributed Worm Monitoring Moheeb Abu Rajab Fabian Monrose Andreas Terzis Computer Science Department Johns Hopkins University 1

Monitoring Internet Threats Threat monitoring techniques: Intrusion detection systems monitoring active networks Monitoring routable unused IP space [ Moore et al, 2002 ] Monitoring unused address space is attractive No legitimate traffic Forensic analysis and early warning CAIDA deployed the first /8 telescope 2

Single Monitor Case DoS Attack /8 Worm Scans DoS Attack DoS Backscatter Worm Scans 3

Size Matters! Size of the monitor is an important factor in providing an accurate view of a worm breakout [Moore et al, 2002] But there are several other factors yet to be explored 4

Single monitor view is too limited DoS Attack /8 Worm Scans Non-uniform scanner 5

Goals Provide a model to evaluate the performance of distributed monitoring systems in terms of: Number of monitors? Sizes of monitors and the overall IP space requirements? Provide guidelines for better design and monitor deployment practices. 6

Outline Problem and Motivation A Worm Propagation Model Population Distribution Extended worm model Distributed Worm Monitoring Distributed Telescope Model Design parameters Summary 7

Why another worm model? Previous worm models assumed that the vulnerable population is uniformly distributed over the whole IP space. Sources of non-uniformity in population distribution Un-allocated address space Highly-clustered allocated space Usage of the allocated space 8

Population distribution DShield dataset CAIDA s dataset (Witty Worm) The distribution of Vulnerable population over the IP space is far from uniform Best fits a Log-normal distribution 9

Extended Worm Propagation Model Worm propagation models must incorporate population density distribution. Especially Non-uniform scanning worms: Probability of scanning a host depends on its location relative to the infected scanner 10

Non-uniform worm propagation model Expected number of scans per /16 subnet 16 j j (/8) 2 k i = p16 sbi + p8 sbi + 24 2 p 0 sn i 2 2 16 32 2 32-2 8 2 8-2 16 2 16 n i b i (/8) b i v i P 16 P 8 P 0 11

Non-uniform worm propagation model The expected number of infected hosts per /16 subnet (AAWP Model [Chen et al,2003]) = + ( b 1 1 1 2 j j j bi + 1 bi vi i 16 The expected total infection ) Vulnerable non- infected hosts j k i 16 2 = + 1 j= 1 n i b i j 12

Impact of population distribution Number of Infected hosts vs time, for a Nimda-like worm s= 100 scans/time tick, P 16 = 0.5, P 8 =0.25, P 0 = 0.25 N= 10 6 hosts uniformly distributed Over the IP space N= 620,000 hosts extracted from DShield data set 13

Outline Problem and Motivation Better Worm Model Population Distribution Extended worm model Distributed Worm Monitoring Distributed monitoring system model Design parameters Summary 14

Using the Model--- Distributed Monitoring: What do we want to evaluate? System detection time: the time it takes the monitoring system to detect (with particular confidence) a new scanner. 15

Assumptions Single scan detection Information sharing and aggregation infrastructure among all monitors. 16

Monitors Logical Hierarchy /0 /8 M P 0 S (/0) = M + M A + M B + M C /8 M A M A P 8 M B M C S (/8) = M B + M C /16 P 16 M B M C S (/16) = M C 17

Evaluation Nimda-like scanner Three Monitor deployment scenarios: Random monitor deployment Full knowledge of population distribution Partial population knowledge 18

Evaluation (Random monitor placement) /8 940 time ticks Random Monitor placement P r = 0.999, s= 10 scans/time tick Nimda-like scanning 512 /17 230 time ticks with only 40 hosts per /16, 7100 more scans will cause infecting 2 victims before being detected 19

Evaluation ( Full vulnerable distribution knowledge) /8 940 time ticks 512 /17 9 time ticks Monitors deployed in top populated prefixes 20

Evaluation (Partial Knowledge ) /8 940 time ticks 512 /17 33 time ticks Monitors deployed randomly over the 5000 most populated /16 prefixes (contain 90% of the vulnerable population) Example: 512 monitors with 2048 IP addresses/monitor 160 time ticks 21

Practical Considerations Monitors will be deployed at different administrative domains. How many domains are needed to deploy these 512 monitors? Mapping the monitors to AS space, only 130 AS s among the top address space owners are required to achieve detection time of 160 time ticks 22

Summary Population distribution has a profound impact on worm propagation speed. Distributed Monitoring provides an improved detection time (three times faster than a single monitor of equivalent size). Even partial knowledge of the population distribution can improve detection time by roughly 30 times. Effective distributed monitoring is possible with cooperation among top address space owners. 23

Questions? 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback