Embed Size (px)
Citation preview
1
Modeling, Analysis, and Mitigation of Internet Worm Attacks
Presenter: Cliff C. Zou
Dept. of Electrical & Computer EngineeringUniversity of Massachusetts, AmherstAdvisor: Weibo Gong, Don TowsleyJoint work with Don Towsley, Weibo Gong, Lixin Gao, and Songlin Cai
2
Outline
Introduction of epidemic modelsTwo-factor worm modelEarly detection and monitoringFeedback dynamic quarantine defenseRouting worm: a fast, selective attack wormWorm scanning strategiesSummary and future work
3
Epidemic Model —Simple Epidemic Model
InfectiousI
SusceptibleScontact
# of contacts ∝ I × S
Simple epidemic model for fixed population homogeneous system:
0 100 200 300 400 500 6000
0.5
1
1.5
2
2.5
3
3.5x 105
I(t)
susceptible
infectious
: # of susceptible : # of hosts
: # of infectious : infection ability
t
4
Epidemic Model —Kermack-McKendrick Model
State transition:
: # of removed from infectious : removal rate
Epidemic threshold theorem:No outbreak happens if
susceptible infectious removed
0 10 20 30 40
1
2
3
4
5
6
7
8
9
10 x 105
γ=0γ=βN/16γ=βN/4γ=βN/2
t
where
: epidemic threshold
5
Outline
Introduction of epidemic models
Two-factor worm modelEarly detection and monitoringFeedback dynamic quarantine defenseRouting worm: a fast, selective attack wormWorm scanning strategiesSummary and future work
6
Internet Worm Modeling —Consider Human Countermeasures
Human countermeasures: Clean and patch: download cleaning program, patches.Filter: put filters on firewalls, gateways.Disconnect computers.
Reasons for:Suppress most new viruses/worms from outbreak. Eliminate virulent viruses/worms eventually.
Removal of both susceptible and infectious hosts.
susceptible
infectious
removed
7
Internet Worm Modeling —Two-Factor Worm Model
Factor #2: Network congestionLarge amount of scan traffic.Most scan packets with unused IP addresses ( 30% BGP routable)Effect: slowing down of worm infection ability
Two-factor worm model (extended from KM model):: Slowed down infection ability due to congestion: removal from susceptible hosts. :from infectious
8
Verification of the Two-Factor Worm Model
Conclusion: Simple epidemic model overestimates a worm’s propagationAt beginning, we can ignore these two factors.
12:00 14:00 16:00 18:00 20:00 22:00 24:000
2
4
6
8
10
12 x 104
UTC hours (July 19 - 20)
I(t)
Obs e rve d Da taTwo-fa ctor mode l
SQL Slammer *
* Figure from:D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver,“Inside the Slammer Worm”, IEEE Security & Privacy, July 2003.
Code Red
9
Summary of Two-Factor Model
Modeling Principle:We must consider the changing environment when we model a dynamic process.
Two factors affecting worm propagation:Human countermeasures.Worm’s impact on Internet infrastructure.
At the early stage of worm propagation, we can ignore these two factors.
Still use simple epidemic model.
10
Outline
Introduction of epidemic modelsTwo-factor worm model
Early detection and monitoringFeedback dynamic quarantine defenseRouting worm: a fast, selective attack wormWorm scanning strategiesSummary and future work
11
How to detect an unknown worm at its early stage?
Monitoring:Monitor worm scan traffic (non-legitimate traffic).
Connections to nonexistent IP addresses.Connections to unused ports.
Observation data is very noisynoisy.Old worms’ scans.Port scans by hacking toolkits.
Detecting:Anomaly detection for unknown worms Traditional anomaly detection: threshold-based
Check traffic burst (short-term or long-term).Difficulties: False alarms; threshold tuning.
12
“Trend Detection” Detect traffic trend, not burst
Trend: worm exponential growth trend at the beginningDetection: the exponential rate should be a positive, constant value
0
10
20
30
40
50
60
10 20 30 40 50
-0.1
-0.05
0
0.05
0.1
0.15
0.2
10 20 30 40 50
Worm traffic
0
10
20
30
40
50
60
10 20 30 40 50
-0.1
-0.05
0
0.05
0.1
0.15
0.2
10 20 30 40 50
0
10
20
30
40
50
60
10 20 30 40 50
-0.1
-0.05
0
0.05
0.1
0.15
0.2
10 20 30 40 50
Non-worm traffic burst
Exponential rate α on-line estimation
Monitored illegitimate traffic rate
13
Why exponential growth at the beginning?
The law of natural growth reproductionExponential growth — fastest growth pattern when:
Negligible interference (beginning phase).All objects have similar reproductive capability.Large-scale system — law of large number.
Fast worm has exponential growth patternAttacker’s incentive: infect as many as possible before people’s counteractions.If not, a worm does not reach its spreading speed limit.Slow spreading worms can be detected by other ways.
14
Code Red simulation experiments
Population: N=360,000, Infection rate: α = 1.8/hour, Scan rate η = N(358/min, 1002), Initially infected: I0=10Monitored IP space 220, Monitoring interval: ∆ = 1 minuteConsider background noise
Before 2% (223 min): estimate is already stabilized and oscillating a little around a positive constant value
0 100 200 300 400 500 6000
0 .5
1
1 .5
2
2 .5
3
3 .5x 10 5
Time t (minute )
# of
infe
cted
hos
ts
Infe c te d ItObs e rve d Infe c te d C t
150 200 250 300 3500
0.05
0.1
0.15
0.2
0.25
Time t (minute )
Est
imat
ed in
fect
ion
rate
R e a l va lue of αEs tima te d va lue of α
15
Early detection of BlasterBlaster: sequentially scans from a starting IP address:
40% from local Class C address.60% from a random IP address.
It follows simple epidemic model.
100 200 300 400 500 600 700 8000
0.5
1
1.5
2
2.5
3
3.5x 105
Time t (minute )
# of
infe
cted
hos
ts
95% Code Re d5% Code R e d95% Bla s te r5% Bla s te r
0 200 400 600 8000
0.5
1
1.5
2
2.5
3
3.5 x 104
Time t (minute )
16-block monitoring1024-block monitoring
0 200 400 600 8000
0.5
1
1.5
2
2.5
3 x 104
Time t (minute )
# of
mon
itore
d sc
ans
16-block monitoring1024-block monitoringW orm propa ga tion
After using low-pass filter
16
Bias correction for uniform-scan worms
Bernoulli trial for a worm to hit monitors (hitting prob. = p ).
Bias correction:
Monitoring 217 IP space Monitoring 214 IP space
Bias correction can provide unbiased estimate of I(t)
: Average scan rate
100 200 300 400 500 600 7000
0.5
1
1.5
2
2.5
3
3.5x 105
Time t (minute )
# of
infe
cted
hos
ts
Infected hosts ItObserved infected CtEstimated It after bias correction
100 200 300 400 500 6000
0.5
1
1.5
2
2.5
3
3.5
4 x 105
Time t (minute )
# of
infe
cted
hos
ts
Infected hosts ItObserved infected CtEstimated It after bias correction
17
Prediction of Vulnerable population size N
50 100 150 200 250 300 350 4000
1
2
3
4
5
6 x 105
Time t (minute )
Est
imat
ed p
opul
atio
n N
R e a l popula tion s ize NFrom e s tima te d βFrom η a nd e s tima te d α
Estimation of population N
Direct from Kalman filter:
Alternative method:
η : A worm sends out η scans per ∆ time
(derived from egress scan monitor)
100 200 300 400 500 6000
0.5
1
1.5
2
2.5
3
3.5x 105
18
Summary of Early Detection
Trend detection: non-threshold based methodologyPrinciple: detect traffic trend, not burstPros : Robust to background noise → low false alarm rate
Monitoring requirement for non-uniform scan worm:Monitor many well-distributed IP blocks; low-pass filter
For uniform-scan wormsBias correction:
Forecasting N: ( IPv4 )
: scan hitting prob. : cumulative # of observed infectious: scanning IP space
⇒ ⇒ Routing worm: Average scan rate: Infection rate
19
OutlineIntroduction of epidemic modelsTwo-factor worm modelEarly detection and monitoring
Feedback dynamic quarantine defenseRouting worm: a fast, selective attack wormWorm scanning strategiesSummary and future work
20
Motivation: automatic mitigation and its difficulties
Fast spreading worms pose serious challenges:SQL Slammer infected 90% within 10 minutes.Manual counteractions out of the question.
Difficulty of automatic mitigation high false alarm cost.
Anomaly detection for unknown worm.False alarms vs. detection speed.Traditional mitigation:
No quarantine at all … long-time quarantine until passing human’s inspection.
21
Principles in real-world epidemic disease control
Principle #1 Preemptive quarantineAssuming guilty before proven innocentComparing with disease potential damage, we are willing to pay for certain false alarm cost.
Principle #2 Feedback adjustmentMore serious epidemic, more aggressive quarantine action
Adaptive adjustment of the trade-off between disease damage and false alarm cost.
22
Dynamic Quarantine
Assuming guilty before proven innocentQuarantine on suspicion, release quarantine after a short time automatically ← reduce false alarm cost
Can use any host-based, subnet-based (e.g.,CounterMalice) anomaly detection system.Host or subnet based quarantine (not whole network-level quarantine).Quarantine is on suspicious port only.
A graceful automatic mitigation:No quarantine Dynamic short-time
quarantinelong-timequarantine
23
Worm detection
system
Feedback Control Dynamic Quarantine Framework (host-level)
Feedback : More suspicious, more aggressive actionPredetermined constants: ( for each TCP/UDP port)Observation variables: :# of quarantined hosts/subnets.
Worm detection and evaluation variables:
Control variables:
NetworkActivities
Worm Detection
& Evaluation
Decision & Control
Anomaly DetectionSystem
tI tt DP ,
tt HT ,
Quarantine timeAlarm threshold
ProbabilityDamage
24
Two-level Feedback Control Dynamic Quarantine Framework
Network-level quarantine (Internet scale)Dynamic quarantine is on routers/gateways of local networks.Quarantine time, alarm threshold are recommended by MWC.
Host-level quarantine (local network scale)Dynamic quarantine is on individual host or subnet in a network.Quarantine time, alarm threshold are determined by:
Local network’s worm detection system.Advisory from Malware Warning Center.
Host-level quarantine
Malware Warning Center
tt HT ,tI
Network-level quarantine
Local network
25
Host-level Dynamic Quarantine without Feedback Control
First step: no feedback control/optimizationFixed quarantine time, alarm threshold.
I(t): # of infectious S(t): # of susceptible T: Quarantine time
R(t): # of quarantined infectious Q(t): # of quarantined susceptible
λ1: quarantine rate of infectious λ2: quarantine rate of susceptible
Assumptions:removed
26
Extended Simple Epidemic Model
Before quarantine:
After quarantine:
I(t)
R(t)=p’1I(t)
S(t)
Q(t)=p’2S(t)
# of contacts ∝
Susceptible Infectious
27
Extended Simple Epidemic Model
Vulnerable population N=75,000, worm scan rate 4000/secT=4 seconds, λ1 = 1, λ2=0.000023 (twice false alarms per day per node)
Law of large number
R(t): # of quarantined infectious
Q(t): # of quarantined susceptible
0 200 400 600 800 10000
1
2
3
4
5
6
7x 104
Time t (s econd)
I(t)R(t)500 ⋅ Q(t)
0 200 400 600 800 10000
0.2
0.4
0.6
0.8
1
Tim e t (s econd)
p'1500⋅ p'2
0 200 400 600 800 10000
1
2
3
4
5
6
7
x 104
Time t (s econd)
Origina l s ys temQuarantined s ys tem
28
Summary of Feedback Dynamic Quarantine Defense
Learn the quarantine principles in real-world epidemic disease control:
Preemptive quarantine: Comparing with disease potential damage, we are willing to pay certain false alarm costFeedback adjustment: More serious epidemic, more aggressive quarantine action
Two-level feedback control dynamic quarantine frameworkOptimal control objective:
Reduce worm spreading speed, # of infected hosts.Reduce false alarm cost.
Derive worm models under open-loop dynamic quarantineEfficiently reduce worm spreading speedRaise/generate epidemic threshold
29
OutlineIntroduction of epidemic modelsTwo-factor worm modelEarly detection and monitoringFeedback dynamic quarantine defense
Routing worm: a fast, selective attack wormWorm scanning strategiesSummary and future work
30
BGP Routing Worm
Contains BGP routing prefixes:Fact: routable IP space < 30% of entire IPv4 space.
Scanning space is 28.6% of entire IPv4 space. Increasing worm’s speed by 3.5 times (Sept. 22, 2003).
Payload requirement: 175KBNon-overlapping prefixes:
Remove “128.119.85/24” if BGP contains “128.119/16”.
140602 prefixes → 62053 prefixes (Sept. 22, 2003)Big payload for Internet-scale worm propagation.
31
Class A Routing Worm
IANA provides Class A address allocationsClass A (x.0.0.0/8); 256 Class A in IPv4 space.
116 Class A networks contain all BGP routable space.Scanning space: 45.3%; payload: 116 Bytes.
Routing worm based on BGP prefixes aggregation.Trade-off: scanning space ↔ Prefix payload (“/13” ⇒ 37%, 5KB)
002/8 : IANA - Reserved003/8 : General Electric Company056/8 : U.S. Postal Service214/8 : US-DOD216/8 : ARIN 217/8 : RIPE NCC 224/8 : IANA - Multicast
32
Routing Worm Propagation Study
: # of vulnerable : Scan rate : Scanning space
where
N=360,000; η=358 scans/min; I(0)=10 ( 10,000 for the hit-list worm )
Comparison of the Code Red worm, a routing worm, a hit-list worm, and a hit-list routing worm
0 100 200 300 4000
0.5
1
1.5
2
2.5
3
3.5
4 x 105
Time t (minute )
BGP routing wormCla s s A routing wormHit-lis t worm
0 100 200 300 400 500 6000
0.5
1
1.5
2
2.5
3
3.5
4 x 105
Time t (minute )
Hitlis t routing wormHitlis t wormTra ditiona l worm
0 100 200 300 400 500 6000
0.5
1
1.5
2
2.5
3
3.5
4 x 105
Time t (minute )
BGP routing wormCla s s A routing wormTra ditiona l worm
33
Routing Worm: A Selective Attack Worm
Selective AttackDifferent behaviors on different compromised hosts.Imposes damage based on geographical information of IP addresses of compromised hosts
Geographical information of IP addressesIP address → Routing prefix → AS
AS → Company, ISP, CountryPinpoint attacking vulnerable hosts in a specific targetPotential terrorists cyberspace attacks
⇐ BGP routing table
⇐ Researches
34
Selective Attack: a Generic Attacking Technique
Imposes damage based on any information a worm can get from compromised hosts
OS (e.g. : illegal OS, OS language, time zone )Software (e.g. : installed a specific program) Hardware ( e.g. : CPU, memory, network card)
Improving propagation speedMaximize usage of each compromised host.
Multi-thread worm: generates different numbers of threads based on CPU, memory, and connection speed of compromised computers.
35
Defense: Upgrading IPv4 to IPv6
Routing worm idea: Reducing worm scanning space
Effective, easier than hit-list worm to implementDifficult to prevent:
public BGP tables and IP geographical information
Defense: Increasing worm scanning space Upgrading IPv4 to IPv6
The smallest network in IPv6 has 264 IP address space.A worm needs 40 years to infect 50% of vulnerable hosts in a network when N=1,000,000, η=100,000/sec, I(0)=1000
Limitation: for scan-based worms only
36
Summary of Routing Worm
Routing worm: a worm containing information of BGP routing prefixes in the worm code.
Routing worm: a faster spreading wormScans routable space (< 30%) instead of entire IPv4 space.Increasing propagation speed by 2 ~ 3.5 times.
Routing worm: a selective attack wormIP address → routing prefix → AS → ISP, Country
Pinpoint attacking vulnerable hosts in a specific targetSelective attack based on any information a worm can get from compromised hosts.
Defense: Increase a worm’s scanning space
⇒ IPv4 upgrade to IPv6
37
Outline
Introduction of epidemic modelsTwo-factor worm modelEarly detection and monitoringFeedback dynamic quarantine defenseRouting worm: a fast, selective attack worm
Worm scanning strategiesSummary and future work
38
Epidemic Model Introduction
Model for homogeneous system: # of infectious
: infection ability
: # of hosts
: scan rateFor worm modeling:
: scanning space⇐ Infinitesimal analysis
Model for interacting groups
39
Idealized Worm
Knows IP addresses of all vulnerable hostsPerfect worm
Cooperation among worm copies
Flash wormNo cooperation; random scan
Complete infection within seconds 0 2 4 6 8 10 12 14 160
0.5
1
1.5
2
2.5
3
3.5
4 x 105
Time t (s e cond)
# of
infe
cted
hos
ts No de la yW ith de la y
0 2 4 6 8 10 12 14 160
0.5
1
1.5
2
2.5
3
3.5
4 x 105
Time t (s e cond)
# of
infe
cted
hos
ts No de la yW ith de la y
40
Uniform Scan Worms
Defense: Crucial to prevent attackers fromIdentifying IP addresses of a large number of vulnerable hosts → Flash worm, Hit-list wormObtaining address information to reduce a worm’s scanning space → Routing worm
0 200 400 6000
0.5
1
1.5
2
2.5
3
3.5x 105
Tim e t (m inute )
# of
infe
cted
hos
ts
Hit-list routing wormRouting wormHit-list wormCode Red worm
• Hit-list worm hasa hit-list of I(0)=10,000
• Routing worm has Ω=0.286× 232
• Other parameters:N=360,000η=358/minI(0)=10
41
Local preference scan increases speed (when vulnerable hosts arenot uniformly distributed)Local scan on Class A (“/8”) networks: p* → 1Local scan on Class B (“/16”) networks: p* ≅ 0.85Code Red II: p=0.5 (Class A), p=0.375 (Class B) ⇐ Smaller than p*
Local Preference Scan Worm
Class A local scan (K=256, m=116) Class B local scan (K=216, m=116×28)
0 100 200 300 400 500 6000
0.5
1
1.5
2
2.5
3
3.5x 105
Time t (minute )
Class A routing wormPreference p=0.99Preference p=0.5Preference p=0.1Uniform scan worm
0 100 200 300 400 500 6000
0.5
1
1.5
2
2.5
3
3.5x 105
Time t (minute )
Class A routing wormPreference p=0.99Preference p=0.85Preference p=0.5Uniform scan worm
42
Sequential Scan WormSimulation Study
Local preference in selecting starting point is a bad idea.Sequential scan ≡ uniform scan (when vulnerable hosts are uniform distributed)Mean value analysis cannot analyze variability.
100 200 300 400 500 600 7000
0.5
1
1.5
2
2.5
3
3.5x 105
Time t (minute )
# of
infe
cted
hos
ts
Uniform s ca nUniform s e que ntia lP re fe re nce s e que ntia l
100 200 300 400 500 6000
0.5
1
1.5
2
2.5
3
3.5x 105
Time t (minute )
# of
infe
cted
hos
ts
95% uniform5% uniform95% s e que ntia l5% s e que ntia l
Uniform scan, sequential scan with/without local preference (100 simulation runs)Vulnerable hosts uniformly distributed in BGP routable IP space (28.6% of IPv4 space)
43
Summary of Worm Scanning Strategies
Modeling basis:Law of large number; mean value analysis; infinitesimal analysis.Epidemic model:
Conclusions:All about worm scanning space Ω (or density of vulnerable population):
Flash worm, Hit-list worm, Routing wormLocal preference, divide-and-conquer, selective attack
44
Outline
Introduction of epidemic modelsTwo-factor worm modelEarly detection and monitoringFeedback dynamic quarantine defenseRouting worm: a fast, selective attack wormWorm scanning strategies
Summary and future work
45
Worm Research Summary Modeling and analysis:
Two-factor worm model.Human counteractions and network congestion.
Routing worm.Worm scanning strategies.
Worm defense:Early detection: detect trend, not burst.Feedback dynamic quarantine
preemptive quarantine and feedback adjustment.
Papers at: http://tennis.ecs.umass.edu/~czou
46
Future Work
Feedback dynamic quarantine defense.Enterprise network.Cost function; optimal control.
Verification on real data.Early detection.Statistical analysis.
Realistic Internet-scale worm simulation.First: distribution of on-line hosts.
