Summary From the Last Lecture
description
Transcript of Summary From the Last Lecture
![Page 1: Summary From the Last Lecture](https://reader036.fdocuments.in/reader036/viewer/2022062501/5681668e550346895dda5ec9/html5/thumbnails/1.jpg)
Well-publicized wormsWorm propagation curveScanning strategies (uniform, permutation,
hitlist, subnet)
1
Summary From the Last Lecture
![Page 2: Summary From the Last Lecture](https://reader036.fdocuments.in/reader036/viewer/2022062501/5681668e550346895dda5ec9/html5/thumbnails/2.jpg)
Three factors define worm spread:o Size of vulnerable population
Prevention – patch vulnerabilities, increase heterogeneity
o Rate of infection (scanning and propagation strategy) Deploy firewalls Distribute worm signatures
o Length of infectious period Patch vulnerabilities after the outbreak
Worm Defense
![Page 3: Summary From the Last Lecture](https://reader036.fdocuments.in/reader036/viewer/2022062501/5681668e550346895dda5ec9/html5/thumbnails/3.jpg)
This depends on several factors:o Reaction timeo Containment strategy – address blacklisting and
content filteringo Deployment scenario – where is response
deployedEvaluate effect of containment 24 hours
after the onset
How Well Can Containment Do?
“Internet Quarantine: Requirements for Containing Self-Propagating Code”, Proceedings of INFOCOM 2003, D. Moore, C. Shannon, G. Voelker, S. Savage
![Page 4: Summary From the Last Lecture](https://reader036.fdocuments.in/reader036/viewer/2022062501/5681668e550346895dda5ec9/html5/thumbnails/4.jpg)
How Well Can Containment Do?Code Red
Idealized deployment: everyone deploysdefenses after given period
![Page 5: Summary From the Last Lecture](https://reader036.fdocuments.in/reader036/viewer/2022062501/5681668e550346895dda5ec9/html5/thumbnails/5.jpg)
How Well Can Containment Do?Depending on Worm Aggressiveness
Idealized deployment: everyone deploysdefenses after given period
![Page 6: Summary From the Last Lecture](https://reader036.fdocuments.in/reader036/viewer/2022062501/5681668e550346895dda5ec9/html5/thumbnails/6.jpg)
How Well Can Containment Do?Depending on Deployment Pattern
![Page 7: Summary From the Last Lecture](https://reader036.fdocuments.in/reader036/viewer/2022062501/5681668e550346895dda5ec9/html5/thumbnails/7.jpg)
Reaction time needs to be within minutes, if not seconds
We need to use content filteringWe need to have extensive deployment on
key points in the Internet
How Well Can Containment Do?
![Page 8: Summary From the Last Lecture](https://reader036.fdocuments.in/reader036/viewer/2022062501/5681668e550346895dda5ec9/html5/thumbnails/8.jpg)
Monitor outgoing connection attempts to new hosts
When rate exceeds 5 per second, put the remaining requests in a queue
When number of requests in a queue exceeds 100 stop all communication
Detecting and Stopping Worm Spread
“Implementing and testing a virus throttle”, Proceedings of Usenix Security Symposium 2003,J. Twycross, M. Williamson
![Page 9: Summary From the Last Lecture](https://reader036.fdocuments.in/reader036/viewer/2022062501/5681668e550346895dda5ec9/html5/thumbnails/9.jpg)
Detecting and Stopping Worm Spread
![Page 10: Summary From the Last Lecture](https://reader036.fdocuments.in/reader036/viewer/2022062501/5681668e550346895dda5ec9/html5/thumbnails/10.jpg)
Detecting and Stopping Worm Spread
![Page 11: Summary From the Last Lecture](https://reader036.fdocuments.in/reader036/viewer/2022062501/5681668e550346895dda5ec9/html5/thumbnails/11.jpg)
Organizations share alerts and worm signatures with their “friends” o Severity of alerts is increased as more infection
attempts are detectedo Each host has a severity threshold after which it
deploys responseAlerts spread just like worm does
o Must be faster to overtake worm spreado After some time of no new infection detections,
alerts will be removed
Cooperative Strategies for Worm Defense
“Cooperative Response Strategies for Large-Scale Attack Mitigation”, Proceedings of DISCEX 2003, D. Norjiri, J. Rowe, K. Levitt
![Page 12: Summary From the Last Lecture](https://reader036.fdocuments.in/reader036/viewer/2022062501/5681668e550346895dda5ec9/html5/thumbnails/12.jpg)
As number of friends increases, response is faster
Propagating false alarms is a problem
Cooperative Strategies for Worm Defense
![Page 13: Summary From the Last Lecture](https://reader036.fdocuments.in/reader036/viewer/2022062501/5681668e550346895dda5ec9/html5/thumbnails/13.jpg)
Early detection would give time to react until the infection has spread
The goal of this paper is to devise techniques that detect new worms as they just start spreading
Monitoring:oMonitor and collect worm scan traffic oObservation data is very noisy so we have to
filter new scans from Old worms’ scans Port scans by hacking toolkits
Early Worm Detection
C. C. Zou, W. Gong, D. Towsley, and L. Gao. "The Monitoring and Early Detection of Internet Worms," IEEE/ACM Transactions on Networking.
![Page 14: Summary From the Last Lecture](https://reader036.fdocuments.in/reader036/viewer/2022062501/5681668e550346895dda5ec9/html5/thumbnails/14.jpg)
Detection: oTraditional anomaly detection: threshold-based
Check traffic burst (short-term or long-term). Difficulties: False alarm rate
o“Trend Detection” Measure number of infected hosts and use it
to detect worm exponential growth trend at the beginning
Early Worm Detection
![Page 15: Summary From the Last Lecture](https://reader036.fdocuments.in/reader036/viewer/2022062501/5681668e550346895dda5ec9/html5/thumbnails/15.jpg)
Worms uniformly scan the InternetoNo hitlists but subnet scanning is allowed
Address space scanned is IPv4
Assumptions
![Page 16: Summary From the Last Lecture](https://reader036.fdocuments.in/reader036/viewer/2022062501/5681668e550346895dda5ec9/html5/thumbnails/16.jpg)
Simple epidemic model:
Worm Propagation Model)(** tt
t INIdtdI
−=β
Detect wormhere. Shouldhave exp.
spread
![Page 17: Summary From the Last Lecture](https://reader036.fdocuments.in/reader036/viewer/2022062501/5681668e550346895dda5ec9/html5/thumbnails/17.jpg)
Monitoring System
![Page 18: Summary From the Last Lecture](https://reader036.fdocuments.in/reader036/viewer/2022062501/5681668e550346895dda5ec9/html5/thumbnails/18.jpg)
Provides comprehensive observation data on a worm’s activities for the early detection of the worm
Consists of :oMalware Warning Center (MWC)oDistributed monitors
Ingress scan monitors – monitor incoming traffic going to unused addresses
Egress scan monitors – monitor outgoing traffic
Monitoring System
![Page 19: Summary From the Last Lecture](https://reader036.fdocuments.in/reader036/viewer/2022062501/5681668e550346895dda5ec9/html5/thumbnails/19.jpg)
Ingress monitors collect:oNumber of scans received in an intervaloIP addresses of infected hosts that have
sent scans to the monitorsEgress monitors collect:oAverage worm scan rate
Malware Warning Center (MWC) monitors:oWorm’s average scan rateoTotal number of scans monitoredoNumber of infected hosts observed
Monitoring System
![Page 20: Summary From the Last Lecture](https://reader036.fdocuments.in/reader036/viewer/2022062501/5681668e550346895dda5ec9/html5/thumbnails/20.jpg)
MWC collects and aggregates reports from distributed monitors
If total number of scans is over a threshold for several consecutive intervals, MWC activates the Kalman filter and begins to test the hypothesis that the number of infected hosts follows exponential distribution
Worm Detection
![Page 21: Summary From the Last Lecture](https://reader036.fdocuments.in/reader036/viewer/2022062501/5681668e550346895dda5ec9/html5/thumbnails/21.jpg)
Population: N=360,000, Infection rate: = 1.8/hour, Scan rate = 358/min, Initially infected: I0=10 Monitored IP space 220, Monitoring interval: = 1 minute
Code Red Simulation
Infected hosts estimation
![Page 22: Summary From the Last Lecture](https://reader036.fdocuments.in/reader036/viewer/2022062501/5681668e550346895dda5ec9/html5/thumbnails/22.jpg)
Population: N=100,000 Scan rate = 4000/sec, Initially infected: I0=10 Monitored IP space 220, Monitoring interval: = 1 second
Slammer Simulation
Infected hosts estimation
![Page 23: Summary From the Last Lecture](https://reader036.fdocuments.in/reader036/viewer/2022062501/5681668e550346895dda5ec9/html5/thumbnails/23.jpg)
Worms spread very fast (minutes, seconds)oNeed automatic mitigation
If this is a new worm, no signature existsoMust apply behaviour-based anomaly detectionoBut this has a false-positive problem! We don’t
want to drop legitimate connections!Dynamic quarantine o“Assume guilty until proven innocent” oForbid network access to suspicious hosts for a
short timeoThis significantly slows down the worm spread
Dynamic Quarantine
C. C. Zou, W. Gong, and D. Towsley. "Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense," ACM CCS Workshop on Rapid
Malcode (WORM'03),
![Page 24: Summary From the Last Lecture](https://reader036.fdocuments.in/reader036/viewer/2022062501/5681668e550346895dda5ec9/html5/thumbnails/24.jpg)
Behavior-based anomaly detection can point out suspicious hostsoNeed a technique that slows down worm
spread but doesn’t hurt legitimate traffic mucho“Assume guilty until proven innocent”
technique will briefly drop all outgoing connection attempts (for a specific service) from a suspicious host
oAfter a while just assume that host is healthy, even if not proven so
oThis should slow down worms but cause only transient interruption of legitimate traffic
Dynamic Quarantine
![Page 25: Summary From the Last Lecture](https://reader036.fdocuments.in/reader036/viewer/2022062501/5681668e550346895dda5ec9/html5/thumbnails/25.jpg)
Assume we have some anomaly detection program that flags a host as suspiciousoQuarantine this hostoRelease it after time ToThe host may be quarantined multiple times if
the anomaly detection raises an alarmoSince this doesn’t affect healthy hosts’
operation a lot we can have more sensitive anomaly detection technique
Dynamic Quarantine
![Page 26: Summary From the Last Lecture](https://reader036.fdocuments.in/reader036/viewer/2022062501/5681668e550346895dda5ec9/html5/thumbnails/26.jpg)
An infectious host is quarantined after time units
A susceptible host is falsely quarantined after time units
Quarantine time is T, after that we release the host
A few new categories:oQuarantined infectious R(t)oQuarantined susceptible Q(t)
Dynamic Quarantine
1
1λ
2
1λ
![Page 27: Summary From the Last Lecture](https://reader036.fdocuments.in/reader036/viewer/2022062501/5681668e550346895dda5ec9/html5/thumbnails/27.jpg)
Initially 75,000 vulnerable hostsQuarantine rate of infectious host is
per secondo Infectious host will be quarantined after 5
seconds on average Quarantine rate of susceptible host is
per secondoThere are 2 false alarms per host per day
T=10 seconds
Simulation Setup
2.01 =λ
00002315.02 =λ
![Page 28: Summary From the Last Lecture](https://reader036.fdocuments.in/reader036/viewer/2022062501/5681668e550346895dda5ec9/html5/thumbnails/28.jpg)
Slammer With DQ
![Page 29: Summary From the Last Lecture](https://reader036.fdocuments.in/reader036/viewer/2022062501/5681668e550346895dda5ec9/html5/thumbnails/29.jpg)
DQ With Large T?
T=10sec T=30sec
![Page 30: Summary From the Last Lecture](https://reader036.fdocuments.in/reader036/viewer/2022062501/5681668e550346895dda5ec9/html5/thumbnails/30.jpg)
DQ And Patching?
![Page 31: Summary From the Last Lecture](https://reader036.fdocuments.in/reader036/viewer/2022062501/5681668e550346895dda5ec9/html5/thumbnails/31.jpg)
Patch Only Quarantined Hosts
Cleaning I(t) Cleaning R(t)