Presentation Transcript


  1. Effective Detection of Active Worms with Varying Scan Rate
  Wei Yu‡, Xun Wang†, Dong Xuan† and David Lee†
  ‡ Texas A&M University, † The Ohio State University
  Presented by Xun Wang, wangxu@cse.ohio-state.edu

  2. Motivation & Contributions
  • Motivation
    - Active worms are evolving
    - Existing worm detection cannot detect them effectively
    - Need to understand them and defend against them
  • Contributions
    - Modeling the Varying Scan Rate (VSR) worm
    - Designing the attack target Distribution Entropy based dynamiC (DEC) detection scheme for VSR and traditional worms

  3. Outline
  • Traditional Worms
  • Varying Scan Rate Worm Modeling
  • Existing Worm Detection Schemes
  • DEC Worm Detection
  • Performance Evaluations
  • Discussions
  • Final Remarks

  4. Traditional Worms
  • Self-propagate by exploiting vulnerabilities of hosts, mostly located through port scanning
  • Scan strategy
    - Pure Random Scan (PRS): select target IP addresses uniformly at random
    - Hitlist Scan: use an externally supplied list of vulnerable hosts as the targets
    - Local Subnet Scan: scan the hosts in the same subnet first
  • Scan rate
    - Constant: the scan rate does not change
    - Randomly changing scan rate

  5. Traditional PRS Worm Propagation Model
  • Traditional PRS worm: PRS scan strategy with a constant port scan rate
  • Worm propagation model (epidemic model [AM91])
    - S: port scan rate
    - M(i): the number of infected hosts at time tick i
    - N(i): the number of un-infected vulnerable hosts at time tick i
    - E(i + 1): the number of newly infected hosts from time tick i to i + 1
    - T: the number of IP addresses in the Internet
  • Exponential increase of the worm instance number (and thus of the scan traffic volume observed by traffic monitors), so the worm is easy to detect with existing detection systems

  6. Varying Scan Rate Worms
  • Each VSR worm-infected victim (worm instance) adopts
    - a varying scan rate: S(t)
    - a varying attack probability: Pa(t)
  [Figure: worm taxonomy. Labels: Traditional PRS worm; Other worms (change scan strategy); VSR worm; the VSR worm reduces to the traditional PRS worm if S(t) is constant and Pa(t) = 1.]

  7. VSR Worm Propagation Model
  • VSR worm propagation model
  • VSR worm instance number observed by the detection system, where Pm is the percentage of IP addresses under monitoring
  • If S(i) = S and Pa(i) = 1

  8. Effectiveness of VSR Worms (1)
  • The VSR worm propagation model is different from that of traditional worms

  9. Effectiveness of VSR Worms (2)
  • The detected worm instance number is no longer monotonically increasing, so existing worm detection is not effective

  10. Worm Detection
  • Global traffic monitoring based worm detection
    - Distributed monitors passively record and report port scan traffic to the worm detection center [SANs, BCJ+05]
    - The detection center determines whether there is a large-scale worm propagation using certain detection schemes

  11. Worm Detection Space
  • Existing schemes
    - CISH: Count, Individual, Static tHreshold [VSG05]
    - CVDH: Count, Variance, Dynamic tHreshold [WVG04]
    - CISR: Count, Individual, Static tRend [ZGT+03]
  • † Other subspaces: other detection schemes?
  • Our schemes
    - DVDH: Distribution, Variance, Dynamic tHreshold [our extension of WVG04]
    - DEC (or DEDH): Distribution, Entropy, Dynamic tHreshold [ours]
  • Three key elements
    - Detection data: port scan record count, scan target (distinct IP) distribution
    - Statistical property of the worm detection data: individual count, mean, variance, entropy
    - Detection decision rule: threshold-based or trend-based, static or dynamic rule
  Fig. 3. Space of worm detection.

  12. Ineffectiveness of Existing Detection Schemes against VSR Worms
  • Metrics
    - Detection Time (in minutes)
    - Maximal Infection Ratio (%)

  13. DEC Worm Detection
  • Attack target Distribution Entropy based dynamiC (DEC) worm detection
  • Three key elements
    - Detection data: distribution of worm scan/attack target IPs, i.e., how many different IP addresses are scanned
    - Statistical property of the worm detection data: entropy
    - Detection decision rule: run-time dynamic threshold adaptation

  14. Why Worm Attack Target Distribution?
  • Captures the fundamental feature of active worms
    - To propagate to as many hosts as possible, the worm's port scan traffic must spread its target IP addresses widely, so the scan/attack target distribution is a key feature distinguishing worm traffic from other traffic
  • Example
    - Data-set1 = [(IP1, 8)]
    - Data-set2 = [(IP2, 1), (IP3, 1), (IP4, 1), (IP5, 1), (IP6, 1), (IP7, 1)]
    - By count, Data-set1 (count 8) exceeds Data-set2 (count 6)
    - But Data-set2 looks more like worm scan traffic: its set of IP addresses is more widely distributed

  15. Why Entropy?
  • Entropy quantifies "the amount of uncertainty" contained in data, or "the randomness" of the data
  • The entropy is 0 when the distribution of the data is maximally concentrated
  • It takes its maximal value when the distribution is maximally dispersed
  • We use entropy to measure the target distribution; it captures dispersion better than other measures, such as variance

  16. How to Use Entropy?
  • Entropy of the port scan target distribution
    - From the port scan reports collected in a unit of time, form Z = ((DestIP1, sn1), ..., (DestIPM, snM)), where sni is the number of times the IP address DestIPi is scanned
    - Entropy of Z
  • Example
    - Data-set1: Z1 = [(IP1, 8)]
    - Data-set2: Z2 = [(IP2, 1), (IP3, 1), (IP4, 1), (IP5, 1), (IP6, 1), (IP7, 1)]
    - The variances of the two data sets are the same, both equal to 0
    - The entropy of Z1 is 0, but the entropy of Z2 is 0.78!
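As an added illustration (not code from the slides or the paper), the count, variance and entropy statistics of slides 14 to 16 computed over the two data sets, together with a small entropy detector that adapts its threshold at run time. The DecDetector class, its rule (alarm when the tick's entropy exceeds the mean plus k standard deviations of the last few ticks) and the tick data are assumptions, since the slides do not give DEC's adaptation rule.

```python
import math
from statistics import mean, pstdev

# Constructed scan records (destination IP, times scanned), as on slides 14 and 16.
DATASET1 = [("IP1", 8)]
DATASET2 = [("IP2", 1), ("IP3", 1), ("IP4", 1), ("IP5", 1), ("IP6", 1), ("IP7", 1)]


def scan_count(z):
    """Count-based detection data (what CISH/CVDH/CISR look at): total scan records."""
    return sum(sn for _, sn in z)


def target_variance(z):
    """Variance of the per-target scan counts, the statistic DVDH relies on."""
    return pstdev([sn for _, sn in z]) ** 2


def target_entropy(z, base=10):
    """Entropy of the target distribution Z: H = -sum p_i log p_i with p_i = sn_i / sum sn.
    Base 10 reproduces the slide's value log10(6) = 0.78 for six equally scanned targets."""
    total = scan_count(z)
    return -sum((sn / total) * math.log(sn / total, base) for _, sn in z if sn > 0)


class DecDetector:
    """Assumed adaptive-threshold rule (not the authors' published rule): alarm when the
    current tick's entropy exceeds mean + k * stdev of the previous `window` ticks."""

    def __init__(self, window=4, k=3.0):
        self.window, self.k, self.history = window, k, []

    def observe(self, z):
        """Feed one tick of scan reports; None while warming up, else the alarm verdict."""
        h = target_entropy(z)
        verdict = None
        if len(self.history) >= self.window:
            recent = self.history[-self.window:]
            verdict = h > mean(recent) + self.k * pstdev(recent)
        self.history.append(h)
        return verdict


def run_demo():
    """Constructed ticks: five ticks of ordinary traffic aimed at two or three hosts,
    then one tick of worm-like scanning spread over 20 distinct addresses."""
    normal = [[("10.0.0.1", 5), ("10.0.0.2", 3)], [("10.0.0.1", 4), ("10.0.0.2", 4)],
              [("10.0.0.1", 6), ("10.0.0.2", 2)],
              [("10.0.0.1", 5), ("10.0.0.2", 2), ("10.0.0.3", 1)],
              [("10.0.0.1", 5), ("10.0.0.2", 3)]]
    worm = [("10.0.1.%d" % i, 1) for i in range(20)]
    det = DecDetector()
    return [det.observe(z) for z in normal + [worm]]  # [None, None, None, None, False, True]
```

Note that the worm tick carries only 20 scan records, fewer than some "normal" ticks by count, yet its entropy (log10(20) ≈ 1.30) stands far above the adaptive threshold built from the quieter ticks.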

  17. Performance Evaluation
  • Metrics
    - Detection Time (in minutes)
    - Maximal Infection Ratio (%)
  • Simulation setup
    - Real-world trace plus simulated worm traffic
  • Evaluated worm detection schemes
    - CISH: Count, Individual, Static tHreshold
    - CVDH: Count, Variance, Dynamic tHreshold
    - CISR: Count, Individual, Static tRend
    - DVDH: Distribution, Variance, Dynamic tHreshold
    - Our DEC (or DEDH): Distribution, Entropy, Dynamic tHreshold

  18. Detection Time of DEC (1)
  Fig. 4. Detection time of detection schemes on VSR worms.
  • DEC detects the VSR worm much faster than the other detection schemes
  • CISR (trend-based detection) cannot detect the VSR worm

  19. Detection Time of DEC (2)
  Fig. 5. Detection time of detection schemes on traditional PRS worms.
  • DEC detects the traditional worm faster and earlier than the other detection schemes

  20. Maximal Infection Ratio of DEC (1)
  Fig. 6. Maximal infection ratio of detection schemes on VSR worms.
  • DEC detects the VSR worm at a very early stage of its propagation

  21. Maximal Infection Ratio of DEC (2)
  Fig. 7. Maximal infection ratio of detection schemes on traditional PRS worms.
  • Higher scan rate worms get detected earlier, and eventually propagate less

  22. Discussions
  • Worm modeling
    - Evolving worms: e.g., the Atak worm [Zdnet]
    - VSR worm: varying scan rate
    - Determination of optimal S(t) and Pa(t) functions
  • Detection
    - Why is DEC effective?
      · Attack target distribution
      · Entropy
    - Limitations?
      · Needs scan target distribution information
      · Does not protect an individual subnet or host

  23. Final Remarks
  • We formally modeled the VSR worm and designed DEC worm detection
  • Future work
    - Investigate other potential evolving worms which attempt to camouflage worm propagation
    - Design effective detection against them
    - Example: self-adjusting worm and detection, ACSAC'06

  24. References
  [AM91] R. M. Anderson and R. M. May, Infectious Diseases of Humans: Dynamics and Control, Oxford University Press, Oxford, 1991.
  [BCJ+05] M. Bailey, E. Cooke, F. Jahanian, J. Nazario, and D. Watson, "Internet motion sensor: A distributed blackhole monitoring system," NDSS'05.
  [SANs] SANS Internet Storm Center, http://isc.sans.org/.
  [WVG04] J. Wu, S. Vangala, and L. X. Gao, "An effective architecture and algorithm for detecting worms with various scan techniques," NDSS'04.
  [ZGT02] C. C. Zou, W. Gong, and D. Towsley, "Code Red worm propagation modeling and analysis," CCS'02.
  [ZGT+03] C. Zou, W. B. Gong, D. Towsley, and L. X. Gao, "Monitoring and early detection for Internet worms," CCS'03.
  [Zdnet] ZDNet, "Smart worm lies low to evade detection," http://news.zdnet.co.uk/internet/security/0,39020375,39160285,00.htm.

  25. Q&A Thanks!