
Page 1: Modeling/Detecting the Spread of Active Worms Lixin Gao Dept. of Electrical & Computer Engineering Univ. of Massachusetts lgao@ecs.umass.edu

Modeling/Detecting the Spread of Active Worms

Lixin Gao Dept. Of Electrical & Computer Engineering

Univ. of Massachusetts

lgao@ecs.umass.edu

http://www-unix.ecs.umass.edu/~lgao

Joint Work with Z.Chen, J. Wu, S. Vangala and K. Kwiat

Page 2

DIMACS workshop on Large-Scale Internet Attack, Sept 23-24, 2003

Monitoring Architecture

[Figure: monitoring architecture. Labelled components: Local Subnet, Local IDS, Black Hole Detector, Traffic Analyzer, Network, Detection Center, Monitoring Component.]

Page 3

What to monitor?

- Inactive addresses
- Inactive ports
- Number of victims
- Total scan traffic
- Number of flows
- Distribution of destination addresses
- Outbound traffic?

Page 4

How to monitor?

- Aggregate data from inactive addresses and ports
  - Address space
  - Address and port selection
- Learn the trend and determine anomalies
- Selective monitoring
  - Adaptive monitoring
  - Feedback based
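How the "what to monitor" quantities of slides 3 and 4 could be aggregated per time window and checked against a learned trend, as an added Python example that is not the talk's detector. The local subnet, its inactive address block, the inactive ports, the flow records and the EWMA threshold rule are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: flow records (tick, src, dst, dport) as seen by one subnet's
# monitoring component. 192.0.2.0/24 is an assumed local subnet whose upper half
# (.128-.255) has no live host, so any packet sent there is a black-hole hit.
INACTIVE_ADDRS = {ip_address(f"192.0.2.{i}") for i in range(128, 256)}
INACTIVE_PORTS = {135, 445, 1434}  # assumed: no service listens on these locally

FLOWS = [
    # benign baseline: a stray black-hole hit now and then
    (0, "198.51.100.5", "192.0.2.10", 80),
    (0, "198.51.100.7", "192.0.2.200", 80),
    (1, "198.51.100.5", "192.0.2.11", 443),
    (1, "198.51.100.9", "192.0.2.130", 22),
    (2, "198.51.100.5", "192.0.2.10", 80),
    (3, "198.51.100.8", "192.0.2.140", 22),
    # window 4: one source sweeps 32 dark addresses on an inactive port
] + [(4, "203.0.113.77", f"192.0.2.{i}", 445) for i in range(128, 160)]


def window_stats(flows):
    """Per-tick counts of the 'what to monitor' quantities: hits to inactive
    addresses, hits to inactive ports and distinct sources probing dark space."""
    stats = defaultdict(lambda: {"dark_addr": 0, "dark_port": 0, "srcs": set()})
    for tick, src, dst, dport in flows:
        w = stats[tick]
        if ip_address(dst) in INACTIVE_ADDRS:
            w["dark_addr"] += 1
            w["srcs"].add(src)
        if dport in INACTIVE_PORTS:
            w["dark_port"] += 1
    return {t: {**w, "srcs": len(w["srcs"])} for t, w in sorted(stats.items())}


def anomalies(stats, alpha=0.5, factor=4.0, floor=5):
    """Learn the trend of dark-address hits with an EWMA and flag a window whose
    count is at least `factor` times the trend (and at least `floor` hits).
    The check runs before the update so a spike does not mask itself."""
    trend, flagged = None, []
    for tick, w in stats.items():
        x = w["dark_addr"]
        if trend is not None and x >= max(floor, factor * trend):
            flagged.append(tick)
        trend = x if trend is None else alpha * x + (1 - alpha) * trend
    return flagged


if __name__ == "__main__":
    st = window_stats(FLOWS)
    print(st)
    print("anomalous windows:", anomalies(st))
```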

Page 5

Potential Issues

- Spoofed IP
- Multi-vector worm
- Aggressive scan
- Stealth scan
- Detecting only large-scale attacks

Page 6

Analytical Active Worm Propagation (AAWP) Model

- T: size of the address space the worm scans
- N: total number of vulnerable hosts in the space
- S: scan rate
- n_i: number of infected machines at time i

Page 7

Monitoring Random Scan

[Figure: number of infected nodes (0 to 4 x 10^5) versus time in hours (0 to 25) for a simulated Code Red v2-like worm, with one curve each for 2^24, 2^20, 2^16 and 2^8 addresses monitored.]

Page 8

Detection Time vs. Monitoring Space
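The AAWP model of slide 6 and the detection-time-versus-monitoring-space comparison of slides 7 and 8, as an added Python example that is not the talk's code. It iterates the basic AAWP recurrence n_{i+1} = n_i + (N - n_i)(1 - (1 - 1/T)^(S n_i)) (the form from the cited INFOCOM 2003 paper, without patching or host-death terms) and reports, for 2^24, 2^20, 2^16 and 2^8 monitored inactive addresses, the tick at which the expected number of scans landing in the monitored block reaches a threshold; the worm parameters and the threshold rule are constructed assumptions, not the talk's numbers.

```python
import math

# Constructed parameters for a Code Red v2-like worm (assumed, not the talk's numbers).
T = 2 ** 32      # size of the address space the worm scans (IPv4)
N = 360_000      # total vulnerable hosts (assumed)
S = 10           # scans per infected host per tick; one tick = one second (assumed)
N0 = 1           # initially infected hosts (assumed)


def aawp(T, N, S, n0, ticks):
    """Basic AAWP recurrence: n_{i+1} = n_i + (N - n_i) * (1 - (1 - 1/T)^(S * n_i)).

    A given vulnerable host escapes all S*n_i random scans of one tick with
    probability (1 - 1/T)^(S*n_i); patching and host death are ignored.
    Returns the infected-host counts n_0 .. n_ticks.
    """
    n = float(n0)
    series = [n]
    for _ in range(ticks):
        # 1 - (1 - 1/T)^(S n), via log1p/expm1 to keep precision when T = 2^32
        p_hit = -math.expm1(S * n * math.log1p(-1.0 / T))
        n = n + (N - n) * p_hit
        series.append(n)
    return series


def detection_tick(series, monitored, S=S, T=T, threshold=1.0):
    """First tick at which the expected number of scans that have landed in a
    block of `monitored` inactive addresses reaches `threshold`.

    Random scans hit the block at S * n_i * monitored / T per tick. The
    threshold rule is an assumption for illustration, not the talk's detector.
    Returns (tick, infected hosts at that tick), or None if never reached.
    """
    seen = 0.0
    for i, n in enumerate(series):
        seen += S * n * monitored / T
        if seen >= threshold:
            return i, n
    return None


def detection_table(ticks=90_000):
    """Detection tick for 2^24, 2^20, 2^16 and 2^8 monitored addresses (slide 7)."""
    series = aawp(T, N, S, N0, ticks)
    return {k: detection_tick(series, 2 ** k) for k in (24, 20, 16, 8)}


if __name__ == "__main__":
    for k, hit in detection_table().items():
        print(f"2^{k} addresses monitored -> tick {hit[0]}, infected {hit[1]:.0f}")
```

Shrinking the monitored block delays detection and lets the worm infect far more hosts before the first alarm, which is the trade-off the slide title names.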

Page 9

Local Subnet Scan

The worm preferentially scans for targets in the "local" address space. Nimda worm:
- 50% of the time, choose an address with the same first two octets
- 25% of the time, choose an address with the same first octet
- 25% of the time, choose a random address

The AAWP model is extended to capture the characteristics of local subnet scanning.

Page 10

Compare Local Subnet Scan with Random Scan

[Figure: number of infected nodes (0 to 10 x 10^4) versus time tick in seconds (0 to 8000); one curve for random scanning and one for local subnet scanning like the Nimda worm.]

Page 11

More Malicious Scan

Random scan:
- Wastes too much power
- Easier to get caught

More malicious scan techniques: probing hosts are chosen more carefully?

Page 12

Scan Methods

- Selective Scan
- Routable Scan
- Divide-Conquer Scan
- Hybrid Scan

Page 13

Selective Scan

- Randomly selected destinations: Selective Random Scan
- Slapper worm: picks 162 /8 networks
- Benefit: simplicity, small program size

Page 14

Selective Scan

Page 15

Routable Scan

- Scan only routable addresses from the global BGP table
- How to reduce the payload?
  - 112K prefixes: merge address segments and use a 2^16 threshold, giving a 15.4 KB database
  - Only 20% of the segments contribute 90% of the addresses: 3 KB database
  - Further compression

Page 16

Spread of Routable Scan

Page 17

Monitoring Routable Scan

Page 18

Divide-Conquer Scan

- An extension to routable scan
- Each time a new host gets infected, it gets half of the address space
- Susceptible to a single point of failure
- Possible overlapping address space

Page 19

Divide-Conquer Scan

Page 20

Monitoring Divide-Conquer Scan

Page 21

Hybrid Scan

A combination of the simple scan methods above. For example:
- Routable + Hitlist + Local Subnet Scan
- Divide-Conquer + Hitlist

Page 22

More Details

See:
- Modeling the Spread of Active Worms, Z. Chen, L. Gao, K. Kwiat, INFOCOM 2003, http://www-unix.ecs.umass.edu/~lgao/paper/AAWP.pdf
- An Effective Architecture and Algorithm for Detecting Worms with Various Scan Techniques, J. Wu, S. Vangala, L. Gao, K. Kwiat, http://rio.ecs.umass.edu/gao/paper/final.pdf