T H E O H I O S T A T E U N I V E R S I T Y
Computer Science and EngineeringComputer Science and Engineering
Effective Detection of Active Worms with Varying Scan Rate
Effective Detection of Active Worms with Varying Scan Rate
Wei Yu‡, Xun Wang†, Dong Xuan† and David Lee†
‡ Texas A&M University
† The Ohio State University
Wei Yu‡, Xun Wang†, Dong Xuan† and David Lee†
‡ Texas A&M University
† The Ohio State University
Presented by Xun Wang
Presented by Xun Wang
2
T H E O H I O S T A T E U N I V E R S I T Y
Computer Science and EngineeringComputer Science and Engineering
Motivation & Contributions
• Motivation– Active worms are evolving– Existing worm detection can not detect them
effectively– Need to understand them and defend against them
• Contributions– Modeling Varying Scan Rate (VSR) worm– Designing attack target Distribution Entropy based
dynamiC (DEC) detection scheme for VSR and traditional worms
3
T H E O H I O S T A T E U N I V E R S I T Y
Computer Science and EngineeringComputer Science and Engineering
Outline
• Traditional Worms• Varying Scan Rate Worm Modeling• Existing Worm Detection Schemes• DEC Worm Detection• Performance Evaluations • Discussions• Final Remarks
4
T H E O H I O S T A T E U N I V E R S I T Y
Computer Science and EngineeringComputer Science and Engineering
Traditional Worms• Self-propagate by exploiting vulnerabilities of hosts
mostly through port scanning
• Scan strategy – Pure Random Scan (PRS): Pure randomly select IP addresses– Hitlist Scan: Use an externally supplied list of vulnerable hosts as
the targets– Local Subnet Scan: Scan the hosts in the same sub network first
• Scan rate– Constant: Does not change scan rate– Random changing scan rate
5
T H E O H I O S T A T E U N I V E R S I T Y
Computer Science and EngineeringComputer Science and Engineering
Traditional PRS Worm Propagation Model• Traditional PRS worm
- PRS scan strategy with constant port scan rate
• Worm propagation model (Epidemic model [AM91])– S: port scan rate– M(i): the number of infected hosts at time tick i– N(i): the number of un-infected vulnerable hosts at time tick i
respectively – E(i + 1): the number of newly infected hosts from time tick i to i + 1– T: the number of IP addresses in the Internet
• Exponential increase of worm instance number (thus the scan
traffic volume observed by traffic monitors) Easy to be detected by existing detection systems
( )1( 1) ( )(1 (1 ) ),(1)S M iE i N i
T
( 1) ( ) ( 1), (2)M i M i E i
( 1) ( ) ( 1), (3)N i N i E i
( )1( 1) ( ) ( )(1 (1 ) ).(4)S M iM i M i N i
T
6
T H E O H I O S T A T E U N I V E R S I T Y
Computer Science and EngineeringComputer Science and Engineering
Varying Scan Rate Worms
• Each VSR worm-infected victim (worm instance) adopts– a varying scan rate: S(t)
– a varying attack probability: Pa(t)
VSR worm
Traditional PRS worm
If S(t) is constant and Pa(t) = 1
Change scan strategy
Other worms
7
T H E O H I O S T A T E U N I V E R S I T Y
Computer Science and EngineeringComputer Science and Engineering
VSR Worm Propagation Model
• VSR worm propagation model:
• VSR worm instance number observed by detection system:
where Pm is the percentage of IP addresses under monitoring.
If S(i)=S and Pa(i)=1
( ) ( ) ( )1( 1) ( ) ( )(1 (1 ) ).(5)aS i P i M iM i M i N i
T
( )1( 1) ( ) ( )(1 (1 ) ).(4)S M iM i M i N i
T
( )ˆ ( ) ( ) ( )[(1 (1 ) ), (6)S ia mM i M i P i P
8
T H E O H I O S T A T E U N I V E R S I T Y
Computer Science and EngineeringComputer Science and Engineering
Effectiveness of VSR Worms (1)
• VSR worm propagation model is different from that of traditional worms
1( , ) max( , 2)
1
CS t K C
tK
9
T H E O H I O S T A T E U N I V E R S I T Y
Computer Science and EngineeringComputer Science and Engineering
Effectiveness of VSR Worms (2)
• Detected worm instance number is not mono-increasing any more existing worm detection is not effective
10
T H E O H I O S T A T E U N I V E R S I T Y
Computer Science and EngineeringComputer Science and Engineering
Worm Detection
• Global traffic monitoring based worm detection
• Distributed monitors passively record and report port scan traffic to the worm detection center [SANs, BCJ+05]
• The detection center determines whether there is a large-scale worm propagation using certain detection schemes
11
T H E O H I O S T A T E U N I V E R S I T Y
Computer Science and EngineeringComputer Science and Engineering
• Three key elements – Detection data:
port scan record count, scan target (different IP) distribution
– Statistical property of worm detection data:
individual count, mean, variance, entropy
– Detection decision rule:
threshold-based,
trend-based,
static/dynamic rule
Worm Detection Space
• CISH: Count, Individual, Static tHreshold [VSG05]
• CVDH: Count, Variance, Dynamic tHreshold [WVG04]
• CISR: Count, Individual, Static tRend
[ZGT+03]
† Other subspaces other detection schemes?
• DVDH: Distribution, Variance, Dynamic tHreshold [Our extension of WVG04]
• DEC (or DEDH): Distribution, entropy,
Dynamic tHreshold [Ours]
Fig. 3. Space of worm detection.
12
T H E O H I O S T A T E U N I V E R S I T Y
Computer Science and EngineeringComputer Science and Engineering
Ineffectiveness of Existing Detection Schemes to VSR worms
• Metrics:
- Detection Time (in minute) - Maximal Infection Ratio (%)
13
T H E O H I O S T A T E U N I V E R S I T Y
Computer Science and EngineeringComputer Science and Engineering
DEC Worm Detection
• Attack target Distribution Entropy based dynamiC (DEC) worm detection
• Three key elements– Detection Data: distribution of worm scan/attack target IP, i.e.,
how many different IP addresses are scanned– Statistical property of worm detection data: entropy– Detection decision Rule: run-time dynamic threshold adaptation
14
T H E O H I O S T A T E U N I V E R S I T Y
Computer Science and EngineeringComputer Science and Engineering
Why Worm Attack Target Distribution?
• Capture the fundamental feature of active worms• To propagate worm to as many hosts as possible, worm
port scan traffic’s target IP addresses must show a widely dispersed distribution
the worm scan/attack target distribution is a key feature to distinguish worm traffic from other traffic
• Example– Data-set1 = [(IP1, 8)] – Data-set2 = [(IP2, 1), (IP3, 1), (IP4, 1), (IP5, 1),(IP6, 1), (IP7, 1)]– By count, Data-set1’s count is 8 > Data-set2’s count is 6– But Data-set2 is more like worm scan traffic and its IP addresses
set is more distributed
15
T H E O H I O S T A T E U N I V E R S I T Y
Computer Science and EngineeringComputer Science and Engineering
Why Entropy ?
• Entropy quantifies “the amount of uncertainty” contained in data or “the randomness” of the data– The entropy is 0 when the distribution of data is maximally
concentrated– It takes on the maximal value when the distribution is
maximally dispersed
• We use entropy to measure the target distribution, which is better than other measurements, such as variance
16
T H E O H I O S T A T E U N I V E R S I T Y
Computer Science and EngineeringComputer Science and Engineering
• Entropy of port scan target distribution– From collected port scan reports in an unit time
Z = ((DestIP1; sn1); ... ; (DestIPM; snM)),
where sn1 is the number of times a IP DestIPi is scanned
– Entropy of Z: where
• Example:– Data-set1: Z1= [(IP1, 8)] – Data-set2: Z2= [(IP2, 1), (IP3, 1), (IP4, 1), (IP5, 1),(IP6, 1), (IP7, 1)]
How to Use Entropy?
1
( ) ( ) log( ),i i
i
sn snH Z
Y Y
1
.ii
Y sn
Variances of two data-sets are same and equal to 0Entropy of Z1 is 0, but entropy of Z2 is 0.78!
17
T H E O H I O S T A T E U N I V E R S I T Y
Computer Science and EngineeringComputer Science and Engineering
Performance Evaluation• Metrics
- Detection Time (in minute) - Maximal Infection Ratio (%)
• Simulation setup- Real-world trace plus simulated worm traffic
• Evaluated worm detection schemes– CISH: Count, Individual, Static tHreshold – CVDH: Count, Variance, Dynamic tHreshold– CISR: Count, Individual, Static tRend– DVDH: Distribution, Variance, Dynamic tHreshold
– Our DEC (or DEDH): Distribution, entropy, Dynamic tHreshold
18
T H E O H I O S T A T E U N I V E R S I T Y
Computer Science and EngineeringComputer Science and Engineering
Detection Time of DEC (1)
•DEC can detect VSR worm much faster than other detection schemes
•CISR (trend-based detection) can not detect VSR worm
Fig. 4. Detection time of detection schemes on VSR worms.
19
T H E O H I O S T A T E U N I V E R S I T Y
Computer Science and EngineeringComputer Science and Engineering
Detection Time of DEC (2)
•DEC can detect traditional worm faster and earlier than other detection schemes
Fig. 5. Detection time of detection schemes on traditional PRS worms.
20
T H E O H I O S T A T E U N I V E R S I T Y
Computer Science and EngineeringComputer Science and Engineering
Maximal Infection Ratio of DEC (1)
•DEC can detect VSR worm at its very early propagate stage
Fig. 6. Maximal infection ratio of detection schemes on VSR worms.
21
T H E O H I O S T A T E U N I V E R S I T Y
Computer Science and EngineeringComputer Science and Engineering
Maximal Infection Ratio of DEC (2)
Fig. 7. Maximal infection ratio of detection schemes on traditional PRS worms.
•Higher scan rate worms get detected earlier, and propagate less eventually
22
T H E O H I O S T A T E U N I V E R S I T Y
Computer Science and EngineeringComputer Science and Engineering
Discussions• Worm Modeling
– Evolving worms: e.g., Atak worm [Zdnet] – VSR worm: varying scan rate– Determination of optimal S(t) and Pa(t) functions
• Detection– Why DEC is effective?
- Attack target distribution - Entropy
– Limitations?- Needs scan target distribution information- Do not protect individual sub network or host
23
T H E O H I O S T A T E U N I V E R S I T Y
Computer Science and EngineeringComputer Science and Engineering
Final Remarks
• We formally modeled VSR worm and designed DEC worm detection
• Future work– Investigate other potential evolving worms which attempt to
camouflage worm propagation – Design effective detection against them– Example: Self-adjusting worm and detection, ACSAC’06
24
T H E O H I O S T A T E U N I V E R S I T Y
Computer Science and EngineeringComputer Science and Engineering
References[AM91] R. M. Anderson and R. M. May, Infectious Diseases of
Humans:Dynamics and Control, Oxford University Press, Oxford, 1991.
[BCJ+05] M. Bailey, E. Cooke, F. Jahanian, J. Nazario, and D. Watson. “Internet motion sensor: A distributed blackhole monitoring system”, NDSS’05.
[SANs] SANs, Internet Storm Center, http://isc.sans.org/.[WVG04] J. Wu, S. Vangala, and L. X. Gao, “An effective architecture
and algorithm for detecting worms with various scan techniques,” NDSS’04.
[ZGT02] C. C. Zou, W. Gong, and D. Towsley, “Code red worm propagation modeling and analysis,” CCS’02.
[ZGT+03] C. Zou, W. B. Gong, D. Towsley, and L. X. Gao, “Monitoring and early detection for internet worms,” CCS’03.
[Zdnet] Zdnet, “Smart worm lies low to evade detection”, http://news.zdnet.co.uk/internet/security/0,39020375,39160285,00.htm.
25
T H E O H I O S T A T E U N I V E R S I T Y
Computer Science and EngineeringComputer Science and Engineering
Q&A
Thanks!