Modeling the Spread of Active Worms ICIR蠕虫的传播ICIR建模.pptVIP

DIMACS workshop on Large-Scale Internet Attack, Sept 23-24, 2003 Modeling/Detecting the Spread of Active Worms Lixin Gao Dept. Of Electrical Computer Engineering Univ. of Massachusetts lgao@ /~lgao Joint Work with Z.Chen, J. Wu, S. Vangala and K. Kwiat What to monitor? Inactive addresses Inactive ports # of victims Total scan traffic # of flows Distribution of destination addresses Outbound traffic ? How to monitor? Aggregate data from inactive addresses and ports Address space Address and port selection Learn trend and determine anomalies Selectively monitoring Adaptive monitoring Feedback based Potential Issues Spoofed IP Multi-vector worm Aggressive scan Stealth scan Detecting only large scale attack Analytical Active Worm Propagation (AAWP) Model T: size of the address space worm scans N: total number of vulnerable hosts in the space S: scan rate ni: number of infected machines at time i Monitoring Random Scan Detection Time vs. Monitoring Space Local Subnet Scan The worms preferentially scan for targets on the “local” address space Nimda worm: 50% of the time, choose an address with the same first two octets 25% of the time, choose an address with the same first octet 25% of the time, choose a random address AAWP model is extended to understand the characteristics of local subnet scanning Compare Local Subnet Scan with Random Scan More Malicious Scan Random Scan Wastes too much power Easier to get caught More malicious scan techniques Probing hosts are chosen more carefully? Scan Methods Selective Scan Routable Scan Divide-Conquer Scan Hybrid Scan Selective Scan Randomly selected destinations Selective Random Scan Slapper worm Picks 162 /8 networks Benefit: Simplicity, small program size Selective Scan Routable Scan Scan only routable addresses from global BGP table How to reduce the payload? 112K prefixes ? merge address segments, and use 2^16 threshold = 15.4 KB database