Modeling/Detecting the
Spread of Active Worms
Lixin Gao
Dept. Of Electrical & Computer Engineering
Univ. of Massachusetts
lgao@ecs.umass.edu
http://www-unix.ecs.umass.edu/~lgao
Joint Work with Z.Chen, J. Wu, S. Vangala and K. Kwiat
Monitoring Architecture
Detection Center
Traffic
Analyzer
Traffic
Analyzer
Black Hole
Black
Detector
Hole
Monitoring Component
Network
Traffic
Traffic
Analyzer
Analyzer
Black
Detector
Hole
Black
Black
Hole
Hole
Detector
Local
IDS
Local
IDS
IDS
LocalDIMACS
Subnet
Local Subnet
workshop on Large-Scale Internet
Attack, Sept 23-24, 2003
Local Subnet
2
What to monitor?








Inactive addresses
Inactive ports
# of victims
Total scan traffic
# of flows
Distribution of destination addresses
Outbound traffic
?
DIMACS workshop on Large-Scale Internet
Attack, Sept 23-24, 2003
3
How to monitor?







Aggregate data from inactive addresses and
ports
Address space
Address and port selection
Learn trend and determine anomalies
Selectively monitoring
Adaptive monitoring
Feedback based
DIMACS workshop on Large-Scale Internet
Attack, Sept 23-24, 2003
4
Potential Issues





Spoofed IP
Multi-vector worm
Aggressive scan
Stealth scan
Detecting only large scale attack
DIMACS workshop on Large-Scale Internet
Attack, Sept 23-24, 2003
5
Analytical Active Worm
Propagation (AAWP) Model

T: size of the address space worm scans
N: total number of vulnerable hosts in the
space
S: scan rate

ni: number of infected machines at time i


DIMACS workshop on Large-Scale Internet
Attack, Sept 23-24, 2003
6
Monitoring Random Scan
4 x 10
number of infected nodes
3.5
3
5
simulated Code Red v2 like worm
224 addresses monitored
220 addresses monitored
216 addresses monitored
28 addresses monitored
2.5
2
1.5
1
0.5
0
0
5
10
15
20
25
time (hour)
DIMACS workshop on Large-Scale Internet
Attack, Sept 23-24, 2003
7
Detection Time vs. Monitoring Space
DIMACS workshop on Large-Scale Internet
Attack, Sept 23-24, 2003
8
Local Subnet Scan


The worms preferentially scan for targets on
the “local” address space
Nimda worm:
50% of the time, choose an address with the same first two octets
25% of the time, choose an address with the same first octet
25% of the time, choose a random address
AAWP model is extended to understand the
characteristics of local subnet scanning
DIMACS workshop on Large-Scale Internet
Attack, Sept 23-24, 2003
9
Compare Local Subnet Scan with
Random Scan
10 x 10
9
4
random scanning
local subnet scanning like Nimda worm
number of infected nodes
8
7
6
5
4
3
2
1
0
0
1000
DIMACS workshop on Large-Scale Internet
Sept 23-24,
2003
2000 Attack,
3000
4000
5000
time tick (second)
10
6000
7000
8000
More Malicious Scan

Random Scan



Wastes too much power
Easier to get caught
More malicious scan techniques

Probing hosts are chosen more carefully?
DIMACS workshop on Large-Scale Internet
Attack, Sept 23-24, 2003
11
Scan Methods




Selective Scan
Routable Scan
Divide-Conquer Scan
Hybrid Scan
DIMACS workshop on Large-Scale Internet
Attack, Sept 23-24, 2003
12
Selective Scan



Randomly selected destinations
Selective Random Scan
 Slapper worm
 Picks 162 /8 networks
Benefit: Simplicity, small program size
DIMACS workshop on Large-Scale Internet
Attack, Sept 23-24, 2003
13
Selective Scan
DIMACS workshop on Large-Scale Internet
Attack, Sept 23-24, 2003
14
Routable Scan
Scan only routable addresses from global BGP
table
 How to reduce the payload?

prefixes  merge address segments, and
use 2^16 threshold = 15.4 KB database
 Only 20% segments contribute 90% addresses
 3KB database
 112K

Further compression
DIMACS workshop on Large-Scale Internet
Attack, Sept 23-24, 2003
15
Spread of Routable Scan
DIMACS workshop on Large-Scale Internet
Attack, Sept 23-24, 2003
16
Monitoring Routable Scan
DIMACS workshop on Large-Scale Internet
Attack, Sept 23-24, 2003
17
Divide-Conquer Scan




An extension to routable scan
Each time a new host gets infected, it will get
half of the address space.
Susceptible to single point of failure
Possible overlapping address space
DIMACS workshop on Large-Scale Internet
Attack, Sept 23-24, 2003
18
Divide-Conquer Scan
DIMACS workshop on Large-Scale Internet
Attack, Sept 23-24, 2003
19
Monitoring Divide-Conquer Scan
DIMACS workshop on Large-Scale Internet
Attack, Sept 23-24, 2003
20
Hybrid Scan


A combination of the simple scan methods
above
For example:


Routable + Hitlist + Local Subnet Scan
Divide-Conquer + Hitlist
DIMACS workshop on Large-Scale Internet
Attack, Sept 23-24, 2003
21
More Details

See
Modeling the Spread of Active Worms, Z.Chen, L. Ga
K. Kwiat, INFOCOM 2003 at
http://www-unix.ecs.umass.edu/~lgao/paper/AAWP.pdf
 An Effective Architecture and algorithm for Detecting
Worms with Various Scan Techniques, J. Wu, S.
Vangala, L.Gao, K.Kwiat, at
http://rio.ecs.umass.edu/gao/paper/final.pdf

DIMACS workshop on Large-Scale Internet
Attack, Sept 23-24, 2003
22