Modeling, Early Detection, and Mitigation of Internet Worm Attacks
Cliff C. Zou
Assistant Professor, School of Computer Science
University of Central Florida, Orlando, FL
Email: czou@eecs.ucf.edu
Web: http://www.cs.ucf.edu/~czou
Find new targets: IP random scanning
Compromise targets: exploit vulnerability
Newly infected hosts join the infection army
Code Red (Jul. 2001): 360,000 infected in 14 hours
Slammer (Jan. 2003): 75,000 infected in 10 minutes
Congested parts of the Internet (ATMs down…)
Blaster (Aug. 2003): 150,000 ~ 8 million infected
DDoS attack (shut down the domain windowsupdate.com)
Witty (Mar. 2004): 12,000 infected in half an hour
Attacked a vulnerability in ISS security products
Sasser (May 2004): 500,000 infected within two days
Infection is faster than human response!
Automatic response required
First, understanding worm behavior
Basis for worm detection/defense
Next, early warning of an unknown worm
Detection based on worm model
Prediction of worm damage scale
Last, autonomous defense
Dynamic quarantine
Self-tuning defense
Worm propagation modeling
Early warning of an unknown worm
Autonomous defense
Summary and current work
Worm propagation modeling
Simple worm propagation model
Address space of size W
N: total vulnerable hosts
I_t: # infected by time t
N - I_t: # vulnerable at time t
h: scan rate (per infected host)
Prob. of a scan hitting a vulnerable host: (N - I_t)/W
# of newly infected in a unit time: dI_t/dt = h I_t (N - I_t)/W
Simple worm propagation
[Figure: I_t (×10^5) vs. Time t, 0 to 600]
Simple worm model matches observed Code Red data
[Figure: # of monitored scans vs. Model, Time (hour) 2 to 18]
“Ideal” network condition:
No human countermeasures
No network congestion
First model work to consider these [CCS’02]
Witty’s destructive behavior:
1). Send 20,000 UDP scans to 20,000 IP addresses
2). Write 65KB at a random point on the hard disk
Consider an infected computer:
Constant bandwidth → constant time to send 20,000 scans
Random-point writing → the infected host crashes with some probability
Crashing time approximated by an exponential distribution
# of vulnerable at t
# of crashed infected computers at time t
[Figure: Witty trace vs. Model, I_t (0 to 12,000) vs. Time (UTC) in March 20 ~ 21, 2004, hours 4:30 to 04:00]
*Witty trace provided by U. Michigan “Internet Motion Sensor”
Hitlist worm, routing worm
Hitlist worm — increase I_0
Contains a list of known vulnerable hosts
Infects hit-list hosts first, then randomly scans
Lasts less than a minute
Routing worm — decrease W
Only scans BGP routable space
BGP table information: W = 0.32 × 2^32
32% of IPv4 space is Internet routable
Code Red style worm: h = 358/min, N = 360,000; hitlist: I(0) = 10,000; routing: W = 0.29 × 2^32
[Figure: # infected (0 to 400,000) vs. Time (minutes) 0 to 600, for Code Red worm, Hit-list worm, Routing worm, Hitlist routing worm]
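The simple model and the hitlist/routing variants above, as an added example (not from the slides): a discrete-time simulation of dI/dt = h I_t (N - I_t)/W with the Code Red parameters, reporting how long each variant takes to infect half of N. The half-infection mark and the one-minute Euler step are my choices.

```python
"""Simple worm model dI/dt = h * I_t * (N - I_t) / W, simulated in discrete time.

Added example: Code Red parameters plus the hitlist (larger I_0) and
routing (smaller W) variants. Not code from the slides.
"""

def simulate(N, h, W, I0, minutes, step=1.0):
    """Infected counts I_t for t = 0..minutes (Euler steps of `step` minutes).

    Each infected host sends h scans per minute; a scan hits a still-vulnerable
    host with probability (N - I_t) / W.
    """
    I = float(I0)
    traj = [I]
    for _ in range(int(minutes / step)):
        newly_infected = h * I * (N - I) / W * step
        I = min(float(N), I + newly_infected)   # cannot exceed the vulnerable population
        traj.append(I)
    return traj

def time_to_fraction(traj, frac, N, step=1.0):
    """First time at which I_t >= frac * N, or None if never reached."""
    for k, I in enumerate(traj):
        if I >= frac * N:
            return k * step
    return None

def growth_rate(N, h, W):
    """Early-stage exponential rate a = h N / W (I_t ~ I_0 e^{a t}), per minute."""
    return h * N / W

# Code Red style parameters used on the slides
N, H, W32 = 360_000, 358.0, 2 ** 32
SCENARIOS = {
    "Code Red worm": dict(I0=10, W=W32),
    "Hit-list worm": dict(I0=10_000, W=W32),
    "Routing worm": dict(I0=10, W=0.29 * W32),
    "Hitlist routing worm": dict(I0=10_000, W=0.29 * W32),
}

def half_infection_times(minutes=600):
    """Minutes until half of N is infected, for each scenario."""
    return {name: time_to_fraction(simulate(N, H, s["W"], s["I0"], minutes), 0.5, N)
            for name, s in SCENARIOS.items()}

if __name__ == "__main__":
    print(f"a = {growth_rate(N, H, W32) * 60:.2f}/hour")   # 1.80/hour for Code Red
    for name, t in half_infection_times().items():
        print(f"{name:22s} 50% infected at t = {t} min")
```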
Botnet-based Diurnal Modeling
[Figure: # of online infectious hosts vs. Time, 12/31/04 to 01/05/05, three panels: Asia group, North America group, Europe group]
Diurnal property of online infectious hosts
Determined by time zone
Worm Propagation Diurnal Model
Divide Internet hosts into groups
Each group has hosts in one or several nearby time zones (same diurnal property)
Consider modeling in one group, with: the diurnal shaping function (fraction of online hosts); # of infected; # of susceptible; # of online infected; # of online susceptible
Optimal Worm Releasing Time based on Diurnal Model
[Figure: # infected vs. worm Release time (UTC hours), 00:00 to 24:00]
Diurnal property affects a worm’s speed
Speed prediction derived based on diurnal model
Early warning of an unknown worm
How to detect an unknown worm at its early stage?
Monitor worm scans to unused IPs: TCP/SYN packets, UDP packets
Also called “darknet”
[Figure: Internet → monitored traffic → local network with unused IP space]
Monitored data is noisy
Worm anomaly vs. other anomalies?
A worm has its own propagation dynamics
Deterministic models are appropriate for worms
Can we take advantage of the worm model to detect a worm?
Worm model in early stage
[Figure: I_t vs. Time t, linear scale (0 to 600) and log scale (0 to 300) with the 1% and 2% infection marks]
Initial stage exhibits exponential growth
“Trend Detection”
Detect traffic trend, not burst
Trend: worm exponential growth trend at the beginning
Detection: estimated exponential rate a becomes a positive, constant value
[Figure: Monitored illegitimate traffic rate and on-line estimation of the exponential rate a, for non-worm burst traffic vs. worm traffic]
Why exponential growth at the beginning?
Attacker’s incentive: infect as many as possible before people’s counteractions
If not, a worm does not reach its spreading speed limit
A slow-spreading worm is detected by other means:
Security experts’ manual checks
Honeypots, …
Model for estimating the worm exponential growth rate a
Exponential model:
Z_t: # of monitored scans at time t
Monitoring noise; yield
System model; Kalman filter for estimation of X_t
Code Red simulation experiments
Population: N = 360,000; infection rate: a = 1.8/hour; scan rate h ~ N(358/min, 100^2); initially infected: I_0 = 10
Monitored IP space: 2^20; monitoring interval: 1 minute
Consider background noise
[Figure: I_t (×10^5) vs. Time t (minute), 100 to 700; real vs. estimated value of a vs. Time t (minute), 128 to 250]
At 0.3% (157 min): estimate stabilizes at a positive constant value
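The trend-detection rule and the Kalman-filter estimate of a, as an added example that is not the slides' code: the filter treats X = 1 + a as a constant state observed through Z_t = X Z_{t-1} + noise, and the alarm fires only when the estimate holds at a positive, roughly constant value. The worm trace, the burst trace, the noise model and the 25% stability rule are my constructions.

```python
"""Trend detection (added example, not the slides' code): estimate the
exponential growth rate a of monitored scan traffic with a scalar Kalman filter
and alarm only when the estimate settles at a positive constant.
Assumptions (mine): early-stage worm I_t = I_0 (1 + a)^t per minute; a darknet of
2^20 addresses sees the fraction 2^20 / 2^32 of each host's h scans; the
monitored count carries zero-mean Gaussian noise after background removal."""
import random

def worm_trace(a=0.03, I0=10, minutes=400, h=358.0, monitored=2 ** 20, sigma=2.0, seed=1):
    """Constructed monitored scan counts Z_t for an exponentially growing worm."""
    rng = random.Random(seed)
    eta = h * monitored / 2 ** 32   # expected scans seen per infected host per minute
    return [eta * I0 * (1 + a) ** t + rng.gauss(0, sigma) for t in range(minutes)]

def burst_trace(minutes=400, onset=100, peak=2000.0, decay=0.97, sigma=2.0, seed=1):
    """Constructed non-worm burst: a spike at `onset` that decays geometrically."""
    rng = random.Random(seed)
    return [(peak * decay ** (t - onset) if t >= onset else 0.0) + rng.gauss(0, sigma)
            for t in range(minutes)]

def estimate_rate(Z, R=1.0, Q=0.0):
    """Kalman filter for the constant state X = 1 + a in Z_t = X * Z_{t-1} + v_t;
    returns the on-line estimates of a = X_t - 1 (R: noise variance, Q: process noise)."""
    X, P = 1.0, 1.0                     # prior: no growth, large uncertainty
    est = []
    for zp, z in zip(Z, Z[1:]):
        P += Q
        K = P * zp / (zp * zp * P + R)   # gain; the observation matrix H_t is Z_{t-1}
        X += K * (z - zp * X)
        P *= 1 - K * zp
        est.append(X - 1)
    return est

def detect_trend(est, window=20, tol=0.25):
    """First index after which `window` consecutive estimates are positive and vary
    by less than tol * mean (the 'positive, constant value' rule); None otherwise."""
    for i in range(window, len(est) + 1):
        w = est[i - window:i]
        if min(w) > 0 and max(w) - min(w) < tol * (sum(w) / window):
            return i
    return None

if __name__ == "__main__":
    for name, Z in (("worm", worm_trace()), ("burst", burst_trace())):
        est = estimate_rate(Z)
        t = detect_trend(est)
        rate = f"{est[t - 1] * 60:.2f}/hour" if t else "no stable positive trend"
        print(f"{name}: alarm at minute {t}, a = {rate}")
```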
Damage evaluation — Prediction of global vulnerable population N
[Figure: predicted N (×10^5) vs. Time t (minute), 128 to 250]
Accurate prediction when less than 1% of N infected
Damage evaluation — Estimation of global infected population I_t
C_t: cumulative # of observed infected hosts by time t
Per host scan rate; fraction of address space monitored
Prob. that an infected host is observed by the monitor in a unit time
# of newly observed (t → t+1) ≈ Prob. × # of unobserved infected by t
Monitoring 2^14 IP space (p = 4 × 10^-6)
[Figure: Real infected I_t, Observed C_t, Estimated I_t (×10^5) vs. Time t (minute), 100 to 700]
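The I_t estimator and the prediction of N from the two damage-evaluation slides, as an added example (not the slides' code). It calls the slide's fraction of monitored space f, the per-minute observation probability q, and recovers I_t from one-step increments of C_t; the ground-truth trajectory and the noisy sighting process are constructed.

```python
"""Damage evaluation from darknet observations (added example, not the slides' code).
Assumptions (mine): the monitor covers a fraction f of the IPv4 space (the slide's
p = 2^14 / 2^32); an infected host scanning h times a minute is seen by the monitor
in a given minute with probability q = 1 - (1 - f)^h; with C_t the cumulative number
of distinct infected hosts seen by minute t, the expected number of new sightings in
(t, t+1] is q * (I_t - C_t), so I_t ~ C_t + (C_{t+1} - C_t) / q.  The vulnerable
population follows from the early growth rate a = h N / W."""
import math
import random

def observation_prob(h, monitored, W=2 ** 32):
    """q: probability that an infected host hits the monitored block within one minute."""
    return 1 - (1 - monitored / W) ** h

def logistic_trace(N=360_000, I0=10, a=0.03, minutes=600):
    """Closed-form simple-model trajectory I_t (a in 1/minute), used as ground truth."""
    return [N / (1 + (N / I0 - 1) * math.exp(-a * t)) for t in range(minutes + 1)]

def observe(I, q, noisy=True, seed=7):
    """Constructed cumulative sightings C_t: each unseen infected host is seen with prob q.
    noisy=True draws each minute's count from a normal approximation of the binomial."""
    rng = random.Random(seed)
    C = [0.0]
    for It in I[:-1]:
        new = q * max(It - C[-1], 0.0)
        if noisy:
            new = max(0.0, round(rng.gauss(new, math.sqrt(new * (1 - q)))))
        C.append(C[-1] + new)
    return C

def estimate_infected(C, q):
    """I_t estimates for t = 0..len(C)-2 from the one-step increments of C."""
    return [c + (cn - c) / q for c, cn in zip(C, C[1:])]

def predict_N(a, h, W=2 ** 32):
    """Vulnerable population implied by the estimated exponential rate: N = a W / h."""
    return a * W / h

if __name__ == "__main__":
    q = observation_prob(358, 2 ** 14)   # about 1.4e-3 per infected host per minute
    I = logistic_trace()
    est = estimate_infected(observe(I, q), q)
    for t in (200, 300, 400, 500):
        print(f"t={t} min: real I_t={I[t]:.0f}, estimated={est[t]:.0f}")
    print(f"N predicted from a = 1.8/hour (0.03/min): {predict_N(0.03, 358):.0f}")
```

Early in the outbreak only a handful of hosts are sighted per minute, so the one-step estimate is very noisy; it tightens as I_t grows, which is why the slides show estimates converging later in the trace.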
Autonomous defense
Autonomous defense principles
Principle #1: Preemptive Quarantine
Compared to the attack’s potential damage, we are willing to tolerate some false alarm cost
Quarantine upon suspicion, confirm later
Basis for our Dynamic Quarantine [WORM’03]
Principle #2: Adaptive Adjustment
More serious attack, more aggressive defense
At any time t, minimize: (attack damage cost) + (false alarm cost)
Self-tuning defense against various network attacks
Principle #2: Adaptive Adjustment
More severe attack, more aggressive defense
Self-tuning defense system designs:
SYN flood Distributed Denial-of-Service (DDoS) attack
Internet worm infection
DDoS attack with no source address spoofing
Motivation of self-tuning defense
False positive prob.: blocking normal traffic
False negative prob.: missing attack traffic
Detection sensitivity
Fraction of attack in traffic: p
[Figure: operation curve of false negative prob. vs. false positive prob. (0 to 1), for a light attack and a severe attack]
Q: Which operation point is “good”?
A: All operation points are good; the optimal one depends on attack severity p
Attack estimation
[Figure: Incoming → Filter → Passed]
Fraction of detected traffic; # of incoming attack traffic; # of incoming normal traffic
Unbiased estimate
Self-tuning optimization
[Figure: Incoming → Filter → Passed; attack estimation fed back at discrete time k → k+1]
Optimization: minimize the cost over the fraction of dropped normal traffic and the fraction of passed attack traffic, weighted by the cost of passing a unit of attack traffic
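The self-tuning optimization, as an added example (not the slides' code): a constructed detector with Gaussian score distributions, the cost p*c*FN + (1-p)*FP minimized over the detection threshold, and an attack-fraction estimate from the drop rate that feeds the next tuning step. The score distributions, c = 5 and the grid search are my assumptions.

```python
"""Self-tuning defense (added example, not the slides' code): pick the detector
operating point that minimizes (attack damage cost) + (false alarm cost) for the
current attack severity, and re-estimate severity from what the filter drops.
Assumptions (mine): the detector scores each traffic unit, normal scores ~ N(0,1),
attack scores ~ N(2,1), and it drops scores above a threshold theta (the
detection sensitivity); passing one attack unit costs c times dropping one normal
unit; p is the fraction of attack traffic."""
import math

def Phi(x):
    return 0.5 * (1 + math.erf(x / math.sqrt(2)))   # standard normal CDF

def false_positive(theta):
    """Probability a normal traffic unit is dropped (score above theta)."""
    return 1 - Phi(theta)

def false_negative(theta, shift=2.0):
    """Probability an attack traffic unit is passed (score below theta)."""
    return Phi(theta - shift)

def expected_cost(theta, p, c):
    """Cost per traffic unit: p*c*FN (attack passed) + (1-p)*FP (normal dropped)."""
    return p * c * false_negative(theta) + (1 - p) * false_positive(theta)

def optimal_threshold(p, c=5.0):
    """Threshold minimizing expected_cost, by grid search over [-2, 5] in steps of 0.01."""
    thetas = [i / 100 for i in range(-200, 501)]
    return min(thetas, key=lambda th: expected_cost(th, p, c))

def estimate_attack_fraction(dropped_fraction, theta):
    """Unbiased estimate of p from the fraction of traffic dropped at threshold theta:
    E[dropped] = (1 - p) * FP + p * (1 - FN), solved for p."""
    fp, fn = false_positive(theta), false_negative(theta)
    return (dropped_fraction - fp) / (1 - fn - fp)

def self_tune(dropped_fraction, theta, c=5.0):
    """One adaptation step (time k -> k+1): estimate severity at the current
    setting, then move to the threshold that is optimal for it."""
    p_hat = min(1.0, max(0.0, estimate_attack_fraction(dropped_fraction, theta)))
    return p_hat, optimal_threshold(p_hat, c)

if __name__ == "__main__":
    for p in (0.02, 0.2, 0.5):
        th = optimal_threshold(p)
        print(f"p={p}: theta*={th:.2f}, FP={false_positive(th):.3f}, FN={false_negative(th):.3f}")
    # a filter tuned for a light attack (p=0.02) sees a severe one (p=0.5) arrive
    th = optimal_threshold(0.02)
    dropped = 0.5 * false_positive(th) + 0.5 * (1 - false_negative(th))
    print("re-tuned to p_hat=%.2f, theta=%.2f" % self_tune(dropped, th))
```

The threshold falls as the estimated attack fraction rises, which is the "more severe attack, more aggressive defense" principle expressed as a cost minimization.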
Self-tuning defense
[Diagram: Attack severity → Operation settings → Detection → Defense]
More severe attack, more aggressive defense
Summary and current work
Worm modeling:
Two-factor model: human counteractions; network congestion
Diurnal modeling; worm scanning strategies modeling
Early detection:
Detection based on “exponential growth trend”
Estimate/predict worm potential damage
Autonomous defense:
Dynamic quarantine (interviewed by NPR)
Self-tuning defense (patent filed by AT&T)
Current work: email-based worm modeling and defense