Comparison of Worm Detection Strategies - PowerPoint PPT Presentation

Slides: 14
Provided by: sarmav

Transcript and Presenter's Notes

1
Comparison of Worm Detection Strategies
  • Sarma Vangala

2
List of Mechanisms
  • Countermalice (enterprise level)
  • Reverse Sequential Hypothesis testing using rate
    limiting (RSHT)
  • Destination Source Correlation (DSC)

3
Containment of Scanning Worms in Enterprise
networks
  • Looking at how many scans must go out of a cell
    before an IP address is contained/blocked
  • Using cell-based detection improves detection;
    preferably one host per cell
  • Worm should concentrate more on the local subnet than
    on the outside

4
Comparison of Countermalice and VNBA
  Countermalice:
  • Enterprise level
  • Able to contain a host before T scans go out
  • T dependent on the number of vulnerable hosts
  • Observing traffic to active and inactive hosts
  • Based on creating a score of how many
    destinations were contacted and how many did not
    reply
  • Containment stops traffic going out
  VNBA:
  • Global
  • Infection contained before p are infected? p is
    difficult to determine
  • p dependent on scan rate and the number of vulnerable
    hosts
  • Observing for patterns to active and inactive
    hosts
  • Based on the idea that a worm-infected host contacts
    inactive addresses
  • Containment stops traffic coming in
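The cell-based containment idea of slides 3 and 4, as an added example written for this transcript (it is not code from the slides or from the Countermalice work they summarise, and the model is an assumption): every host is its own cell, each first contact to a new destination counts towards the host's score until that destination replies, and once the score reaches T the host is blocked from sending. T and the event trace are constructed for the example.

```python
"""Cell-based scan containment (assumed, simplified model; added example)."""
from collections import defaultdict

DEFAULT_T = 10  # assumed value; the slides say T depends on the number of vulnerable hosts


class CellContainment:
    def __init__(self, threshold=DEFAULT_T):
        self.threshold = threshold
        self.seen = defaultdict(set)      # src -> destinations contacted before
        self.pending = defaultdict(set)   # src -> first contacts still unanswered
        self.score = defaultdict(int)     # src -> count of unanswered first contacts
        self.blocked = set()

    def outbound(self, src, dst):
        """Host src tries to open a connection to dst; returns False if dropped."""
        if src in self.blocked:
            return False
        if dst not in self.seen[src]:           # repeat contacts are not scans
            self.seen[src].add(dst)
            self.pending[src].add(dst)
            self.score[src] += 1
            if self.score[src] >= self.threshold:
                self.blocked.add(src)           # containment: stop outbound traffic
        return True

    def reply(self, dst, src):
        """dst answered src's first contact, so that attempt was not a scan."""
        if dst in self.pending[src]:
            self.pending[src].discard(dst)
            self.score[src] -= 1


def run_trace(events, threshold=DEFAULT_T):
    """Replay (kind, a, b) events; returns (blocked hosts, dropped attempts)."""
    cc = CellContainment(threshold)
    dropped = 0
    for kind, a, b in events:
        if kind == "syn":                       # a = source, b = destination
            if not cc.outbound(a, b):
                dropped += 1
        elif kind == "synack":                  # a = replying destination, b = source
            cc.reply(a, b)
    return cc.blocked, dropped


# Constructed trace: a worm host probes 12 addresses that never answer,
# while a benign host opens 15 connections that are all answered.
WORM_TRACE = [("syn", "10.0.1.20", f"10.0.9.{i}") for i in range(1, 13)]
BENIGN_TRACE = []
for i in range(1, 16):
    BENIGN_TRACE.append(("syn", "10.0.1.30", f"10.0.2.{i}"))
    BENIGN_TRACE.append(("synack", f"10.0.2.{i}", "10.0.1.30"))

if __name__ == "__main__":
    print(run_trace(WORM_TRACE))     # expect ({'10.0.1.20'}, 2)
    print(run_trace(BENIGN_TRACE))   # expect (set(), 0)
```

The model makes the slide's trade-off visible: a benign host that bursts T new connections before any reply arrives is also blocked, which is why the slides tie T to the vulnerable population rather than fixing it.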

5
Calculations/Analysis
  Countermalice:
  • Idea used: if we can keep the average number of hosts
    infected by any host below one, containment
    can be done easily and the worm does not spread to
    uncontrollable limits (or has already spread)
  • Calculations of the number of the vulnerable population
    infected
  VNBA:
  • Idea used: a quick surge in the number of victims
    is bad
  • Calculations of the number of infected nodes below a bound
    (unsuccessful); the value depends on noise in the
    trace

6
Problems
  Countermalice:
  • Random or routable only
  • Determining vulnerability is difficult
  • What is an unsuccessful scan? How are scan and
    non-scan packets differentiated?
  VNBA:
  • Random or routable only
  • Determining N and s is difficult
  • Multiple parameters required

7
Reverse Seq. Hypothesis testing and credit based
rate limiting
  • Detection: observe the sequence of connection
    attempts by a host; every hit/fail moves the running
    score one unit down/up, and two thresholds
    determine whether the host is benign or malicious
  • Give credit to hosts that connect successfully
  • Based on the idea of slowing down hosts that do
    malicious scanning
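The per-host test and credit scheme of slide 7, as an added example (not code from the slides or from the RSHT paper). The score moves one unit per observation as the slide describes; as an assumption about the "reverse" formulation, the score is floored at the benign side so that a long benign history cannot mask a later infection, and a host is flagged once the score reaches the malicious threshold. The credit parameters (10 starting credits, one spent per first contact, two returned on success, capped at 10) and the traces are constructed for the example.

```python
"""Reverse sequential hypothesis test with credit-based rate limiting (added example)."""
from dataclasses import dataclass, field

MALICIOUS_THRESHOLD = 5   # assumed: units of failed first contacts before alarm
BENIGN_FLOOR = 0          # assumed: score never drops below the benign side
START_CREDITS = 10        # assumed credit parameters
MAX_CREDITS = 10


@dataclass
class HostState:
    score: int = 0
    credits: int = START_CREDITS
    contacted: set = field(default_factory=set)
    verdict: str = "unknown"


class ReverseSHT:
    def __init__(self, threshold=MALICIOUS_THRESHOLD):
        self.threshold = threshold
        self.hosts = {}

    def request(self, host, dst):
        """Outbound first contact. Returns False if rate limiting holds it back."""
        st = self.hosts.setdefault(host, HostState())
        if dst in st.contacted:
            return True                       # not a first contact: no credit cost
        if st.credits <= 0:
            return False                      # out of credit: attempt is delayed
        st.credits -= 1
        st.contacted.add(dst)
        return True

    def outcome(self, host, success):
        """Record whether the first contact succeeded; returns the current verdict."""
        st = self.hosts.setdefault(host, HostState())
        if success:
            st.score = max(BENIGN_FLOOR, st.score - 1)        # hit: one unit towards benign
            st.credits = min(MAX_CREDITS, st.credits + 2)     # successful connections earn credit
            if st.verdict != "malicious" and st.score == BENIGN_FLOOR:
                st.verdict = "benign"
        else:
            st.score += 1                                     # miss: one unit towards malicious
            if st.score >= self.threshold:
                st.verdict = "malicious"                      # alarm is sticky once raised
        return st.verdict


def classify(host, observations):
    """Feed (dst, success) pairs through a fresh test; returns (verdict, delayed attempts)."""
    test = ReverseSHT()
    delayed = 0
    for dst, success in observations:
        if not test.request(host, dst):
            delayed += 1                      # credit exhausted: attempt not sent
            continue
        test.outcome(host, success)
    return test.hosts[host].verdict, delayed


# Constructed observation sequences (distinct destinations, so each is a first contact).
SCANNER = [(f"10.0.9.{i}", False) for i in range(12)]
BENIGN = [(f"10.0.2.{i}", i not in (2, 6, 10)) for i in range(12)]
BENIGN_THEN_INFECTED = [(f"10.0.3.{i}", True) for i in range(20)] + \
                       [(f"10.0.4.{i}", False) for i in range(5)]

if __name__ == "__main__":
    print(classify("h1", SCANNER))                # expect ('malicious', 2)
    print(classify("h2", BENIGN))                 # expect ('benign', 0)
    print(classify("h3", BENIGN_THEN_INFECTED))   # expect ('malicious', 0)
```

The third trace is the point of the reverse test: twenty successful connections do not build up a reserve of "benign" evidence, so the five failures that follow still raise the alarm at the same threshold.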

8
Comparison of RSHT and VNBA
  RSHT:
  • Active hosts and their unsuccessful connection
    attempts
  • Adaptive threshold increases or decreases based
    on a connection being a hit or a miss
  • Global or enterprise
  • Needs no learning mechanism
  • Can set the desired detection performance and
    false alarm levels
  • Parameters (θ0, θ1) dependent on noise
  • Rate limiting to benefit benign hosts
  VNBA:
  • Inactive hosts contacted by victims
  • Adaptive threshold varying with the number of newly
    detected victims
  • Global or enterprise
  • Needs learning of victims in everyday traffic
  • No such advantage, and determining them is difficult
  • Parameters (N, s) dependent on noise in traffic
  • No such mechanism

9
Calculations/Analysis
  RSHT:
  • Preset values of detection performance and false
    alarms
  • Set θ0 and θ1; no way of determining these
  • Ability to detect benign scanners
  VNBA:
  • No preset detection performance levels; false
    alarms difficult to determine
  • Set N and s; no way of determining these
  • Need multiple parameters to detect these

10
Problems
  VNBA:
  • Slowly scanning worms can be detected so long as
    the scanning is random or routable
  • Need only count the number of victims; not
    dealing with containment here
  • Problems with noise: if attackers can somehow
    make the noise towards the inactive hosts high,
    parameters and detection times vary
  • Detected using multiple parameters to reduce
    false alarms
  • Gamma, r and k dependent on traces
  • The faster the worm, the faster the detection
  • Most importantly, based on the observation that
    scans should generally not go to the inactive
    address space
  RSHT:
  • Slowly scanning worms avoid detection
  • Must maintain state for each host
  • Not dealing with cases where the network is
    unreachable
  • Cannot detect in the cases of DDoS attacks and
    other scenarios
  • Failed to detect an instance of MyDoom which
    Virus throttle did
  • Not exactly described why they chose the
    parameters to compare with Williamson
  • Needs more first-contact connections to discover
    Code Red II while claiming it is a fast scanner. What
    about Slammer then?
  • Most importantly, based on the observation that
    benign hosts get more hits than malicious ones

11
Destination Source Correlation
  • Observe the number of connections coming in and
    going out of a port
  • Track the destination address inside the network and
    the source address for each port; if a scan comes from the
    same port of a destination host to others, increment the
    counter; if counter > trained threshold, alert
  • Three Bloom filters for every port, D(i-1), D(i)
    and S(i) -> for every tick note the victim's IP
    address and scan rate; if the scan rate deviates from
    the normal profile then alert
  • No idea of what the training algorithm is; the
    mechanism is not explained; abnormal determined using
    Chebyshev's inequality
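The correlation step of slide 11 (and the "faster scan fills the filter faster" point of slide 12), as an added example that is not code from the slides or from the DSC paper. The reading of the three filters is an assumption: D(i-1) and D(i) remember internal hosts that were connection destinations on a port in the previous and current tick, S(i) remembers hosts already reported as scanning sources in the current tick, and a host that was a destination on a port and then opens connections out on the same port has its counter incremented, with an alert once the counter exceeds the threshold. The threshold is a fixed assumed value rather than a trained one, the filter size is assumed, and the trace is constructed.

```python
"""Destination-source correlation with per-port Bloom filters (added example)."""
import hashlib
from collections import defaultdict


class BloomFilter:
    """Bit-array Bloom filter with k positions derived from SHA-256."""

    def __init__(self, bits=8192, hashes=3):      # 1 KB per filter; assumed size
        self.bits, self.k = bits, hashes
        self.bitset = bytearray(bits // 8)

    def _positions(self, item):
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:4], "big") % self.bits

    def add(self, item):
        for p in self._positions(item):
            self.bitset[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        # may say True for an item never added (false positive), never False for one added
        return all(self.bitset[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


class DSC:
    """Destination-source correlation over one port-keyed filter set per tick."""

    def __init__(self, internal, threshold=3):    # threshold assumed fixed, not trained
        self.internal = set(internal)
        self.threshold = threshold
        self.d_prev = defaultdict(BloomFilter)    # port -> D(i-1): destinations last tick
        self.d_cur = defaultdict(BloomFilter)     # port -> D(i): destinations this tick
        self.s_cur = defaultdict(BloomFilter)     # port -> S(i): sources reported this tick
        self.counter = defaultdict(int)           # (host, port) -> correlated outbound connections
        self.alerts = []                          # (tick, host, port)
        self.tick = 0

    def observe(self, src, dst, port):
        """One observed connection attempt src -> dst on port."""
        if dst in self.internal:
            self.d_cur[port].add(dst)
        was_destination = src in self.d_prev[port] or src in self.d_cur[port]
        if src in self.internal and was_destination:
            key = (src, port)
            self.counter[key] += 1
            if self.counter[key] > self.threshold and src not in self.s_cur[port]:
                self.s_cur[port].add(src)         # report each victim once per tick
                self.alerts.append((self.tick, src, port))

    def end_tick(self):
        """Rotate filters: D(i) becomes D(i-1); D(i) and S(i) start empty."""
        self.d_prev = self.d_cur
        self.d_cur = defaultdict(BloomFilter)
        self.s_cur = defaultdict(BloomFilter)
        self.tick += 1

    def victims_in_tick(self, tick):
        return sorted({host for t, host, _ in self.alerts if t == tick})


def simulate():
    """Constructed trace: an outside host contacts 10.0.0.5 on port 445, 10.0.0.5
    then opens port-445 connections to ten internal neighbours, while
    10.0.0.6 makes ordinary outbound web connections."""
    dsc = DSC(internal={f"10.0.0.{i}" for i in range(1, 32)})
    dsc.observe("192.0.2.1", "10.0.0.5", 445)                 # infecting contact
    for i in range(6, 16):
        dsc.observe("10.0.0.5", f"10.0.0.{i}", 445)           # spread attempts, same port
    for i in range(12):
        dsc.observe("10.0.0.6", "198.51.100.7", 80)           # benign client traffic
    dsc.end_tick()
    dsc.observe("10.0.0.5", "10.0.0.20", 445)                 # still active next tick
    return dsc


if __name__ == "__main__":
    result = simulate()
    print(result.alerts)  # expect [(0, '10.0.0.5', 445), (1, '10.0.0.5', 445)]
```

The benign client is never counted because it was never a destination on port 80, which is exactly the correlation the slide relies on; the per-port filters are also where the false positives of slide 13 come from, since membership in a Bloom filter can be wrongly reported but never wrongly denied.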

12
DSC Vs. VNBA
  DSC:
  • Local networks
  • Can figure out the IP addresses and ports where
    the attack is
  • Faster scan -> faster filling up of the Bloom
    filter -> threshold reached faster -> faster
    detection
  • Divide-and-conquer scans detected (the assumption here is
    that the connection profile is different, which might
    not be so); actually it must be written as
    detection of worms sending scans to only the active
    address space
  • HoneyStat to gather statistical data and information
    about attacks
  VNBA:
  • Global
  • Does nothing after detection; cannot tell who is
    infected and who is not
  • Faster scan leads to faster detection
  • Cannot detect scans sent only to the active address
    space (e.g. a complete scan)

13
Calculations/Analysis
  • False positives on addresses incorrectly
    determined as worm victims due to the Bloom filter
  • False positives due to DDoS and other types of
    network attacks not considered
  • Both active and inactive hosts
  • Both for TCP and UDP
  • Size of Bloom filter needed: 61,440 bytes = 60
    kB/port (not a very good number)
  • No comments; depends on the hardware we use
  • Treated by using multiple parameters
  • Inactive hosts reveal info
  • Both for TCP and UDP
  • Not calculated yet