
An Integrated Approach to Detection of Fast and Slow Scanning Worms ASIACCS’09

Frank Akujobi, Ioannis Lambadaris, Evangelos Kranakis (Carleton Univ, CA). An Integrated Approach to Detection of Fast and Slow Scanning Worms, ASIACCS’09.


Presentation Transcript


  1. Frank Akujobi, Ioannis Lambadaris, Evangelos Kranakis (Carleton Univ, CA)
  An Integrated Approach to Detection of Fast and Slow Scanning Worms, ASIACCS’09

  2. Challenges to the Current Network-based Anomaly Detection Techniques
  • Designed for (suitable for detecting) FAST worms
  • Lack the capability to detect SLOW worms
  • Although some approaches are designed to detect BOTH fast and slow worms,
    • e.g., [1] adaptively adjusts the threshold to monitor the outgoing traffic of an end-host
    • e.g., [16] proposes a multi-resolution approach
  • But the DRAWBACKS are:
    • High rate of false positives and false negatives
    • Provide less information for forensic analysis
    • Not all anomalous behaviors can be seen at the network level
  [1] J. Agosta, et al., “An adaptive anomaly detector for worm detection,” in SYSML’07.
  [16] V. Sekar, et al., “A Multi-resolution Approach for Worm Detection and Containment,” in DSN’06.
  Speaker: Li-Ming Chen

  3. Proposed Integrated Approach
  • Utilizes host-based anomaly detection, and performs correlation on network traffic profiles
  • Why use host-based AIDS (Anomaly IDS)?
    • More accurate, can detect slow worms
    • Since host-based AIDS aims to detect the attempted alteration of the predefined system states of an endpoint
  • However, host-based AIDS can NOT determine the actual traffic flow responsible for the intrusion
    • (especially during multiple simultaneous attacks)
    • → the proposed approach therefore still keeps network traffic profiles as verifiable evidence

  4. (Threat Model) Worm Attack
  In each cell, there are some DEs (Detector Endpoints, host-based AIDS)
  Single or multiple attackers launch scanning worms on several targets
  Captured traffic profiles are correlated on the gateway router

  5. Overview of the Integrated Approach
  My Comment: Actually, this paper only focuses on analysis; the methods behind detection and correlation are weak or ignored without explanation!
  Figure labels: Detection Phase (at the end of the window) → Correlation Phase

  6. Fast Worm Detection
  • When an FDA detects an intrusion:
    1) the FDA notifies other FDAs (within the same cell)
    2) other FDAs start real-time recording of profiles for ALL incoming network traffic for a pre-set capture interval, tf
    3) at the END of the window, all FDAs in the cell transfer their records to their upstream GR (to the FCE)
  • Profile: {srcIP, dstPort, proto, payload}
  • My Comment:
    • AIDS is just a “function unit” to trigger the profile collection for further correlation and analysis.
    • Does not mention how the AIDS works!

  7. Slow Worm Detection
  • Unlike FDAs, the SDAs do NOT wait for a notification!
  • SDAs perform continuous real-time capturing of profiles of ALL incoming network traffic in epochs of interval ts.
  • Once an SDA detects an intrusion, it will capture the nature of the attempted alteration…
  • At the END of the window, all SDAs in the cell transfer their records to their upstream GR (to the adaptive profiler)
  • My Comment:
    • An SDA records profiles on a “single” DE → not too much data.
    • Besides, the recorded Uj will be further reduced by the adaptive profiler!

  8. Detection Windows and Adaptive Profiler
  My Comment: Does not mention how to decide the width of the windows…
  Figure labels: X32, U2
  Note: FDA waits for notification, SDA continuously collects profiles.
  Filter out fast scanning intrusion profiles; the SCE only processes the remaining profiles!

  9. Bayesian-based Correlation
  • Bayes’ theorem:
    • Expresses the posterior probability (i.e., after evidence A is observed) of a hypothesis Bi in terms of the prior probabilities of Bi and A: P(Bi|A) = P(A|Bi) P(Bi) / P(A).

  10. Fast Worm Correlation
  Bi: a specific profile i
  Nij: # of Bi recorded by the j-th DE
  Iij: indication function, the observation of Bi by the j-th DE
  m: # of DEs
  y: # of different profiles
  (the proportion of Bi among the profiles collected by the FCE)
  (the probability that fast worm A occurs, given the measure of profile Bi)
  → if Bi is observed on all FDAs, then P(A|Bi) = 1
  → P(Bi|A) can be computed using Bayes’ theorem; it represents how responsible profile i is for the observed intrusion.

  11. Fast Worm Correlation (cont’d)
  Equation-case labels from the slide:
  (only 1 profile recorded)
  (the proportion of Bi when intrusion A occurs) (for all y)
  (more than 1 profile recorded)
  (no profile recorded)

  12. Slow Worm Correlation
  • (similar to Fast Worm Correlation)
  Si: a specific profile i
  Mij: # of Si recorded by the j-th DE
  Lij: indication function, the observation of Si by the j-th DE
  m: # of DEs
  n: # of different profiles
  x: # of witness SDAs (not all DEs are considered, only the number of SDAs that detected slow worm H)

  13. Slow Worm Correlation (cont’d)
  (the proportion of Si when intrusion H occurs)
  Note: Slow Worm Correlation does not use a threshold!!
  My Comment: Too trivial, what about normal traffic!?
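An added worked example (not the paper's or the presenter's code) of the correlation step on slides 10 and 11, which has the same structure for the slow-worm case on slides 12 and 13. The slides only show the formula images, so the concrete forms of P(Bi), P(A|Bi) and P(A) used here are my assumptions, chosen so that P(A|Bi) = 1 when every FDA observed Bi, as slide 10 states; the profile values and per-FDA counts are constructed sample data.

```python
from collections import Counter

# Profile = (srcIP, dstPort, proto, payload) as on slide 6.
# Constructed sample: one capture window, m = 4 FDAs in a cell.
# Each FDA reports a Counter {profile: N_ij} of the profiles it recorded.
WORM = ("192.0.2.77", 135, "tcp", "payload-A")   # seen by all four FDAs
WEB = ("198.51.100.9", 80, "tcp", "payload-B")   # seen by two FDAs
SSH = ("203.0.113.5", 22, "tcp", "payload-C")    # seen by one FDA
SAMPLE_RECORDS = [
    Counter({WORM: 5, WEB: 2}),   # FDA 1
    Counter({WORM: 3, WEB: 1}),   # FDA 2
    Counter({WORM: 4, SSH: 1}),   # FDA 3
    Counter({WORM: 6}),           # FDA 4
]

def correlate(records):
    """Return {profile B_i: P(B_i|A)}, how responsible each recorded profile
    is for the observed intrusion A (slides 10-11).  Assumed forms (mine):
      P(B_i)   = sum_j N_ij / sum_i sum_j N_ij   share of all collected profiles
      P(A|B_i) = sum_j I_ij / m                  fraction of DEs that observed B_i
      P(A)     = sum_i P(A|B_i) P(B_i)           normaliser from Bayes' theorem
    """
    m = len(records)
    profiles = set().union(*(r.keys() for r in records))
    if not profiles:                        # slide 11: no profile recorded
        return {}
    total = sum(sum(r.values()) for r in records)
    prior = {b: sum(r.get(b, 0) for r in records) / total for b in profiles}
    likelihood = {b: sum(1 for r in records if b in r) / m for b in profiles}
    evidence = sum(likelihood[b] * prior[b] for b in profiles)
    # with a single recorded profile this collapses to P(B_i|A) = 1 (slide 11)
    return {b: likelihood[b] * prior[b] / evidence for b in profiles}

def flag(posterior, threshold=0.15):
    """Fast-worm case: keep profiles whose P(B_i|A) reaches the threshold;
    0.15 is the value the experiments on slide 22 report."""
    return sorted((b for b, p in posterior.items() if p >= threshold),
                  key=lambda b: -posterior[b])

if __name__ == "__main__":
    post = correlate(SAMPLE_RECORDS)
    for b, p in sorted(post.items(), key=lambda kv: -kv[1]):
        print(f"{p:.3f}  {b}")
    print("flagged as fast-worm profiles:", flag(post))
```

With the sample data the profile seen on all four FDAs receives P(Bi|A) of about 0.91 and the two partially observed ones 0.08 and 0.01, so only the first passes the 0.15 threshold.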

  14. Analysis of Detection Interval
  • Detection interval: the expected time required for detecting fast and slow scanning worms
  • The performance
    • Used to bound the detection probability (or the probability of false detection) in the next section
    • According to Markov’s inequality

  15. Fast Worm Detection Interval, tfd
  • tfv: the sum of inter-infection intervals until ALL FDAs have experienced worm scan hits
  • Assume the scanning of hosts in the target cell is a Poisson process with rate r hosts/second
  • G: # of scanned non-DEs before ALL m DEs are successfully scanned (W: cell size)

  16. Slow Worm Detection Interval, tsd
  • tsv: the sum of inter-infection intervals until at least one DE experiences a worm scan hit.
  • Assume the scanning of hosts in the target cell is a Poisson process with rate r hosts/minute
  • Z: # of hosts scanned until the first DE is scanned

  17. Average Detection Interval
  Figure labels: tfd, tsd (W = 128) (m = 4) (slow scanning worm) (fast scanning worm)

  18. Markov’s Inequality
  • Markov’s inequality gives an upper bound for the probability that a non-negative function of a r.v. is greater than or equal to some positive constant.
  • In this paper, the authors use Markov’s inequality to measure the “detection probability” (given an upper bound for the “detection interval”)
  Figure labels: expected detection interval; assigned upper bound; (1 – CDF)

  19. Fast Worm Detection Probability
  Formula fragments from the slide: ~ EXP((m + G)/r); 1/(W – m); (W + m)/2r
  Parameters: (W = 254) (m = 4) t = 20 (upper bound)

  20. Slow Worm Detection Probability
  Formula fragments from the slide: ~ EXP(Z/r) (Z: geometric r.v.); W/mr
  Parameters: (W = 128) (m = 4) (t = 20); (W = 128) (r = 3) (t = 20)
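An added example (mine, not the paper's or the presenter's code) that carries the detection-interval analysis of slides 15 to 20 through numerically: the closed form E[tsd] = W/(m r) that follows from Z being geometric with success probability m/W, the Markov bound on the detection probability from slide 18, and a Monte Carlo check of both the slow and the fast interval. The scanning model in the simulation (uniform choice of one of the W hosts per scan, with replacement, hosts 0..m-1 as the DEs) is my assumption; the slide's own fast-worm expression is only partly recoverable, so no closed form is given for tfd here.

```python
import random

def slow_expected_interval(W, m, r):
    """E[t_sd] for the slow worm (slides 16 and 20): Z, the number of hosts
    scanned until the first of m DEs is hit, is geometric with success
    probability m/W, so E[Z] = W/m scans and at r scans/minute
    E[t_sd] = E[Z]/r = W/(m r)."""
    return W / (m * r)

def markov_miss_bound(expected, t):
    """Markov's inequality (slide 18): P(T >= t) <= E[T]/t for the non-negative
    detection interval T.  Returns the upper bound on the probability that
    detection takes at least t (the '1 - CDF' on the slide), capped at 1."""
    return min(1.0, expected / t)

def detection_probability_lower_bound(expected, t):
    """P(T < t) >= 1 - E[T]/t: the worst-case probability of detecting within t."""
    return 1.0 - markov_miss_bound(expected, t)

def simulate_interval(W, m, r, needed, trials=2000, seed=7):
    """Monte Carlo check of the interval under my assumed model: scans form a
    Poisson process of rate r, each scan picks one of the W hosts uniformly at
    random with replacement, hosts 0..m-1 are the DEs, and detection completes
    once `needed` distinct DEs have been hit (needed=1: slow worm, first DE;
    needed=m: fast worm, all DEs).  Returns the sample mean of the interval."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        hit, t = set(), 0.0
        while len(hit) < needed:
            t += rng.expovariate(r)       # inter-scan gap of a Poisson process
            h = rng.randrange(W)          # host chosen by this scan
            if h < m:
                hit.add(h)
        total += t
    return total / trials

if __name__ == "__main__":
    W, m, r, t = 128, 4, 3, 20            # slide 20 parameters, r in hosts/minute
    e = slow_expected_interval(W, m, r)
    print(f"E[t_sd] = {e:.2f} min, simulated {simulate_interval(W, m, r, 1):.2f} min")
    print(f"P(t_sd >= {t}) <= {markov_miss_bound(e, t):.3f}, so "
          f"P(detect within {t} min) >= {detection_probability_lower_bound(e, t):.3f}")
    print(f"fast worm (W=254, m=4, r=10 hosts/s): simulated E[t_fd] = "
          f"{simulate_interval(254, 4, 10.0, 4):.1f} s")
```

For the slide-20 parameters this gives E[tsd] of about 10.7 minutes and a Markov bound of about 0.53 on missing the worm within 20 minutes, i.e. a guaranteed detection probability of only about 0.47, which shows how loose Markov's inequality is compared with the simulated interval distribution.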

  21. Experimentation and Evaluation
  • Synthesized worm scanning traffic:
    • Modified Blaster worm source code
    • Emulated multiple simultaneous fast and slow scanning worms
  • (!?) For effectiveness, the malicious attacks randomly scanned hosts in one target network before selecting another target network.
  My Comment: Without considering normal traffic!? Scanning one network at a time is an advantage for the proposed approach!

  22. Experiment Results
  • Measure average detection interval
  Figure labels: (fast worm detection interval) (threshold = 0.15); (slow worm detection interval)

  23. Experiment Results (cont’d)
  • The results from the correlation algorithms
  Figure labels: (fast) (threshold); (slow)

  24. Conclusion
  • Proposes a unique integrated detection technique capable of detecting and identifying simultaneous fast and slow scanning worms
  • Combines (1) host-based AIDS, (2) a self-adapting profiler, (3) Bayesian inference
  • Uses the sample mean excess function to determine appropriate thresholds for detecting fast worms
  • Presents an analysis of the detection interval
  • Develops probability models for the worm detection interval
  • Experiments on a live testbed
