Detecting Unknown Worms Using Randomness Check

Computer and Communication Security Lab., Dept. of Computer Science and Engineering, KOREA University

Hyundo Park, Heejo Lee ([email protected], [email protected])


Index

Overview
The relation between worms and randomness
The relation between randomness and rank
ADUR (Anomaly Detection Using Randomness check)
Evaluation

Overview

A worm uses a random number generator to choose its target hosts, so the sequence of traffic it generates has randomness. We can express the sequence of traffic as a matrix, and the rank of that matrix decides whether the sequence has randomness or not. Moreover, an exclusive-or operation between successive matrices can minimize the false alarm rate.

[Figure: the Internet in the normal state, where the source and destination addresses of packets follow a normal pattern, beside the Internet infected by a worm (the worm propagation state), where the source and destination addresses of packets have randomness.]

The relation between worms and randomness

Scanning method      | Detail                                                                                              | Example
Hitlist scanning     | Uses a list of vulnerable hosts; a sudden increase of outgoing connections                           | Warhol
Topological scanning | Gathers target information on the infected host; a sudden increase of outgoing connections           | Morris
Local scanning       | A sudden increase of non-response packets and rejected connection requests across various IP ranges | Code Red, Nimda
Permutation scanning | Generates unused queries on the server; a sudden increase of outgoing connections                    | Slammer

Ordinary worms generate random traffic to choose their target hosts. The ADUR model detects worms by checking for the traffic pattern these scanning methods produce.

The relation between randomness and rank

The rank is the number of leading ones after the matrix has been reduced to upper-triangular form (Gaussian elimination over GF(2)). We measure randomness by the use of the rank.

[Figure: probability of each rank value for a random 64 x 64 binary matrix; x-axis rank from 1 to 64, y-axis probability from 0 to 0.7.]

If the binary matrix is random, the probability of the rank value follows the equation

$$
P(r) = 2^{\,r(n+m-r) - nm} \prod_{i=0}^{r-1} \frac{(1 - 2^{i-n})(1 - 2^{i-m})}{1 - 2^{i-r}}
$$

where the matrix is $n \times m$ and $r$ is the value of the rank.

For a 64 x 64 matrix, 99.99% of the rank values of random binary matrices are larger than 60.

ADUR

Expression of traffic on the matrix -> Exclusive-or operation -> Calculate the rank -> Classification of the network state as normal or abnormal

ADUR: expression of traffic

The network traffic, that is the source and destination IP addresses of packets, can be expressed on a matrix. An address is written in dotted-quad form $IP_1.IP_2.IP_3.IP_4$; in a /16 network only $IP_3$ and $IP_4$ vary, and they are split into four 4-bit fields:

$m_1$ = first 4 bits of $IP_3$, $m_2$ = last 4 bits of $IP_3$, $m_3$ = first 4 bits of $IP_4$, $m_4$ = last 4 bits of $IP_4$.

The row index $i$ is derived from $IP_4 / 16$ and the column index $j$ from $IP_4 \bmod 16$.

ADUR: exclusive-or operation

The exclusive-or operation deletes normal traffic, because connections that persist from one time tick to the next cancel out; this minimizes the false alarm rate.

$$
R(M_t) = R(M_{t-1} \oplus M_t)
$$

where $R(M_t)$ is the value of the rank at time $t$.

ADUR: classification of the network state as normal or abnormal

$M_I$ is the matrix for incoming packets on the network and $M_O$ is the matrix for outgoing packets on the network; $R(M)$ is the rank of the matrix $M$. A rank is "high" when it exceeds the randomness threshold.

$R(M_I)$ | $R(M_O)$ | Network state
low      | low      | Normal
high     | low      | Attacked (Flowing)
low      | high     | Infected (Ebbing)
high     | high     | Attacked and infected (Flooding)
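The rank check of the "randomness and rank" slide and the ADUR pipeline of the three slides above (traffic on a matrix, exclusive-or with the previous tick, rank over GF(2), classification into the four states) as one runnable example. This is an added example, not code from the slides or from the authors. Assumptions beyond the slides: the matrix is 64 x 64 and is indexed by the destination address of each packet (row = address bits 6..11, column = bits 0..5), because the slides' exact index mapping is only partially legible here; the network 10.1.0.0/16, its hosts, the outside servers and all traffic are constructed; a time tick is long enough for a scanning host to send a few thousand probes; the rank threshold 60 is the one the slides give.

```python
import random

SIZE = 64            # the slides plot the rank of a 64 x 64 binary matrix
RANK_THRESHOLD = 60  # a random 64 x 64 matrix has rank > 60 with probability 99.99%


def gf2_rank(rows):
    """Rank over GF(2) of a binary matrix given as row bitmasks (Gaussian elimination).

    Each round takes the row with the highest leading 1 as pivot and clears that bit
    from every other row; the number of pivots is the number of leading ones in echelon form.
    """
    rows = [r for r in rows if r]
    rank = 0
    while rows:
        pivot = max(rows)
        rows.remove(pivot)
        lead = 1 << (pivot.bit_length() - 1)
        rows = [r ^ pivot if r & lead else r for r in rows]
        rows = [r for r in rows if r]
        rank += 1
    return rank


def rank_probability(r, n=SIZE, m=SIZE):
    """P(rank = r) of a uniformly random n x m binary matrix (the slides' formula)."""
    if r < 0 or r > min(n, m):
        return 0.0
    p = 2.0 ** (r * (n + m - r) - n * m)
    for i in range(r):
        p *= (1 - 2.0 ** (i - n)) * (1 - 2.0 ** (i - m)) / (1 - 2.0 ** (i - r))
    return p


def traffic_matrix(dst_addrs):
    """Bitmap of the destination addresses seen in one tick.
    ASSUMPTION (not from the slides): row = address bits 6..11, column = bits 0..5."""
    rows = [0] * SIZE
    for a in dst_addrs:
        rows[(a >> 6) & 63] |= 1 << (a & 63)
    return rows


def xor_rank(prev, cur):
    """R(M_t) = R(M_{t-1} XOR M_t): cells set in both ticks (persistent flows) cancel."""
    return gf2_rank(p ^ c for p, c in zip(prev, cur))


def classify(rank_in, rank_out, threshold=RANK_THRESHOLD):
    """The four network states of the slides."""
    if rank_in > threshold and rank_out > threshold:
        return "flooding"  # attacked and infected
    if rank_in > threshold:
        return "flowing"   # attacked from outside
    if rank_out > threshold:
        return "ebbing"    # an inside host is infected and scanning outward
    return "normal"


class ADUR:
    """Holds the previous tick's matrices so each new tick is XORed against them."""

    def __init__(self):
        self.prev_in, self.prev_out = [0] * SIZE, [0] * SIZE

    def tick(self, incoming_dst, outgoing_dst):
        m_in, m_out = traffic_matrix(incoming_dst), traffic_matrix(outgoing_dst)
        r_in, r_out = xor_rank(self.prev_in, m_in), xor_rank(self.prev_out, m_out)
        self.prev_in, self.prev_out = m_in, m_out
        return r_in, r_out, classify(r_in, r_out)


def ip2int(s):
    a, b, c, d = (int(x) for x in s.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


# Constructed sample network: monitored 10.1.0.0/16, 20 internal clients, 5 outside servers.
NET = ip2int("10.1.0.0")
HOSTS = [NET | (h * 2731 % 65536) for h in range(1, 21)]
SERVERS = [ip2int(s) for s in ("198.51.100.10", "198.51.100.20", "203.0.113.5",
                                "203.0.113.80", "192.0.2.25")]


def background(rng):
    """Persistent client/server flows plus two new outside peers per tick (constructed)."""
    incoming = [rng.choice(HOSTS) for _ in range(300)]
    outgoing = [rng.choice(SERVERS) for _ in range(300)] + [rng.getrandbits(32) for _ in range(2)]
    return incoming, outgoing


def simulate(seed=7, probes=4000):
    """Four ticks: normal, normal plus an nmap-style port scan, flowing, flooding."""
    rng, adur, results = random.Random(seed), ADUR(), []
    for t in range(4):
        incoming, outgoing = background(rng)
        if t == 1:  # port scan of one internal host: many packets, one address, no randomness
            incoming += [HOSTS[3]] * 1000
        if t >= 2:  # an outside worm scans our /16 at random addresses (flowing)
            incoming += [NET | rng.getrandbits(16) for _ in range(probes)]
        if t >= 3:  # an internal host is infected too and scans the Internet (flooding)
            outgoing += [rng.getrandbits(32) for _ in range(probes)]
        results.append(adur.tick(incoming, outgoing))
    return results


if __name__ == "__main__":
    print("P(rank > 60):", sum(rank_probability(r) for r in range(61, 65)))
    for t, (r_in, r_out, state) in enumerate(simulate()):
        print(f"tick {t}: R(M_I)={r_in:2d} R(M_O)={r_out:2d} -> {state}")
```

The port-scan tick shows why the slides treat nmap as normal: a thousand packets to one address set one cell, which the exclusive-or with the previous tick removes again, so the rank stays low. A random scan fills the bitmap with independent ones and, once it is dense enough, the XOR of two such ticks is itself a random matrix whose rank lands above 60 with the probability the formula predicts.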

Evaluation

The AAWP (Analytical Active Worm Propagation) model:

$$
n_{i+1} = n_i + (N - n_i)\left[1 - \left(1 - \frac{1}{T}\right)^{s\, n_i}\right]
$$

where $N$ is the total number of vulnerable machines in the Internet, $T$ is the size of the IPv4 space used by the worm to scan, $n_i$ is the number of infected hosts at time tick $i$, and $s$ is the scan rate.

When the number of initial infected hosts is 10000, the number of infected hosts increases exponentially.
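The AAWP recurrence above, iterated in code so the growth curve of the slides can be reproduced. This is an added example, not code from the slides or from the AAWP authors; the parameters in the usage (360000 vulnerable hosts, the full IPv4 space as scan range, 358 scans per host per tick, 10 initial infections) are constructed for illustration. The power $(1 - 1/T)^{s n_i}$ is evaluated through log1p so that it keeps its precision when $T = 2^{32}$.

```python
import math


def aawp(N, T, s, n0, ticks):
    """Analytical Active Worm Propagation (Chen, Gao and Kwiat):

        n_{i+1} = n_i + (N - n_i) * [1 - (1 - 1/T)^(s * n_i)]

    N  total vulnerable hosts, T size of the scanned address space,
    s  scans per infected host per tick, n0 hosts infected at tick 0.
    Returns the list n_0 .. n_ticks.
    """
    log_miss = math.log1p(-1.0 / T)   # log(1 - 1/T) without cancellation for huge T
    n = [float(n0)]
    for _ in range(ticks):
        n_i = n[-1]
        # probability that a given uninfected host is hit by at least one of the s*n_i scans
        hit = 1.0 - math.exp(s * n_i * log_miss)
        n.append(n_i + (N - n_i) * hit)
    return n


def first_tick_above(series, fraction, N):
    """Index of the first tick at which the infected count exceeds fraction * N, else None."""
    for i, n_i in enumerate(series):
        if n_i > fraction * N:
            return i
    return None


if __name__ == "__main__":
    N, T, s = 360_000, 2 ** 32, 358          # constructed Code-Red-like parameters
    curve = aawp(N, T, s, n0=10, ticks=600)
    for tick in (0, 100, 200, 300, 400, 500, 600):
        print(f"tick {tick:3d}: {curve[tick]:10.0f} infected")
    print("tick when 50% infected:", first_tick_above(curve, 0.5, N))
```

With $s N / T \approx 0.03$ the curve is logistic with a per-tick growth rate of about 3%, so starting from 10000 infected hosts it saturates within a few hundred ticks; the early, near-exponential part is the window in which the slides claim ADUR fires.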

Evaluation

[Figure: the variation of the rank value per time tick.]

The rank value of normal traffic stays within a uniform boundary.

Evaluation

[Figure: the variation of the rank value when the number of random connections increases by one per time tick, starting at time tick 20.]

When there are 25 random connections on the network, the rank becomes larger than 60, so ADUR detects that the network is infected or attacked by the worm.

Evaluation

The ADUR model can detect worm propagation early.

[Figure: the number of infected hosts modeled by AAWP as a function of the time tick, and the corresponding rank value when the worm spreads according to the AAWP model.]

Evaluation

[Figure: rank distribution for a /16 network where only one host is infected by Slammer, with the corresponding 2-D graph, which also shows the location of the infected subnet.]

The change of the rank caused by the Slammer worm shows a clear distinction from the normal condition.

The state of the network (Normal)

This is the normal state of the network. The rank value of the traffic matrix stays within a small boundary. No warning is raised in this state, because it is the normal state.

[Figure: rank over time; legend: normal.]

The state of the network (Normal_nmap)

This is the nmap state of the network: a port scan of one host. In this state only the number of packets on the network increases, but the sequence of destination addresses has no randomness, so only the blue line (packet count) increases. No warning is raised, because this is not the propagation state of a worm.

[Figure: rank over time; legend: normal, nmap.]

The state of the network (Normal_P2P)

This is the P2P state of the network: heavy traffic is transmitted over the network. In this state only the number of bytes on the network increases, but the sequence of destination addresses has no randomness, so only the green line (byte count) increases. No warning is raised, because this is not the propagation state of a worm.

[Figure: rank over time; legend: normal, nmap, P2P.]

The state of the network (Flowing)

This is the flowing state of the network: the network is attacked by a worm that has infected other networks. In this state only the randomness of incoming traffic increases, so only the rank value of incoming traffic increases. A warning is raised, because this is the propagation state of a worm.

[Figure: rank over time; legend: normal, flowing.]

The state of the network (Ebbing)

This is the ebbing state of the network: a host in the network is infected by a worm. In this state only the randomness of outgoing traffic increases, so only the rank value of outgoing traffic increases.

[Figure: rank over time; legend: normal, ebbing.]

The state of the network (Flooding)

This is the flooding state of the network: the network is attacked by a worm from other infected networks and is also infected itself. In this state the randomness of both incoming and outgoing traffic increases, so the rank values of both incoming and outgoing traffic increase.

[Figure: rank over time; legend: normal, flooding.]

Conclusion

The ADUR mechanism detects the spreading of Internet worms by checking the randomness of traffic.
ADUR can detect unknown worms at an early stage.
ADUR gives additional information, such as the infected subnet locations, when a worm is detected.

Thank you

Q & A