Page 1: Research Direction
Advisor: Frank, Yeong-Sung Lin
Presented by Jia-Ling Pan
2010/10/21, NTUIM OPLAB

Page 2: Agenda
Introduction
Problem Description

Page 3: Introduction

Page 4: Worm attacks
Definition
◦ "A network worm is a piece of malicious code that propagates over a network without human assistance and can actively initiate attacks independently or depending on file sharing." [1]
◦ [1] Kienzle DM and Elder MC, "Recent worms: a survey and trends", Proceedings of the 2003 ACM Workshop on Rapid Malcode (WORM '03), October 2003.

Page 5: Worm characteristics
Information collection:
◦ Collect information about the local or target network.
Probing:
◦ Scan the specified host for vulnerabilities and decide which approach to use to attack and penetrate it.
Communication:
◦ Communicate between the worm and the attacker, or among worm instances.
Attack:
◦ Exploit the holes found by scanning to create a propagation path.
Self-propagating:
◦ Create copies of the worm and transfer them to other hosts.

Page 6: Decentralized Information Sharing
Cooperative attack detection and countermeasures using decentralized information sharing.
Use of epidemic algorithms to share attack information and achieve quasi-global knowledge about attack behaviors.
◦ [2] Guangsen Zhang and Manish Parashar, "Cooperative detection and protection against network attacks using decentralized information sharing", Cluster Computing, Volume 13, Number 1, Pages 67-86, 2010.

Page 7: Decentralized Information Sharing
The sharing mechanism should be easy to deploy, robust, and highly resilient to failures.
Gossip-based mechanisms provide potentially effective solutions that meet these requirements.
Dissemination of information in a network is treated like the spread of a rumor, or of an infectious disease, in a society: each node that learns something passes it on to a few randomly chosen peers, and the information reaches the whole population without any central coordinator.

Page 8: Decentralized Information Sharing
If all the nodes in the distributed framework had common knowledge about network attack behaviors, network attacks could be detected perfectly.
However, achieving common knowledge requires completely synchronized and reliable communication, which is not feasible in a practical distributed system.

Page 9: Decentralized Information Sharing
In a distributed, decentralized attack detection system, each detection node has only a partial view of the system.
By sharing local knowledge through an asynchronous, failure-resilient communication mechanism, the system can reach quasi-global knowledge: not every node knows everything at the same instant, but every node eventually holds most of what the others have observed.
With this knowledge, every detection node acquires enough information about attacks for the attacks to be detected effectively.

Page 10: Decentralized Information Sharing
◦ AS level
◦ Overlay network
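The gossip-style dissemination described on pages 7 to 9 can be made concrete with a small simulation of one attack profile spreading between detection nodes. This is an added example, not code from the slides or from Zhang and Parashar [2]; the overlay (a 40-node ring with random shortcuts), the fanout of 2 and the 30% message-loss rate are assumptions chosen for illustration. It shows that with lossy, unsynchronized delivery coverage still climbs towards 1.0 round by round (quasi-global knowledge), and that the same routine degenerates to flooding when the fanout exceeds the node degree.

```python
import random


def build_topology(n=40, shortcuts=2, seed=1):
    """Constructed detection-node overlay: a ring (keeps the graph connected)
    plus `shortcuts` random extra links per node. Not the AS graph of the slides."""
    rng = random.Random(seed)
    nbrs = {i: set() for i in range(n)}

    def link(a, b):
        if a != b:
            nbrs[a].add(b)
            nbrs[b].add(a)

    for i in range(n):
        link(i, (i + 1) % n)
        for _ in range(shortcuts):
            link(i, rng.randrange(n))
    return nbrs


def gossip(nbrs, origin, fanout=2, loss=0.3, max_rounds=60, seed=7):
    """Push-style epidemic dissemination of one attack profile.

    Each round, every node that already holds the profile forwards it to
    `fanout` random neighbours; each message is independently lost with
    probability `loss`, which models unreliable, unsynchronised delivery.
    Returns (coverage, sent): the fraction of informed nodes after each round
    and the total number of messages transmitted.
    """
    rng = random.Random(seed)
    informed = {origin}
    coverage, sent = [], 0
    for _ in range(max_rounds):
        delivered = set()
        for node in sorted(informed):           # sorted for reproducibility
            peers = sorted(nbrs[node])
            for peer in rng.sample(peers, min(fanout, len(peers))):
                sent += 1
                if rng.random() >= loss:        # message survives the lossy link
                    delivered.add(peer)
        informed |= delivered
        coverage.append(len(informed) / len(nbrs))
        if len(informed) == len(nbrs):          # everyone holds the profile
            break
    return coverage, sent


def rounds_to(coverage, fraction):
    """Rounds until at least `fraction` of nodes hold the profile, or None."""
    for i, c in enumerate(coverage, 1):
        if c >= fraction:
            return i
    return None


if __name__ == "__main__":
    topo = build_topology()
    lossy, lossy_msgs = gossip(topo, origin=0)
    flood, flood_msgs = gossip(topo, origin=0, fanout=10**6, loss=0.0)
    print("gossip : %d rounds to 95%%, %d messages" % (rounds_to(lossy, 0.95), lossy_msgs))
    print("flood  : %d rounds to 95%%, %d messages" % (rounds_to(flood, 0.95), flood_msgs))
```

The comparison in the `__main__` block is the practical point: flooding reaches everyone in fewer rounds but sends a message on every link every round, whereas the gossip variant bounds the per-node cost to `fanout` messages per round and still converges despite losing almost a third of its messages.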

Page 11: Unknown worm behavioral detection
Detect unknown worm activity on individual computers while minimizing the set of features that has to be collected from the monitored computer.
Although every worm is different, the goal is to find common behavioral characteristics whose presence makes it possible to detect a worm that has never been seen before.
◦ [3] R. Moskovitch, Y. Elovici, and L. Rokach, "Detection of unknown computer worms based on behavioral classification of the host", Computational Statistics & Data Analysis, Volume 52, Issue 9, Pages 4544-4566, May 2008.
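The two ideas on this page, a small feature set and behavior that generalizes across worms, can be shown together with a feature-ranking step followed by threshold rules. This is an added example, not code from the slides and not the classifiers evaluated in Moskovitch et al. [3]; the per-host feature windows are constructed for the example, and the rule is a deliberately simple conjunction rather than a trained decision tree or Bayesian model. Features are ranked by information gain over labelled windows, only the top k are kept (the feature-minimization step), and a window is flagged only if every kept rule fires.

```python
import math

FEATURES = ["conn_per_sec", "failed_ratio", "distinct_dst", "cpu_pct", "mem_mb"]

# Constructed, labelled host-behaviour windows (True = worm activity).
# Values are invented for this example, not measurements from any host.
TRAINING = [
    ({"conn_per_sec": 2,   "failed_ratio": 0.05, "distinct_dst": 3,   "cpu_pct": 70, "mem_mb": 900},  False),
    ({"conn_per_sec": 1,   "failed_ratio": 0.00, "distinct_dst": 2,   "cpu_pct": 20, "mem_mb": 400},  False),
    ({"conn_per_sec": 5,   "failed_ratio": 0.10, "distinct_dst": 6,   "cpu_pct": 90, "mem_mb": 1500}, False),
    ({"conn_per_sec": 3,   "failed_ratio": 0.02, "distinct_dst": 4,   "cpu_pct": 15, "mem_mb": 300},  False),
    ({"conn_per_sec": 4,   "failed_ratio": 0.08, "distinct_dst": 5,   "cpu_pct": 60, "mem_mb": 800},  False),
    ({"conn_per_sec": 8,   "failed_ratio": 0.04, "distinct_dst": 80,  "cpu_pct": 30, "mem_mb": 600},  False),  # P2P client
    ({"conn_per_sec": 60,  "failed_ratio": 0.80, "distinct_dst": 55,  "cpu_pct": 30, "mem_mb": 500},  True),
    ({"conn_per_sec": 120, "failed_ratio": 0.90, "distinct_dst": 110, "cpu_pct": 95, "mem_mb": 1400}, True),
    ({"conn_per_sec": 45,  "failed_ratio": 0.70, "distinct_dst": 40,  "cpu_pct": 10, "mem_mb": 350},  True),
    ({"conn_per_sec": 200, "failed_ratio": 0.95, "distinct_dst": 190, "cpu_pct": 65, "mem_mb": 700},  True),
    ({"conn_per_sec": 80,  "failed_ratio": 0.85, "distinct_dst": 75,  "cpu_pct": 40, "mem_mb": 1000}, True),
    ({"conn_per_sec": 35,  "failed_ratio": 0.60, "distinct_dst": 33,  "cpu_pct": 75, "mem_mb": 1100}, True),
]


def entropy(labels):
    """Shannon entropy (bits) of a list of boolean labels."""
    if not labels:
        return 0.0
    p = sum(labels) / len(labels)
    if p in (0.0, 1.0):
        return 0.0
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))


def best_threshold(rows, feature):
    """(gain, threshold) of the binary split on `feature` with the highest
    information gain; candidates are midpoints between consecutive values."""
    values = sorted({r[feature] for r, _ in rows})
    base = entropy([lab for _, lab in rows])
    best = (0.0, None)
    for lo, hi in zip(values, values[1:]):
        thr = (lo + hi) / 2
        above = [lab for r, lab in rows if r[feature] > thr]
        below = [lab for r, lab in rows if r[feature] <= thr]
        gain = base - (len(above) * entropy(above) + len(below) * entropy(below)) / len(rows)
        if gain > best[0]:
            best = (gain, thr)
    return best


def select_rules(rows, k):
    """Rank features by information gain and keep the k best as
    (feature, threshold, worm_is_above) rules: the feature-minimisation step."""
    ranked = []
    for f in FEATURES:
        gain, thr = best_threshold(rows, f)
        if thr is None:
            continue
        above = [lab for r, lab in rows if r[f] > thr]
        worm_above = sum(above) / len(above) > 0.5
        ranked.append((-gain, f, thr, worm_above))   # ties broken by feature name
    ranked.sort()
    return [(f, thr, wa) for _, f, thr, wa in ranked[:k]]


def is_worm_like(window, rules):
    """Flag a window only when every selected rule fires; the conjunction keeps
    busy-but-benign hosts (the P2P client above) from tripping the detector."""
    return all((window[f] > thr) == worm_above for f, thr, worm_above in rules)


if __name__ == "__main__":
    rules = select_rules(TRAINING, k=2)
    print("selected rules:", rules)
    unseen = {"conn_per_sec": 90, "failed_ratio": 0.88, "distinct_dst": 85, "cpu_pct": 50, "mem_mb": 700}
    print("unseen scanning host flagged:", is_worm_like(unseen, rules))
```

On these windows the ranking keeps `conn_per_sec` and `failed_ratio` and drops `distinct_dst`, which the P2P client shares with the worms, and the two resource counters, which carry no signal. The caveat a practitioner should keep in mind is that a slow or hit-list worm that neither fails connections nor scans quickly would not cross these thresholds, which is exactly why [3] evaluates many more host features than this example collects.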

Page 12: Worm origin identification
Design of a Network Forensic Alliance (NFA) that allows multiple administrative domains (ADs) to jointly locate the origin of epidemic spreading attacks.
The alliance can find the origin and the initial propagation paths of a worm attack, either within an intranet or on the Internet as a whole, by performing post-mortem analysis on the traffic records logged by the participating networks.
◦ [5] Yinglian Xie, Vyas Sekar, Michael K. Reiter and Hui Zhang, "Forensic Analysis for Epidemic Attacks in Federated Networks", Proceedings of the 14th IEEE International Conference on Network Protocols (ICNP 2006), November 2006.
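What "post-mortem analysis on the traffic records logged by the networks" amounts to can be shown on a handful of flow records. This is an added example, not code from the slides and not the random-moonwalk sampling used in Xie et al. [5]; it is a simplified, deterministic causal reconstruction. The two ADs' logs, the worm profile (flows to TCP/445) and the set of hosts already confirmed infected by the detection stage are all constructed for the example. The federation point is the merge step: neither AD alone sees the whole chain from H to A.

```python
from math import inf

WORM_PORT = 445  # constructed worm profile: the worm spreads over TCP/445

# Constructed flow records (time, src, dst, dport) as logged by two
# administrative domains; the flow at t=10 was seen by both domains.
AD_LOGS = {
    "AD1": [(5, "B", "C", 445), (10, "H", "C", 445), (20, "C", "E", 445),
            (22, "C", "F", 445), (25, "H", "D", 445)],
    "AD2": [(10, "H", "C", 445), (30, "E", "A", 445), (35, "D", "J", 445),
            (40, "A", "G", 445), (41, "J", "I", 80), (3, "I", "H", 445),
            (32, "D", "C", 445)],
}
# Hosts confirmed infected by the behavioural detection stage (constructed).
INFECTED = {"H", "C", "E", "D", "A", "J"}


def merge_logs(ad_logs):
    """Union the domains' records, dropping flows logged by more than one AD."""
    return sorted({f for flows in ad_logs.values() for f in flows})


def infection_tree(flows, infected, port):
    """Causal reconstruction over worm-profile flows.

    A host's parent is the source of the earliest worm flow that reached it
    from another infected host before the host itself first sent worm
    traffic. Flows from uninfected hosts (benign traffic on the worm port)
    and flows arriving after the host was already spreading are ignored.
    Returns (origin, parent, infected_at).
    """
    worm = [f for f in flows if f[3] == port]
    first_out = {h: inf for h in infected}          # first time h sent worm traffic
    for t, s, _, _ in worm:
        if s in infected and t < first_out[s]:
            first_out[s] = t
    parent, infected_at = {}, {}
    for h in infected:
        cands = [(t, s) for t, s, d, _ in worm
                 if d == h and s in infected and s != h and t < first_out[h]]
        if cands:
            t, s = min(cands)
            parent[h], infected_at[h] = s, t
        else:                                       # no causal predecessor: a root
            infected_at[h] = first_out[h]
    roots = [h for h in infected if h not in parent]
    origin = min(roots, key=lambda h: infected_at[h])
    return origin, parent, infected_at


def propagation_path(parent, host):
    """Initial propagation path from the origin down to `host`."""
    path = [host]
    while path[-1] in parent:
        path.append(parent[path[-1]])
    return path[::-1]


if __name__ == "__main__":
    flows = merge_logs(AD_LOGS)
    origin, parent, infected_at = infection_tree(flows, INFECTED, WORM_PORT)
    print("origin:", origin)
    for h in sorted(INFECTED, key=lambda h: infected_at[h]):
        print("t=%2d  %s" % (infected_at[h], " -> ".join(propagation_path(parent, h))))
```

Two records in the constructed logs are there to show the filtering: B's flow to C at t=5 is earlier than H's but B is not in the infected set, so it cannot be C's parent, and D's flow to C at t=32 arrives after C was already scanning, so it is a re-scan of an infected host, not an infection. The result depends on the alliance members' logs being trustworthy and their clocks comparable; a member that omits or back-dates records can move the apparent origin.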

Page 13: Problem Description

Page 14: Problem Description
Attacker attributes
Defender attributes
Attack-defense scenarios

Page 15: Attacker attributes
Objective
◦ Use worms to obtain a clearer map of the network topology and of its vulnerabilities, and eventually compromise the core nodes.
Budget
◦ Node compromising
◦ Worm injection

Page 16: Attacker attributes
Attack mechanisms
◦ Node compromising. Next-hop selection criteria:
  Link degree: prefer a high link degree (information seeking)
  Link utilization: prefer low link utilization (stealth strategy)
◦ Worm injection. Candidate selection criteria:
  Link traffic: high link traffic, high-rate worm injection; low link traffic, low-rate worm injection
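The two next-hop criteria and the injection-rate rule on this page can be compared on a small topology. This is an added example, not code from the slides; it reuses the node labels A to J from the scenario figures, but the links, the per-link utilization and traffic figures, and the choice of J as the core node are all assumptions made for the example. A greedy walk from the entry node shows the trade-off: the degree-seeking attacker learns more of the topology but crosses busier links, while the stealth attacker reaches the core over quieter links and learns less.

```python
# Constructed AS-level topology: (u, v) -> (utilisation 0..1, traffic in Mbps).
LINKS = {
    ("A", "B"): (0.60, 800),  ("A", "C"): (0.20, 100), ("B", "D"): (0.70, 900),
    ("C", "D"): (0.30, 150),  ("C", "E"): (0.10, 60),  ("D", "F"): (0.80, 1000),
    ("E", "F"): (0.20, 120),  ("D", "G"): (0.50, 600), ("F", "G"): (0.40, 400),
    ("G", "H"): (0.90, 1200), ("F", "I"): (0.30, 200), ("H", "J"): (0.60, 700),
    ("I", "J"): (0.20, 90),   ("E", "I"): (0.15, 80),
}
CORE = {"J"}  # assumed core AS node


def link(u, v):
    """Attributes of the undirected link between u and v, or None."""
    return LINKS.get((u, v)) or LINKS.get((v, u))


def neighbours(node):
    return sorted(v if u == node else u for u, v in LINKS if node in (u, v))


def next_hop(current, compromised, strategy):
    """Choose the next node to compromise from `current`.

    'degree'  : highest-degree uncompromised neighbour (information seeking).
    'stealth' : uncompromised neighbour reached over the least-utilised link.
    Ties are broken by node name so the walk is deterministic.
    """
    cands = [n for n in neighbours(current) if n not in compromised]
    if not cands:
        return None
    if strategy == "degree":
        return min(cands, key=lambda n: (-len(neighbours(n)), n))
    if strategy == "stealth":
        return min(cands, key=lambda n: (link(current, n)[0], n))
    raise ValueError("unknown strategy: %s" % strategy)


def attack_path(entry, strategy, max_hops=20):
    """Greedy node-compromise walk from `entry` until a core node is reached
    (or the attacker runs out of uncompromised neighbours)."""
    path, compromised = [entry], {entry}
    while path[-1] not in CORE and len(path) <= max_hops:
        nxt = next_hop(path[-1], compromised, strategy)
        if nxt is None:
            break
        path.append(nxt)
        compromised.add(nxt)
    return path


def exposure(path):
    """Sum of utilisation over traversed links: how much busy, and therefore
    well-monitored, infrastructure the attacker crosses."""
    return sum(link(u, v)[0] for u, v in zip(path, path[1:]))


def links_learned(path):
    """Topology information gained: every link incident to a compromised node."""
    return {e for e in LINKS if e[0] in path or e[1] in path}


def injection_plan(node, high_traffic=500):
    """Worm-injection candidates from a compromised node: high-traffic links
    get a high-rate injection, low-traffic links a low-rate one that blends in."""
    return {n: ("high" if link(node, n)[1] >= high_traffic else "low")
            for n in neighbours(node)}


if __name__ == "__main__":
    for strategy in ("degree", "stealth"):
        p = attack_path("A", strategy)
        print("%-8s path=%s exposure=%.2f links learned=%d"
              % (strategy, "->".join(p), exposure(p), len(links_learned(p))))
    print("injection plan from D:", injection_plan("D"))
```

The same functions give the defender a way to reason about budget: the links the stealth path crosses are the low-utilization ones, so a defender who places detection only on busy links (where an IDS pays for itself) is exactly the defender this strategy is designed to walk around.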

Page 17: Defender attributes
Objective
◦ Protect the core nodes
Budget
◦ General defense resources (e.g. firewall, IDS)
◦ Worm profile distribution mechanisms
◦ Worm source identification methods

Page 18: Defender attributes
Defense mechanisms
◦ Node protection
◦ Unknown worm detection and profile distribution
◦ Worm origin identification

Page 19: Scenarios
[Figure: AS-level topology with nodes A to J. Legend: Firewall, AS node, Core AS node, Type 1 worm, Type 2 worm, Profile generation.]

Page 20: Scenarios
[Figure: same topology. Annotations: Attacker A and Attacker B each perform a node compromise; Profile generation.]

Page 21: Scenarios
[Figure: same topology. Annotations: Attacker A, Node compromise, Worm injection, Profile generation.]

Page 22: Scenarios
[Figure: same topology. Annotations: Attacker A, Worm propagation, Profile generation.]

Page 23: Scenarios
[Figure: same topology. Annotations: Attacker A, Profile generation.]

Page 24: Scenarios
[Figure: same topology. Annotations: Attacker A, Node compromise, Profile generation.]

Page 25: Scenarios
[Figure: same topology. Annotations: Attacker A, Detect unknown worm behavior, Profile distribution, Worm origin identification, Profile generation.]

Page 26: Scenarios
[Figure: same topology. Annotations: Attacker A, Worm injection, Profile generation.]

Page 27: Scenarios
[Figure: same topology. Annotations: Attacker A, Worm propagation, Profile generation.]

Page 28: Scenarios
[Figure: same topology. Annotations: Attacker A, Detect unknown worm behavior, Profile distribution, Worm origin identification, Profile generation.]

Page 29: Scenarios
[Figure: same topology. Annotations: Attacker A, Profile generation.]

Page 30: Thanks for listening