Detection Unknown Worms Using Randomness Check Computer and Communication Security Lab. Dept. of Computer Science and Engineering KOREA University Hyundo Park, Heejo Lee (hyundo95@korea.ac.kr, heejo@korea.ac.kr)
Index
• Overview
• The relation between worm and randomness
• The relation between randomness and rank
• ADUR (Anomaly Detection Using Randomness check)
• Evaluation
Overview
• The worm uses a random generator to choose target hosts.
• The sequence of traffic generated by a random generator has randomness.
• We can express the sequence of traffic on a matrix.
• The value of the rank of the matrix can decide whether the sequence of traffic has randomness or not.
• Moreover, the exclusive-or operation can minimize the false alarm rate.
[Figure: the Internet in the normal state, where the source and destination addresses of packets follow a normal pattern, versus the worm propagation state, where the Internet is infected by a worm and the source and destination addresses of packets have randomness.]
The relation between worm and randomness
• Ordinary worms generate random traffic to choose target hosts.
• The ADUR model detects worms by checking the pattern of their scanning methods.
The relation between randomness and rank
• The rank is the number of leading ones after reducing the matrix to upper-triangular form.
• We measure the randomness by the value of the rank of the matrix.
• 99.99% of random binary matrices have a rank value greater than 60.
• If the binary matrix is random, the value of the rank follows the probability distribution shown above.
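The slide's 99.99% figure follows from the distribution of the GF(2) rank of a uniformly random binary matrix. The example below is added here and is not the authors' code: it implements the closed-form rank distribution used by the NIST SP 800-22 binary matrix rank test and evaluates it for a 64x64 matrix, which is the matrix size assumed here (the slides do not state it) and is the size at which a rank above 60 occurs with probability 99.99%.

```python
def rank_probability(m, q, r):
    """P(rank = r) for a uniformly random m x q binary matrix over GF(2).
    Closed form as used by the NIST SP 800-22 binary matrix rank test."""
    if r < 0 or r > min(m, q):
        return 0.0
    product = 1.0
    for i in range(r):
        product *= (1 - 2.0 ** (i - q)) * (1 - 2.0 ** (i - m)) / (1 - 2.0 ** (i - r))
    # exponents far below zero underflow to 0.0, which is the correct limit here
    return 2.0 ** (r * (q + m - r) - m * q) * product


def distribution(m, q):
    """Full rank distribution {r: P(rank = r)} for an m x q random binary matrix."""
    return {r: rank_probability(m, q, r) for r in range(min(m, q) + 1)}


def probability_rank_above(m, q, threshold):
    """P(rank > threshold): the share of truly random matrices that a detector using
    'rank > threshold means random' classifies correctly (one minus its miss rate)."""
    return sum(rank_probability(m, q, r) for r in range(threshold + 1, min(m, q) + 1))


def detection_threshold(m, q, confidence):
    """Largest threshold t such that P(rank > t) >= confidence, i.e. the cut-off a
    practitioner would pick so that random traffic is rarely mistaken for normal."""
    best = -1
    for t in range(min(m, q)):
        if probability_rank_above(m, q, t) >= confidence:
            best = t
    return best
```

For a 64x64 matrix the mass sits at ranks 64, 63 and 62 (about 0.289, 0.578 and 0.128); `probability_rank_above(64, 64, 60)` is about 0.99995 and `detection_threshold(64, 64, 0.9999)` returns 60, matching the slide's threshold.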
ADUR
[Figure: the ADUR pipeline: expression of traffic on the matrix, exclusive-or operation, calculate rank, classification of the network state as normal or abnormal.]
ADUR : expression of traffic
• The network traffic, i.e. the source and destination IP addresses of packets, can be expressed on a matrix.
ADUR : exclusive-or operation
• The exclusive-or operation deletes normal traffic.
• The exclusive-or operation can minimize the false alarm rate; the value of the rank is computed at each time tick.
ADUR : classification of normal or abnormal network state
• One matrix is built for incoming packets on the network, another for outgoing packets.
• R( M ) is the rank of the matrix M .
• Normal: neither the incoming nor the outgoing rank is high.
• Attacked (Flowing): only the incoming rank is high.
• Infected (Ebbing): only the outgoing rank is high.
• Attacked and infected (Flooding): both the incoming and the outgoing rank are high.
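The three ADUR steps above (traffic on a matrix, exclusive-or with the previous tick, rank and classification) as one runnable example. This is added code, not the authors' implementation, and several details are this example's assumptions because the slides do not state them: one 64x64 matrix per direction per tick, a remote address folded into a cell by its third and fourth octets, the monitored network 10.1.0.0/16, TEST-NET addresses for the normal servers, and constructed traffic (repeated client/server flows, plus 3000 random probes per tick for the inbound and outbound scan phases). The threshold of 60 is the slides' own.

```python
import random

SIZE = 64            # assumption: one 64x64 binary matrix per direction per time tick
RANK_THRESHOLD = 60  # from the slides: a random binary matrix exceeds rank 60 with prob. 99.99%
MONITORED_PREFIX = (10, 1)  # constructed: the monitored network is 10.1.0.0/16


def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def is_internal(ip):
    return tuple(int(x) for x in ip.split(".")[:2]) == MONITORED_PREFIX


def cell(ip):
    """Fold a remote address into one cell. Assumption (not from the slides): the low 6 bits
    of the third octet select the row, the low 6 bits of the fourth octet the column."""
    v = ip_to_int(ip)
    return (v >> 8) & (SIZE - 1), v & (SIZE - 1)


def build_matrices(packets):
    """One tick of (src, dst) pairs -> (incoming, outgoing) matrices as lists of row bitmasks.
    The incoming matrix is indexed by the external source, the outgoing by the external destination."""
    incoming, outgoing = [0] * SIZE, [0] * SIZE
    for src, dst in packets:
        if is_internal(dst) and not is_internal(src):
            r, c = cell(src)
            incoming[r] |= 1 << c
        elif is_internal(src) and not is_internal(dst):
            r, c = cell(dst)
            outgoing[r] |= 1 << c
    return incoming, outgoing


def xor_matrix(current, previous):
    """Exclusive-or with the previous tick: flows repeated every tick (normal traffic) cancel."""
    return [a ^ b for a, b in zip(current, previous)]


def gf2_rank(rows, width=SIZE):
    """Rank over GF(2) by Gaussian elimination on row bitmasks: the number of leading ones
    left after reduction to upper-triangular form."""
    rows, rank = list(rows), 0
    for bit in reversed(range(width)):
        pivot = next((i for i in range(rank, len(rows)) if (rows[i] >> bit) & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and (rows[i] >> bit) & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank


def classify(in_rank, out_rank):
    """The four network states of the ADUR classification slide."""
    if in_rank > RANK_THRESHOLD and out_rank > RANK_THRESHOLD:
        return "flooding"   # attacked and infected
    if in_rank > RANK_THRESHOLD:
        return "flowing"    # attacked from outside
    if out_rank > RANK_THRESHOLD:
        return "ebbing"     # an internal host is infected
    return "normal"


# --- constructed traffic, not captured data ---------------------------------
def normal_traffic():
    """The same 40 client/server flows every tick (server in TEST-NET-2)."""
    flows = []
    for host in range(1, 41):
        flows.append((f"10.1.2.{host}", "198.51.100.10"))
        flows.append(("198.51.100.10", f"10.1.2.{host}"))
    return flows


def random_ip(rng):
    return ".".join(str(rng.randrange(1, 224) if i == 0 else rng.randrange(256)) for i in range(4))


def worm_scans(rng, infected, count):
    """An infected internal host probing uniformly random Internet addresses."""
    return [(infected, random_ip(rng)) for _ in range(count)]


def inbound_scans(rng, count):
    """Random external hosts probing random hosts of the monitored /16."""
    return [(random_ip(rng), f"10.1.{rng.randrange(256)}.{rng.randrange(1, 255)}") for _ in range(count)]


def run_simulation(seed=7):
    """Six ticks: normal, normal, inbound scans, inbound + worm, worm only, worm only.
    Returns (tick, incoming rank, outgoing rank, state) per tick."""
    rng = random.Random(seed)
    schedule = [set(), set(), {"in"}, {"in", "out"}, {"out"}, {"out"}]
    prev_in, prev_out = [0] * SIZE, [0] * SIZE
    results = []
    for tick, events in enumerate(schedule, start=1):
        packets = normal_traffic()
        if "in" in events:
            packets += inbound_scans(rng, 3000)
        if "out" in events:
            packets += worm_scans(rng, "10.1.2.17", 3000)
        cur_in, cur_out = build_matrices(packets)
        in_rank = gf2_rank(xor_matrix(cur_in, prev_in))
        out_rank = gf2_rank(xor_matrix(cur_out, prev_out))
        results.append((tick, in_rank, out_rank, classify(in_rank, out_rank)))
        prev_in, prev_out = cur_in, cur_out
    return results
```

With the default seed the six ticks classify as normal, normal, flowing, flooding, flooding, ebbing. The normal flows collapse to rank 1 at tick 1 and to rank 0 from tick 2 on because the exclusive-or cancels them, while 3000 random probes fill roughly half the cells and give a rank above 60 in either direction. Tick 5 is worth noting: the inbound scans stopped, but the exclusive-or of tick 4's random incoming matrix with tick 5's normal one is still random, so the incoming side reads as attacked for one more tick. The exclusive-or thus suppresses steady traffic at the cost of a one-tick lag at the end of an attack.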
Evaluation
• The AAWP (Analytical Active Worm Propagation) model, whose parameters are: the total number of vulnerable machines in the Internet; the size of the IPv4 space used by the worm to scan; the scan rate; and the number of infected hosts at each time tick.
• When the number of initially infected hosts is 10000, the number of infected hosts increases exponentially.
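An added simulation of the AAWP model used in the evaluation, written for this page rather than taken from the slides or the authors. It uses the basic AAWP recurrence published by Chen, Gao and Kwiat (2003) without patching or host death; the symbol names N, T, s and n_i are this example's labels for the four parameters listed above, and the parameter values (a million vulnerable hosts, the full IPv4 space, 100 scans per tick) are constructed, with the 10000 initially infected hosts taken from the slide.

```python
def aawp(N, T, s, n0, ticks):
    """AAWP recurrence without patching or host death (Chen, Gao and Kwiat, 2003):
        n_{i+1} = n_i + (N - n_i) * (1 - (1 - 1/T) ** (s * n_i))
    N: vulnerable hosts, T: size of the scanned address space, s: scans per host per tick,
    n0: initially infected hosts. Returns the series n_0 .. n_ticks."""
    series = [float(n0)]
    for _ in range(ticks):
        n_i = series[-1]
        # probability that a given not-yet-infected host is hit by at least one of the
        # s * n_i scans issued during this tick
        hit_probability = 1 - (1 - 1 / T) ** (s * n_i)
        series.append(n_i + (N - n_i) * hit_probability)
    return series


def growth_factors(series, upto):
    """n_{i+1} / n_i for the first ticks; a near-constant ratio is the exponential phase."""
    return [series[i + 1] / series[i] for i in range(upto)]


def first_tick_reaching(series, fraction, N):
    """First tick at which the infected count reaches the given fraction of N (None if never)."""
    for i, n in enumerate(series):
        if n >= fraction * N:
            return i
    return None


def simulate_slide_scenario():
    """Constructed parameters: N = 1e6, T = 2**32, s = 100, n0 = 10000 as on the slide."""
    return aawp(N=1_000_000, T=2 ** 32, s=100, n0=10000, ticks=1000)
```

Early on each tick multiplies the infected population by about 1.023, so the curve is exponential until the pool of uninfected hosts shrinks; the recurrence never overshoots N because the increment is at most N minus the current count. The half-way point is reached after roughly two hundred ticks with these constructed values.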
Evaluation
• The variation of the rank value per time tick.
• The value of the rank of normal traffic has a uniform boundary.
Evaluation
• The variation of the rank value when one random connection is added per time tick, starting at time tick 20.
• When there are 25 random connections on the network, the rank becomes larger than 60.
• ADUR thereby detects whether the network is infected or attacked by the worm.
Evaluation
• The ADUR model can detect worm propagation early.
[Figure: the number of infected hosts modeled by AAWP as a function of time tick, and the corresponding value of the rank when worms spread according to the AAWP model.]
Evaluation
• The change of the rank caused by the Slammer worm shows a clear distinction from the normal condition.
[Figure: rank distribution for a /16 network where only one host is infected by Slammer, with the corresponding 2-D graph, which also shows the location of the infected subnet.]
The state of network (Normal)
• This is the normal state of the network.
• The value of the rank of the traffic matrix stays within a small boundary.
• In this state there is no warning, because this is the normal state.
[Figure: rank value per time tick in the normal state.]
The state of network (Normal_nmap)
• This is the nmap state of the network.
• The nmap state is a port scan of one host.
• In this state only the number of packets on the network increases, but the sequence of destination addresses has no randomness.
• So only the blue line (the number of packets) increases.
• In this state there is no warning, because this is not the propagation state of a worm.
[Figure: rank value per time tick, nmap versus normal.]
The state of network (Normal_P2P)
• This is the P2P state of the network.
• In the P2P state, heavy traffic is transmitted over the network.
• In this state only the number of bytes of packets on the network increases, but the sequence of destination addresses has no randomness.
• So only the green line (the number of bytes) increases.
• In this state there is no warning, because this is not the propagation state of a worm.
[Figure: rank value per time tick, P2P versus nmap and normal.]
The state of network (Flowing)
• This is the flowing state of the network.
• The flowing state is the state of being attacked by another network that is infected by the worm.
• In this state only the randomness of incoming traffic increases.
• So only the value of the rank of incoming traffic increases.
• In this state there is a warning, because this is the propagation state of a worm.
[Figure: rank value per time tick, flowing versus normal.]
The state of network (Ebbing)
• This is the ebbing state of the network.
• The ebbing state is the state of being infected by the worm.
• In this state only the randomness of outgoing traffic increases.
• So only the value of the rank of outgoing traffic increases.
[Figure: rank value per time tick, ebbing versus normal.]
The state of network (Flooding)
• This is the flooding state of the network.
• The flooding state is the state of being attacked by another network infected by the worm and, at the same time, being infected by the worm.
• In this state the randomness of both incoming and outgoing traffic increases.
• So the value of the rank of both incoming and outgoing traffic increases.
[Figure: rank value per time tick, flooding versus normal.]
Conclusion
• The ADUR mechanism detects the spreading of Internet worms by checking the randomness of traffic.
• ADUR can detect unknown worms at an early stage.
• ADUR gives additional information, such as the location of infected subnets, when a worm is detected.
Thank you Q & A