Containment of Scanning Worms in Enterprise Networks - PowerPoint PPT Presentation

1 / 28
About This Presentation
Title:

Containment of Scanning Worms in Enterprise Networks

Description:

... worm spread and disrupt spread before a widespread harm is done. Worm containment ... Worm infected hosts lead to a much higher rate of new address visits ... – PowerPoint PPT presentation

Number of Views:87
Avg rating:3.0/5.0
Slides: 29
Provided by: sarmav
Category:

less

Transcript and Presenter's Notes

Title: Containment of Scanning Worms in Enterprise Networks


1
Containment of Scanning Worms in Enterprise
Networks
  • Stuart Staniford
  • Silicon Defense
  • Presented by Sarma Vangala

2
Introduction
  • Traditional defense inadequate against recent
    worms (worm containment problem)
  • Recognize worm spread and disrupt spread before a
    widespread harm is done
  • Worm containment at network level
  • Identify worms based on misbehavior of IP
    addresses (bad IP addresses) and stop them from
    further communication

3
Motivation
  • Normal use has no more than 1 to 2 new
    destinations every second
  • Worm infected hosts lead to a much higher rate of
    new address visits
  • How many new infections should we see before a
    worm can be contained?

4
Contributions
  • Worm containment system for fast random scanning
    worms (Counter Malice) in Enterprise networks
  • Dividing network into cells
  • Performance of containment system is better if
    cells have equal number of vulnerabilities

5
Overview
  • Why Enterprise networks
  • Network and Worm model
  • Random Scanning worms
  • Random Scanning worms with local subnet scanning
  • Better worm scanning strategies
  • Conclusions

6
Why Enterprise Networks
  • Common policies and technologies with Outbound
    containment (DDoS, higher proportion of behavior
    visible)
  • Low connectedness
  • Small address spaces sparsely populated
  • Firewalling

7
Network and Worm Model
  • Homogeneous (2 Class B networks, one
    vulnerability density)
  • Equal Cell
  • Infinite Speed Random Scanning

8
Parameters Used
  • v Vulnerability density (probability that an
    address in vulnerable)
  • T Threshold on of scans
  • Pn Enterprise targeting probability
    (probability that an enterprise address is picked
    by a worm)
  • Pc Local cell preference
  • ? - of vulnerable hosts infected
  • C Size of cell ( 0f addresses in cell)

9
Random Scanning Worms
  • A1 infected host
  • Pc 0
  • Pr(A1,i) (vPn)i(1-vPn)T-I
  • E(A1) TvPn
  • E(A1)lt1 or E(A1)gt1 gt
  • (TvPnlt1) or (TvPngt1)

10
Random Scanning Worms (contd..)
  • ?c Critical infection density (epidemic
    threshold) after which worm propagation slows
    down such that E(A)lt1
  • ?f Final infection density
  • Numerically ?f0.583 for Pn0.5, T10 and v0.3

11
Simulations 1
  • Monte Carlo simulator
  • Every address is infected, vulnerable or
    invulnerable
  • Worm tree with breadth first search
  • Worm starting point, vulnerability density varied

12
Histogram of ?
13
Worms with Cell preference (local subnet scanning)
  • Containment within cell also needed along with
    external
  • Watch for of outbound connections made from
    cell
  • E(Oc1) TvPn(1CvPc) ltgt 1
  • CvPc gtgt 1 more intra cell spread

14
CPc Vs TPn
15
Better Scanning Vs. Cell Size
16
Local Subnet Scan (Results)
17
Containment of Code Red and Nimda
  • Code Red I v 360000/232 8E-5
  • Slammer v 75000/232 2E-5
  • Worm does not spread even if Cell size is large
    (? 225)
  • Code Red II Pn 0.375
  • Nimda Pn 0.5 ? higher local preference than
    Code Red II, difficult to stop
  • Both containable for C lt 200000

Pc 1
18
Better Scanning Strategies for Worm Writers
  • Worm writer minimizes time to scan both within
    cell and outside cell
  • Outside cell time to scan can be modeled by
    epidemiological model
  • Inside cell
  • Time to compromise a host in a particular cell in
    the enterprise
  • Time to compromise the hosts in that cell

19
Total time for worm to complete its task
  • ? proportion of worms effort on outside network
  • tfin (?/v(1- ?)) 3log(vN-1)/ ?vS
  • N 2 class B networks

20
? Vs. tfin(hours)
21
Higher v (time here in minutes)
22
Analysis
  • ? 0.1 ? Pn 0.1 gt effective containment as
    finding a new address space is slow
  • When small vulnerability density, finding remote
    class B is difficult and worm should devote time
    in doing that

23
Optimal ? for varying v
24
Arrangement of Containment Systems in Cells
  • Power law distribution of networks gt power law
    distribution of vulnerabilities (network is
    inhomogeneous)
  • Modeled as i-? for ith cell and ? is a fixed
    constant

25
? Vs. ?
26
Device Placement
  • More vulnerabilities more infections, less
    vulnerabilities less infection
  • Cell size should be divided such that each cell
    has the same of vulnerabilities

27
Conclusions
  • Most worms containable easily at enterprise
    network level
  • Better containment achieved by dividing the
    enterprise network into cells each of which have
    the same number of vulnerabilities
  • Containment deployment should be complete
    otherwise worm spread above critical levels
    possible

28
Thank You!
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Containment of Scanning Worms in Enterprise Networks" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!