Containment of Scanning Worms in Enterprise Networks - PowerPoint PPT Presentation
1
Containment of Scanning Worms in Enterprise Networks
  • Stuart Staniford
  • Silicon Defense
  • Presented by Sarma Vangala

2
Introduction
  • Traditional defenses are inadequate against recent
    fast worms (the worm containment problem)
  • Recognize worm spread and disrupt it before
    widespread harm is done
  • Worm containment at the network level
  • Identify worms by the misbehavior of IP
    addresses (bad IP addresses) and stop those
    addresses from further communication

3
Motivation
  • Normal use contacts no more than 1 to 2 new
    destinations per second
  • Worm-infected hosts visit new addresses at a much
    higher rate
  • How many new infections should we expect to see
    before a worm can be contained?

4
Contributions
  • Worm containment system (CounterMalice) for fast
    random scanning worms in enterprise networks
  • Dividing the network into cells
  • The containment system performs better if cells
    hold equal numbers of vulnerabilities

5
Overview
  • Why Enterprise networks
  • Network and Worm model
  • Random Scanning worms
  • Random Scanning worms with local subnet scanning
  • Better worm scanning strategies
  • Conclusions

6
Why Enterprise Networks
  • Common policies and technologies; outbound
    containment also pays off (limits DDoS, a higher
    proportion of behavior is visible)
  • Low connectedness
  • Small, sparsely populated address spaces
  • Firewalling

7
Network and Worm Model
  • Homogeneous (2 class B networks, one
    vulnerability density)
  • Equal cells
  • Infinite-speed random scanning

8
Parameters Used
  • $v$: vulnerability density (probability that an
    address is vulnerable)
  • $T$: threshold on the number of scans (new
    destinations) a host may make before it is blocked
  • $P_n$: enterprise targeting probability
    (probability that an enterprise address is picked
    by a worm scan)
  • $P_c$: local cell preference
  • $\alpha$: fraction of vulnerable hosts infected
  • $C$: size of cell (number of addresses in the cell)

9
Random Scanning Worms
  • $A_1$: number of new infections caused by one
    infected host in its $T$ scans
  • $P_c = 0$
  • $\Pr(A_1 = i) = \binom{T}{i} (vP_n)^i (1 - vP_n)^{T-i}$
  • $E(A_1) = T v P_n$
  • $E(A_1) < 1$ (contained) or $E(A_1) > 1$ (epidemic)
    $\iff$ $T v P_n < 1$ or $T v P_n > 1$

10
Random Scanning Worms (contd..)
  • $\alpha_c$: critical infection density (epidemic
    threshold) beyond which worm propagation slows
    down such that $E(A) < 1$
  • $\alpha_f$: final infection density
  • Numerically $\alpha_f = 0.583$ for $P_n = 0.5$,
    $T = 10$ and $v = 0.3$

11
Simulations 1
  • Monte Carlo simulator
  • Every address is infected, vulnerable or
    invulnerable
  • Worm tree explored with breadth-first search
  • Worm starting point and vulnerability density varied
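A worked version of the threshold analysis and the Monte Carlo simulator from the last three slides, added here as an example; it is not code from the presentation or from Silicon Defense. It evaluates $E(A_1) = TvP_n$, $\Pr(A_1 = i)$ (binomial in $T$ with success probability $vP_n$), and the two infection densities. The closed forms $\alpha_c = 1 - 1/(TvP_n)$ and $\alpha_f = 1 - e^{-TvP_n \alpha_f}$ are this example's own derivation from the slide's model; the address-space size, trial count and random seed are constructed inputs. With the slide's parameters ($T = 10$, $v = 0.3$, $P_n = 0.5$) the fixed point gives $\alpha_f \approx 0.583$, the value quoted on the slide.

```python
"""Threshold containment model for a random-scanning worm (slides 9-11).

Added example, not code from the slides or from Silicon Defense. The closed
forms for alpha_c and alpha_f and the address-space size used by the
simulation are this example's own assumptions.
"""
import math
import random
from collections import deque
from math import comb
from typing import List, Tuple


def expected_infections(T: int, v: float, pn: float) -> float:
    """E(A1): expected new infections one host causes before the threshold blocks it."""
    return T * v * pn


def prob_infections(T: int, v: float, pn: float, i: int) -> float:
    """Pr(A1 = i): each of the T scans independently hits a vulnerable enterprise
    address with probability v*pn, so A1 is binomial(T, v*pn)."""
    p = v * pn
    return comb(T, i) * p ** i * (1 - p) ** (T - i)


def critical_density(T: int, v: float, pn: float) -> float:
    """alpha_c: once a fraction alpha of vulnerable hosts is already infected, a
    scan landing on a vulnerable host is a *new* infection only with probability
    (1 - alpha), so the effective E(A) is T*v*pn*(1 - alpha); it falls below 1
    at alpha_c = 1 - 1/(T*v*pn) (0 if the worm never takes off)."""
    r0 = expected_infections(T, v, pn)
    return 0.0 if r0 <= 1.0 else 1.0 - 1.0 / r0


def final_density(T: int, v: float, pn: float, tol: float = 1e-10) -> float:
    """alpha_f: a vulnerable host escapes all alpha_f*v*N*T scans of the outbreak
    with probability ~exp(-alpha_f*T*v*pn), so alpha_f solves
    alpha_f = 1 - exp(-T*v*pn*alpha_f); solved by fixed-point iteration from 1."""
    r0 = expected_infections(T, v, pn)
    if r0 <= 1.0:
        return 0.0
    alpha = 1.0
    while True:
        nxt = 1.0 - math.exp(-r0 * alpha)
        if abs(nxt - alpha) < tol:
            return nxt
        alpha = nxt


def simulate_outbreak(T: int, v: float, pn: float, n_addresses: int,
                      rng: random.Random) -> float:
    """One run of the containment model: breadth-first worm tree from one infected
    host; every infected host gets exactly T scans, each targeting a uniformly
    random enterprise address with probability pn (otherwise the scan leaves the
    enterprise and is wasted). Returns the fraction of vulnerable hosts infected."""
    vulnerable = [rng.random() < v for _ in range(n_addresses)]
    candidates = [a for a in range(n_addresses) if vulnerable[a]]
    if not candidates:
        return 0.0
    infected = [False] * n_addresses
    start = rng.choice(candidates)
    infected[start] = True
    queue = deque([start])
    n_infected = 1
    while queue:
        queue.popleft()
        for _ in range(T):
            if rng.random() >= pn:
                continue                      # scan went outside the enterprise
            target = rng.randrange(n_addresses)
            if vulnerable[target] and not infected[target]:
                infected[target] = True
                n_infected += 1
                queue.append(target)
    return n_infected / len(candidates)


def outbreak_histogram(T: int, v: float, pn: float, n_addresses: int,
                       trials: int, seed: int = 1) -> List[float]:
    """Final densities over repeated runs (the data behind a histogram of alpha):
    a bimodal mix of early die-outs and runs that reach about alpha_f."""
    rng = random.Random(seed)
    return [simulate_outbreak(T, v, pn, n_addresses, rng) for _ in range(trials)]


def summarize(alphas: List[float], T: int, v: float, pn: float) -> Tuple[float, float]:
    """(fraction of runs that died out, mean density of runs that crossed alpha_c)."""
    a_c = critical_density(T, v, pn)
    took_off = [a for a in alphas if a > a_c]
    died = 1.0 - len(took_off) / len(alphas)
    mean = sum(took_off) / len(took_off) if took_off else 0.0
    return died, mean


if __name__ == "__main__":
    T, v, pn = 10, 0.3, 0.5                   # the slide's numerical case
    print("E(A1) =", expected_infections(T, v, pn))
    print("alpha_c =", critical_density(T, v, pn))
    print("alpha_f =", final_density(T, v, pn))
    # constructed run: one class B (2^16 addresses) rather than the slides' two
    alphas = outbreak_histogram(T, v, pn, 1 << 16, trials=20)
    print("died out, mean alpha_f:", summarize(alphas, T, v, pn))
```

Because a single seed host produces a branching process with mean offspring $TvP_n = 1.5$, a sizeable share of runs die out after a handful of infections while the rest climb past $\alpha_c = 1/3$ and level off near $\alpha_f$; `summarize` separates the two modes using $\alpha_c$ as the cut.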

12
Histogram of $\alpha$ (figure)
13
Worms with Cell Preference (local subnet scanning)
  • Containment within the cell is needed along with
    external containment
  • Watch the number of outbound connections made from
    the cell
  • $E(O_{c1}) = T v P_n (1 + C v P_c) \lessgtr 1$
  • $C v P_c \gg 1$: more intra-cell spread

14
$C P_c$ vs. $T P_n$ (figure)
15
Better Scanning vs. Cell Size (figure)
16
Local Subnet Scan (results, figure)
17
Containment of Code Red and Nimda
  • Code Red I: $v = 360000/2^{32} \approx 8 \times 10^{-5}$
  • Slammer: $v = 75000/2^{32} \approx 2 \times 10^{-5}$
  • Worm does not spread even if the cell size is
    large ($\approx 2^{25}$)
  • Code Red II: $P_n = 0.375$
  • Nimda: $P_n = 0.5$, i.e. higher local preference
    than Code Red II, harder to stop
  • Both containable for $C < 200000$ (with $P_c = 1$)
18
Better Scanning Strategies for Worm Writers
  • Worm writer minimizes the time to scan both within
    the cell and outside the cell
  • Outside the cell, time to scan can be modeled by
    an epidemiological model
  • Inside the cell:
    • Time to compromise a host in a particular cell
      in the enterprise
    • Time to compromise the remaining hosts in that cell

19
Total time for the worm to complete its task
  • ?: proportion of the worm's effort spent on the
    outside network
  • tfin (?/v(1- ?)) 3log(vN-1)/ ?vS
  • $N$: 2 class B networks

20
Outside-effort proportion vs. $t_{fin}$ (hours) (figure)
21
Higher $v$ (time here in minutes) (figure)
22
Analysis
  • Outside-effort proportion 0.1 with $P_n = 0.1$:
    effective containment, as finding a new address
    space is slow
  • When the vulnerability density is small, finding a
    remote class B is difficult and the worm should
    devote its time to doing that

23
Optimal outside-effort proportion for varying $v$ (figure)
24
Arrangement of Containment Systems in Cells
  • Power-law distribution of networks $\Rightarrow$
    power-law distribution of vulnerabilities (the
    network is inhomogeneous)
  • Vulnerabilities of the $i$th cell modeled as $i$
    raised to a fixed negative power (the exponent is
    a fixed constant)

25
? Vs. ?
26
Device Placement
  • More vulnerabilities mean more infections; fewer
    vulnerabilities mean fewer infections
  • Cells should be sized so that each cell holds the
    same number of vulnerabilities
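The placement rule from the last three slides, worked through as an added example; this is not code from the presentation or from Silicon Defense. The slides model the vulnerability count of the $i$th subnet as a power law in $i$ with a fixed exponent; here that exponent is called `gamma`, and the subnet count, `gamma` and the scale factor are constructed inputs. Cells are assumed to be contiguous runs of subnets, one containment device per address range. The equal-vulnerability layout is computed as the optimal contiguous $k$-way partition that minimizes the largest per-cell load (binary search on the load bound with a greedy feasibility check), and is compared with equal-address cells on the same profile.

```python
"""Placing containment devices so every cell holds the same number of
vulnerabilities (slides 24-26).

Added example, not code from the slides or from Silicon Defense. The exponent
name gamma, the subnet count and the scale factor are this example's own
constructed inputs; cells are assumed to be contiguous runs of subnets.
"""
from typing import List

Cells = List[List[int]]


def power_law_vulnerabilities(n_subnets: int, gamma: float, scale: float) -> List[int]:
    """Vulnerable hosts per subnet, proportional to i^-gamma for i = 1..n_subnets."""
    return [max(1, round(scale * i ** (-gamma))) for i in range(1, n_subnets + 1)]


def cell_loads(cells: Cells) -> List[int]:
    """Vulnerabilities per cell (C*v in the slides' notation)."""
    return [sum(cell) for cell in cells]


def equal_address_cells(counts: List[int], k: int) -> Cells:
    """Naive layout: k cells covering (nearly) equal numbers of subnets/addresses."""
    n = len(counts)
    bounds = [j * n // k for j in range(k + 1)]
    return [counts[bounds[j]:bounds[j + 1]] for j in range(k)]


def _fits(counts: List[int], k: int, capacity: int) -> bool:
    """Greedy check: can the subnets be cut into at most k contiguous cells
    whose loads never exceed capacity?"""
    cells, load = 1, 0
    for c in counts:
        if c > capacity:
            return False
        if load + c > capacity:
            cells, load = cells + 1, c
        else:
            load += c
    return cells <= k


def equal_vulnerability_cells(counts: List[int], k: int) -> Cells:
    """k contiguous cells minimizing the maximum vulnerabilities in any cell."""
    if not 1 <= k <= len(counts):
        raise ValueError("need at least one subnet per cell")
    lo, hi = max(counts), sum(counts)        # the optimal bound lies in [lo, hi]
    while lo < hi:                            # binary search the smallest feasible bound
        mid = (lo + hi) // 2
        if _fits(counts, k, mid):
            hi = mid
        else:
            lo = mid + 1
    cells, cur, load = [], [], 0
    for c in counts:                          # greedy cut at the optimal bound lo
        if cur and load + c > lo:
            cells.append(cur)
            cur, load = [], 0
        cur.append(c)
        load += c
    cells.append(cur)
    while len(cells) < k:                     # greedy may use fewer than k cells;
        i = max(range(len(cells)), key=lambda j: len(cells[j]))   # splitting the
        half = len(cells[i]) // 2             # longest cell never raises the max load
        cells[i:i + 1] = [cells[i][:half], cells[i][half:]]
    return cells


if __name__ == "__main__":
    counts = power_law_vulnerabilities(64, gamma=1.0, scale=400)   # constructed profile
    for name, layout in (("equal addresses", equal_address_cells(counts, 8)),
                         ("equal vulnerabilities", equal_vulnerability_cells(counts, 8))):
        print(f"{name:22s} max vulnerabilities in a cell: {max(cell_loads(layout))}")
```

On the constructed profile the equal-address layout puts the densest subnets together in one cell, so that cell's load (and with it the intra-cell spread $CvP_c$ of the earlier slides) is several times larger than any cell of the equal-vulnerability layout, whose worst cell is bounded by the single densest subnet.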

27
Conclusions
  • Most worms are easily containable at the enterprise
    network level
  • Better containment is achieved by dividing the
    enterprise network into cells, each holding the
    same number of vulnerabilities
  • Containment deployment should be complete;
    otherwise worm spread above critical levels is
    possible

28
Thank You!