monitorWarning-techreport - 1 Monitoring and Early Warning...

Info iconThis preview shows pages 1–3. Sign up to view the full content.

View Full Document Right Arrow Icon
1 Monitoring and Early Warning for Internet Worms Cliff C. Zou , Lixin Gao , Weibo Gong , Don Towsley Department of Computer Science Univ. Massachusetts, Amherst Technical Report: TR-CSE-03-01 Abstract After the Code Red incident in 2001 and the recent SQL worm in January 2003, it is clear that a simple self-propagating worm can quickly spread across the Internet and infect most vulnerable computers before people can take effective countermeasures. The fast spreading nature of these worms calls for a worm monitoring and warning system. In this paper we propose an effective early warning system. Based on epidemic models and observation data of a fast-spreading worm, we deploy a Kalman filter to predict worm propagation in real-time. Furthermore, we can effectively correct the bias introduced by the observed number of infected hosts. Our simulation results for the Code Red and SQL worm show that with observation data from a small fraction of IP addresses, we can accurately predict the worm infection rate when the worm infect about 5% of all vulnerable computers. The total number of vulnerable computers can also be estimated quickly. I. INTRODUCTION Since the Morris worm in 1988 [16], the security threat posed by worms has steadily increased, especially in the last several years. In 2001, the Code Red and Nimda worms infected hundreds of thousands of computers [13][17], causing millions of dollars loss to our society [9]. These two worms demonstrated how vulnerable our computer networks are when facing an actively propagating worm. Furthermore, Staniford et. al presented some worm design techniques such that the new worm could spread even faster [19]. After a relatively quiet time, the SQL worm recently appeared on January 25th 2003 and quickly spread throughout the Internet. Because its vulnerable population was much smaller than what Code Red and Nimda had, and also because it was much easier to block the SQL worm traffic than to block Code Red and Nimda, the SQL worm was quickly constrained after one day [20][15]. However, the SQL worm used UDP to send scans. Thus, while it was active, it sent out huge amount of scan packets and formed a denial of service attack. Many networks across Asia, Europe and America were shut down for several hours [6]. Currently, some organizations and security companies, such as the CERT, CAIDA, and SANS Institute [4][2][18], are monitoring the Internet and paying close attention to any abnormal traffic. Nevertheless, there is no nation-scale malware monitoring and defense center. Given the fast spreading nature of the Internet worms, it seems appropriate to setup a worm monitoring and early warning system. In addition, by collecting more complete data on the worm propagation via the monitoring system, we could estimate and predict a worm propagation trend and its behavior at its early stage for automatic mitigation.
Background image of page 1

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
2 In this paper, we mainly focus on worms that uniformly scan the Internet. The most widespread Internet
Background image of page 2
Image of page 3
This is the end of the preview. Sign up to access the rest of the document.

Page1 / 16

monitorWarning-techreport - 1 Monitoring and Early Warning...

This preview shows document pages 1 - 3. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online