On the Effectiveness of Distributed Worm Monitoring

Distributed monitoring of unused portions of the IP address space holds the promise of providing early and accurate detection of high-profile security events, especially Internet worms. While this observation has been accepted for some time now, a systematic analysis of the requirements for building an effective distributed monitoring infrastructure is still missing. In this paper, we attempt to quantify the benefits of distributed monitoring and evaluate the practicality of this approach. To do so we developed a new worm propagation model that relaxes earlier assumptions regarding the uniformity of the underlying vulnerable population. This model allows us to evaluate how the size of the monitored address space, as well the number and locations of monitors, impact worm detection time. We empirically evaluate the effect of these parameters using traffic traces from over 1.5 billion suspicious connection attempts observed by more than 1600 intrusion detection systems dispersed across the Internet. Our results show that distributed monitors with half the allocated space of a centralized monitor can detect non-uniform scanning worms in half the time. Moreover, a distributed monitor of the same size as a centralized monitor can detect the worm four times faster. Furthermore, we show that even partial knowledge of the vulnerable population density can be used to improve monitor placement. Exploiting information about the location of the vulnerable population leads, in some cases, to detection time that is seven times as fast compared to random monitor deployment.

[1]  David Moore,et al.  Internet quarantine: requirements for containing self-propagating code , 2003, IEEE INFOCOM 2003. Twenty-second Annual Joint Conference of the IEEE Computer and Communications Societies (IEEE Cat. No.03CH37428).

[2]  Scott Shenker,et al.  Best-effort versus reservations: a simple comparative analysis , 1998, SIGCOMM '98.

[3]  Herbert W. Hethcote,et al.  The Mathematics of Infectious Diseases , 2000, SIAM Rev..

[4]  Jiang Wu,et al.  An Effective Architecture and Algorithm for Detecting Worms with Various Scan , 2004, NDSS.

[5]  Zhuoqing Morley Mao,et al.  Toward understanding distributed blackhole placement , 2004, WORM '04.

[6]  Donald F. Towsley,et al.  Monitoring and early warning for internet worms , 2003, CCS '03.

[7]  David Moore,et al.  Code-Red: a case study on the spread and victims of an internet worm , 2002, IMW '02.

[8]  Vern Paxson,et al.  How to Own the Internet in Your Spare Time , 2002, USENIX Security Symposium.

[9]  Stefan Savage,et al.  Inferring Internet denial-of-service activity , 2001, TOCS.

[10]  Hal Berghel,et al.  The Code Red Worm , 2001, CACM.

[11]  Farnam Jahanian,et al.  The Internet Motion Sensor - A Distributed Blackhole Monitoring System , 2005, NDSS.

[12]  Guofei Gu,et al.  Worm detection, early warning and response based on local victim information , 2004, 20th Annual Computer Security Applications Conference.

[13]  Kevin A. Kwiat,et al.  Modeling the spread of active worms , 2003, IEEE INFOCOM 2003. Twenty-second Annual Joint Conference of the IEEE Computer and Communications Societies (IEEE Cat. No.03CH37428).

[14]  David Moore,et al.  The Spread of the Witty Worm , 2004, IEEE Secur. Priv..

[15]  Don Towsley,et al.  Routing worm: a fast, selective attack worm based on IP address information , 2005, Workshop on Principles of Advanced and Distributed Simulation (PADS'05).

[16]  Somesh Jha,et al.  Global Intrusion Detection in the DOMINO Overlay System , 2004, NDSS.

[17]  Vern Paxson,et al.  The top speed of flash worms , 2004, WORM '04.

[18]  Donald F. Towsley,et al.  Code red worm propagation modeling and analysis , 2002, CCS '02.

[19]  Donald F. Towsley,et al.  Worm propagation modeling and analysis under dynamic quarantine defense , 2003, WORM '03.

[20]  Vishal Malik,et al.  Distributed intrusion detection system , 2002 .