Advanced Techniques to Detect and Control Global Security Threats
This project considers not just Internet worm detection, but also attempts to identify countermeasures to stop their spread. In particular, we hope to quantify the time in which a countermeasure must be deployed in order to effectively stop or slow DoS attacks.
This project will leverage research funded by DARPA NMS and CAIDA members.
Principal Investigator: David Moore
Funding source: Cisco Systems, Inc.
Period of performance: July 15, 2002 - June 14, 2003.
Description of Research and Goals
In the last year, we've seen continued growth in the number of DoS attacks, and a number of highly publicized Internet worms. While some work has been done on methods of mitigating the effects of Denial-of-Service attacks, there is little operationally relevant research into how to control the spread of Internet worms.
In July of 2002, the CodeRed worm was able to infect 360,000 hosts in less than one day. Clearly, manual intervention is unable to counter an attack of this scale: 24 hours is insufficient time to propagate basic information about the attack, let alone begin actual prevention. In fact, CAIDA research has shown that the majority of machines were still vulnerable to the attack more than a week after the initial CodeRed outbreak. Therefore, any mechanism to control the spread of Internet worms must be automated if it is to have any chance of success.
To design such a mechanism, we first must understand the basic relationship between the rate of worm spread and the reaction time of the system to contain the outbreak. CAIDA, in collaboration with faculty in the UCSD Computer Science and Engineering Department, has performed some preliminary analysis of the reaction times necessary to stop the spread of a worm under optimal conditions. We'd like to expand this research to include realistic simulations of worm spread and containment. Specifically, we would like to explore the utility of firewall- and router-based filtering to control the spread of a worm, either by blackholing infected hosts or by content-signature blocking. Our preliminary results suggest that while deploying appropriate blocking technologies may be unable to contain the global spread of a worm, they may allow institutions using blocking technologies to protect themselves to a significant degree.
Key questions to be answered:
- Are there fundamental limits on controlling the spread of Internet worms (or other self-propagating code)?
- How effective are optimal reactive blocking strategies at controlling the spread?
- How well can we succeed if only a portion of ISPs participate? How protected are the participating ISPs versus the non-participating ISPs?
- Can we extend the use of backscatter techniques to more quickly detect attacks?
CAIDA has pioneered the use of large address space monitoring to track and understand global network security events such as global Denial-of-Service attacks and Internet worms. As part of this proposal, we wish to increase our ability to archive and analyze these forms of data. During the first two weeks of August, our monitoring of the spread of the CodeRed worm resulted in the collection of half a gigabyte of compressed data per hour. We plan to develop more real-time techniques for detecting the onset of universal security threats and to explore the extent to which distributed early detection systems could be globally deployed.
We plan to:
- Institute worm data collection independent of denial-of-service attack tracking efforts.
- Develop automated means of data migration from monitor boxes to long-term storage, while preserving the accessibility and integrity of the data.
- Incorporate aggregation and pre-analysis of worm activity and other host probing.
- Extend backscatter techniques to improve their functionality.
- Simulate how filtering in the network can control the spread of worms.
- Investigate the effectiveness of prefix blocking and content blocking via access control lists at minimizing worm spread.
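As an added illustration (not code from this proposal or from CAIDA), the model below captures the relationship the plan above sets out to simulate: a random-scanning worm, a share of vulnerable hosts behind institutions that turn on content-signature blocking at their borders after a reaction time, and the resulting infected fraction inside versus outside those institutions. It is a deterministic mean-field model; the scan rate, participation share, site size and reaction times are assumed values, and only the 360,000-host population comes from the page.

```python
import math
from dataclasses import dataclass


@dataclass
class Scenario:
    """Constructed parameters; only the 360,000 host count comes from the page."""
    address_space: float = 2.0 ** 32  # IPv4 space scanned uniformly at random
    vulnerable: int = 360_000         # vulnerable hosts
    scan_rate: float = 10.0           # probes/second per infected host (assumed)
    participating: float = 0.5        # share of vulnerable hosts behind filtering sites
    site_size: int = 1_000            # vulnerable hosts per participating site (assumed)
    reaction_time: float = 600.0      # seconds after the first infection until filters are live
    horizon: float = 24 * 3600.0      # simulated seconds
    step: float = 10.0                # integration step in seconds


def expected_hits(probes: float, targets: float, space: float) -> float:
    """Expected number of `targets` reached by `probes` uniform random probes."""
    return targets * -math.expm1(probes * math.log1p(-1.0 / space))


def simulate(sc: Scenario) -> dict:
    """Deterministic (mean-field) spread; returns infected fractions at the horizon."""
    n_in = sc.vulnerable * sc.participating
    n_out = sc.vulnerable - n_in
    s_in, i_in = n_in, 0.0            # susceptible / infected behind filtering sites
    s_out, i_out = n_out - 1.0, 1.0   # one seed host outside starts infected
    t = 0.0
    while t < sc.horizon:
        probes = sc.scan_rate * sc.step
        if t < sc.reaction_time:
            # No filtering yet: every probe may reach every susceptible host.
            new_in = expected_hits((i_in + i_out) * probes, s_in, sc.address_space)
            new_out = expected_hits((i_in + i_out) * probes, s_out, sc.address_space)
        else:
            # Content-signature filters drop worm probes at every participating border:
            # an infected host inside a site only reaches that site's own susceptibles,
            # and hosts outside no longer receive probes from inside.
            local = sc.site_size * s_in / n_in
            new_in = i_in * expected_hits(probes, local, sc.address_space)
            new_out = expected_hits(i_out * probes, s_out, sc.address_space)
        new_in, new_out = min(new_in, s_in), min(new_out, s_out)
        s_in, i_in = s_in - new_in, i_in + new_in
        s_out, i_out = s_out - new_out, i_out + new_out
        t += sc.step
    return {"inside": i_in / n_in, "outside": i_out / n_out,
            "total": (i_in + i_out) / sc.vulnerable}
```

With these assumptions a ten-minute reaction leaves the filtering sites essentially untouched while the unfiltered half of the population is fully infected within the day, which is the asymmetry between participating and non-participating networks that the key questions ask about; the model ignores worms that prefer nearby addresses, which blocking at the border alone would not stop.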
As a measurement-focused research group, CAIDA is uniquely situated to monitor global security threats. We have a widely deployed monitoring infrastructure that is not tied to the development of security-related products and thus can be used to do independent, operationally relevant research.
While several companies are developing products or services for preventing or blocking Denial-of-Service attacks (e.g. Asta, Arbor, Mazu, Reactive) and one has done a single study of CodeRed and Nimda propagation, commercial efforts have neither the resources nor the motivation to study the fundamental aspects of the feasibility of controlling Internet worm spread with any currently viable techniques.
Timelines for Funding and Research Completion
Funding begins 15 June 2002.
Research Milestones
- 15 Aug 2002: Equipment purchase and deployment
- 15 Dec 2003: Development of automatic data collection for monitors
- 14 June 2003: Provide data to simulators for evaluating effectiveness of countermeasures
Any Required/Expected Research Cooperation with Cisco
Only as requested by Cisco personnel.