1

Predicting Global Internet Instability Caused by Worms using Neural Networks

Marais, Elbert 16 November 2006
Student Number : 9607275H - MSc dissertation - School of Electrical and Information Engineering - Faculty of Engineering and the Built Environment / Internet worms are capable of quickly propagating by exploiting vulnerabilities of hosts that have access to the Internet. Once a computer has been infected, the worms have access to sensitive information on the computer, and are able to corrupt or retransmit this information. This dissertation describes a method of predicting Internet instability due to the presence of a worm on the Internet, using data currently available from global Internet routers. The work is based on previous research which has indicated a link between the increase in the number of Border Gateway Protocol (BGP) routing messages and global Internet instability. The type of system used to provide the prediction is known as an autoencoder. This is a specialised type of neural network, which is able to provide a degree of novelty for inputs. The autoencoder is trained to recognise “normal” data, and therefore provides a high novelty output for inputs dissimilar to the normal data. The BGP Update routing messages sent between routers were used as the only inputs to the autoencoder. These intra-router messages provide route availability information, and inform neighbouring routers of any route changes. The outputs from the network were shown to help provide an early warning mechanism for the presence of a worm. An alternative method for detecting instability is a rule-based system, which generates alarms if the number of certain BGP routing messages exceeds a prespecified threshold. This project compared the autoencoder to a simple rule-based system. The results showed that the autoencoder provided a better prediction and was less complex for a network administrator to configure. 
Although the correlation between the number of BGP Updates and global Internet instability has been shown previously, this work presents the first known application of a neural network to predict the instability using this correlation. A system based on this strategy has the potential to reduce the damage done by a worm’s propagation and payload, by providing an automated means of detection that is faster than that of a human.
2

Modeling and Defending Against Internet Worm Attacks

Chen, Zesheng 09 April 2007
As computer and communication networks become prevalent, the Internet has been a battlefield for attackers and defenders. One of the most powerful weapons for attackers is the Internet worm. Specifically, a worm attacks vulnerable computer systems and employs self-propagating methods to flood the Internet rapidly. The objective of this research is to characterize worm attack behaviors, analyze Internet vulnerabilities, and develop effective countermeasures. More specifically, some fundamental factors that enable a worm to be designed with advanced scanning methods are presented and investigated through mathematical modeling, simulations, and real measurements. First, one factor is an uneven vulnerable-host distribution that leads to an optimal scanning method called importance scanning. Such a new method is developed from and named after importance sampling in statistics and enables a worm to spread much faster than both random and routable scanning. The information of vulnerable-host distributions, however, may not be known before a worm is released. To overcome this, worms using two sub-optimal methods are then investigated. One is a self-learning worm that can accurately estimate the underlying vulnerable-host distribution while propagating. The other is a localized-scanning worm that has been exploited by Code Red II and Nimda worms. The optimal localized scanning and three variants of localized scanning are also studied. To fight against importance-scanning, self-learning, and localized-scanning worms, defenders should scatter applications uniformly in the entire IP-address space from the viewpoint of game theory. Next, a new metric, referred to as the non-uniformity factor, is presented to quantify both the unevenness of a vulnerable-host distribution and the spreading ability of network-aware worms. This metric is essentially the Renyi information entropy and better characterizes the non-uniformity of a distribution than the Shannon entropy. 
Finally, another fundamental factor is topology information that enables topological-scanning worms. The spreading dynamics of topological-scanning worms are modeled through a spatial-temporal random process and simulated with both real and synthesized topologies.
3

A NetFlow Based Internet-worm Detecting System in Large Network

Wang, Kuang-Ming 04 September 2005
Internet-worms are a major threat to the security of today's Internet and cause significant worldwide disruptions; a huge number of infected hosts generating overwhelming traffic will impact the performance of the Internet. Network managers have the duty to mitigate this issue. In this paper we propose an automated method for detecting Internet-worms in large networks based on NetFlow. We also implement a prototype system, FloWorM, which can help network managers to monitor suspect Internet-worm activities and identify their species in their managed networks. Our evaluation of the prototype system on real large and campus networks validates that it achieves a pretty low false positive rate and a good detection rate.
