Internet-scale malware mitigation: combining intelligence of the control and data plane

  • Authors:
  • Ying Zhang;Evan Cooke;Z. Morley Mao

  • Affiliations:
  • University of Michigan;University of Michigan;University of Michigan

  • Venue:
  • Proceedings of the 4th ACM workshop on Recurring malcode
  • Year:
  • 2006

Quantified Score

Hi-index 0.00

Visualization

Abstract

Security on the Internet today is treated mostly as a data plane problem. IDS's, firewalls, and spam filters all operate on the simple principle of detecting malicious data plane behavior and erecting data plane filters. In this paper we explore how breaking down the barrier between the control and data plane can significantly enhance our understanding of how to detect and filter Internet threats like worms and botnets. Our investigation is guided by two specific goals: using information and anomalies detected on the data plane to inform control plane decision support and using anomalies detected on the control plane to inform data plane filtering. We begin by analyzing the source of persistent worms and other persistent malicious and misconfigured data plane traffic to understand the scope of this behavior on the control plane. We then analyze how anomalies on the control plane associated with poorly managed networks and are correlated with the sources of malicious and misconfigured traffic detected on the data plane. Our results show that malicious and misconfigured data plane behavior is widely spread across the control plane suggesting that constructing a few control plane filters to block the most infected organizations will not have a significant impact. We demonstrate that networks with data plane anomalies tend to exhibit more routing misconfigurations. Finally, we discuss how these correlations could be used to reject or filter routes and help stop recurring threats like persistent worms.