1 / 36

Can You Infect Me Now? Malware Propagation in Mobile Phone Networks

Introduction. Can You Infect Me Now? Malware Propagation in Mobile Phone Networks. Chris Fleizach 1 , Michael Liljenstam 3 , Per Johansson 2 , Geoffrey M. Voelker 1 and András Méhes 3. 1 2 3. Over 1.8 billion mobile subscriptions as of 2005

alarice
Download Presentation

Can You Infect Me Now? Malware Propagation in Mobile Phone Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Introduction Can You Infect Me Now?Malware Propagation in Mobile Phone Networks Chris Fleizach1, Michael Liljenstam3, Per Johansson2, Geoffrey M. Voelker1and András Méhes3 123

  2. Over 1.8 billion mobile subscriptions as of 2005 • Phones are becoming general processing platforms. • In Smartphones, the potential exists for malware developers to exploit the types of vulnerabilities that have long plagued Internet hosts • Mobile phone spam • Denial of service attacks • Mobile botnets (mobots) • Ultimately, loss of service which leads to loss of revenue • Mobile phones will become a highly attractive target for criminals. Introduction Motivation

  3. Mobile phones have multiple communication vectors: • Bluetooth • SMS and MMS • Voice and VoIP • Internet • However, these channels are constricted by network topologies, contact graphs and bandwidth limitations • We cannot blindly apply the lessons learned from Internet worms. Introduction How will it happen?

  4. Explore the range of malware propagation on mobile phone networks • Characterize its speed and severity • Understand how network provisioning impacts propagation • Understand how malware propagation impacts the network • Highlight the implications of network-based defenses against malware Introduction Goals

  5. To accomplish these goals, we: • Created a realistic network topology generator (RACoON) • Modeled address books of cell phone users • Created an event-driven simulator: • Model two attack vectors: Voice-over IP and MMS • Investigate ways to speed up the spread of malware • Examine network-based defenses Introduction Methodology

  6. We modeled a single carrier’s UMTS network Modeling mobile phone networks Universal Mobile Telecommunications System • Network Elements • Node B • RNC • SGSN • GGSN • MMS server

  7. Networks are planned and provisioned using: • Population data • Land use data • Previous cell phone deployments • Radio effects • We used U.S. census data to create a square grid of population densities to inform our placement of UMTS elements • Used a 1x1 sq. mi. resolution • Averaged population for regions based on county land area and total population Modeling mobile phone networks Modeling mobile phone networks

  8. Modeling mobile phone networks Population Data Areas of high population density are darker

  9. The Radio Access and Core Operator Network topology Generator (RACoON) • Uses population data as input to capture regional population differences • Divides the area into uniform grid cells • Uses a bottom-up placement strategy to place radio cells and Node Bs. • Adds fixed network nodes that obey capacity constraints Modeling mobile phone networks Generating the network topology

  10. Modeling mobile phone networks A generated network Highly populated regions correspond to regions that need more SGSNs SGNSs connected with the Waxman model – distance based random topology 200x200 sq. mi grid of northwest US

  11. The topology we used in our simulated was based on the Boston metropolitan area (northeast U.S.) • 100x100 sq. mi. grid • 7 million people (but scaled down based on 78% cell phone penetration statistics) • 9,616 Radio Cells • 49 RNCs, 49 SGSNs • 1 MMS server Modeling mobile phone networks Topology Specifics

  12. Existing viruses in cell phones (e.g. Commwarrior) use the entries in the address book to spread • The implication is that there is an underlying social network topology • What is the degree distribution for address books? • How are nodes connected? Modeling Social Topology Networks Modeling social networks

  13. Many real-world phenomena are modeled by scale-free networks (Internet AS topology, links between movie actors, file sizes, … ) Zou et al. said email lists were power-law1 Newman et al. said email address books were scale-free2 Liben-Nowell said connections in a social network community (LiveJournal.com) were log-normal3 1 Zou, Towsley, Gong. “Email worm modeling and defense” 2 Newman, Forrest, Balthrop. “Email networks and the spread of computer viruses” 3Liben-Nowell. “An algorithmic approach to social networks” Modeling Social Topology Networks Degree distributions

  14. But these models imply that most people have very few connections. Intuitively, this seems incorrect. We surveyed cell phone owners at UCSD CSE and Ericsson The distribution was more like a stretched Gaussian. Modeling Social Topology Networks Degree distributions

  15. In fact we found that the data fit an Erlangdistribution Erlang is a shifted Gaussian Modeling Social Topology Networks Erlang Distribution

  16. In power law distributions, some nodes act as “super-hubs”, while most have very few connections • There is a preference for less popular nodes to attach to more popular nodes (creating more inbound connections) • Intuitively, this seems unlikely in the cell phone domain Modeling Social Topology Networks How are the nodes connected?

  17. Attachment instead can be influenced by geography and population Liben-Nowell found the probability that one person was connected to another was inversely proportional to the number of people between them Modeling Social Topology Networks Node Attachment P(x,y) = probability person x is a friend with person y D(x,y) = number of people between person x and person y

  18. We studied two scenarios with our modeling techniques: • Voice-over IP • MMS • Measured the percentage of infected phones over a 12 hour period • The malware contacts numbers from the address book until completed, and then randomly dials phone numbers Experimental Results Experiments

  19. A Voice-over IP exploit would subvert one of the stacks handling packetized voice data. Infecting another phone implies that an end-to-end connection can be made. The bandwidth used to send the payload is the maximum available bandwidth for all the paths between the two phones Voice over IP Results Voice-over IP Attack

  20. Voice over IP Results Voice over IP Not a standard S-curve infection - Complete reaches 90% after 4 hours - Erlang reaches 90% at 12 hours But in log-scale, the “S” curve returns

  21. Voice over IP Results Congestion in VoIP scenario Average congestion across all elements Major bottleneck is at the RNC -> SGSN link. - RNCs have to little outbound bandwidth Congestion also decreases over time - Phones finish enumerating their contacts, start randomly dialing

  22. MMS-based malware infects a phone by being read by a victim The MMS server stores the message until the victim requests it The MMS server in our simulations had 100 message/s capacity for sending and receiving. MMS Results MMS Scenario Wait time before a user retrieves the MMS message Modeled as a mixture of Gaussians, centered at 20 seconds and 45 minutes

  23. MMS Results MMS Scenario Rate of infection significantly different from VoIP Primary constraint is the 100mps limit of the MMS server

  24. A clever attacker can use knowledge about the network to exacerbate the spread of malware • We look at various ways that malware creators may try to speed up their worms: • Transferring contacts • Avoiding congestion • Using out of band channels Speedy Malware Engineering malware for speed

  25. Transferring contacts and avoiding congestion can be very effective Infection reaches 90% rate 4xfaster than the standard scenario Speedy Malware Combining Strategies

  26. Speedy Malware Speeding up MMS Use an out-of-band channel (Internet) to coordinate. Malware can quickly build a global address book The infection rate using an Internet server reaches 48 infections/s (nearly optimal) Standard malware only reaches 35 infections/s

  27. Network operators are in a better position than the Internet community • Since the infrastructure is centrally managed and owned, defenses can be inserted at critical points to affect the spread • However, the fact that the end nodes (phones) can be hard to disinfect introduces challenges • We examined a few defensive scenarios: • Blacklisting • Rate limiting • Filtering Defenses Defenses  Removing the infected reduces congestion!  Removing the infected reduces congestion! •  Can be effective for MMS. Possible, but difficult, for VoIP

  28. Communications based worms can severely disrupt service and spread quickly if engineered correctly. • Defenses need to be applied early and with extreme prejudice to stop an outbreak • Still much work to be done in the area. • Our model is very coarse. It could use other sources of data to inform modeling. Conclusion Conclusion

  29. Conclusion Questions and Answers

  30. Voice over IP Results Voice over IP infections Does the size of the address book affect when a phone is infected?

  31. Advanced malware could divide address books between infected phones This strategy would approximate a “complete” address book, while dividing work Speedy Malware Transferring Contacts

  32. The real bottleneck is bandwidth. If malware can recognize that their links are congested and back off, it will allow other phones to complete their connections Speedy Malware Avoiding congestion

  33. Almost all cell phone malware to-date has relied on user intervention We model the spread when 25%, 50%, 75% and 100% of the population intervene to cause an infection to occur MMS Results MMS and Users

  34. As MMS usage increases, operators will naturally increase capacity. We look at what happens when the MMS server can handle 2x and 5x the current capacity (with only one server) Bandwidth starts to affect spread more than capacity constraints MMS Results MMS and Capacity

  35. Defenses Blacklisting Standard VoIP malware Blacklisting would use some heuristic to identify infected phones and then block their connectivity. Even aggressive blacklisting, done early, may still not be effective

  36. A network operator could try to limit how many calls or messages could be sent within a time period This can have the adverse effect of reducing overall congestion Defenses Rate limiting Standard malware is occluded by rate limiting scenario

More Related