
Epidemiological Approach to Network Security






Presentation Transcript


  1. Epidemiological Approach to Network Security 13th KRNET 2005 2005.6.27. Sue Moon KAIST

  2. Definitions • An epidemic • "an outbreak of sudden rapid spread, growth, or development" • what reproduces itself • Epidemiology • "a branch of medical science that deals with the incidence, distribution, and control of disease in a population" • applies to human diseases, computer viruses/worms, spreading of ideas and rumors ("gossip")

  3. Epidemiologically Motivating Questions • What are the factors that affect an epidemic? • What are known models of epidemic spreading? • How do computer viruses/worms fare in light of known models? • What can we do to increase network security?

  4. Definitions of Viruses/Worms • Computer virus • "A parasitic program written intentionally to enter a computer without the user's permission or knowledge" (Symantec) • Network worms • "self-contained, self-replicating program that spreads by inserting copies of itself into other executable code or documents" (Wikipedia) • Require no human action to spread

  5. Factors in Epidemiology • Host state • susceptible, infected, detected, removed (immune or dead) • Time constraints • continuous, discrete • Topological constraints • well-mixed and constant • a host meets another equally likely • scanning strategies • lattice, network

  6. Simplest Epidemiological Model: SI Model (Logistic Growth Equation)

  7. Spreading under SI Model • Data fit with K = 1.8 • Courtesy: Staniford, Paxson, Weaver.

  8. SIR Model • "removal" rate (Logistic Growth Equation)

  9. History of the Internet Worms • 1988: First Internet worm • Morris Worm: exploited buffer overflow vulnerabilities • 2001: Resurgence of the worms • Code Red, Klez, Sircam • 2003: resulting in the largest down-time and clean-up cost ever • SQL Slammer Worm, Blaster Worm, and Sobig • 2004: zombies, shortened time interval between vulnerability announcement and worm emergence • MyDoom, Witty Worm

  10. Code Red Worm I v1 • Exploiting buffer-overflow vulnerability of IIS • Probing susceptible hosts using SYN packets • Checking if the date is between 1st and 19th • If so, generating random IP addresses to spread • Else, launching DoS attacks against www1.whitehouse.gov • Using a static seed to generate IP addresses • Memory resident (infected hosts recover after rebooting)

  11. Code Red Worms I v2 and II • Code Red I v2 • Using a random seed to generate IP addresses • Faster propagation speed • Code Red II • Completely unrelated to the original Code Red • Containing the string "Code Red II" in source code • Setting up a backdoor in the infected machine • Not memory resident • More complex host-selection method • 1/8: random IP address • 1/2: IP address in the same /8 as the host • 3/8: IP address in the same /16 as the host

  12. Spreading Dynamics of Code Red I v2 • Host infection rate

  13. Spreading Dynamics of Code Red I v2 • Deactivation due to phase transition

  14. Propagation Models • Scanning Model: models of the worms with various scan techniques (Jiang Wu et al.) • Topological Model: a model on arbitrary network topologies (Yang Wang et al.)

  15. Scanning Model • AAWP Model • where • N: # of vulnerable hosts • T: target size • s: scan rate (# of probes per time tick) • n_i: # of infected hosts at time tick i

  16. Scanning Model • AAWP Model (Cont’d)

  17. Scanning Model • Selective Random Scan • selected target addresses (unallocated or reserved IP blocks are removed) • propagation speed • T = 2.7 * 10^9

  18. Scanning Model • Routable Scan • routable target addresses (routable IP blocks from global routers) • finding how many routable IP prefixes there are • 49K prefixes from BGP tables (Route Views servers) • merging contiguous prefixes (17,918 blocks, 1.17x10^9 addresses) • combining close blocks (1,926 blocks, 1.31x10^9 addresses, threshold: one /16) • Propagation speed • T = 1.0 * 10^9

  19. Scanning Model • Divide-Conquer Scan • dividing target address when infecting a host • “single point of failure” • generating a hitlist to decide splitting point • propagation speed

  20. Scanning Model • Hybrid Scan • combining routable scan with random scan at a later stage of the propagation • able to infect hidden and protected hosts • Extreme Scan • DNS Scan • difficult to get a complete target address list • hosts without a public domain name • huge address list size • Complete Scan • using the complete list of assigned IP addresses • list size: 400 MB • slower than random scan
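An added example, not code from the slides or the papers they cite: the AAWP recurrence named on slide 15, in its simplest form (no patching or host death, which the full model also accounts for), run against the target sizes of the random, selective random and routable scans to compare how fast each reaches 90% of the vulnerable population. N = 360,000 hosts and s = 10 probes per tick are the Code Red I v2 settings quoted later in the deck; the 90% milestone is my choice.

```python
import math

# AAWP in its simplest form: each infected host sends s probes per tick, each
# landing uniformly in a target space of size T.  A susceptible host escapes all
# s*n[i] probes with probability (1 - 1/T)^(s*n[i]), so
#   n[i+1] = n[i] + (N - n[i]) * (1 - (1 - 1/T) ** (s * n[i]))
# Host counts are expected values, hence floats.

def aawp_step(n, N, T, s):
    """Expected number of infected hosts one tick later."""
    # 1 - (1 - 1/T)^(s*n) computed via log1p/expm1 so tiny 1/T does not lose precision
    p_hit = -math.expm1(s * n * math.log1p(-1.0 / T))
    return n + (N - n) * p_hit

def ticks_until(frac, N, T, s, n0=1, max_ticks=10_000_000):
    """Ticks until at least frac*N hosts are infected, or None if not reached."""
    n = float(n0)
    for tick in range(max_ticks):
        if n >= frac * N:
            return tick
        n = aawp_step(n, N, T, s)
    return None

# Target-space sizes from slides 17-18; full IPv4 space for plain random scan.
TARGET_SPACES = {
    "random (full IPv4)": 2 ** 32,
    "selective random":   2.7e9,
    "routable":           1.0e9,
}

def compare_scans(N=360_000, s=10, frac=0.9):
    """Map scan strategy -> ticks needed to infect frac of the N vulnerable hosts."""
    return {name: ticks_until(frac, N, T, s) for name, T in TARGET_SPACES.items()}

if __name__ == "__main__":
    for name, ticks in compare_scans().items():
        # with s = 10 probes/sec one tick is one second
        print(f"{name:20s} 90% infected after {ticks:6d} ticks ({ticks / 3600:.2f} h)")
```

The smaller the target space, the larger the fraction of probes that can hit a vulnerable host, which is why a defender's routable-prefix view of the Internet is also the attacker's fastest scan list.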

  21. Comparison of Scanning Models

  22. Scanning Model • Comparison of the Worm Scan Methods (Cont’d)

  23. Topological Model • Proposed Model • Assuming a general connected graph G = (N, E), where N is the set of nodes in the network and E is the set of edges

  24. Topological Model • Experiments • Real network graphs from Oregon router view (10900 AS peers) • Synthesized power-law graphs (1000-node BA network)

  25. Topological Model

  26. Topological Model • Epidemic threshold with a single parameter

  27. Topological Model • Generality of the Threshold Condition
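An added example, not code from the slides: the single-parameter threshold of the topological model (Yang Wang et al.), as I know the result, is that an epidemic with per-edge infection rate beta and per-node cure rate delta dies out when beta/delta is below 1/lambda_1, the reciprocal of the largest eigenvalue of the adjacency matrix. The slides state the threshold condition but not the formula, so the formula is an assumption here; the star and ring graphs are constructed stand-ins for a hub-dominated (power-law) network and a lattice.

```python
import math

def star_graph(n):
    """Node 0 is a hub joined to n-1 leaves: the extreme of a hub-dominated graph."""
    adj = {v: set() for v in range(n)}
    for leaf in range(1, n):
        adj[0].add(leaf)
        adj[leaf].add(0)
    return adj

def ring_graph(n):
    """Every node has exactly two neighbours: a one-dimensional lattice."""
    return {v: {(v - 1) % n, (v + 1) % n} for v in range(n)}

def largest_eigenvalue(adj, iters=500):
    """lambda_1(A) by power iteration on A + I.  The shift keeps all eigenvalues
    non-negative, avoiding the +/-lambda_1 oscillation that plain power iteration
    shows on bipartite graphs such as stars and even-length rings."""
    nodes = list(adj)
    x = {v: 1.0 / math.sqrt(len(nodes)) for v in nodes}       # unit start vector
    lam_shifted = 0.0
    for _ in range(iters):
        y = {v: x[v] + sum(x[u] for u in adj[v]) for v in nodes}  # y = (A + I) x
        lam_shifted = sum(x[v] * y[v] for v in nodes)             # Rayleigh quotient
        norm = math.sqrt(sum(val * val for val in y.values()))
        x = {v: val / norm for v, val in y.items()}
    return lam_shifted - 1.0

def epidemic_threshold(adj):
    """1/lambda_1: the largest beta/delta the graph can tolerate without an epidemic."""
    return 1.0 / largest_eigenvalue(adj)

def epidemic_dies_out(beta, delta, adj):
    """True when beta/delta lies below the graph's threshold."""
    return beta / delta < epidemic_threshold(adj)

if __name__ == "__main__":
    for name, g in (("star, 9 leaves", star_graph(10)), ("ring, 12 nodes", ring_graph(12))):
        print(f"{name:16s} lambda_1={largest_eigenvalue(g):.3f} threshold={epidemic_threshold(g):.3f}")
```

The same beta/delta that dies out on the lattice persists on the hub graph, which is the slides' point about power-law topologies having a lower threshold.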

  28. How to Mitigate the Worm Threat? 1. Reduce # of susceptible hosts (prevention) 2. Reduce rate of infection (suppression) 3. Reduce # of infected hosts (containment) • S(0) = N • infection rate = (probe rate of worm) / M • M: total population (= 2^32 IPv4 addresses) • "removal" rate
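An added example, not code from the slides: the SI/SIR dynamics of slides 6-8 written with the parameters slide 28 names (S(0) = N, infection rate = probe rate / M with M = 2^32, a removal rate for containment), and the three levers of slide 28 applied one at a time to the Code Red I v2 setting quoted on slide 31 (360,000 vulnerable hosts, 10 probes/sec). The forward-Euler integration, the one-second step and the sizes of the three mitigations are my constructed choices.

```python
IPV4_SPACE = 2 ** 32   # M on slide 28

def simulate(N, probe_rate, gamma=0.0, M=IPV4_SPACE, i0=1, dt=1.0, t_max=86_400):
    """Discrete-time SIR (SI when gamma == 0) with beta = probe_rate / M.
    Returns the peak infected count, the total ever infected, and the time at
    which half of the population had been infected (None if never)."""
    beta = probe_rate / M
    S, I, R = float(N - i0), float(i0), 0.0
    peak_I, t_half, t = I, None, 0.0
    while t < t_max:
        new_inf = min(S, beta * S * I * dt)   # probes that land on susceptible hosts
        removed = min(I, gamma * I * dt)      # infected hosts patched or blacklisted
        S, I, R = S - new_inf, I + new_inf - removed, R + removed
        t += dt
        peak_I = max(peak_I, I)
        if t_half is None and N - S >= N / 2:
            t_half = t
    return {"peak_I": peak_I, "total_infected": N - S, "t_half": t_half}

def r0(N, probe_rate, gamma, M=IPV4_SPACE):
    """Basic reproduction number beta * S(0) / gamma; below 1 the outbreak dies out."""
    return (probe_rate / M) * N / gamma

# Slide 31 baseline plus one lever each; mitigation magnitudes are constructed.
N, PROBE = 360_000, 10
SCENARIOS = {
    "baseline (SI)":             dict(N=N,      probe_rate=PROBE, gamma=0.0),
    "prevention: half patched":  dict(N=N // 2, probe_rate=PROBE, gamma=0.0),
    "suppression: 1 probe/sec":  dict(N=N,      probe_rate=1,     gamma=0.0),
    "containment: gamma=1e-3/s": dict(N=N,      probe_rate=PROBE, gamma=1e-3),
}

def run_all():
    """Run every scenario over one simulated day."""
    return {name: simulate(**kw) for name, kw in SCENARIOS.items()}

if __name__ == "__main__":
    for name, res in run_all().items():
        print(f"{name:27s} peak={res['peak_I']:9.0f} total={res['total_infected']:9.0f}"
              f" t_half={res['t_half']}")
    print("containment R0 =", round(r0(N, PROBE, 1e-3), 3))
```

Containment only works when the removal rate exceeds beta*N (R0 < 1); with these numbers that means taking an infected host off the network within roughly twenty minutes on average, which is why the later slides focus on reaction time.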

  29. Countermeasures • Containment (David Moore et al.) • Worm-Killing Worm (Hyogon Kim et al.) • An Architecture for Patch Distribution (Stelios Sidiroglou et al.)

  30. Containment • Key Properties of Containment • Time to detect and react • Strategies for identifying and containing the pathogen • Deployment scenario • Containment Technologies • Content filtering • IP blacklisting

  31. Containment Infrastructure • Idealized Deployment • Idealized setting • Universally deployed containment systems • Simultaneous information distributions • Simulation parameter • Code Red I v2 spread • 360,000 total vulnerable hosts • Total population: 2^32 • Probe rate: 10/sec

  32. Effectiveness of Containment • In Idealized Deployment

  33. Effectiveness of Containment

  34. Effectiveness of Containment • Practical Deployment • Practical setting • System deployment at the AS level • Simulation parameters • Code Red I v2 • 338,652 vulnerable hosts • 6,378 ASes • Default reaction time: 2 hours

  35. Effectiveness of Containment • In Practical Deployment

  36. Effectiveness of Containment • In Practical Deployment

  37. Worm-Killing Worm • Behaving like typical worms • Except that it cures and patches infected hosts • Examples: Code Green and CRClean released against Code Red Worm • Experiment Setting • SQL Slammer Worm • 100,000 vulnerable hosts • total population = 2^32 • Higher scanning rate than that of SQL Slammer Worm • Default reaction time a = 10 sec • k < v

  38. Worm-Killing Worm • Typical Spreading Dynamics

  39. Impact of Reaction Time by Worm-Killing Worm

  40. Self-Destruction of Worm-Killing Worm • Rumor-monger threshold r: when the probe success rate drops below r, the killer worm stops spreading

  41. Architecture for Patch Distribution • A Network Worm Vaccine Architecture • Automatically generating and testing patches • A combination of • Honeypots • Dynamic code analysis • Sandboxing • Software updates

  42. V. Summary • Resurgence of worms in a pervasive network environment • Approximated propagation models and simulation on small data sets • Co-evolution of attackers and defenders • No comprehensive remedy yet • Existing work mainly focusing on post-outbreak measures

  43. Acknowledgements & References [1] Ahn, Yong-yeol, "Epidemics on Networks: from Physics," unpublished, April 2005. [2] Kang, Min Gyung, "The Internet Worms: Propagation Models and Countermeasures," unpublished, April 2005. [3] David Alderson, "Mitigating the Risk of Cyber Attack," guest lecture in MS&E 293, Stanford, 2003. [4] D. Moore et al., "Internet Quarantine: Requirements for Containing Self-Propagating Code," INFOCOM 2002. [5] Hyogon Kim et al., "On the functional validity of the worm-killing worm," ICCC 2005.
