Dynamic Control of Worm Propagation

Slides: 21
Provided by: aky

Transcript and Presenter's Notes


1
Dynamic Control of Worm Propagation
  • By Arun Yelimeli
  • 04/06/2004

2
Contents
  • Introduction
  • Virus, worm
  • Existing defenses
  • Drawbacks of existing defenses
  • Statement of the problem
  • PID controller
  • Expected outcomes

3
Introduction
  • Virus
    • Programs written to alter the way a computer
      operates, without the permission or knowledge of
      the user.
  • Worm
    • Programs that replicate themselves from system to
      system without the use of a host file.

4
Existing defenses
  • Antivirus
    • Compares the fingerprint of a virus with its
      database for detection.
  • Firewall
    • Filters all network packets to determine whether
      to forward them toward their destination.

5
Drawbacks of present day prevention methods
  • Signature based prevention
    • It cannot prevent unknown worms.
  • Humans involved in the loop
    • Too slow to contain fast spreading worms.
  • Complex networks
    • The Internet can be accessed from mobile phones or
      wireless networks.

6
Statement of the problem
  • What is the problem?
    • Fast spreading viruses (Code Red, Nimda, Sapphire,
      etc.).
    • Slow (human mediated) response.
    • Signature based detection.

7
Objectives
  • Detect worm based threats.
  • Dynamically quarantine infections to localized
    sectors.
  • Restrict infection to 1% of vulnerable machines.

8
Fast spreading virus infection
Figure 1: Worm spreading pattern

9
System Architecture

10
PID Controller
  • Example: Room temperature control
  • Advantages
    • System output can be controlled automatically.
    • System performance is less sensitive to
      variations of parameter values.
    • Feedback makes it easier to achieve desired
      transient and steady state response.

11
Methodology
Figure 2: Implementation using Client-Server model

12
Methodology
Figure 3: Delay connections model

13
State model
  • Rate of change of the number of connections
    (dC/dt) is
  • Acceleration
  • Rate of change in the size of the delayed queue
    (dD/dt) is

14
Methodology Continued
  • Connections generated (s-curve) to simulate an
    attack.
  • Implementation of PID controller in LabVIEW.
  • Real time testing on a network of 6 machines.
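
The feedback loop outlined on the State model and Methodology slides, as an added Python sketch that is not part of the presentation (which used LabVIEW). The slide equations for dC/dt and dD/dt are not reproduced in this transcript, so the two equations in the docstring, the PID gains and every parameter value are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class PID:
    """PID controller whose output u is the fraction of connections to delay."""
    kp: float = 0.5
    ki: float = 1.0
    kd: float = 0.05
    i_max: float = 1.0                 # anti-windup bound on the integral
    integ: float = 0.0
    prev_err: Optional[float] = None

    def update(self, err: float, dt: float) -> float:
        if self.prev_err is None:      # no derivative kick on the first sample
            self.prev_err = err
        self.integ = min(max(self.integ + err * dt, 0.0), self.i_max)
        deriv = (err - self.prev_err) / dt
        self.prev_err = err
        u = self.kp * err + self.ki * self.integ + self.kd * deriv
        return min(max(u, 0.0), 1.0)   # u=0 forwards all, u=1 delays all


def simulate(pid=None, setpoint=10.0, c0=1.0, c_max=1000.0, r=1.0,
             dt=0.1, steps=200):
    """Euler-integrate the assumed model; return (C, D, detection time).

    Assumed equations (the slide's own are not reproduced here):
      dC/dt = r*C*(1 - C/c_max)*(1 - u)   S-curve growth of connection rate C
      dD/dt = u*C                         connections parked in the delay queue
    All parameter values are constructed for illustration.
    """
    c, d, detect_t = c0, 0.0, None
    for k in range(steps):
        u = pid.update(c - setpoint, dt) if pid else 0.0
        if u > 0.0 and detect_t is None:
            detect_t = k * dt          # first time the throttle engages
        d += u * c * dt
        c += r * c * (1.0 - c / c_max) * (1.0 - u) * dt
    return c, d, detect_t


if __name__ == "__main__":
    for label, ctl in (("no feedback", None), ("PID feedback", PID())):
        c, d, t = simulate(ctl)
        print(f"{label:12s} C={c:8.2f} D={d:8.2f} detected_at={t}")
```

Without feedback C follows the full S-curve up to c_max; with the controller, growth stops shortly after C crosses the setpoint and the excess connections accumulate in D.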

15
Result
Figure: Behavior of the state model for the
control of the number of connections in the
presence of a worm spreading according to an
S-shaped function. (a) shows the total number of
connections with and without feedback; (b) shows
the acceleration and the detection times; (c)
shows the number of connections in the delayed
queue; and (d) shows the results of applying the
feedback loop approach at the host and at the
firewall level.

16
Observed data

17
Expected outcome
  • Effect of delaying connections on network
    performance.
  • Percentage of containment to 1% of the network.
  • How fast can the control be achieved?
  • What percentage of false positives can be reduced?

18
Future Work
  • Number of nodes
    • Testing on large and complex networks.
  • Rate of outgoing connections an infected machine
    makes.
    • Though there are other symptoms of fast spreading
      worm infection, only the rate of outgoing
      connections will be considered in this research.

19
Questions and Suggestions

20
Thank you.