Email Worm Modeling and Defense - PowerPoint PPT Presentation

1
Email Worm Modeling and Defense
  • Cliff C. Zou, Don Towsley, Weibo Gong
  • Univ. Massachusetts, Amherst

2
Internet Worm Introduction
  • Scan-based worms
      • Example: Code Red, Slammer, Blaster, Sasser, ...
      • No human interaction
      • Fast (automatic defense)
      • Need vulnerability
      • Fewer incidents
      • Network-based blocking
      • Modeling: no (weak) topological issue
      • Epidemic models
  • Email worms
      • Example: Melissa, Love letter, Sircam, SoBig, MyDoom, ...
      • Human activation
      • Slower
      • Need no vulnerability
      • More incidents
      • Defense on email servers
      • Modeling: email address logical topology
      • No math model yet

Nimda: mixed infection; MyDoom: search engine
3
Email Topology: Heavy-tailed Distributed
Figure: Complementary cumulative distribution (May 2002, 800,000 Yahoo groups)
  • Email topology degree distr.: size distr. of email address books
  • Popular email list: one list address corresponds to many.
  • Email worms find all addresses on compromised computers.
      • Email address books, Web cache, text documents, etc.
  • We study email propagation on power law topologies.
  • Generators available; best candidate to represent heavy-tailed topology.

4
Email Worm Simulation Model
  • Discrete time simulation
  • Topology: undirected graph
      • Power law, small world, random graph
  • Modeling behavior of individual user
      • Worm email attachment opening prob.
      • Email checking time interval
      • Following any distribution: Exponential, Erlang, Constant.
  • Modeling the entire user population
      • normal distr.
      • normal distr.

5
Propagation Stochastic Effect
  • Power law network: 100,000 nodes, average degree 8
  • Nt: the number of infectious nodes at time t. N0 = 2, randomly selected
  • 100 simulation runs for each experiment
  • Initially infected nodes and initial infection are critical.
  • It is possible that no one is infected except N0
      • When no neighboring nodes open email attachments.

Random effect in simulation
6
Initially infected nodes with different node degree
Figure panels: Avg. degree 8; Avg. degree 20
  • Initially infected nodes are more important in a
    sparsely connected network than a densely
    connected network

7
Effect of email checking time variability
  • Random variable
  • Exponential
  • 3rd-order Erlang
  • Constant
  • An email worm propagates faster when the email
    checking time is more stochastically variable.
  • Snowball effect: before worm copies give birth to
    the next generation in the less variable system,
    worm copies in the more variable system have
    already given birth to several generations.
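
A minimal version of the discrete-time simulation described on the preceding slides, added here as an illustration and not the authors' simulator. It assumes a single opening probability and mean checking interval for all users (the slides draw per-user values from normal distributions whose parameters are not given on this page); `simulate`, `time_to_reach` and the ring-lattice topology are hypothetical names and constructed inputs.

```python
import random

def exponential(rng, mean): return max(1, round(rng.expovariate(1 / mean)))
def erlang3(rng, mean): return max(1, round(sum(rng.expovariate(3 / mean) for _ in range(3))))
def constant(rng, mean): return mean

def simulate(adj, p_open, mean_check, check_time, n0=2, t_end=400, seed=0):
    """Discrete-time email worm spread over an undirected address graph.

    adj: {user: [neighbours]}; p_open: attachment opening probability;
    check_time(rng, mean): next email checking interval in time steps.
    Returns [N_0, ..., N_t_end], the number of infected users at each step."""
    rng = random.Random(seed)
    users = sorted(adj)
    infected = set(rng.sample(users, n0))        # N0 randomly selected users
    inbox = dict.fromkeys(users, 0)              # unread worm emails per user
    for v in infected:                           # seeds mail every neighbour
        for u in adj[v]:
            inbox[u] += 1
    # assumption: random initial phase so users do not all check at the same step
    next_check = {v: rng.randint(1, mean_check) for v in users}
    history = [len(infected)]
    for t in range(1, t_end + 1):
        sent = []                                # delivered at the end of the step
        for v in users:
            if next_check[v] > t:
                continue
            next_check[v] = t + check_time(rng, mean_check)
            copies, inbox[v] = inbox[v], 0
            # each worm attachment is opened independently with prob. p_open
            if v not in infected and any(rng.random() < p_open for _ in range(copies)):
                infected.add(v)
                sent.extend(adj[v])              # worm mails the whole address book
        for u in sent:
            inbox[u] += 1
        history.append(len(infected))
    return history

def time_to_reach(history, count):
    """First step at which N_t >= count, or None if that never happens."""
    return next((t for t, n in enumerate(history) if n >= count), None)

if __name__ == "__main__":
    n = 500  # constructed ring lattice, 4 neighbours each; p_open=0.5, mean 40 are assumed
    ring = {i: [(i + d) % n for d in (-2, -1, 1, 2)] for i in range(n)}
    for dist in (exponential, erlang3, constant):
        runs = [simulate(ring, 0.5, 40, dist, seed=s) for s in range(20)]
        print(dist.__name__, sum(h[-1] for h in runs) / len(runs))
```

With `p_open=0` the run reproduces the case noted on the slide where no one is infected except N0.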

8
Topology Effect on Email Worm Propagation
Figures: Avg. degree of infected nodes (1000 simulation runs); Topology effect
  • An email worm propagates faster on a power-law
    topology than on the other two.
  • Highly connected nodes are infected earlier.
  • They amplify worm propagation speed by shooting
    out more copies.

9
Immunization Defense against Email Worms
  • Static immunization defense
  • A fraction of nodes are immune to an email worm
    before its outbreak.
  • No nodes will be immunized during the worm's
    outbreak.
  • Selective immunization
  • Immunizing the most connected nodes.
  • Effective for a power-law network
  • Nodes have very variable node degrees
  • 3 2000

10
Selective Immunization Defense
Figure panels: Power law topology; Small world topology
  • Selective immunization defense is more effective
    on a power law topology than on the other two.
  • Due to the percolation property of a topology.

11
Percolation and Phase Transition
  • Selective percolation with p
      • Removing top p percent of most connected nodes.
      • Corresponding to selective immunization.
      • Newman et al. studied uniform percolation.
  • Selective percolation property
      • Connection ratio: fraction of remaining nodes that are connected.
      • Remaining link ratio: fraction of remaining links.
  • Phase transition: selective percolation threshold
  • Disjoint the remaining network when

12
Percolation and Phase Transition
Figure panels: Small world topology; Power law topology
  • Why different effect with 5% selective immunization?
      • Power law topology: removing 55.5% links
      • Small world (random graph) topology: removing 20% links
  • Email worm prevention via selective immunization (phase transition)
      • 30% for the power law topology
      • Around 70% for the small world and random graph topologies.
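
The selective percolation measurement from the two slides above, as an added example rather than the authors' code. The preferential-attachment generator stands in for the slides' power-law generator and the constructed graphs have 2,000 nodes instead of 100,000, so the ratios will not match the slides' figures; "connected" is taken to mean membership in the largest remaining cluster, which is an assumption.

```python
import random
from collections import Counter

def power_law_graph(n, m, rng):
    """Preferential-attachment stand-in (assumption) for a power-law generator."""
    edges, ends, targets = set(), [], set(range(m))   # ends: one entry per link end
    for v in range(m, n):
        for u in targets:
            edges.add((u, v))
            ends += [u, v]
        targets = set()
        while len(targets) < m:                       # m distinct nodes, prob. ~ degree
            targets.add(rng.choice(ends))
    return edges

def random_graph(n, n_links, rng):
    edges = set()
    while len(edges) < n_links:
        u, v = rng.sample(range(n), 2)
        edges.add((min(u, v), max(u, v)))
    return edges

def selective_percolation(n, edges, p):
    """Remove the top fraction p of nodes by degree; return (connection ratio, remaining link ratio)."""
    degree = Counter(x for e in edges for x in e)
    removed = set(sorted(range(n), key=lambda x: -degree[x])[:round(p * n)])
    kept = [e for e in edges if not removed & set(e)]
    parent = list(range(n))                           # union-find over surviving links
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for u, v in kept:
        parent[find(u)] = find(v)
    clusters = Counter(find(x) for x in range(n) if x not in removed)
    # assumption: "connected" means being in the largest remaining cluster
    return max(clusters.values()) / (n - len(removed)), len(kept) / len(edges)

def compare(n=2000, avg_degree=8, fractions=(0.0, 0.05, 0.3, 0.7), seed=1):
    rng = random.Random(seed)                         # constructed graphs, equal link counts
    pl = power_law_graph(n, avg_degree // 2, rng)
    rg = random_graph(n, len(pl), rng)
    return {p: {"power law": selective_percolation(n, pl, p),
                "random": selective_percolation(n, rg, p)} for p in fractions}

if __name__ == "__main__":
    for p, row in compare().items():
        print(p, row)
```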

13
Summary
  • Email topology is a heavy-tailed distributed topology.
  • The impact of a power law topology on email worm propagation is mixed:
      • Cons: an email worm spreads faster than on a small world or a random graph topology.
      • Pros: static selective immunization defense is more effective.

14
Future Work
  • Mathematical modeling
  • Difficulty: considering an arbitrary topology
  • Directed graph for email topology
  • One-way email address relationship
  • Heavy tailed distr. definition? Topology
    generator?
  • Dynamic immunization defense
  • Short-term focus: enterprise network defense