Demo: Proof-of-Concept Worm Interactions

1
Demo Proof-of-Concept Worm Interactions via
Mobile Devices
Worm Interaction
3
DEMONSTRATION

• Node status
• Susceptible
• Infected with Prey (Bad worm)
• Infected with Predator (Good worm)
• Worm Interaction Types
• Aggressive one-sided interaction Predator
  terminates Prey, Predator vaccinates susceptible
  nodes
• Conservative one-sided interaction Predator
  terminates Prey but will not vaccinate
  susceptible nodes
• Two-sided interaction Two types can infect
  susceptible nodes, but will block each other

Sapon Tanachaiwiwat and Ahmed Helmy Website
http//www-scf.usc.edu/tanachai
Encounter game
6
Ming Hsieh Department of Electrical
Engineering University of Southern California

• Five players (participants from CHANTS workshops)
• Each player obtains 1 HP iPAQ with either
  susceptible status, or Prey infected (Type A) or
  Predator infected (Type B)
• Team with more infected nodes win

Computer and Information Science and
Engineering University of Florida
A
B
Motivation
1
Simulation and Model results
7

• Many worms shifting to wireless mobile phones
  e.g. Cabir, ComWar.M
• Worms relayed via direct encounters (short-range
  radio) between mobile nodes ? encounter-based
  worms
• Different characteristics from random-scan
  network worms
• Rely on encounter pattern and relationships
  between users
• Similar to the spread of packets in Epidemic
  routing 1 and other opportunistic routings

Worm Interaction Model
4

• Question How can we describe encounter-based
  worm interaction mathematically?
• Propose simple differential equations
• Extension from SIR Epidemic Model (for contagious
  disease)

Aggressive one-sided
Conservative one-sided
Two-sided
Yinitial infected host ratio between predator
and prey
Example of encounter-based worm propagation
Results of Proof-of-Concept Worms
8
Susceptible Infected with
Infected with
worm A, prey
worm B, predator

Susceptible Infected with
Infected with
worm A, prey
worm B, predator

Immune to prey
Immune to prey
Aggressive one-sided interaction
Conservative one-sided interaction
Rround of run (aggressive one-sided interaction)
Susceptible Infected with
Infected with
worm A, prey
worm B, predator

A
B
Immune to prey
Immune to predator
A
B
Two-sided interaction
Proof-of-Concept Worms
5
War of the Worms
2

• Bluetooth-based application behaving like a worm
• Implemented in HP iPAQs with Widcomm Bluetooth
  SDK

• Question How can we alleviate this problem?
• Traditional prevention at gateway such as
  firewall not effective against fully distributed
  attacks
• Disconnected networks ? No centralized update
• Inspired by War of the Worms CodeGreen worms
  launched to terminate CodeRed worms
• Approach Deploy automated generated predator
  worm to terminate prey worm ? worm interaction
• Goal Understand and evaluate the concept of worm
  interaction using proof-of-concept worm
  interactions in mobile devices

Worm Copy
Cross-country encounter traces
9

• Six users carry HP iPAQs with discovery mode
• Collect encounter trace starting from Gainesville
  to Montreal
• See encounter patterns and analyze statistics
  from the traces