Epidemiological Approach to Network Security

1
Epidemiological Approach to Network Security

• 13th KRNET 2005
• 2005.6.27.
• Sue Moon
• KAIST

2
Definitions

• An epidemic
• "an outbreak of sudden rapid spread, growth, or
  development"
• what reproduces itself
• Epidemiology
• "a branch of medical science that deals with the
  incidence, distribution, and control of disease
  in a population"
• applies to human diseases, computer
  viruses/worms, spreading of ideas and rumors
  ("gossip")

3
Epidemiologically Motivating Questions

• What are the factors that affect an epidemic?
• What are known models of epidemic spreading?
• How do computer viruses/worms fare in light of
  known models?
• What can we do to increase network security?

4
Definitions of Viruses/Worms

• Computer virus
• "A parasitic program written intentionally to
  enter a computer without the users permission or
  knowledge" (Symantec)
• Network worms
• "self-contained, self-replacing program that
  spreads by inserting copies of itself into other
  executable code or documents " (Wikipedia)
• Require no human action to spread

5
Factors in Epidemiology

• Host state
• susceptible, infected, detected, removed (immune
  or dead)
• Time constraints
• continuous, discrete
• Topological constraints
• well-mixed and constant
• a host meets another equally likely
• scanning strategies
• lattice, network

6
Simplest Epidemiological Model SI Model
(Logistic Growth Equation)
7
Spreading under SI Model
Courtesy Stanison, Paxson, Weaver.
8
SIR Model
? removal rate
(Logistic Growth Equation)
9
History of the Internet Worms

• 1988 First Internet worm
• Morris Worm exploited buffer overflow
  vulnerabilities
• 2001 Resurgence of the worms
• Code Red, Klez, Sircam
• 2003 resulting in the largest down-time and
  clean-up cost ever
• SQL Slammer Worm, Blaster Worm, and Sobig
• 2004 zombies, shortened time interval between
  vulnerability announcement and worm emergence
• MyDoom, Witty Worm

10
Code Red Worm I v1

• Exploiting buffer-overflow vulnerability of IIS
• Probing susceptible hosts using SYN packets
• Checking if the date is between 1st and 19th
• If so, generating random IP addresses to spread
• Else, launching DoS attacks against
  www1.whitehouse.gov
• Using a static seed to generate IP addresses
• Memory resident (infected hosts recover after
  rebooting)

11
Code Red Worms I v2 and II

• Code Red I v2
• Using a random seed to generate IP addresses
• Faster propagation speed
• Code Red II
• Completely unrelated to the original Code Red
• Containing the string Code Red II in source
  code
• Setting up a backdoor in the infected machine
• Not memory resident
• More complex host-selection method
• 1/8 random IP address
• 1/2 IP address which has the same /8 with the
  host
• 3/8 IP address which has the same /16 with the
  host

12
Spreading Dynamics of Code Red I v2

• Host infection rate

13
Spreading Dynamics of Code Red I v2

• Deactivation due to phase transition

14
Propagation Models

• Scanning Model models of the worms with various
  scan techniques (Jiang Wu et al.)
• Topological Model a model on arbitrary network
  topologies (Yang Wang et al.)

15
Scanning Model

• AAWP Model

• Where,
• N of vulnerable hosts
• T target size
• s scan rate ( of probes per time tick)
• ni of infected hosts at time i

16
Scanning Model

• AAWP Model (Contd)

17
Scanning Model

• Selective Random Scan
• selected target addresses (unallocated or
  reserved IP blocks are removed)
• propagation speed
• T 2.7 109

18
Scanning Model

• Routable Scan
• routable target addresses (routable IP blocks
  from global routers)
• finding how many routable IP prefixes
• 49K prefixes from BGP Tables (Route Views
  servers)
• merging continuous prefixes (17,918 blocks,
  1.17x109 addresses)
• combining close blocks (1926 blocks, 1.31x109
  addresses, threshold one /16)
• Propagation speed
• T 1.0 109

19
Scanning Model

• Divide-Conquer Scan
• dividing target address when infecting a host
• single point of failure
• generating a hitlist to decide splitting point
• propagation speed

20
Scanning Model

• Hybrid Scan
• combining routable scan with random scan at a
  later stage of the propagation
• able to infect hidden and protected hosts
• Extreme Scan
• DNS Scan
• difficult to get a complete target addresses
• hosts that dont have public domain name
• huge address list size
• Complete Scan
• using the complete list of assigned IP addresses
• list size 400Mbytes
• slower than random scan

21
Comparison of Scanning Models
22
Scanning Model

• Comparison of the Worm Scan Methods (Contd)

23
Topological Model

• Proposed Model
• Assuming general connected graph G (N, E),
  where N is the number of nodes in the network and
  E is the set of edges

24
(No Transcript)
25
Topological Model

• Experiments
• Real network graphs from Oregon router view
  (10900 AS peers)
• Synthesized power-law graphs (1000-node BA
  network)

26
Topological Model
27
Topological Model

• Epidemic threshold with a single parameter

28
Topological Model

• Generality of the Threshold Condition

29
How to Mitigate the Worm Threat?

• S(0) N
• ? ? / M
• probe rate of worm
• M total population (232 IPv4)
• ? removal rate

30
Countermeasures

• Containment (David Moore et al.)
• Worm-Killing Worm (Hyogon Kim et al.)
• An Architecture for Patch Distribution (Stelios
  Sidiroglou et al.)

31
Containment

• Key Properties of Containment
• Time to detect and react
• Strategies for identifying and containing the
  pathogen
• Deployment scenario
• Containment Technologies
• Content filtering
• IP blacklisting

32
Containment Infrastructure

• Idealized Deployment
• Idealized setting
• Universally deployed containment systems
• Simultaneous information distributions
• Simulation parameter
• Code Red I v2 spread
• 360,000 total vulnerable hosts
• Total population 232
• Probe rate 10/sec

33
Effectiveness of Containment

• In Idealized Deployment

34
Effectiveness of Containment
35
Effectiveness of Containment

• Practical Deployment
• Practical setting
• System deployment on the AS level
• Simulation parameters
• Code Red I v2
• 338,652 vulnerable hosts
• 6,378 Ases
• Default reaction time 2 hours

36
Effectiveness of Containment

• In Practical Deployment

37
Effectiveness of Containment

• In Practical Deployment

38
Worm-Killing Worm

• Behaving like typical worms
• Except that it cures and patches infected hosts
• Examples Code Green and CRClean released against
  Code Red Worm
• Experiment Setting
• SQL Slammer Worm
• 100,000 vulnerable hosts
• total population 232
• Higher scanning rate than that of SQL Slammer
  Worm
• Default reaction time a 10 sec
• k lt v

39
Worm-Killing Worm

• Typical Spreading Dynamics

40
Impact of Reaction Time by Worm-Killing Worm
41
Self-Destruction of Worm-Killing Worm

• Rumor-Monger threshold r when the probe success
  rate drops below r , then the killer worm stops
  spreading

42
Architecture for Patch Distribution

• A Network Worm Vaccine Architecture
• Automatically generating and testing patches
• A combination of
• Honeypots
• Dynamic code analysis
• Sandboxing
• Software updates

43
V. Summary

• Insurgence of the worms with pervasive network
  environment
• Approximated propagation models and simulation on
  small data sets
• Co-evolution of attackers and defenders
• No comprehensive remedy yet
• Existing work mainly focusing on post-outbreak
  measures

44
Acknowledgements References

• 1 Ahn, Yong-yeol, "Epidemics on Networks from
  Physics," unpublished, April 2005.
• 2 Kang, Min Gyung, "The Internet Worms
  Propagation Models and Countermeasures,"
  unpublished, April 2005.
• 3 David Alderson, "Mitigating the Risk of Cyber
  Attack," Guest Lecture in MSE293, Stanford,
  2003.
• 4 D. Moore et al, "Internet Quarantine
  Requirements for Containing Self-Propagating
  Code," INFOCOM 2002.
• 5 Hyogon Kim et al., "On the functional
  validity of the worm-killing worm," ICCC 2005.