Epidemic Profiles and Defense of Scale-Free Networks

1
Epidemic Profiles and Defense of Scale-Free
Networks
  • L. Briesemeister, P. Lincoln, P. Porras
  • Presented by Meltem Yildirim
  • CmpE - 588

2
Agenda
  • Purpose
  • Related Work
  • Epidemic Profiles
  • Computer Network Topologies
  • Simulation
  • Conclusion

3
Purpose
  • Defending a large network infrastructure from
    rapidly propagating malicious code
  • Study
  • worms, viruses and their infection strategies
  • percolation and epidemic spread in scale-free
    networks
  • protecting the network mission (reliable access
    to information)

4
e.g. Sapphire Worm
Because of the tremendous speed of attacks, we
are obligated to search for responsive and rapid
defense measures.
[Figure: The geographic spread of Sapphire in 30 min after
release]

5
Related Work (1)
  • Moore
    • No response time is fast enough to protect
      against widespread epidemic.
  • Albert
    • Scale-free networks are resilient against
      random error, but not against deliberate attack
      of highly connected nodes.
  • Dezsö and Barabási
    • Random cures are not very useful but protecting
      the hubs can rescue the whole network.

6
Related Work (2)
  • Pastor-Satorras and Vespignani
    • worked on the BA model
    • There is no epidemic threshold that determines
      prevalence.
  • Eguíluz and Klemm
    • worked on the KE model
    • There is a finite epidemic threshold that
      determines prevalence.

7
Epidemic Profiles (1)
  • Infection Criteria: The criteria that a host must
    fulfill (the vulnerabilities that it must
    possess) in order to be infected.
  • Worms and viruses make use of these
    vulnerabilities and apply a number of infection
    methods:
    • Network service buffer overflows
    • Macro and script insertion
    • Deception of binary code
  • Malicious code usually uses a limited set of the
    infection methods.

8
Epidemic Profiles (2)
  • Infection Strategy: the method by which the
    epidemic seeks new targets
  • Sequential scanning process in order to find new
    victims, propagating to the new victims and so on.

9
Epidemic Profiles (3)
Methods for Exploring New Victims
Method | Description | Example
Mail-based | use mail services and address books to propagate | Melissa virus
Topological | gather internal topological information on each infected target to seek additional new targets | Morris worm
Contagion | embeds contagions within normal communication channels |
Active Scanning | randomly scans to identify potential targets | CodeRed
Coordinated Scanning | uses efficient segmentation of IP address space to accelerate scan coverage | Warhol worms

10
Computer Network Topologies
  • We divide models of network topologies into two
    categories
  • 1. Network models exhibiting a homogeneous
    degree distribution
    • e.g. random graph (ER model)
  • 2. Network models exhibiting a power law
    degree distribution (Scale-Free Networks)
    • 2.1. BA Model
    • 2.2. KE Model

11
BA Model (1)
  • developed by Barabási and Albert
  • 3 parameters
    • m0: the number of initial nodes
    • m: initial degree of every new node attached (m ≤ m0)
    • t: number of time steps
  • In every time step t, one new node with m new
    edges is added to the graph.
  • Preferential attachment
    • $P(k_i) = k_i / \sum_j k_j$, where $k_i$ is the degree of
      node i

12
BA Model (2)
Example: m0 = 3, m = 2
[Figure: the graph at t = 1, t = 2 and t = 3]

13
KE Model (1)
  • developed by Klemm and Eguíluz
  • 2 parameters
    • m: number of initial nodes
    • t: number of time steps
  • Start with m fully connected, active nodes. In
    every time step t, attach one new node to all
    active nodes. Make the new node active as well.
    Inactivate one of the nodes according to a
    probability $P(k_i)$.
  • $P(k_i) = \left( \left( \sum_j k_j^{-1} \right) k_i \right)^{-1}$
  • Higher clustering coefficient, more similar to
    real computer networks

14
KE Model (2)
Example: m = 3 (yellow = active, gray = inactive,
red = new)
[Figure: the graph at t = 1, t = 2 and t = 3]

15
Fault Tolerance
  • Theorem
    • In a nontrivial KE network with generation
      parameter m, there are m disjoint paths between
      any pair of nodes.

16
Simulation (1)
  • Assumptions
    • N = 50,000 nodes: 1000 LANs containing 50 nodes
      each
    • WAN: BA or KE model; LANs: completely connected
    • m0 = m = 10 and t = NWAN - m = 100 - 10 = 90
      steps
    • At the beginning of each simulation, a node is
      infected randomly. Simulation runs for T = 25
      time steps.
    • Infected nodes stay infected, continue to spread
      disease and do not change back to normal.
  • Prevalence = number of infected nodes / number
    of all nodes
  • If the prevalence exceeds a certain threshold, a
    certain number of most connected nodes are
    automatically immunized whether they are infected
    or not.
  • 6 cases: 10 and 100 nodes immunized, for prevalence
    thresholds 20, 5, 1
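
An added Python example (not part of the presentation and not the authors' simulator) that builds a 100-node WAN with the BA and KE rules from the earlier slides and runs the threshold-triggered hub immunization described above. Assumptions: only the WAN is modelled (no LANs), the initial BA nodes start fully connected, the KE sum runs over the active nodes, thresholds are read as fractions (0.05 for 5), an immunized node neither catches nor spreads the infection, and `beta` is a hypothetical per-link infection probability per time step.

```python
import random

def ba_graph(m0, m, steps, rng):
    """BA model: each step adds one node with m edges, P(k_i) = k_i / sum_j k_j."""
    # Assumption: the m0 initial nodes start fully connected, so every degree is > 0.
    adj = {i: set(range(m0)) - {i} for i in range(m0)}
    for new in range(m0, m0 + steps):
        nodes = list(adj)
        degrees = [len(adj[n]) for n in nodes]
        targets = set()
        while len(targets) < m:                      # draw m distinct targets
            targets.add(rng.choices(nodes, degrees)[0])
        adj[new] = set(targets)
        for t in targets:
            adj[t].add(new)
    return adj

def ke_graph(m, steps, rng):
    """KE model: attach each new node to all m active nodes, then deactivate one."""
    adj = {i: set(range(m)) - {i} for i in range(m)}
    active = list(range(m))
    for new in range(m, m + steps):
        adj[new] = set(active)
        for a in active:
            adj[a].add(new)
        active.append(new)
        # P(k_i) = ((sum_j 1/k_j) * k_i)^-1; assumption: j ranges over active nodes.
        inverse = [1 / len(adj[a]) for a in active]
        active.remove(rng.choices(active, inverse)[0])
    return adj

def simulate(adj, T, threshold, n_immunize, rng, beta=0.5):
    """Return the prevalence after each of T steps, starting from one random node."""
    infected, immune, history = {rng.choice(sorted(adj))}, set(), []
    for _ in range(T):
        infected |= {v for u in sorted(infected) for v in sorted(adj[u])
                     if v not in infected and v not in immune and rng.random() < beta}
        if n_immunize and not immune and len(infected) / len(adj) > threshold:
            # Immunize the most connected nodes whether they are infected or not.
            immune = set(sorted(adj, key=lambda n: -len(adj[n]))[:n_immunize])
            infected -= immune
        history.append(len(infected) / len(adj))
    return history

if __name__ == "__main__":
    rng = random.Random(1)                           # constructed 100-node WANs
    for name, wan in (("BA", ba_graph(10, 10, 90, rng)),
                      ("KE", ke_graph(10, 90, rng))):
        print(name, [round(p, 2) for p in simulate(wan, 25, 0.05, 10, rng)[:8]])
```

Running it prints the first eight prevalence values for each topology, which makes the difference in spreading speed between the two models directly comparable.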

17
Simulation (2)
[Figure: simulation results, prevalence threshold 20]

18
Simulation (3)
[Figures: simulation results, prevalence threshold 20 and prevalence threshold 1]

19
Simulation (4)
  • Explanation of Simulation Results
    • Although defensive measures are taken, the worm
      spreads extremely rapidly in BA networks. In only
      a few time steps, the majority of the BA network
      is infected. KE networks are infected much more
      slowly.
    • Network defenses that are put in place after the
      attack can slow down the spread of infection in
      certain topologies.
    • It is easier to slow down the spread of infection
      in KE networks than in BA networks. Usually,
      there is no time to defend the rest of the
      computers in BA networks.

20
Conclusion
  • Some scale-free network topologies are inherently
    more defensible than others against rapidly
    spreading malicious code.
  • With a few alterations, inherently defensible
    networks can prevent or delay an infection from
    reaching its maximum potential.
    • Network segmentation
    • Lack of communication channels between vulnerable
      nodes
    • IP filtering to limit scanning

21
Questions