Analyzing Cooperative Containment Of Fast Scanning Worms

1
Analyzing Cooperative Containment Of Fast
Scanning Worms
Jayanthkumar Kannan Joint work with
Lakshminarayanan Subramanian, Ion Stoica, Randy
Katz
2
Motivation

• Automatic containment of worms required

• Slammer infected about 95 of vulnerable
  population within 10 mins

• Easier to write Worm Propagation toolkit
  new exploit

3
Worm containment strategies
firewalls
core routers
end-hosts
specialized end-points

• End-host instrumentation CCCSRB 04, NS 05

• Core-router augmentation WWSGB 04

• Specialized end-points (honeyfarms) P 04

• Firewall-level containment WSP 04, WESP 04

4
Decentralized Cooperation

• Internet firewalls exchange information with each
  other to contain the worm
• Suggested in recent work WSP 04, NRL 03, AGIKL
  03

• Pros of decentralization
• Scales with the system size
• No single point of failure / administrative
  control

• Efficacy and limitations not well understood

5
Questions we seek to answer

• Cost of decentralization
• Effect of finite communication rate between
  firewalls on containment

• Effect of malice
• Impact of malicious firewalls on containment

• Performance under partial deployment

6
Roadmap

• Abstract model of cooperation
• Analysis of cooperation model
• Numerical Results
• Analytical, Simulation
• Conclusion

7
Model of Cooperation

• Each firewall in the cooperative performs
  following actions

• Local Detection Identify when its network is
  infected by analyzing outgoing traffic

• Signaling Informs other firewalls of its own
  infection along with filters

• Filtering A informed firewall drops incoming
  packets

8
Firewall states
Infected
Successful worm scan
Local Detection
Detected
Normal
Signals Sent
Signal Received
Alerted/Uninfected
9
Model of Signaling

• Two kinds of signaling
• Implicit Piggyback signals on outgoing packets
• Explicit Signals addressed to other firewalls

• Setup attacks
• Challenge-response verification of signals
• Firewall sends false signal
• Thresholding Enter alerted state after
  receiving signals from T different firewalls
• Firewall suppresses signal
• Even if up to 25 firewalls behave this way, good
  containment is possible

10
Roadmap

• Abstract model of cooperation
• Analysis of cooperation model
• Numerical Results
• Analytical, Simulation
• Conclusion

11
Analytical results

• Main focus Containment metric C
• C fraction of networks that escape infection

• Is Signaling Necessary?

• Cost of Decentralization
• Dependence of containment on signaling rate

• Effect of malice
• Dependence of containment on Threshold T

12
Parameters used in analysis

• Worm model
• Scanning Topological scanning (zero time)
  followed by global uniform scanning
• Probability of successful probe p
• Scanning rate s
• Vulnerable hosts uniformly distributed behind
  these firewalls

• Local detection model
• After infection, the time required for the
  infection to be detected is an exponential
  variable with time td

• Signaling model
• Explicit signals sent at rate E

13
Detection and Filtering

• Worm probes only in interval between infection
  and detection

• ? is the expected number of successful infections
  made by a infected network before detection
• ? p s td

• Result If ? lt 1, C 1 for large N
• Analogy to birth-death process
• Implications
• Earlier worms like Blaster satisfied this
  constraint

14
Detection and Filtering (2)

• Surprisingly, even if ? gt 1, containment can be
  achieved without signaling

• Intuition
• As the infection proceeds, harder to find new
  victims
• ? ( p s td) effectively decreases over time

• For ? 1.5, about 40 containment
• For ? 2.0, about 20 containment
• ? 2.0 for a Slammer-like worm

15
Analyzing Signaling

• Signaling required if ? gt 1
• Differential equation model
• For ? gt 1 and s (?-1)/td , the containment
  metric C is at least

16
Asympotic Variations

• Implicit Signaling
• Worm spreads at rate ps
• Signals sent at rate s
• Linear drop with time to detection (td)
• Linear drop with threshold (T)
• Explicit Signaling
• Implicit signaling relies on (p ltlt 1)
• Explicit signals essential for high p
• Linear drop with 1/E
• Tunable parameter

17
Roadmap

• Abstract model of cooperation
• Analysis of cooperation model
• Numerical Results
• Analytical, Simulation
• Conclusion

18
Numerical Results

• Parameter Settings
• Scan rate set to that of Slammer
• Size of vulnerable population 2 x Blaster
• 1,00,000 networks 20 vulnerable hosts per
  network
• Start out with 10 infected networks and track
  worm propagation

19
Cost of Decentralization
Higher the detection time, lower the containment
20
Effect of Malice
Defends against a few hundred malicious firewalls
21
Conclusions

• Contribution Further the understanding of
  cooperative worm containment
• Cost of Decentralization
• With moderate overhead, good containment can be
  achieved
• Effect of Malice
• Can handle a few hundred malicious firewalls in
  the cooperative
• Cost of Deployment
• Even with deployment levels as low as 10, good
  containment can be achieved

22
Detection and Filtering
23
Signaling
24
Containment vs Vulnerable population size
25
Containment vs Signaling Rate
26
Containment vs Deployment
27
Internet-like Scenario
Works well even under non-uniform distributions
28
Conclusions

• Main result with moderate overhead, cooperation
  can provide good containment even under partial
  deployment
• For earlier worms, cooperation may have been
  unnecessary
• Required for the fast scanning worms of today

• Our results can be used to benchmark local
  detection schemes in their suitability for
  cooperation
• Our model and results can be applied to
• Internet-level / enterprise-level cooperation
• More sophisticated worms like hit-list worms

• Room for improvement in terms of robustness
• Verifiable signals
• Hybrid architecture
• Fit in well-informed participants in the
  cooperative