Epidemiological Approach to Network Security 13th KRNET 2005 2005.6.27. Sue Moon KAIST


Page 1

Epidemiological Approach to Network Security

13th KRNET 2005, 2005.6.27.

Sue Moon, KAIST

Page 2

Definitions

• An epidemic
  – "an outbreak of sudden rapid spread, growth, or development"
  – what reproduces itself

• Epidemiology
  – "a branch of medical science that deals with the incidence, distribution, and control of disease in a population"
  – applies to human diseases, computer viruses/worms, spreading of ideas and rumors ("gossip")

Page 3

Epidemiologically Motivating Questions

• What are the factors that affect an epidemic?

• What are known models of epidemic spreading?

• How do computer viruses/worms fare in light of known models?

• What can we do to increase network security?

Page 4

Definitions of Viruses/Worms

• Computer virus
  – "A parasitic program written intentionally to enter a computer without the user's permission or knowledge" (Symantec)

• Network worms
  – "self-contained, self-replicating program that spreads by inserting copies of itself into other executable code or documents" (Wikipedia)
  – Require no human action to spread

Page 5

Factors in Epidemiology

• Host state
  – susceptible, infected, detected, removed (immune or dead)

• Time constraints
  – continuous, discrete

• Topological constraints
  – well-mixed and constant
    • a host meets another equally likely
    • scanning strategies
  – lattice, network

Page 6

Simplest Epidemiological Model: SI Model

(Logistic Growth Equation)

Page 7

Spreading under SI Model

Data fit with K = 1.8

Courtesy: Staniford, Paxson, Weaver.

Page 8

SIR Model

(Logistic Growth Equation)

$\frac{dS}{dt} = -\beta\, S(t)\, I(t)$

$\frac{dI}{dt} = \beta\, S(t)\, I(t) - \gamma\, I(t)$

$\frac{dR}{dt} = \gamma\, I(t)$

where $\beta$ is the infection rate and $\gamma$ is the "removal" rate

Page 9

History of the Internet Worms

• 1988: First Internet worm
  – Morris Worm: exploited buffer overflow vulnerabilities

• 2001: Resurgence of the worms
  – Code Red, Klez, Sircam

• 2003: resulting in the largest down-time and clean-up cost ever
  – SQL Slammer Worm, Blaster Worm, and Sobig

• 2004: zombies, shortened time interval between vulnerability announcement and worm emergence
  – MyDoom, Witty Worm

Page 10

Code Red Worm I v1

• Exploiting buffer-overflow vulnerability of IIS
• Probing susceptible hosts using SYN packets
• Checking if the date is between 1st and 19th
  – If so, generating random IP addresses to spread
  – Else, launching DoS attacks against www1.whitehouse.gov
• Using a static seed to generate IP addresses
• Memory resident (infected hosts recover after rebooting)

Page 11

Code Red Worms I v2 and II

• Code Red I v2
  – Using a random seed to generate IP addresses
  – Faster propagation speed

• Code Red II
  – Completely unrelated to the original Code Red
  – Containing the string “Code Red II” in source code
  – Setting up a backdoor in the infected machine
  – Not memory resident
  – More complex host-selection method
    • 1/8: random IP address
    • 1/2: IP address which has the same /8 as the host
    • 3/8: IP address which has the same /16 as the host

Page 12

Spreading Dynamics of Code Red I v2

• Host infection rate

Page 13

Spreading Dynamics of Code Red I v2

• Deactivation due to phase transition

Page 14

Propagation Models

• Scanning Model: models of the worms with various scan techniques (Jiang Wu et al.)

• Topological Model: a model on arbitrary network topologies (Yang Wang et al.)

Page 15

Scanning Model

• AAWP Model
  – Where,
    • N: # of vulnerable hosts
    • T: target size
    • s: scan rate (# of probes per time tick)
    • n_i: # of infected hosts at time i

Page 16

Scanning Model

• AAWP Model (Cont’d)

Page 17

Scanning Model

• Selective Random Scan
  – selected target addresses (unallocated or reserved IP blocks are removed)
  – propagation speed
    • T = 2.7 * 10^9

Page 18

Scanning Model

• Routable Scan
  – routable target addresses (routable IP blocks from global routers)
  – finding how many routable IP prefixes
  – 49K prefixes from BGP Tables (Route Views servers)
  – merging contiguous prefixes (17,918 blocks, 1.17x10^9 addresses)
  – combining close blocks (1926 blocks, 1.31x10^9 addresses, threshold: one /16)
  – Propagation speed
    • T = 1.0 * 10^9
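As an added example (not part of the slides and not the AAWP authors' code), the AAWP recurrence summarised on the Scanning Model slides, n_{i+1} = n_i + (N - n_i)[1 - (1 - 1/T)^(s n_i)], run with the target sizes quoted for random, selective-random and routable scanning, so that the propagation-speed claims of these slides can be reproduced. The recurrence is taken from Chen, Gao and Kwiat's AAWP paper (the slides do not reproduce the formula), N and s are the Code Red I v2 figures from the containment slides, and the function names are my own.

```python
import math

# Added example, not code from the slides. AAWP recurrence (Chen, Gao, Kwiat) in the
# symbols of the Scanning Model slide:
#   N vulnerable hosts, T target size, s probes per tick, n_i infected hosts at tick i
#   n_{i+1} = n_i + (N - n_i) * [1 - (1 - 1/T)^(s * n_i)]
# N and s are the Code Red I v2 figures from the containment slides; the target sizes
# are the ones quoted for random, selective-random and routable scanning.
N = 360_000
S = 10
TARGET_SIZES = {
    "random scan (whole IPv4 space)": 2 ** 32,
    "selective random scan": 2.7e9,
    "routable scan": 1.0e9,
}

def aawp_step(n_i, N=N, T=2 ** 32, s=S):
    """One time tick: s*n_i probes land uniformly in a space of T addresses."""
    # P(a given uninfected vulnerable host is hit at least once) = 1 - (1 - 1/T)^(s n_i),
    # computed with log1p/expm1 because 1/T is tiny and (1 - 1/T) would lose precision.
    p_hit = -math.expm1(s * n_i * math.log1p(-1.0 / T))
    return n_i + (N - n_i) * p_hit

def ticks_to_fraction(T, frac=0.9, N=N, s=S, n0=1, max_ticks=10 ** 6):
    """Ticks until frac*N hosts are infected starting from n0, or None if never reached."""
    n, t = float(n0), 0
    while n < frac * N:
        n = aawp_step(n, N, T, s)
        t += 1
        if t >= max_ticks:
            return None
    return t

def compare_scans(frac=0.9):
    """Ticks to infect frac of the vulnerable hosts under each scanning strategy."""
    return {name: ticks_to_fraction(T, frac) for name, T in TARGET_SIZES.items()}

if __name__ == "__main__":
    for name, ticks in compare_scans().items():
        print(f"{name}: 90% infected after {ticks} ticks")
```

While s*n_i/T stays small the recurrence behaves like logistic growth with rate N*s/T per tick, so shrinking T from 2^32 to 1.0x10^9 shortens the time to saturation by roughly the same factor of four, which is the defender's reason to watch for scans concentrated on routable space.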

Page 19

Scanning Model

• Divide-Conquer Scan
  – dividing the target address space when infecting a host
  – “single point of failure”
  – generating a hitlist to decide the splitting point
  – propagation speed

Page 20

Scanning Model

• Hybrid Scan
  – combining routable scan with random scan at a later stage of the propagation
  – able to infect hidden and protected hosts

• Extreme Scan
  – DNS Scan
    • difficult to get a complete target address list
    • hosts that don’t have a public domain name
    • huge address list size
  – Complete Scan
    • using the complete list of assigned IP addresses
    • list size: 400 Mbytes
    • slower than random scan

Page 21

Comparison of Scanning Models

Page 22

Scanning Model

• Comparison of the Worm Scan Methods (Cont’d)

Page 23

Topological Model

• Proposed Model
  – Assuming a general connected graph G = (N, E), where N is the number of nodes in the network and E is the set of edges

Page 24

Page 25

Topological Model

• Experiments
  – Real network graphs from Oregon router view (10900 AS peers)
  – Synthesized power-law graphs (1000-node BA network)

Page 26

Topological Model

Page 27

Topological Model

• Epidemic threshold with a single parameter

Page 28

Topological Model

• Generality of the Threshold Condition

Page 29

How to Mitigate the Worm Threat?

$\frac{dS}{dt} = -\beta\, S(t)\, I(t)$

$\frac{dI}{dt} = \beta\, S(t)\, I(t) - \gamma\, I(t)$

$\frac{dR}{dt} = \gamma\, I(t)$

S(0) = N; $\beta$ = (probe rate of worm) / M, where M is the total population (= 2^32 IPv4 addresses); $\gamma$ is the "removal" rate

1. Reduce # of susceptible hosts (prevention)

2. Reduce rate of infection (suppression)

3. Reduce # of infected hosts (containment)
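As an added example, not the slides' own code, the SIR system of the SIR Model slide and of this slide integrated numerically with S(0) = N and β = (probe rate)/M, using the Code Red I v2 figures from the containment slides (360,000 vulnerable hosts, 10 probes/sec, M = 2^32), to show how each of the three levers above lowers the peak infected count and that no outbreak occurs once γ exceeds βN. The removal rate (one removal per two hours), the forward-Euler step and the function names are assumptions of mine.

```python
# Added example, not code from the slides. SIR system of the mitigation slide:
#   dS/dt = -beta S I,  dI/dt = beta S I - gamma I,  dR/dt = gamma I
#   S(0) = N, beta = (probe rate) / M, gamma = "removal" rate.
# Figures: Code Red I v2 parameters from the containment slides. The removal
# rate (one removal per two hours) and the Euler integration are assumptions.
M = 2 ** 32          # total population: IPv4 address space
N = 360_000          # vulnerable hosts
PROBE_RATE = 10.0    # probes per second from each infected host
GAMMA = 1 / 7200     # removal rate per second (assumed: hosts cleaned after ~2 h)

def r0(susceptible=N, probe_rate=PROBE_RATE, gamma=GAMMA):
    """Basic reproduction number beta*S(0)/gamma; the worm takes off only if R0 > 1."""
    return (probe_rate / M) * susceptible / gamma

def sir_peak(susceptible=N, probe_rate=PROBE_RATE, gamma=GAMMA,
             i0=1.0, dt=1.0, horizon=24 * 3600):
    """Forward-Euler integration with step dt seconds; returns the peak infected count."""
    beta = probe_rate / M
    s, i, r = float(susceptible), float(i0), 0.0
    peak = i
    for _ in range(int(horizon / dt)):
        new_infections = beta * s * i * dt      # susceptibles hit by a successful probe
        removals = gamma * i * dt               # infected hosts detected and cleaned
        s -= new_infections
        i += new_infections - removals
        r += removals
        peak = max(peak, i)
    return peak

def mitigation_comparison():
    """Peak infected hosts for the baseline and for each lever on the slide."""
    return {
        "baseline": sir_peak(),
        "1 prevention (halve susceptible hosts)": sir_peak(susceptible=N // 2),
        "2 suppression (halve probe rate)": sir_peak(probe_rate=PROBE_RATE / 2),
        "3 containment (double removal rate)": sir_peak(gamma=2 * GAMMA),
    }

if __name__ == "__main__":
    print(f"R0 = {r0():.2f}")
    for lever, peak in mitigation_comparison().items():
        print(f"{lever}: peak infected ~ {peak:,.0f}")
```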

Page 30

Countermeasures

• Containment (David Moore et al.)
• Worm-Killing Worm (Hyogon Kim et al.)
• An Architecture for Patch Distribution (Stelios Sidiroglou et al.)

Page 31

Containment

• Key Properties of Containment
  – Time to detect and react
  – Strategies for identifying and containing the pathogen
  – Deployment scenario

• Containment Technologies
  – Content filtering
  – IP blacklisting

Page 32

Containment Infrastructure

• Idealized Deployment
  – Idealized setting
    • Universally deployed containment systems
    • Simultaneous information distribution
  – Simulation parameters
    • Code Red I v2 spread
    • 360,000 total vulnerable hosts
    • Total population: 2^32
    • Probe rate: 10/sec

Page 33

Effectiveness of Containment

• In Idealized Deployment

Page 34

Effectiveness of Containment

Page 35

Effectiveness of Containment

• Practical Deployment
  – Practical setting
    • System deployment on the AS level
  – Simulation parameters
    • Code Red I v2
    • 338,652 vulnerable hosts
    • 6,378 ASes
    • Default reaction time: 2 hours

Page 36

Effectiveness of Containment

• In Practical Deployment

Page 37

Effectiveness of Containment

• In Practical Deployment

Page 38

Worm-Killing Worm

• Behaving like typical worms
  – Except that it cures and patches infected hosts
  – Examples: Code Green and CRClean released against Code Red Worm

• Experiment Setting
  – SQL Slammer Worm
  – 100,000 vulnerable hosts
  – total population = 2^32
  – Higher scanning rate than that of SQL Slammer Worm
  – Default reaction time a = 10 sec
  – k < v

Page 39

Worm-Killing Worm

• Typical Spreading Dynamics

Page 40

Impact of Reaction Time by Worm-Killing Worm

Page 41

Self-Destruction of Worm-Killing Worm

• Rumor-Monger threshold r: when the probe success rate drops below r, the killer worm stops spreading

Page 42

Architecture for Patch Distribution

• A Network Worm Vaccine Architecture
  – Automatically generating and testing patches
  – A combination of
    • Honeypots
    • Dynamic code analysis
    • Sandboxing
    • Software updates

Page 43

V. Summary

• Insurgence of the worms in a pervasive network environment
• Approximated propagation models and simulation on small data sets
• Co-evolution of attackers and defenders
• No comprehensive remedy yet
• Existing work mainly focusing on post-outbreak measures

Page 44

Acknowledgements & References

[1] Yong-yeol Ahn, "Epidemics on Networks: from Physics," unpublished, April 2005.

[2] Min Gyung Kang, "The Internet Worms: Propagation Models and Countermeasures," unpublished, April 2005.

[3] David Alderson, "Mitigating the Risk of Cyber Attack," Guest Lecture in MS&E293, Stanford, 2003.

[4] D. Moore et al., "Internet Quarantine: Requirements for Containing Self-Propagating Code," INFOCOM 2002.

[5] Hyogon Kim et al., "On the functional validity of the worm-killing worm," ICCC 2005.