Network Transport: Recipient Activated Malware Bruce W. Fowler University of Alabama in Huntsville Center for Management of Science and Technology P. O. Box 220 Arab, AL 35016 [email protected]

Recipient Activated Malware Diffusion


Page 1: Recipient Activated Malware Diffusion

Network Transport: Recipient Activated Malware

Bruce W. Fowler

University of Alabama in Huntsville

Center for Management of Science and Technology

P. O. Box 220

Arab, AL 35016

[email protected]

Page 2: Recipient Activated Malware Diffusion

Acknowledgement

The author wishes to gratefully acknowledge the assistance of Ms. Norma Lee in developing the process models herein presented.

Page 3: Recipient Activated Malware Diffusion

Background

Induced Fragility in Information Age Warfare

Page 4: Recipient Activated Malware Diffusion

What's Malware?

Malware Definition (http://www.linfo.org/malware.html)

Malware is any software that is developed for the purpose of doing harm to computers or via computers.

Malware can be classified in several ways, including on the basis of how it is spread, how it is executed and/or what it does. The main types of malware include worms, viruses, trojans, backdoors, spyware, rootkits and spam.

Page 5: Recipient Activated Malware Diffusion

What's Recipient Activated Malware (RAM)?

Malware that is activated by the recipient:

Type 1: the malware is linked to a recipient via an email

Malware embedded in email proper,

Malware embedded as attachment, or

Malware embedded in web page with link in the email.

Malware on removable media obtained from a colleague.

Type 2: the malware is embedded in a web page that the user (recipient) visits either undirected or by direction other than email.

Page 6: Recipient Activated Malware Diffusion

Internet 'Reality' Space-Time

Time: similar to ‘material’ reality (mechanical clocks, parametric)

Space: arcs (edges) and nodes, not Cartesian

Page 7: Recipient Activated Malware Diffusion

RAM + space-time

Neglecting server infection, RAM only afflicts terminating arcs (edges) on the boundaries of the network.

Only degree one nodes impacted, network statistics effectively irrelevant

exception: non-American cellular phones?

exception: positive correlation network contribution structuring email addressing?

No further spatiality (gridless)

Page 8: Recipient Activated Malware Diffusion

Rate Theory Interlude

1

1 1

Starting Equation

If the are regular, then to first order in Laplace Transform expansion,

where

i iicontinuous

i

continuous

i i

du duu t t

dt dt

t

u tdu du

dt dt

t t

Page 9: Recipient Activated Malware Diffusion

RAM Type 1 Process

Page 10: Recipient Activated Malware Diffusion

RAM Type 1 Transport Equation - 1

$N$ = number of infected, contagious computers

$N_T$ = total number of computers on network

[symbol missing]$_1$ = time between email transmissions

[symbol missing]$_2$ = time for a non-contagious computer to become contagious

$m$ = number of addresses on advertising email with embedded or linked malware (possibly RV)

$p_{NI}$ = probability recipient computer is not infected $= \frac{N_T - N}{N_T} = 1 - \frac{N}{N_T}$

$p_S$ = probability anti-malware filter catches malware

$p_{fs}$ = probability user releases malware caught by filter

$p_e$ = probability recipient executes/links to malware

$n$ = population of infected, non-contagious computers

Page 11: Recipient Activated Malware Diffusion

RAM Type 1 Transport Equation - 2

2

1 2

1 2

2

01

1 ;

, network transmission time

;

1

NI S S fs e

NI S S fs e

dn N nm p p p p p

dt

dN n

dt

dN NLim m p p p p p

dt

This is simply a Logistics DE! Disease-like diffusion
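The following is an added example, not the author's code: it numerically integrates a two-compartment model built from the Type 1 variables and compares how filter quality and user release of quarantined mail change the time to 50% infection. The form of the rate equations, the pass-through term (1 - p_S) + p_S p_fs, the names tau1 and tau2 for the two time constants, and all parameter values are assumptions.

```python
"""Added example: Euler integration of a two-compartment Type 1 RAM model.

Assumed form (a reading of the slide's variable list, not the author's code):
  dn/dt  = (N/tau1) * m * p_NI * p_pass * p_e - n/tau2
  dN/dt  = n/tau2
  p_NI   = 1 - N/N_T
  p_pass = (1 - p_S) + p_S * p_fs
"""

def pass_probability(p_s, p_fs):
    """Mail reaches the user if the filter misses it, or catches it and the user releases it."""
    return (1.0 - p_s) + p_s * p_fs

def simulate_type1(n_total, n0, tau1, tau2, m, p_s, p_fs, p_e, t_end, dt=0.05):
    """Return [(t, N, n), ...]; N = contagious, n = infected but not yet contagious."""
    N, n = float(n0), 0.0
    traj = [(0.0, N, n)]
    for step in range(1, int(round(t_end / dt)) + 1):
        p_ni = max(0.0, 1.0 - N / n_total)  # probability the recipient is not infected
        new_infections = (N / tau1) * m * p_ni * pass_probability(p_s, p_fs) * p_e
        dn = new_infections - n / tau2
        dN = n / tau2
        n, N = n + dn * dt, N + dN * dt
        traj.append((step * dt, N, n))
    return traj

def time_to_fraction(traj, n_total, fraction):
    """First time at which N reaches fraction * N_T, or None if it never does."""
    for t, N, _ in traj:
        if N >= fraction * n_total:
            return t
    return None

# Constructed parameters (time unit: days), not taken from the slides.
BASE = dict(n_total=10_000, n0=10, tau1=1.0, tau2=0.5, m=20, p_e=0.05, t_end=120.0)

if __name__ == "__main__":
    for label, p_s, p_fs in [("weak filter", 0.50, 0.10),
                             ("strong filter", 0.95, 0.10),
                             ("strong filter, users release mail", 0.95, 0.50),
                             ("strong filter, nothing released", 1.00, 0.00)]:
        traj = simulate_type1(p_s=p_s, p_fs=p_fs, **BASE)
        print(f"{label:36s} p_pass={pass_probability(p_s, p_fs):.3f} "
              f"t(50%)={time_to_fraction(traj, BASE['n_total'], 0.5)}")
```

In this model a filter that catches everything only stops the spread if users never release what it caught; a nonzero release probability restores a positive growth rate.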

Page 12: Recipient Activated Malware Diffusion

RAM Type 2 Process

Page 13: Recipient Activated Malware Diffusion

RAM Type 2 Transport Equation

Some previous plus

[symbol missing]$_3$ = mean time between web site visits

[symbol missing]$_B$, [symbol missing]$_M$ = relative likelihood of visiting benign, malware web site

[symbol missing]$_M$ = fraction of websites harboring malware

$S_T$ = total number of web sites

$p_{MAL}$ = probability of visiting a malware site

=1

probability of downloading Malware (may be 1 for some forms)

1

M M

M M B M

down

TMAL down S S fs e

p

N NdNp p p p p p

dt

This is simple NED.

Page 14: Recipient Activated Malware Diffusion

Insights

Type 2 potentially more serious – faster growth

Counter-measures

Low hanging fruit – common pieces

Anti-malware filters (good investment, keep up to date – Conficker worm!)

Web site warning utilities/blocking

Education – never take anything out of filter cache, never run programs you don’t know, visit only good sites.

Tree chopping and Baby tossing

Corporate network

Wine

Two OS + Virtual Machines

Page 15: Recipient Activated Malware Diffusion

The Future

How to recover from MalWare

Waiting for new methods

Drilling down

Commonalities