220 likes | 351 Views
Peer-to-peer system-based active worm attacks: Modeling, analysis and defense. Wei Yu, Sriram Chellappan, Xun Wang, Dong Xuan. Computer Communications 31 (2008). Outlines. Introduction Modeling P2P-based active worm attacks Analyzing P2P-based active worm attacks
E N D
Peer-to-peer system-based active worm attacks: Modeling, analysis and defense Wei Yu, Sriram Chellappan, Xun Wang, Dong Xuan Computer Communications 31 (2008)
Outlines • Introduction • Modeling P2P-based active worm attacks • Analyzing P2P-based active worm attacks • Defending against P2P-based active worm attacks • Performance evaluation • Final remarks
Introduction Automatically propagate themselves and compromise hosts in the Internet. Traditional worms predominantly adopt the random-based scan approach to propagate. A more powerful worm attack strategy is the hit-list strategy, which collects a list of IP addresses prior to the attack to improve success rate of infection. P2P systems can be a potential vehicle for the attacker.
Modeling P2P-based active worm attacks • In general, there are two stages in an active worm attack: (1) scanning the network to select victim hosts; (2) infecting the victim after discovering its vulnerability. • Pure Random Scan (PRS) • Only 24% of addresses in the Internet space are used.
Offline P2P-based hit-list scan (OPHLS) The attacker collects IP address information of the P2P system offline. We denote this as the hit-list of the attacker. After obtaining the hit-list,, there are two phases of attack model: First, all newly infected hosts continuously attack the hit-list until all hosts in the hit-list have been scanned (called the P2P system attack phase). In the second phase, all infected hosts continue to attack the Internet via PRS.
Online P2P-based scan (OPS) • The host immediately launches the attack on its P2P neighbors as a high priority (using 60% of its attack capability), and attack the rest of the Internet with its remaining capability (40%) via PRS. • Note that there are two types of P2P systems: structured and unstructured. • In the OPHLS model, it is the same in both types of systems, since the attacker predetermines the hit-list before attacks. • In the OPS model, the number of neighbors is quite different.
Model parameters • (1) P2P system size: • A Super-P2P system. • The size is the total number of users, denoted as m. The remaining hosts are a part of the Non-P2P system. • (2) P2P structured/unstructured topology: • Structured: all P2P nodes maintain the similar number of neighbors (averagetopology degree is ). • Unstructured: is the mean value of topology degree, is a constant for a given , and denotes the power law degree.
Analyzing P2P-based active worm attacks In the OPHLS attack model, Recursive formulas:
Analyzing P2P-based active worm attacks In the OPS attack model,
Defending against P2P-based active worm attacks • Defense framework: • Control center: it can be a system deployed node, or a stable P2P node itself. • A number of volunteer defense hosts: worm detection and response. • Threshold-based and trend-based worm detection schemes. • Threshold-based scheme: simple and easy to apply,but high false alarm rates.
Performance evaluation • <SYS; ATT; DE> • SYS: • ATT: , where OPSS & OPUS: the Online P2P-based scan attack model for the structured and unstructured P2P system. • DE: , where WB: denotes results obtained using simulations for the which one attack model.D: Trend-based detection (D1), Threshold-based detection(D2)
The Sensitivity of Attack Performance to P2P Topology Degree OPSS(degree #)
The Sensitivity of Attack Performance to P2P Host Vulnerability
The Sensitivity of Defense Performance to Different Attack Models
Sensitivity of Detection Time to Defense Region Size The defense region size g denotes a region with a group of P2P defense hosts within g P2P hops from the region leader.
Final remarks P2P systems are gaining rapid popularity in the Internet. We believe that P2P-based active worm attacks are very dangerous threats for rapid worm propagation and infection. Model and analyze P2P-based active worm propagation. Design effective defense strategies against them. An offline P2P-based hit-list attack model (OPHLS) and an online P2P-based attack model (OPS).