1 / 28

Analyzing Cooperative Containment Of Fast Scanning Worms

Analyzing Cooperative Containment Of Fast Scanning Worms. Jayanthkumar Kannan Joint work with Lakshminarayanan Subramanian, Ion Stoica, Randy Katz. Motivation. Automatic containment of worms required. Slammer infected about 95% of vulnerable population within 10 mins.

eden-best
Download Presentation

Analyzing Cooperative Containment Of Fast Scanning Worms

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Analyzing Cooperative Containment Of Fast Scanning Worms Jayanthkumar Kannan Joint work with Lakshminarayanan Subramanian, Ion Stoica, Randy Katz

  2. Motivation • Automatic containment of worms required • Slammer infected about 95% of vulnerable population within 10 mins • Easier to write: Worm = “Propagation” toolkit + new exploit

  3. Worm containment strategies firewalls • End-host instrumentation: CCCSRB 04, NS 05 core routers end-hosts specialized end-points • Core-router augmentation: WWSGB 04 • Specialized end-points (honeyfarms): P 04 • Firewall-level containment: WSP 04, WESP 04

  4. Decentralized Cooperation • Internet firewalls exchange information with each other to contain the worm • Suggested in recent work: WSP 04, NRL 03, AGIKL 03 • Pros of decentralization: • Scales with the system size • No single point of failure / administrative control • Efficacy and limitations not well understood

  5. Questions we seek to answer • Cost of decentralization • Effect of finite communication rate between firewalls on containment • Effect of malice • Impact of malicious firewalls on containment • Performance under partial deployment

  6. Roadmap • Abstract model of cooperation • Analysis of cooperation model • Numerical Results • Analytical, Simulation • Conclusion

  7. Model of Cooperation • Each firewall in the cooperative performs following actions: • Local Detection: Identify when its network is infected by analyzing outgoing traffic • Signaling: Informs other firewalls of its own infection along with filters • Filtering: A informed firewall drops incoming packets

  8. Firewall states Infected Successful worm scan Local Detection Detected Normal Signals Sent Signal Received Alerted/Uninfected

  9. Model of Signaling • Two kinds of signaling: • Implicit: Piggyback signals on outgoing packets • Explicit: Signals addressed to other firewalls • Setup attacks: • Challenge-response verification of signals • Firewall sends false signal: • Thresholding: Enter “alerted” state after receiving signals from T different firewalls • Firewall suppresses signal: • Even if up to 25% firewalls behave this way, good containment is possible

  10. Roadmap • Abstract model of cooperation • Analysis of cooperation model • Numerical Results • Analytical, Simulation • Conclusion

  11. Analytical results • Main focus: Containment metric C: • C = fraction of networks that escape infection • Is Signaling Necessary? • Cost of Decentralization: • Dependence of containment on signaling rate • Effect of malice: • Dependence of containment on Threshold T

  12. Parameters used in analysis • Worm model: • Scanning: Topological scanning (zero time) followed by global uniform scanning • Probability of successful probe = p • Scanning rate = s • Vulnerable hosts uniformly distributed behind these firewalls • Local detection model: • After infection, the time required for the infection to be detected is an exponential variable with time td • Signaling model: • Explicit signals sent at rate E

  13. Detection and Filtering • Worm probes only in interval between “infection” and “detection” • λ is the expected number of successful infections made by a infected network before detection • λ = p s td • Result: If λ < 1, C = 1 for large N • Analogy to birth-death process • Implications • Earlier worms like Blaster satisfied this constraint

  14. Detection and Filtering (2) • Surprisingly, even if λ > 1, containment can be achieved without signaling • Intuition: • As the infection proceeds, harder to find new victims • λ (= p s td) effectively decreases over time • For λ = 1.5, about 40% containment • For λ = 2.0, about 20% containment • λ = 2.0 for a Slammer-like worm

  15. Analyzing Signaling • Signaling required if λ > 1 • Differential equation model • For λ > 1 and σ = (λ-1)/td , the containment metric C is at least

  16. Asympotic Variations • Implicit Signaling: • Worm spreads at rate “ps” • Signals sent at rate “s” • Linear drop with time to detection (td) • Linear drop with threshold (T) • Explicit Signaling: • Implicit signaling relies on (p << 1) • Explicit signals essential for high p • Linear drop with 1/E • Tunable parameter

  17. Roadmap • Abstract model of cooperation • Analysis of cooperation model • Numerical Results • Analytical, Simulation • Conclusion

  18. Numerical Results • Parameter Settings: • Scan rate set to that of Slammer • Size of vulnerable population = 2 x Blaster • 1,00,000 networks: 20 vulnerable hosts per network • Start out with 10 infected networks and track worm propagation

  19. Cost of Decentralization Higher the detection time, lower the containment

  20. Effect of Malice Defends against a few hundred malicious firewalls

  21. Conclusions • Contribution: Further the understanding of cooperative worm containment • Cost of Decentralization: • With moderate overhead, good containment can be achieved • Effect of Malice: • Can handle a few hundred malicious firewalls in the cooperative • Cost of Deployment: • Even with deployment levels as low as 10%, good containment can be achieved

  22. Detection and Filtering

  23. Signaling

  24. Containment vs Vulnerable population size

  25. Containment vs Signaling Rate

  26. Containment vs Deployment

  27. Internet-like Scenario Works well even under non-uniform distributions

  28. Conclusions • Main result: with moderate overhead, cooperation can provide good containment even under partial deployment • For earlier worms, cooperation may have been unnecessary • Required for the fast scanning worms of today • Our results can be used to benchmark local detection schemes in their suitability for cooperation • Our model and results can be applied to: • Internet-level / enterprise-level cooperation • More sophisticated worms like hit-list worms • Room for improvement in terms of robustness • Verifiable signals • Hybrid architecture: • Fit in “well-informed” participants in the cooperative

More Related