
Cooperative Response Strategies for Large Scale Attack Mitigation

Cooperative Response Strategies for Large Scale Attack Mitigation. D. Nojiri, J. Rowe, K. Levitt Univ of California Davis DARPA Info Survivability Conference and Exposition 2003 Presented by Hao Cheng, 2006.01. Contribution. Build a mathematical model for the cooperation defense model.


Presentation Transcript


  1. Cooperative Response Strategies for Large Scale Attack Mitigation
     D. Nojiri, J. Rowe, K. Levitt, Univ of California Davis
     DARPA Info Survivability Conference and Exposition, 2003
     Presented by Hao Cheng, 2006.01

  2. Contribution
     • Build a mathematical model for the cooperative defense model.
     • Simulation results are reasonable and confirm some meaningful intuitions.

  3. Architecture
     [Architecture diagram; labels: malicious, Internet, block, alerted, friend protocol, alerted, P2P Cooperative Structure]

  4. Why Cooperation & P2P?
     • Large-scale Internet worm attack
     • Attack: overwhelming, distributed
     • Local knowledge: useless
     • Hierarchical control: localized region

  5. What Problems?
     • Propagation of information: slow
     • Security issues
     • Responses: expensive
     • False alarms
     • A formal study of an automated mitigation control mechanism is necessary.
     • Mathematical model + simulation

  6. Assumptions
     • Direct cooperation: a limited number of friend organizations
     • Two states.
     • If a member detects (or is alerted to) a suspicious attack, it follows its local policy: blocking, and sharing information with its own set of friends.
     • Rate of propagation R(mitigating response) > R(worm attacks)

  7. Modeling
     • Staniford’s Virus Propagation Model [2]
     [Equation annotations: # of hosts already compromised; # of hosts to be compromised in this time slot; ratio of vulnerable hosts which each infected host can attack]

  8. Cont.
     • Kephart’s Virus Infection Model [3]
     [Equation annotation: # of infected hosts which recovered during this time slot]

  9. Mitigation Response
     [Equation annotations: # of friends which are not alerted; # of response members which are alerted; cumulative severity of messages sent to its friends; cumulative severity of messages in the entire system]

  10. Infection Rate
     • Attacks from inside/outside
     • Local infection rate:
     • Global infection rate:
     [Equation annotations: probability of remote attack; probability of local attack]
     Short comment: not all hosts are controlled by the cooperation network.

  11. Numerical Solution
     Differential equations, solved numerically.

  12. Plots
     [Plot: propagation rate vs. time step]
     Analysis: a sufficient number of cooperating members or friends is needed.

  13. Simulation
     • Based on the Swarm simulation package.
     • http://www.swarm.org/wiki/Main_Page
     • Biological science: population dynamics.

  14. Experimental Settings
     • Internet topology: flat network.
     • 5832 vulnerable hosts, 729 cooperating members (each controlling 8 hosts).
     • The response device keeps an alert level and becomes “alerted” if it receives enough alert messages.
     • Alerted: block + inform friends.

  15. Plots
     [Plot: propagation rate vs. time step, for a varied number of friends]

  16. Analysis Results
     • Greater number of friends: greater suppression of the worm, shorter time to recover, more false alarms.
     • Higher severity threshold: fewer false alarms.
     • Optimal friend lists: a graph theory problem, reduce the diameter of a directed graph with a limited number of edges.
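As an added example (not code from the paper or from this presentation), a small discrete-time simulation of the slide-14 setup that lets one reproduce the slide-16 trade-off between worm suppression and false alarms by varying the friend-list size and the alert threshold. The rules it assumes are mine, not the paper's: random directed friend lists, an alert level that rises by one per infected host of the member's own and by one per alert message from a friend, blocking that stops inbound infection only, and alert messages that cascade fully within a time step (the slide-6 assumption that response propagates faster than the worm).

```python
import random
# Topology from slide 14: 729 cooperating members, each controlling 8 hosts (5832 vulnerable hosts).
N_MEMBERS = 729
HOSTS_PER_MEMBER = 8
N_HOSTS = N_MEMBERS * HOSTS_PER_MEMBER

def make_friends(rng, n_friends):
    # Random directed friend lists (assumption: the slides do not say how the lists are built).
    friends = []
    for m in range(N_MEMBERS):
        picks = [f for f in rng.sample(range(N_MEMBERS), n_friends + 1) if f != m]
        friends.append(picks[:n_friends])
    return friends

def simulate(n_friends, threshold, scans_per_step=2, steps=50, seed=7):
    # Discrete-time worm on a flat network with the cooperative alert/block response.
    rng = random.Random(seed)
    friends = make_friends(rng, n_friends)
    level = [0] * N_MEMBERS            # alert level kept by each member's response device
    alerted = [False] * N_MEMBERS      # an alerted member blocks inbound traffic to its hosts
    infected = {0}                     # constructed: host 0 is patient zero
    history, outbox = [], []

    def raise_alert(member, severity, outbox):
        # Bump the level; on crossing the threshold the member blocks and warns its friends.
        level[member] += severity
        if not alerted[member] and level[member] >= threshold:
            alerted[member] = True
            outbox.extend(friends[member])

    raise_alert(0, 1, outbox)          # patient zero is detected by its member like any later victim
    for _ in range(steps):
        # Snapshot of the infected population: this step's victims start scanning next step.
        for _ in range(len(infected) * scans_per_step):
            target = rng.randrange(N_HOSTS)
            owner = target // HOSTS_PER_MEMBER
            if target in infected or alerted[owner]:
                continue                   # already compromised, or blocked by its member
            infected.add(target)
            raise_alert(owner, 1, outbox)  # local detection: one alert point per victim
        # Assumed R(response) > R(worm) (slide 6): alert messages cascade within the same step.
        while outbox:
            raise_alert(outbox.pop(), 1, outbox)
        history.append(len(infected))

    hit = {h // HOSTS_PER_MEMBER for h in infected}
    false_alarms = sum(1 for m in range(N_MEMBERS) if alerted[m] and m not in hit)
    return {"infected": len(infected), "infected_members": len(hit), "alerted": sum(alerted),
            "false_alarms": false_alarms, "history": history}
```

Calling simulate(n_friends=0, threshold=3) and simulate(n_friends=8, threshold=3) side by side reproduces the slide-15 comparison; "false_alarms" counts members that blocked without ever hosting an infected machine.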

  17. Weakness
     • The mitigation response cost.
       • Unclear in the presentation.
     • Not very realistic in the mathematical modeling.
       • Already pointed out during the presentation.
       • A peer can go into the alerted state not only by receiving warning information.
     • Modeling results not totally convincing.
     • Security problem.

  18. Improvement
     • Study the problems pointed out.
     • Optimal friend lists need to be considered more seriously.

  19. References
     • D. Nojiri, J. Rowe, K. Levitt. Cooperative Response Strategies for Large Scale Attack Mitigation. DARPA Info Survivability Conference and Exposition, 2003.
     • Jeffrey O. Kephart, Steve R. White. Directed Graph Epidemiological Models of Computer Viruses. IEEE Computer Society Symposium on Research in Security and Privacy, 1991.
     • Stuart Staniford, V. Paxson, N. Weaver. How to Own the Internet in Your Spare Time. USENIX Security Symposium, 2002.
     • http://www.swarm.org/wiki/Main_Page

  20. Questions?
