Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense
Cliff C. Zou, Weibo Gong, Don Towsley
Univ. Massachusetts, Amherst
Motivation: automatic mitigation and its difficulties
• Fast spreading worms pose serious challenges: SQL Slammer infected 90% within 10 minutes.
• Manual counteractions are out of the question.
• Difficulty of automatic mitigation: high false alarm cost.
• Anomaly detection for unknown worms: false alarms vs. detection speed.
• Traditional mitigation: no quarantine at all … long-time quarantine until passing human inspection.
Principles in real-world epidemic disease control
• Principle #1: Preemptive quarantine
• Assuming guilty before proven innocent
• Compared with the disease damage, we are willing to pay a certain false alarm cost.
• Principle #2: Feedback adjustment
• More serious epidemic, more aggressive quarantine action
• Adaptive adjustment of the trade-off between disease damage and false alarm cost.
Dynamic Quarantine
• Assuming guilty before proven innocent
• Quarantine on suspicion, release the quarantine automatically after a short time to reduce false alarm cost
• Can use any host-based or subnet-based anomaly detection system.
• Host- or subnet-based quarantine (not whole network-level quarantine).
• Quarantine is on the suspicious port only.
• A graceful automatic mitigation: a spectrum from no quarantine, through dynamic short-time quarantine, to long-time quarantine.
Dynamic Quarantine Framework (host-level)
[Figure: network activities → anomaly detection system (worm detection system) → worm detection & evaluation → decision & control → feedback control]
• Feedback: more suspicious, more aggressive action
• Predetermined constants (for each TCP/UDP port)
• Observation variables: # of quarantined
• Worm detection and evaluation variables: probability, damage
• Control variables: quarantine time, alarm threshold
Two-level Feedback Control Dynamic Quarantine Framework
[Figure: Malware Warning Center advising network-level quarantine; host-level quarantine inside each local network]
• Network-level quarantine (Internet scale)
• Dynamic quarantine is on routers/gateways of local networks.
• Quarantine time and alarm threshold are recommended by the MWC.
• Host-level quarantine (local network scale)
• Dynamic quarantine is on an individual host or subnet in a network.
• Quarantine time and alarm threshold are determined by:
• the local network’s worm detection system;
• advisory from the Malware Warning Center.
Host-level Dynamic Quarantine without Feedback Control
• First step: no feedback control/optimization
• Fixed quarantine time and alarm threshold.
• Results and conclusions:
• Derive worm models under dynamic quarantine.
• Efficiently reduce worm spreading speed.
• Give humans precious time to react.
• Cost: temporarily quarantine some healthy hosts.
• Raise/generate an epidemic threshold.
• Reduce the chance for a worm to spread out.
Worm modeling: simple epidemic model
[Figure: susceptible and infectious hosts; # of contacts between I and S]
Simple epidemic model for a fixed population system:
• I(t): # of infectious
• S(t): # of susceptible
• N: # of hosts
• t: time
• infection ability (constant)
Worm modeling: Kermack-McKendrick model
[Figure: state transition susceptible → infectious → removed over time t]
• State transition: # of removed from infectious; γ: removal rate
• Epidemic threshold theorem:
• No outbreak happens if the susceptible population is below the epidemic threshold
Analysis of Dynamic Quarantine
• I(t): # of infectious
• S(t): # of susceptible
• T: quarantine time
• R(t): # of quarantined infectious
• Q(t): # of quarantined susceptible
• λ1: quarantine rate of infectious
• λ2: quarantine rate of susceptible
Without “removal”:
Assumptions:
Extended Simple Epidemic Model
[Figure: susceptible S(t) and infectious I(t), with quarantined susceptible Q(t) = p’2 S(t) and quarantined infectious R(t) = p’1 I(t); # of contacts between the unquarantined hosts]
Before quarantine:
After quarantine:
Extended Simple Epidemic Model
Vulnerable population N = 75,000, worm scan rate 4000/sec, T = 4 seconds, λ1 = 1, λ2 = 0.000023 (two false alarms per day per node)
R(t): # of quarantined infectious
Q(t): # of quarantined susceptible
Law of large numbers
Extended Kermack-McKendrick Model
[Figure: as before, with an additional removed state]
Before quarantine:
After quarantine:
Extended Kermack-McKendrick Model
Population N = 75,000, worm scan rate 4000/sec, T = 4 seconds, λ1 = 1, λ2 = 0.000023, γ = 0.005
R(t): # of quarantined infectious
Q(t): # of quarantined susceptible
Dynamic Quarantine Model: Considering Human Counteraction
• A more realistic dynamic quarantine scenario:
• Security staff inspect quarantined hosts only.
• There is not enough time to check all quarantined hosts before their quarantine time expires, so removal happens only from the quarantined infectious hosts R(t).
• The model is similar to the Kermack-McKendrick model.
• Introduced epidemic threshold:
Dynamic Quarantine Model: Considering Human Counteraction
Population N = 75,000, worm scan rate 4000/sec, T = 4 seconds, λ1 = 1, λ2 = 0.000023, γ = 0.005
R(t): # of quarantined infectious
Q(t): # of quarantined susceptible
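As an added illustration (not code from the slides or from the authors), the Python below integrates the extended simple epidemic, extended Kermack-McKendrick and human-counteraction models with the slide parameters and computes their epidemic thresholds. It assumes β = scan rate / 2^32 for a uniform-scanning worm, a steady-state quarantined fraction p′ = λT / (1 + λT) for a host quarantined at rate λ and released after T seconds, and that a contact infects only when neither end is quarantined; the function names are my own.

```python
# Added example, not from the slides: Euler-integrate the worm models above.
# Assumed (not stated on the slides): beta = scan rate / 2^32 for a uniform-scanning
# worm; a host quarantined at rate lambda and released after T seconds spends the
# fraction p' = lambda*T / (1 + lambda*T) of its time quarantined; and a contact
# infects only when neither end is quarantined.
N = 75_000                  # vulnerable population (slides)
SCAN_RATE = 4000.0          # scans per second per infectious host (slides)
BETA = SCAN_RATE / 2 ** 32  # assumption: uniform scanning of the IPv4 space
T = 4.0                     # quarantine time in seconds (slides)
LAMBDA1, LAMBDA2 = 1.0, 0.000023  # quarantine rates of infectious / susceptible hosts
GAMMA = 0.005               # removal rate (slides)


def quarantined_fraction(lam, t_q):
    """Long-run fraction of time a host is quarantined (p'1 or p'2)."""
    return lam * t_q / (1.0 + lam * t_q)


def effective_beta(quarantine=True):
    """Infection ability between the unquarantined parts of I(t) and S(t), plus p'1."""
    p1 = quarantined_fraction(LAMBDA1, T) if quarantine else 0.0
    p2 = quarantined_fraction(LAMBDA2, T) if quarantine else 0.0
    return BETA * (1.0 - p1) * (1.0 - p2), p1


def epidemic_threshold(model, quarantine=True):
    """Susceptible population below which no outbreak occurs (None: no threshold)."""
    eff, p1 = effective_beta(quarantine)
    if model == "km":                 # removal from all infectious hosts
        return GAMMA / eff
    if model == "human" and p1 > 0:   # removal only from R(t) = p'1 I(t)
        return GAMMA * p1 / eff
    return None                       # simple model: no removal, no threshold


def time_to_reach(model, frac, quarantine=True, dt=0.01, t_end=3600.0, i0=10.0):
    """Seconds until I(t) first reaches frac * N under the given model, else None."""
    eff, p1 = effective_beta(quarantine)
    infectious, removed = i0, 0.0
    for step in range(int(t_end / dt)):
        if infectious >= frac * N:
            return step * dt
        susceptible = N - infectious - removed
        rate = {"simple": 0.0, "km": GAMMA * infectious,
                "human": GAMMA * p1 * infectious}[model]
        infectious += dt * (eff * infectious * susceptible - rate)
        removed += dt * rate
    return None


if __name__ == "__main__":
    for q in (False, True):
        print("quarantine" if q else "no quarantine",
              "50% infected at t =", time_to_reach("simple", 0.5, q), "s")
```

With the slide values, (1 − p′1)(1 − p′2) ≈ 0.2, so the time for the simple model to infect half of the population grows about fivefold, and the removal models gain a threshold several times higher than without quarantine.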
Summary
• Learn the quarantine principles from real-world epidemic disease control:
• Preemptive quarantine: assuming guilty before proven innocent
• Feedback adjustment: more serious epidemic, more aggressive quarantine action
• Two-level feedback control dynamic quarantine framework
• Optimal control objective:
• Reduce worm spreading speed and # of infected hosts.
• Reduce false alarm cost.
• Derive worm models under dynamic quarantine
• Efficiently reduce worm spreading speed
• Give humans precious time to react
• Raise/generate an epidemic threshold
• Reduce the chance for a worm to spread out