Email Worm Modeling and Defense
Cliff C. Zou, Don Towsley, Weibo Gong, Univ. Massachusetts, Amherst

Presentation transcript:

1 Worm Modeling and Defense Cliff C. Zou, Don Towsley, Weibo Gong Univ. Massachusetts, Amherst

2 Internet Worm Introduction
Scan-based worms:
- Example: Code Red, Slammer, Blaster, Sasser, …
- No human interaction
- Fast (automatic defense)
- Need vulnerability
- Fewer incidents
- Network-based blocking
- Modeling: no (weak) topological issue
- Epidemic models
Email worms:
- Example: Melissa, Love letter, Sircam, SoBig, MyDoom, …
- Human activation
- Slower
- Need no vulnerability
- More incidents
- Defense on servers
- Modeling: address logical topology
- No math model yet
Nimda: mixed infection
MyDoom: search engine

3 Topology — Heavy-tailed Distributed
Topology degree distr.
Size distr. of address books
- Popular list: one list address corresponds to many.
- Email worms find all addresses on compromised computers.
- Address books, Web cache, text documents, etc.
We study propagation on power law topologies.
- Generators available; best candidate to represent heavy-tailed topology.
[Figure: Complementary cumulative distribution (May 2002: > 800,000 Yahoo groups)]

4 Worm Simulation Model
Discrete time simulation
Topology: undirected graph
- Power law, small world, random graph
Modeling behavior of individual user
- Worm attachment opening prob.
- Checking time interval
- Following any distribution: Exponential, Erlang, Constant.
Modeling the entire user population
- normal distr.

5 Propagation Stochastic Effect
Power law network: 100,000 nodes, average degree = 8
N_t: the number of infectious at time t.
N_0 = 2 randomly selected
100 simulation runs for each experiment
Random effect in simulation
Initially infected nodes and initial infection are critical.
It is possible that no one is infected except N_0
- When no neighboring nodes open attachments.

6 Initially infected nodes with different node degree
Initially infected nodes are more important in a sparsely connected network than a densely connected network
[Figure panels: Avg. degree = 8; Avg. degree = 20]

7 Effect of checking time variability
An email worm propagates faster when the checking time is more stochastically variable.
- Snowball effect: Before worm copies give birth to the next generation in the less variable system, worm copies in the more variable system have already given birth to several generations.
[Figure labels: Random variable; Exponential; 3rd-order Erlang; Constant]

8 Topology Effect on Worm Propagation
An email worm propagates faster on a power-law topology than on the other two.
- Highly connected nodes are infected earlier.
- They amplify worm propagation speed by shooting out more copies.
[Figure panels: Topology effect; Avg. degree of infected nodes (1000 simulation runs)]

9 Immunization Defense against Worms
Static immunization defense:
- A fraction of nodes are immune to an email worm before its outbreak.
- No nodes will be immunized during the worm's outbreak.
Selective immunization:
- Immunizing the most connected nodes.
- Effective for a power-law network
- Nodes have very variable node degrees: 3 ~ 2000+

10 Selective Immunization Defense
Selective immunization defense is more effective on a power law topology than on the other two.
- Due to the percolation property of a topology.
[Figure panels: Power law topology; Small world topology]

11 Percolation and Phase Transition
Selective percolation with p:
- Removing top p percent of most connected nodes.
- Corresponding to selective immunization.
- Newman et al. studied uniform percolation.
Selective percolation property:
- Connection ratio:
- fraction of remaining nodes that are connected.
- Remaining link ratio:
- fraction of remaining links.
- Phase transition
- selective percolation threshold
- Disjoint the remaining network when

12 Percolation and Phase Transition
Why different effect with 5% selective immunization?
- Power law topology: removing 55.5% links
- Small world (random graph) topology: removing < 20% links
Email worm prevention via selective immunization (phase transition):
- 30% for the power law topology
- Around 70% for the small world and random graph topologies.
[Figure panels: Power law topology; Small world topology]
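
The selective percolation measurement of slides 11 and 12, as an added example that is not part of the presentation. Assumptions: a preferential-attachment generator stands in for the authors' power law generator, "connection ratio" is taken as the share of remaining nodes in the largest connected component, and the graphs are constructed at 2,000 nodes with average degree 8, so the figures will not match the slide's percentages.

```python
import random

def link(adj, u, v):
    adj[u].add(v)
    adj[v].add(u)

def power_law_graph(n, m, rng):
    """Preferential attachment: each new node links to m nodes picked by degree."""
    adj = {v: set() for v in range(n)}
    stubs = []  # every node appears once per incident link
    for v in range(1, n):
        targets = set(range(v)) if v <= m else set()  # nodes 0..m form a clique
        while len(targets) < min(m, v):
            targets.add(rng.choice(stubs))
        for u in targets:
            link(adj, u, v)
            stubs += [u, v]
    return adj

def random_graph(n, links, rng):
    """Uniform random graph with the same node and link counts, for comparison."""
    adj = {v: set() for v in range(n)}
    while links > 0:
        u, v = rng.randrange(n), rng.randrange(n)
        if u != v and v not in adj[u]:
            link(adj, u, v)
            links -= 1
    return adj

def selective_percolation(adj, p):
    """Immunize top fraction p by degree; return (connection ratio, remaining link ratio)."""
    removed = set(sorted(adj, key=lambda v: -len(adj[v]))[:int(p * len(adj))])
    keep = {v: adj[v] - removed for v in adj if v not in removed}
    seen, largest = set(), 0
    for start in keep:  # walk each component, remember the largest one
        if start not in seen:
            comp, frontier = {start}, [start]
            while frontier:
                new = keep[frontier.pop()] - comp
                comp |= new
                frontier.extend(new)
            seen |= comp
            largest = max(largest, len(comp))
    total, left = sum(map(len, adj.values())), sum(map(len, keep.values()))
    return largest / max(len(keep), 1), left / max(total, 1)

def compare(n=2000, m=4, p=0.05, seed=1):  # constructed sizes, average degree 2m = 8
    power = power_law_graph(n, m, random.Random(seed))
    rand = random_graph(n, sum(map(len, power.values())) // 2, random.Random(seed + 1))
    return selective_percolation(power, p), selective_percolation(rand, p)
```

`compare()` returns the two ratios for the power law graph first and the random graph second; sweeping `p` upward shows where the connection ratio of each topology collapses.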

13 Summary
Email topology is a heavy-tailed distributed topology.
The impact of a power law topology on worm propagation is mixed:
- Cons: an email worm spreads faster than on a small world or a random graph topology.
- Pros: static selective immunization defense is more effective.

14 Future Work
Mathematical modeling
- Difficulty: considering an arbitrary topology
Directed graph for topology
- One-way address relationship
- Heavy tailed distr. definition? Topology generator?
Dynamic immunization defense
Short-term focus: Enterprise network defense