ACT: Attachment Chain Tracing Scheme for Email Virus Detection and Control. Jintao Xiong, Proceedings of the 2004 ACM Workshop on Rapid Malcode. Presented by Adam Anthony.

Presentation transcript:

ACT: Attachment Chain Tracing Scheme for Email Virus Detection and Control. Jintao Xiong, Proceedings of the 2004 ACM Workshop on Rapid Malcode. Presented by: Adam Anthony

Outline
- Significance
- Basic epidemiology
- Case Classifications
- Transmission Chains
- Quarantining
- Progressive Immunization
- Implementation
- Discussion

Project Significance
- New: the first study to bring the concepts of contact tracing and a transmission chain into network security
- Significant: it promises to bring network security the same heightened success that biological epidemiologists have experienced for years
- Novel: it treats a computer virus much like a biological virus and rarely concerns itself with the technology behind the virus

Basic Epidemiology
- DNA Fingerprinting
- Contact Chain Tracing

Case Classifications

Transmission Chains
- Structure
- Identification Algorithm
- Quarantining

Structure (diagram: A, B, C)
- A has a primary (layer 1 contact) link to B
- All of B's unique primary links become layer 2 contacts to A
- The pattern continues into layer 3, layer 4, etc.

Chain Identification Algorithm
1. Detect a host exceeding an activity threshold R_d.
2. If the host does not belong to another chain (it is a normal case):
   1. Set it up as the first link in a new chain.
   2. Set the host's category to Suspicious.
   3. Set the category of all normal hosts reachable by the activity to Linked and place them in the next link in the chain.
3. If the host does belong to another chain (it is not normal):
   1. Set the host's category to Suspicious.
   2. Add the host's normal recipients to the chain and set their category to Linked.
4. If the length of the chain at the host's connection is equal to a threshold K:
   1. Change all Suspicious cases to Probable.
   2. Change all Linked cases to Potential.
   3. Send the address and category information of all nodes in the chain to the quarantine system.

Quarantine Process
- Policy strictness is based on the potential threat to the network and the overall network configuration
- Only for Probable or Potential cases
- Hard Quarantine: block and warn
- Rational User: no benefit, no risk
- Soft Quarantine: reduce the probability of risky users

Soft Quarantine
- Reduce the probability of users taking risks
- Based on the "Rational User Assumption"
- Red flag = high risk, user less probable to open
- Yellow flag = medium risk, user slightly more probable to open
- Unflagged = safe to open

Hard vs. Soft Quarantine
Hard:
- Practically safer for a naive user
- More effective in slowing down virus spread
- A false alarm means the message is lost
Soft:
- Requires the rational user assumption
- Less effective in slowing down virus spread
- Nothing is lost on a false alarm

Experimentation
- Full simulation
- Generate network graphs: random and power law
- Allow the network to advance one step at a time
- Enforce different policies and record the results

Progressive Immunization
- Selective Immunization = don't immunize all nodes
- Choose the nodes to immunize: randomly, highest degree, or probable cases

Implementation Suggestions
- Chain Tracing Server installed at a logical point
- Case Finding Process
- Transmission Chain Management Process
- Quarantine implemented by the service-providing server (if it has it)
- Run 2 TCMP's

Critical Discussion
- Too much assumption of state?
- Subjective design of the simulation
- Hard vs. Soft quarantine
- Implications of progressive immunization
- Scalability?

Conclusion

Questions

Appendix: Transmission Chain Management Algorithms

Algorithm: Case Finding Process
for all sending addresses do
    check n_i, the number of emails host i has sent
    if n_i > R_d then
        report host i and its internal recipient addresses to the Transmission Chain Management Process
    end if
end for

Algorithm: Contact Trace Stack Setup
if (i is an internal normal host) or (i is an external host but is not an index case of any existing CTS) then
    assign i to be the index case of a new CTS S_i
    for all receivers of i with normal category do
        add receivers to layer 1 of CTS S_i
        change receivers' category to linked
    end for
end if
if i is an internal host then
    C_i ⇐ suspicious
end if

Algorithm: Update Contact Trace Stack
C_i ⇐ suspicious
find (S_i, L_i), the location of i
for all r_i, new recipients of i with normal category do
    S_r ⇐ S_i
    L_r ⇐ L_i + 1
end for
if L_i = K then
    tc_finish(S_i)
end if

Algorithm: Transmission Chain Finish
for all suspicious hosts in CTS S_i do
    change their category to probable
end for
for all linked hosts in CTS S_i do
    change their category to potential
end for
pass the address and category information of all the nodes in S_i to the quarantine process
remove CTS S_i
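As an added example, not code from the paper or from the presenter, the Chain Identification Algorithm slides and the four appendix procedures implemented in Python and driven by a constructed message log: the Case Finding Process reports a host once n_i > R_d, and the Transmission Chain Management Process sets up, updates and finishes Contact Trace Stacks, finishing a chain when a reported host sits at layer K. The ChainTracer class, its method names, the in-memory stack representation and the choice not to re-trace hosts already handed to quarantine are assumptions; C_i, S_i, L_i, R_d and K follow the slides.

```python
from collections import defaultdict
class ChainTracer:
    def __init__(self, internal_hosts, r_d, k):
        self.internal, self.r_d, self.k = set(internal_hosts), r_d, k
        self.sent = defaultdict(list)                   # host i -> recipients; n_i = len
        self.category = defaultdict(lambda: "normal")   # C_i
        self.cts = {}                                   # host -> (S_i, L_i): stack id, layer
        self.quarantine = {}                            # host -> category passed to quarantine

    def observe(self, sender, recipient):
        """Case Finding Process: record one message; report sender once n_i > R_d."""
        self.sent[sender].append(recipient)
        if len(self.sent[sender]) > self.r_d and sender not in self.quarantine:
            self._report(sender)        # assumption: hosts already handed over are not re-traced

    def _report(self, i):
        if i not in self.cts:           # not in any chain: Contact Trace Stack Setup
            self.cts[i] = (i, 0)        # i is the index case (layer 0) of new stack S_i
            self._link_recipients(i)
            if i in self.internal:
                self.category[i] = "suspicious"
        else:                           # already chained: Update Contact Trace Stack
            self.category[i] = "suspicious"
            self._link_recipients(i)    # new recipients land at layer L_i + 1
            if self.cts[i][1] == self.k:
                self._finish(self.cts[i][0])

    def _link_recipients(self, i):
        s_i, l_i = self.cts[i]
        for r in self.sent[i]:
            if self.category[r] == "normal" and r not in self.cts:
                self.category[r] = "linked"
                self.cts[r] = (s_i, l_i + 1)

    def _finish(self, s_i):
        """Transmission Chain Finish: suspicious -> probable, linked -> potential; hand over S_i."""
        promote = {"suspicious": "probable", "linked": "potential"}
        for h in [h for h, (s, _) in self.cts.items() if s == s_i]:
            self.category[h] = self.quarantine[h] = promote.get(self.category[h], self.category[h])
            del self.cts[h]

# Constructed sample log of (sender, recipient), not from the paper; used with R_d = 2, K = 2.
INTERNAL = {"a", "b", "c", "d", "e", "f"}
SAMPLE_LOG = [("a", "b"), ("a", "c"), ("a", "d"), ("b", "e"), ("b", "f"), ("b", "g"),
              ("e", "h"), ("e", "i"), ("e", "j")]  # bursts: a (index), b (layer 1), e (layer K)
def trace_log(log, internal=INTERNAL, r_d=2, k=2):
    tracer = ChainTracer(internal, r_d, k)
    for sender, recipient in log:
        tracer.observe(sender, recipient)
    return tracer
```

With the sample log, a's burst opens the stack, b's burst extends it to layer 2, and e's burst at layer K finishes it: a, b and e are handed over as probable, the seven hosts they mailed as potential.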