Research Progress Report
Advisor: Frank, Yeong-Sung Lin
Presented by Jia-Ling Pan
2018/11/29, NTUIM OPLAB
Agenda
- Previous comments
- Introduction
- Problem description
Previous comments
- Epidemic model
- Initial resource allocation
- Resource deployment adjustment
- Defense strategies: over-reacted vs. insensitive
Introduction
Epidemic model: the SIR model (Kermack-McKendrick model)
At any time an individual is in exactly one of three compartments: susceptible (S), infected and infectious (I), or recovered and immune (R).
- S(t): the number of individuals not yet infected with the disease at time t, i.e. those still susceptible to it.
- I(t): the number of individuals who have been infected and can transmit the disease to those in the susceptible compartment.
- R(t): the number of individuals who have been infected and then recovered. They can neither be infected again nor transmit the infection to others.
For a fixed population, N = S(t) + I(t) + R(t).
Epidemic model: the SIR model (Kermack-McKendrick model), assumptions
- Only susceptible individuals can get infected.
- After being infectious for some time, an individual recovers and is completely immune for the remainder of the study period.
- There are no births, deaths, immigration or emigration during the study period.
A consequence of these assumptions is that an individual can make only two moves: from S to I and from I to R. The flow of the model is therefore S → I → R.
Worm propagation model: simple epidemic model
- Each host is in one of two states: susceptible or infectious.
- The model assumes a homogeneous system: every host has the same probability of contacting any other host on the Internet.
- It also assumes that once a host is infected by a worm it remains infectious forever, so the only transition is S → I.
- It describes the propagation status in the initial stage well, but it is hard to match the propagation status in later stages, when countermeasures and congestion set in.
Worm propagation model: the SIR model (Kermack-McKendrick model)
- Each host is in one of three states: susceptible, infectious or removed.
- The model assumes that during an epidemic of a contagious disease some infectious hosts either recover or die; a host is in the "removed" state after it recovers or dies.
- Any host in the system therefore either follows the transition S → I → R or stays in state S forever.
Worm propagation model: the SIR model, limitations
- SIR improves on the classical simple epidemic model by considering that some infectious hosts recover or die after some time.
- On the Internet, however, cleaning, patching and filtering countermeasures against worms remove both susceptible hosts and infectious hosts from circulation; SIR only removes infectious ones.
- The model assumes a constant infection rate, which does not hold for a rampantly spreading Internet worm.
Worm propagation model: two-factor model
Human countermeasures:
- Cleaning compromised computers.
- Patching or upgrading susceptible computers.
- Setting up filters to block the worm traffic on firewalls or edge routers.
- Disconnecting computers from the Internet.
Decreased infection rate β(t):
- Large-scale worm propagation has caused congestion and trouble for some Internet routers, which slows down the worm's scanning process.
Worm propagation model: two-factor model, equations
R(t) counts infectious hosts that have been removed (cleaned or patched), Q(t) counts susceptible hosts that have been removed by patching, filtering or disconnection, and the infection rate β(t) decays as the infected fraction grows:
  dR(t)/dt = γ I(t)                                         (1)
  dQ(t)/dt = μ S(t) J(t)                                    (2)
  J(t) = I(t) + R(t)                                        (3)
  β(t) = β0 [1 - I(t)/N]^η                                  (4)
  N = S(t) + I(t) + R(t) + Q(t)                             (5)
  dS(t)/dt = -β(t) S(t) I(t) - dQ(t)/dt                     (6)
  dI(t)/dt = β(t) [N - R(t) - I(t) - Q(t)] I(t) - dR(t)/dt  (7)
By (5), N - R(t) - I(t) - Q(t) = S(t), so (7) reads dI/dt = β(t) S(t) I(t) - γ I(t): new infections minus removals.
Worm propagation model: two-factor model, numerical example
Parameters: N = 1,000,000, I0 = 1, η = 3, γ = 0.05, μ = 0.06/N and β0 = 0.8/N.
The simple epidemic model is the special case η = 0, γ = 0 and μ = 0 (no congestion effect, no removal, no quarantine).
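The following is an added example, not code from the slides or from the two-factor model's authors: it integrates equations (1) to (7) with the slide's parameters by plain Euler stepping and compares the result with the η = γ = μ = 0 reduction. The time horizon T = 100 and the step size dt = 0.01 are assumptions (the slide gives no time unit); the `Trajectory` and `simulate` names are mine.

```python
"""Numerical integration of the two-factor worm model, eqs. (1)-(7), with the
slide's parameters.  Plain Euler stepping; standard library only."""

from dataclasses import dataclass, field


@dataclass
class Trajectory:
    """Time series of the four compartments, in hosts (not fractions)."""
    t: list = field(default_factory=list)
    S: list = field(default_factory=list)
    I: list = field(default_factory=list)
    R: list = field(default_factory=list)
    Q: list = field(default_factory=list)

    def peak_infected(self) -> float:
        """Largest number of simultaneously infectious hosts."""
        return max(self.I)

    def peak_time(self) -> float:
        """Time at which I(t) reaches its maximum."""
        return self.t[self.I.index(max(self.I))]


def simulate(N=1_000_000, I0=1, eta=3, gamma=0.05, mu=None, beta0=None,
             T=100.0, dt=0.01) -> Trajectory:
    """Integrate the two-factor model from S(0)=N-I0, I(0)=I0, R(0)=Q(0)=0.

    mu and beta0 default to the slide's 0.06/N and 0.8/N.  T and dt are
    assumed values: T=100 is long enough for the epidemic to run its course
    at these rates, and dt=0.01 keeps Euler stepping stable for them.
    """
    mu = 0.06 / N if mu is None else mu
    beta0 = 0.8 / N if beta0 is None else beta0
    S, I, R, Q = float(N - I0), float(I0), 0.0, 0.0
    traj = Trajectory([0.0], [S], [I], [R], [Q])
    for k in range(1, int(round(T / dt)) + 1):
        beta = beta0 * (1.0 - I / N) ** eta   # (4): congestion lowers the scan rate
        dR = gamma * I                        # (1): infectious hosts cleaned/patched
        dQ = mu * S * (I + R)                 # (2),(3): susceptible hosts patched/filtered
        new_inf = beta * S * I                # infection term shared by (6) and (7)
        S += dt * (-new_inf - dQ)             # (6)
        I += dt * (new_inf - dR)              # (7), using N-R-I-Q = S from (5)
        R += dt * dR
        Q += dt * dQ
        traj.t.append(k * dt)
        traj.S.append(S)
        traj.I.append(I)
        traj.R.append(R)
        traj.Q.append(Q)
    return traj


def simple_epidemic(**kw) -> Trajectory:
    """The slide's reduction: eta = 0, gamma = 0, mu = 0 gives the SI model."""
    return simulate(eta=0, gamma=0, mu=0, **kw)


def conserved(traj: Trajectory, N=1_000_000, tol=1e-6) -> bool:
    """Check (5): S + I + R + Q must equal N at every step."""
    return all(abs(s + i + r + q - N) <= tol * N
               for s, i, r, q in zip(traj.S, traj.I, traj.R, traj.Q))


if __name__ == "__main__":
    tf, si = simulate(), simple_epidemic()
    print(f"two-factor: peak I = {tf.peak_infected():,.0f} at t = {tf.peak_time():.1f}, "
          f"I(T) = {tf.I[-1]:,.0f}, Q(T) = {tf.Q[-1]:,.0f}")
    print(f"simple SI:  peak I = {si.peak_infected():,.0f}, I(T) = {si.I[-1]:,.0f}")
```

Running it shows the qualitative difference the slides describe: under the simple model every host ends up infected, while under the two-factor model the infectious population peaks well below N and then dies out as hosts move into R and Q. Because (6) and (7) share the same infection term and R and Q absorb exactly what S and I lose, the four compartments always sum to N, which `conserved` checks as a sanity test of the integration.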
Worm propagation model: two-factor model, summary
- Takes more factors into consideration, such as human countermeasures and network congestion, so it can be used to analyse more complex worm propagation scenes.
- However, the effect of topology on worm propagation is still an open problem.
[1] Sihan Qing and Weiping Wen, "A survey and trends on Internet worms", Computers & Security, 2005.
[2] Su Fei, Lin Zhaowen and Ma Yan, "A Survey of Internet Worm Propagation Models", Proceedings of IC-BNMT 2009.
New worm types: self-disciplinary worms
A self-disciplinary worm adapts its propagation pattern to the defender's countermeasures, aiming to avoid or delay detection and ultimately to infect more computers.
- Static self-disciplinary worm: intelligently selects a propagation speed at the start of the attack but keeps the same strategy for the whole attack session.
- Dynamic self-disciplinary worm: dynamically adjusts its propagation speed during the attack session.
[3] Wei Yu, Nan Zhang, Xinwen Fu and Wei Zhao, "Self-Disciplinary Worms and Countermeasures: Modeling and Analysis", IEEE Transactions on Parallel and Distributed Systems, 2010.
Worm scanning strategy
One of the biggest problems a worm faces in achieving a very rapid rate of infection is "getting off the ground": before it can attack, the worm has to probe target hosts for the vulnerability it exploits, and while only a handful of hosts are scanning, new victims are found slowly.
- Blind scan: many worms in the wild use this strategy. They pick the next host to scan in a random, permutation or sequential way, with no prior knowledge of which hosts are vulnerable.
- Hit-list scan: the attacker builds a list of potentially vulnerable hosts in advance; the worm infects the hosts on the list first and only then starts searching for further susceptible hosts.
[4] Stuart Staniford, Vern Paxson and Nicholas Weaver, "How to 0wn the Internet in Your Spare Time", Proceedings of the 11th USENIX Security Symposium, 2002.
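To make the "getting off the ground" point concrete, here is an added discrete-time simulation (not code from the slides or from [4]) of blind scanning in random, sequential and permutation order, with and without a hit-list. The address space size (2^16), the number of vulnerable hosts (2000), the scans per host per tick (10), the random scan start of each newly infected host and the linear congruential generator used as a stand-in for a permutation of the address space are all assumptions; a real worm scans IPv4 space, which only changes the constants.

```python
"""Discrete-time simulation of worm scanning strategies over a small assumed
address space.  Standard library only; the RNG is seeded for reproducibility."""

import random

SPACE = 1 << 16   # assumed address space: 2^16 addresses instead of IPv4
# LCG constants chosen by the Hull-Dobell conditions (c odd, a-1 divisible
# by 4) so that next_in_permutation() visits every address once per cycle.
LCG_A, LCG_C = 301, 12345


def next_in_permutation(addr: int) -> int:
    """Next address in a fixed pseudo-random permutation of SPACE."""
    return (LCG_A * addr + LCG_C) % SPACE


def simulate_scan(order="random", hitlist=0, vulnerable=2000, scans_per_tick=10,
                  target_fraction=0.5, seed=1, max_ticks=10_000):
    """Return (ticks, history): ticks until target_fraction of the vulnerable
    hosts are infected, and the infected count after each tick.

    order: 'random' picks every probe uniformly; 'sequential' makes each host
    sweep upward from a random start; 'permutation' makes each host walk the
    shared LCG permutation from a random start.
    hitlist: number of vulnerable hosts the attacker compromised before
    release (0 = the worm starts from one host and must find the rest blind).
    """
    rng = random.Random(seed)
    vuln = set(rng.sample(range(SPACE), vulnerable))      # constructed victim set
    infected = set(rng.sample(sorted(vuln), max(1, hitlist)))
    cursor = {h: rng.randrange(SPACE) for h in infected}  # per-host scan position
    goal = target_fraction * vulnerable
    history = [len(infected)]
    ticks = 0
    while len(infected) < goal and ticks < max_ticks:
        ticks += 1
        newly = set()
        for host in list(infected):
            pos = cursor[host]
            for _ in range(scans_per_tick):
                if order == "random":
                    pos = rng.randrange(SPACE)
                elif order == "sequential":
                    pos = (pos + 1) % SPACE
                elif order == "permutation":
                    pos = next_in_permutation(pos)
                else:
                    raise ValueError(f"unknown scan order {order!r}")
                if pos in vuln and pos not in infected:
                    newly.add(pos)
            cursor[host] = pos
        # Hosts infected this tick start scanning next tick from a random point.
        for h in newly:
            cursor[h] = rng.randrange(SPACE)
        infected |= newly
        history.append(len(infected))
    return ticks, history


if __name__ == "__main__":
    for order in ("random", "sequential", "permutation"):
        for hl in (0, 100):
            ticks, hist = simulate_scan(order, hitlist=hl)
            print(f"{order:12s} hitlist={hl:3d}: {ticks:3d} ticks to 50% "
                  f"(first 5 ticks: {hist[:5]})")
```

The early entries of `history` are the slow start: with one scanning host and a 3% chance per probe of hitting a vulnerable address, several ticks can pass before the second victim is found, whereas a hit-list of 100 skips that phase entirely and reaches the 50% mark in a fraction of the time. Swapping the scan order changes which addresses get probed but not the speed here, because the constructed victim set is spread uniformly over the space.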
Defending against Internet worms
- Worm detection
  - Signature-based
  - Anomaly-based
- Worm containment
  - Slowing down infection: rate limiting
  - Blocking: address blocking, content blocking
[5] Pele Li, Mehdi Salour and Xiao Su, "A Survey of Internet Worm Detection and Containment", IEEE Communications Surveys & Tutorials, 2008.
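The "rate limiting" entry above is the containment technique the defender applies later in this report, so here is an added example of one classic form of it, a Williamson-style connection throttle; this is my illustration, not code from the slides or from [5]. A host may freely connect to a small working set of recently contacted destinations; a request to any other destination is queued and released at one per tick, and a queue that grows past a threshold raises an alarm. The working-set size of 5, the alarm threshold of 100, and the two traffic patterns (a browsing host and a worm host) are constructed assumptions.

```python
"""Williamson-style connection throttle run over constructed traffic: a benign
host that mostly revisits a few servers, and a worm host that opens
connections to 50 new addresses per tick."""

from collections import deque
import random


class Throttle:
    def __init__(self, working_set_size=5, release_per_tick=1, alarm_queue_len=100):
        self.working = []                  # recently contacted hosts, LRU first
        self.working_set_size = working_set_size
        self.release_per_tick = release_per_tick
        self.alarm_queue_len = alarm_queue_len
        self.queue = deque()               # delayed destinations, FIFO
        self.queued = set()                # same destinations, for O(1) membership
        self.alarmed = False
        self.sent = 0                      # requests passed straight through
        self.delayed = 0                   # requests that had to wait

    def request(self, dst: str) -> str:
        """The host asks to connect to dst; returns 'sent' or 'delayed'."""
        if dst in self.working:
            self.working.remove(dst)
            self.working.append(dst)       # refresh its LRU position
            self.sent += 1
            return "sent"
        if dst not in self.queued:
            self.queue.append(dst)
            self.queued.add(dst)
        self.delayed += 1
        if len(self.queue) > self.alarm_queue_len:
            self.alarmed = True            # far more new hosts than a user contacts
        return "delayed"

    def tick(self) -> list:
        """Once per time unit: admit up to release_per_tick queued destinations."""
        released = []
        for _ in range(self.release_per_tick):
            if not self.queue:
                break
            dst = self.queue.popleft()
            self.queued.discard(dst)
            self.working.append(dst)
            if len(self.working) > self.working_set_size:
                self.working.pop(0)        # evict the least recently used host
            released.append(dst)
        return released


def run_throttle(traffic, ticks, seed=7, **kw) -> Throttle:
    """Feed traffic(rng, tick) -> list of destinations into a Throttle."""
    t = Throttle(**kw)
    rng = random.Random(seed)
    for tick in range(ticks):
        for dst in traffic(rng, tick):
            t.request(dst)
        t.tick()
    return t


def browsing(rng, tick):
    """Constructed benign pattern: repeat visits to three servers, a new site every 10 ticks."""
    dests = ["web1", "web1", "mail", "web2"]
    if tick % 10 == 0:
        dests.append(f"newsite{tick}")
    return dests


def worm(rng, tick):
    """Constructed worm pattern: 50 random new addresses every tick."""
    return [f"10.0.{rng.randrange(256)}.{rng.randrange(256)}" for _ in range(50)]


if __name__ == "__main__":
    b = run_throttle(browsing, 100)
    w = run_throttle(worm, 20)
    print(f"browsing: sent={b.sent} delayed={b.delayed} alarm={b.alarmed}")
    print(f"worm:     sent={w.sent} delayed={w.delayed} queue={len(w.queue)} alarm={w.alarmed}")
```

The benign host is only delayed while its working set fills and once per new site afterwards, so it never trips the alarm, while the worm host's queue grows by roughly 49 addresses per tick, its outgoing new-connection rate is capped at one per tick regardless of how fast it scans, and the alarm fires within a few ticks. That cap is exactly the "slowing down infection" effect: it lowers the per-host scan rate that drives β(t) in the propagation models above.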
Problem description
Problem description
- Attacker attributes
- Defender attributes
- Attack-defense scenarios
Attacker attributes: objective
Use worms to obtain a clearer map of the network topology and of node vulnerabilities, and eventually compromise the core nodes.
Attacker attributes: budget
- Preparing phase: worm purchasing vs. development; social engineering.
- Attacking phase: node compromising; worm injection.
Attacker attributes: preparing phase
- Worm attributes
  - Scanning method: blind vs. hit-list
  - Propagation rate: static vs. dynamic
  - Capability: basic vs. advanced
- Social engineering
  - Number of edge nodes
  - Number of hops from each core node
Attacker attributes: attacking phase
- Node compromising, next-hop selection criteria
  - Link degree: a high link degree is preferred when seeking information
  - Link utilization: a low link utilization is preferred for a stealth strategy
- Worm injection, candidate selection criteria
  - Link traffic: high link traffic suits a high-rate worm, low link traffic suits a low-rate worm
  - Node defense resource (β(t) vs. defense resource)
Defender attributes
- Objective: protect core nodes
- Budget: planning phase; defending phase
Defender attributes: planning and defending phases
- Planning phase
  - Node protection: general defense resource allocation (e.g. firewall, IDS)
  - Decentralized information sharing system deployment
- Defending phase (decentralized information sharing system)
  - Unknown worm detection and profile distribution
  - Worm origin identification
  - Rate limiting
  - Firewall reconfiguration
  - Dynamic topology reconfiguration
Attack-defense scenarios
The scenario slides animate one attack on a network diagram of AS nodes labelled A to O; only the legend and the step labels survive the extraction. Legend: AS node, core AS node, firewall, decentralized information sharing system, Type 1 worm, Type 2 worm, attacker, backdoor. The steps, in slide order:
1. Node compromise by attacker A.
2. Worm injection and propagation from the compromised node (two slides).
3. Worm injection and propagation together with a further node compromise (two slides).
4. Worm injection and propagation along several links at once.
5. Profile generation and distribution by the decentralized information sharing system, a detection alarm, and rate limiting.
6. Firewall reconfiguration.
7. Worm injection and propagation, then worm injection and propagation with a backdoor.
8. Profile generation and distribution, with a detection alarm.
9. Worm origin identification.
10. Worm injection and propagation, followed by node compromise.
Thank you for listening.