Slide 1: Virus Throttling: Restricting propagation to defeat malicious mobile code
Jonathan Griffin, Andy Norman, Jamie Twycross, Matthew Williamson, HP Labs Bristol, 05/03/2003
Slide 2: Overview
- Computer Security 101
- Virus throttling: what it is, how it works, how well it works
17/04/2019 HP Labs Bristol HP template
Slide 3: Security is Prevent, Detect and Respond
- Attacks/problems occur at machine speed, response at human speed
- In the meantime, our computers are defenseless, so attacks run riot until the response is implemented
- Economic balance trades the cost of prevention/response against risk
- As systems get bigger and more complex, the problem gets bigger
- Attacks that we can't prevent and that are too fast to respond to...
[Figure: problem space plotted by type of problem (known to unknown) against speed of attack/response (fast to slow); Resilient Infrastructure sits between preventing problems occurring and responding]
Slide 4: Example of the problem: Slammer
- Simple design, naive spreading strategy, tiny payload
- Too fast for human response: 75000 machines in 30 mins
- Ran riot, and so caused lots of damage: lots of machines infected, lots of network traffic
- We're lucky it wasn't malicious!
[Figure: spread of Slammer between 05:29 and 06:00 on Jan 25]
Slide 5: A solution: resilient infrastructure
- Resilient Infrastructure: automatically hampers, contains, mitigates attacks/problems before a more definite (human) response
- Buys time
- Complement and aid to existing approaches
- Humans good at decisions but slow; computers poor at decisions but fast
[Figure: problem-space plot (type of problem vs speed of attack/response) with Resilient Infrastructure placed between preventing and responding]
Slide 6: What has this got to do with AI?
- Prevent, Detect and Respond = Sense, Model, Plan, Act, just like GOFAI: present the human with a representation of the system, the human plans the action...
- Resilience is more like behaviour-based AI: feedback loops, little representation, more like control
- Same problems in security as in other areas: increase in complexity, scaling; this makes GOFAI difficult and is an opportunity for other approaches
[Figure: Sense/Respond loops, Traditional vs Resilient Infrastructure]
Slide 7: Resilient Infrastructure for viruses: Virus throttling
- Rather than preventing infection, prevent an infected machine spreading the virus further
- This has two consequences: reduced global spread (slow it down); reduced traffic from the virus
[Figure: number of infected machines against time, with and without response]
Slide 8: How do you limit propagation?
- Observation: an infected machine makes outgoing connections to many different machines at a high rate, e.g. Nimda >100/sec
- Normal machines make outgoing connections to a few machines at a low rate, e.g. 1/sec
- This is fundamental: the virus cannot spread without spreading!
- So, limit the rate of connections to "new" machines: slow the virus, don't affect normal use
[Figure: number of infected machines against time, with and without response]
Slide 9: How does it work?
- Intercept "requests" to connect to other hosts: TCP connections, UDP packets, etc.
- Keep a short list of recently made connections, like a "working set"
- If the request is in the set, process it as normal
- If the request is not in the set, add it to a "delay queue" to be processed later
- Regularly, pop a request off the queue and process it
Slide 10: Delay not drop
- Requests put on the delay queue are delayed, not dropped
- If the allowed rate is exceeded a little, the delay queue grows a little = small delays; false positives tolerated
- If it is exceeded by a lot, long delay queue = large delays; the virus is heavily delayed
- Can detect the virus with a threshold on the queue length; take action: suspend the process, query the user, contact the admin etc.
- Allowed rate: 1 connection/sec
Slide 11: What protocols can be throttled?
- Traffic collected and analysed; the plot shows reasonable values that give a constant average delay of 3 ms/request
- Some protocols have no delays: SMTP, IMAP, Web Proxy
- Some have reasonable values for throttling: Web, SSL, DNS, Microsoft naming (port 139)
- Some are not good for throttling: Microsoft NetBIOS, WINS, etc.
- Some applications are not suitable: scanner, notification service etc.
Slide 12: Slowing and stopping viruses
- The rate of connections made by a virus is so much higher than normal: to spread effectively it has to go to different machines, 120/s vs 1/s
- With a delay queue length threshold of 100 [max observed = 5], Nimda is detected after 0.25 seconds, after making 1 connection; this stops further propagation

Virus      Connections/second  Stopping time (s)  Connections made
Nimda      120                 0.25               1
Slammer    850                 0.02
Test worm  2                   106                104
Test worm  10                  11.2               11
Test worm  60                  1.4
Test worm  100                 0.9
Test worm  200
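The mechanism of slides 9, 10 and 12 (working set of recent destinations, delay queue released once per period, detection threshold on queue length) as an added Python simulation; this is not HP Labs' code, and the working-set size, hostnames and traffic patterns are constructed for illustration:

```python
from collections import deque


class Throttle:
    """Outbound-connection throttle as described on the slides: a small working set of
    recently contacted hosts, a delay queue for requests to hosts outside it, one queued
    request released per period, and a queue-length threshold that flags an infection.
    Added example, not HP Labs' code; sizes and hostnames are illustrative."""

    def __init__(self, working_set_size=4, allowed_rate=1.0, threshold=100):
        self.working_set = deque(maxlen=working_set_size)  # recently contacted destinations
        self.delay_queue = deque()                          # (destination, time requested)
        self.period = 1.0 / allowed_rate                    # seconds between releases
        self.threshold = threshold
        self.next_tick = self.period
        self.delays = []                                    # per-request delay in seconds
        self.detected_at = None                             # time the threshold was crossed

    def _drain(self, now):
        # The regular timer: at each tick, pop one queued request and let it through.
        while self.next_tick <= now:
            if self.delay_queue:
                dest, t_req = self.delay_queue.popleft()
                self.working_set.append(dest)
                self.delays.append(self.next_tick - t_req)
            self.next_tick += self.period

    def request(self, dest, now):
        """Handle an outgoing connection request to `dest` at simulated time `now`."""
        self._drain(now)
        if dest in self.working_set:            # recently seen: pass straight through
            self.delays.append(0.0)
        else:                                   # new destination: delay, never drop
            self.delay_queue.append((dest, now))
            if self.detected_at is None and len(self.delay_queue) > self.threshold:
                self.detected_at = now

    def report(self, end):
        self._drain(end)
        return {"requests": len(self.delays) + len(self.delay_queue),
                "undelayed": sum(d == 0.0 for d in self.delays),
                "max_delay": max(self.delays, default=0.0),
                "detected_at": self.detected_at}


def simulate(rate, distinct_hosts, duration, **kw):
    """Drive a throttle at `rate` connections/s, cycling over `distinct_hosts` constructed hosts."""
    th = Throttle(**kw)
    for i in range(int(rate * duration)):
        th.request(f"host-{i % distinct_hosts}", i / rate)
    return th.report(duration)
```

A host talking to three servers at 1/s sees one second of delay on each first contact and nothing afterwards, while a worm hitting 120 new hosts per second crosses the threshold of 100 in under a second, having got only a handful of connections out.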
Slide 13: Interfering with normal usage
- All outgoing TCP connections from 3 users' machines for 2 months, 1 connection/second allowed
- 98% with no delay, 1.7% with 1 second
- Max delay of 5 secs, seen once
- Not noticeable: networks are full of delays!

Delay (s)  Number  Percent
0          80641   97.8
1          1428    1.7
2          300     0.36
3          29      0.03
4          2       0.02
5          1       0.01
Slide 14: Does preventing further propagation slow the virus?
- Yes, but it depends on how many machines have throttles, on the topology, and on other methods of fighting the virus (e.g. signatures)
- Viruses like Code Red, Nimda: yes, but unthrottled machines will spread at full speed
- Flash worm (knows exactly what addresses to attack): yes
- virus - yes
Slide 15: Testbed
- 16 HP blade servers, each with 4 Windows machines
- Outside world simulated by a non-vulnerable server
- Infect with Nimda, measure the rate of propagation; repeat with various machines with throttles
- Throttle as an Ethernet driver (using VMware for Win2k), so after TCP/IP
Slide 16: Global spread: variation with number of throttles
- Nimda spreading over 16 machines with a variable number of throttles
- All throttled: no spread; more throttles: slower spread
- Effect on infrastructure is linear (fewer spreaders)
Slide 17: Global spread: variation with number of throttles
- Simulation with 1 million machines on a simulated Internet
- More throttles: spreads slower, less traffic; both important
Slide 18: Implementation
- Viruses spread using addresses, so... throttle on addresses
- HTTP/SSH etc. by IP address
- Throttle in the network stack, either as part of a software firewall or as an Ethernet driver
- In network… etc. by address
- Throttle at server
Slide 19: Where next?
- Throttling: user trial, email, scanner
- Other ideas in the Resilient Infrastructure space: topology, epidemiological models, others...
- References
[Figure: problem-space plot (type of problem vs speed of attack/response) with Resilient Infrastructure placed between preventing and responding]