Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 November 2 nd, 2007WORM’07 Can You Infect Me Now? Chris Fleizach 1, Michael Liljenstam 3, Per Johansson 2, Geoffrey M. Voelker 1 and András Méhes 3 123123.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 November 2 nd, 2007WORM’07 Can You Infect Me Now? Chris Fleizach 1, Michael Liljenstam 3, Per Johansson 2, Geoffrey M. Voelker 1 and András Méhes 3 123123."— Presentation transcript:

1 1 November 2 nd, 2007WORM’07 Can You Infect Me Now? Chris Fleizach 1, Michael Liljenstam 3, Per Johansson 2, Geoffrey M. Voelker 1 and András Méhes 3 123123 Introduction

2 2 November 2 nd, 2007WORM’07 Can You Infect Me Now? Motivation Over 1.8 billion mobile subscriptions as of 2005 Phones are becoming general processing platforms. In Smartphones, the potential exists for malware developers to exploit the types of vulnerabilities that have long plagued Internet hosts – Mobile phone spam – Denial of service attacks – Mobile botnets (mobots) Ultimately, loss of service which leads to loss of revenue Mobile phones will become a highly attractive target for criminals. Introduction

3 3 November 2 nd, 2007WORM’07 Can You Infect Me Now? How will it happen? Mobile phones have multiple communication vectors: – Bluetooth – SMS and MMS – Voice and VoIP – Internet However, these channels are constricted by network topologies, contact graphs and bandwidth limitations – We cannot blindly apply the lessons learned from Internet worms. Introduction

4 4 November 2 nd, 2007WORM’07 Can You Infect Me Now? Goals Explore the range of malware propagation on mobile phone networks – Characterize its speed and severity – Understand how network provisioning impacts propagation – Understand how malware propagation impacts the network – Highlight the implications of network-based defenses against malware Introduction

5 5 November 2 nd, 2007WORM’07 Can You Infect Me Now? Methodology To accomplish these goals, we: – Created a realistic network topology generator (RACoON) – Modeled address books of cell phone users – Created an event-driven simulator: Model two attack vectors: Voice-over IP and MMS Investigate ways to speed up the spread of malware Examine network-based defenses Introduction

6 6 November 2 nd, 2007WORM’07 Can You Infect Me Now? Universal Mobile Telecommunications System Modeling mobile phone networks Network Elements Node B RNC SGSN GGSN MMS server We modeled a single carrier’s UMTS network

7 7 November 2 nd, 2007WORM’07 Can You Infect Me Now? Modeling mobile phone networks Networks are planned and provisioned using: – Population data – Land use data – Previous cell phone deployments – Radio effects We used U.S. census data to create a square grid of population densities to inform our placement of UMTS elements – Used a 1x1 sq. mi. resolution – Averaged population for regions based on county land area and total population Modeling mobile phone networks

8 8 November 2 nd, 2007WORM’07 Can You Infect Me Now? Population Data Areas of high population density are darker Modeling mobile phone networks

9 9 November 2 nd, 2007WORM’07 Can You Infect Me Now? Generating the network topology The Radio Access and Core Operator Network topology Generator (RACoON) – Uses population data as input to capture regional population differences – Divides the area into uniform grid cells – Uses a bottom-up placement strategy to place radio cells and Node Bs. – Adds fixed network nodes that obey capacity constraints Modeling mobile phone networks

10 10 November 2 nd, 2007WORM’07 Can You Infect Me Now? A generated network Highly populated regions correspond to regions that need more SGSNs SGNSs connected with the Waxman model – distance based random topology 200x200 sq. mi grid of northwest US Modeling mobile phone networks

11 11 November 2 nd, 2007WORM’07 Can You Infect Me Now? Topology Specifics The topology we used in our simulated was based on the Boston metropolitan area (northeast U.S.) – 100x100 sq. mi. grid – 7 million people (but scaled down based on 78% cell phone penetration statistics) – 9,616 Radio Cells – 49 RNCs, 49 SGSNs – 1 MMS server Modeling mobile phone networks

12 12 November 2 nd, 2007WORM’07 Can You Infect Me Now? Modeling social networks Existing viruses in cell phones (e.g. Commwarrior) use the entries in the address book to spread The implication is that there is an underlying social network topology – What is the degree distribution for address books? – How are nodes connected? Modeling Social Topology Networks

13 13 November 2 nd, 2007WORM’07 Can You Infect Me Now? Degree distributions Many real-world phenomena are modeled by scale- free networks (Internet AS topology, links between movie actors, file sizes, … ) Zou et al. said email lists were power-law 1 Newman et al. said email address books were scale- free 2 Liben-Nowell said connections in a social network community (LiveJournal.com) were log-normal 3 1 Zou, Towsley, Gong. “Email worm modeling and defense” 2 Newman, Forrest, Balthrop. “Email networks and the spread of computer viruses” 3 Liben-Nowell. “An algorithmic approach to social networks” Modeling Social Topology Networks

14 14 November 2 nd, 2007WORM’07 Can You Infect Me Now? Degree distributions But these models imply that most people have very few connections. Intuitively, this seems incorrect. We surveyed cell phone owners at UCSD CSE and Ericsson The distribution was more like a stretched Gaussian. Modeling Social Topology Networks

15 15 November 2 nd, 2007WORM’07 Can You Infect Me Now? Erlang Distribution In fact we found that the data fit an Erlang distribution Erlang is a shifted Gaussian Modeling Social Topology Networks

16 16 November 2 nd, 2007WORM’07 Can You Infect Me Now? How are the nodes connected? In power law distributions, some nodes act as “super-hubs”, while most have very few connections There is a preference for less popular nodes to attach to more popular nodes (creating more inbound connections) Intuitively, this seems unlikely in the cell phone domain Modeling Social Topology Networks

17 17 November 2 nd, 2007WORM’07 Can You Infect Me Now? Node Attachment Attachment instead can be influenced by geography and population Liben-Nowell found the probability that one person was connected to another was inversely proportional to the number of people between them P(x,y) = probability person x is a friend with person y D(x,y) = number of people between person x and person y Modeling Social Topology Networks

18 18 November 2 nd, 2007WORM’07 Can You Infect Me Now? Experiments We studied two scenarios with our modeling techniques: – Voice-over IP – MMS Measured the percentage of infected phones over a 12 hour period The malware contacts numbers from the address book until completed, and then randomly dials phone numbers Experimental Results

19 19 November 2 nd, 2007WORM’07 Can You Infect Me Now? Voice-over IP Attack A Voice-over IP exploit would subvert one of the stacks handling packetized voice data. Infecting another phone implies that an end- to-end connection can be made. The bandwidth used to send the payload is the maximum available bandwidth for all the paths between the two phones Voice over IP Results

20 20 November 2 nd, 2007WORM’07 Can You Infect Me Now? Voice over IP Not a standard S- curve infection - Complete reaches 90% after 4 hours - Erlang reaches 90% at 12 hours But in log-scale, the “S” curve returns Voice over IP Results

21 21 November 2 nd, 2007WORM’07 Can You Infect Me Now? Congestion in VoIP scenario Major bottleneck is at the RNC -> SGSN link. - RNCs have to little outbound bandwidth Congestion also decreases over time - Phones finish enumerating their contacts, start randomly dialing Average congestion across all elements Voice over IP Results

22 22 November 2 nd, 2007WORM’07 Can You Infect Me Now? MMS Scenario MMS-based malware infects a phone by being read by a victim The MMS server stores the message until the victim requests it The MMS server in our simulations had 100 message/s capacity for sending and receiving. Wait time before a user retrieves the MMS message Modeled as a mixture of Gaussians, centered at 20 seconds and 45 minutes MMS Results

23 23 November 2 nd, 2007WORM’07 Can You Infect Me Now? MMS Scenario Rate of infection significantly different from VoIP Primary constraint is the 100mps limit of the MMS server MMS Results

24 24 November 2 nd, 2007WORM’07 Can You Infect Me Now? Engineering malware for speed A clever attacker can use knowledge about the network to exacerbate the spread of malware We look at various ways that malware creators may try to speed up their worms: – Transferring contacts – Avoiding congestion – Using out of band channels Speedy Malware

25 25 November 2 nd, 2007WORM’07 Can You Infect Me Now? Combining Strategies Transferring contacts and avoiding congestion can be very effective Infection reaches 90% rate 4x faster than the standard scenario Speedy Malware

26 26 November 2 nd, 2007WORM’07 Can You Infect Me Now? Speeding up MMS The infection rate using an Internet server reaches 48 infections/s (nearly optimal) Standard malware only reaches 35 infections/s Speedy Malware Use an out-of-band channel (Internet) to coordinate. Malware can quickly build a global address book

27 27 November 2 nd, 2007WORM’07 Can You Infect Me Now? Defenses Network operators are in a better position than the Internet community Since the infrastructure is centrally managed and owned, defenses can be inserted at critical points to affect the spread However, the fact that the end nodes (phones) can be hard to disinfect introduces challenges We examined a few defensive scenarios: – Blacklisting – Rate limiting – Filtering Defenses  Removing the infected reduces congestion!  Can be effective for MMS. Possible, but difficult, for VoIP

28 28 November 2 nd, 2007WORM’07 Can You Infect Me Now? Conclusion Communications based worms can severely disrupt service and spread quickly if engineered correctly. Defenses need to be applied early and with extreme prejudice to stop an outbreak Still much work to be done in the area. – Our model is very coarse. It could use other sources of data to inform modeling. Conclusion

29 29 November 2 nd, 2007WORM’07 Can You Infect Me Now? Questions and Answers Conclusion

30 30 November 2 nd, 2007WORM’07 Can You Infect Me Now? Voice over IP infections Does the size of the address book affect when a phone is infected? Voice over IP Results

31 31 November 2 nd, 2007WORM’07 Can You Infect Me Now? Transferring Contacts Advanced malware could divide address books between infected phones This strategy would approximate a “complete” address book, while dividing work Speedy Malware

32 32 November 2 nd, 2007WORM’07 Can You Infect Me Now? Avoiding congestion The real bottleneck is bandwidth. If malware can recognize that their links are congested and back off, it will allow other phones to complete their connections Speedy Malware

33 33 November 2 nd, 2007WORM’07 Can You Infect Me Now? MMS and Users Almost all cell phone malware to- date has relied on user intervention We model the spread when 25%, 50%, 75% and 100% of the population intervene to cause an infection to occur MMS Results

34 34 November 2 nd, 2007WORM’07 Can You Infect Me Now? MMS and Capacity As MMS usage increases, operators will naturally increase capacity. We look at what happens when the MMS server can handle 2x and 5x the current capacity (with only one server) Bandwidth starts to affect spread more than capacity constraints MMS Results

35 35 November 2 nd, 2007WORM’07 Can You Infect Me Now? Blacklisting Blacklisting would use some heuristic to identify infected phones and then block their connectivity. Even aggressive blacklisting, done early, may still not be effective Standard VoIP malware Defenses

36 36 November 2 nd, 2007WORM’07 Can You Infect Me Now? Rate limiting A network operator could try to limit how many calls or messages could be sent within a time period This can have the adverse effect of reducing overall congestion Standard malware is occluded by rate limiting scenario Defenses

Download ppt "1 November 2 nd, 2007WORM’07 Can You Infect Me Now? Chris Fleizach 1, Michael Liljenstam 3, Per Johansson 2, Geoffrey M. Voelker 1 and András Méhes 3 123123."

Similar presentations

Performance in Decentralized Filesharing Networks Theodore Hong Freenet Project.

Performance in Decentralized Filesharing Networks Theodore Hong Freenet Project.
(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.

(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.
Supporting Cooperative Caching in Disruption Tolerant Networks

Supporting Cooperative Caching in Disruption Tolerant Networks
Chapter 1 We’ve Got Problems…. Four Horsemen  … of the electronic apocalypse  Spam --- unsolicited bulk email o Over 70% of email traffic  Bugs ---

Chapter 1 We’ve Got Problems…. Four Horsemen  … of the electronic apocalypse  Spam --- unsolicited bulk o Over 70% of traffic  Bugs ---
Optimal Jamming Attacks and Network Defense Policies in Wireless Sensor Networks Mingyan Li, Iordanis Koutsopoulos, Radha Poovendran (InfoComm ’07) Presented.

Optimal Jamming Attacks and Network Defense Policies in Wireless Sensor Networks Mingyan Li, Iordanis Koutsopoulos, Radha Poovendran (InfoComm ’07) Presented.
Modeling Malware Spreading Dynamics Michele Garetto (Politecnico di Torino – Italy) Weibo Gong (University of Massachusetts – Amherst – MA) Don Towsley.

Modeling Malware Spreading Dynamics Michele Garetto (Politecnico di Torino – Italy) Weibo Gong (University of Massachusetts – Amherst – MA) Don Towsley.
The Connectivity and Fault-Tolerance of the Internet Topology

The Connectivity and Fault-Tolerance of the Internet Topology
Delay and Throughput in Random Access Wireless Mesh Networks Nabhendra Bisnik, Alhussein Abouzeid ECSE Department Rensselaer Polytechnic Institute (RPI)

Delay and Throughput in Random Access Wireless Mesh Networks Nabhendra Bisnik, Alhussein Abouzeid ECSE Department Rensselaer Polytechnic Institute (RPI)
UNIVERSITY OF JYVÄSKYLÄ Building NeuroSearch – Intelligent Evolutionary Search Algorithm For Peer-to-Peer Environment Master’s Thesis by Joni Töyrylä 3.9.2004.

UNIVERSITY OF JYVÄSKYLÄ Building NeuroSearch – Intelligent Evolutionary Search Algorithm For Peer-to-Peer Environment Master’s Thesis by Joni Töyrylä
A Preliminary Investigation of Worm Infections in a Bluetooth Environment PAPER REVIEW ANISH DUTTA- 50133679 RAGAVENDRAN SRINIVASAN-50134639 SABAREESWAR.

A Preliminary Investigation of Worm Infections in a Bluetooth Environment PAPER REVIEW ANISH DUTTA RAGAVENDRAN SRINIVASAN SABAREESWAR.
Generated Waypoint Efficiency: The efficiency considered here is defined as follows: As can be seen from the graph, for the obstruction radius values (200,

Generated Waypoint Efficiency: The efficiency considered here is defined as follows: As can be seen from the graph, for the obstruction radius values (200,
Presented at ICC 2012 – Wireless Network Symposium – June 14 th 2012.

Presented at ICC 2012 – Wireless Network Symposium – June 14 th 2012.
Ben Livshits and Weidong Cui Microsoft Research Redmond, WA.

Ben Livshits and Weidong Cui Microsoft Research Redmond, WA.
1 Aug. 3 rd, 2007Conference on Email and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Chris Fleizach, Geoffrey M. Voelker, Stefan Savage University.

1 Aug. 3 rd, 2007Conference on and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Chris Fleizach, Geoffrey M. Voelker, Stefan Savage University.
4. PREFERENTIAL ATTACHMENT The rich gets richer. Empirical evidences Many large networks are scale free The degree distribution has a power-law behavior.

4. PREFERENTIAL ATTACHMENT The rich gets richer. Empirical evidences Many large networks are scale free The degree distribution has a power-law behavior.
Topology Generation Suat Mercan. 2 Outline Motivation Topology Characterization Levels of Topology Modeling Techniques Types of Topology Generators.

Topology Generation Suat Mercan. 2 Outline Motivation Topology Characterization Levels of Topology Modeling Techniques Types of Topology Generators.
Resilient Peer-to-Peer Streaming Paper by: Venkata N. Padmanabhan Helen J. Wang Philip A. Chou Discussion Leader: Manfred Georg Presented by: Christoph.

Resilient Peer-to-Peer Streaming Paper by: Venkata N. Padmanabhan Helen J. Wang Philip A. Chou Discussion Leader: Manfred Georg Presented by: Christoph.
University of Buffalo The State University of New York Spatiotemporal Data Mining on Networks Taehyong Kim Computer Science and Engineering State University.

University of Buffalo The State University of New York Spatiotemporal Data Mining on Networks Taehyong Kim Computer Science and Engineering State University.
The structure of the Internet. How are routers connected? Why should we care? –While communication protocols will work correctly on ANY topology –….they.

The structure of the Internet. How are routers connected? Why should we care? –While communication protocols will work correctly on ANY topology –….they.
 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.

 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.

Similar presentations

Ads by Google