1
On the Effectiveness of Automatic Patching
Milan Vojnović & Ayalvadi Ganesh
Microsoft Research Cambridge, United Kingdom
WORM’05, Fairfax, VA, USA, Nov 11, 2005
2
Problem
Worms tend to appear soon after vulnerability public disclosure
Witty (1 day)
Nightmare: zero-day worm
Worm appears before patch released
Patching must be automatic (detection, patch generation, delivery, installation)
3
Problem (cont’d)
Problem: how fast must patch delivery be to contain a worm?
Our results:
Random scanning worms
Goal: analytical bounds
Other worms: future work
4
Hierarchical patch delivery
[Diagram labels: patching server, subnet, client, overlay]
Special: single subnet = centralized solution
5
Rest of the talk
Models and required patching rates to contain worms by:
Patching
Patching & filtering
P2P patching
Conclusion
6
Susceptible-Infective: model of worm spread
Infected host scans IP address space at instants of Poisson ( )
Independent at distinct hosts
Rate of successful scans: = N /
I(t) = number of infected hosts at time t
a Markov process
High-level: model ignores network latency, congestion
7
Susceptible-Infective (2)
Large population limit: N→∞, η/Ω fixed
i(t) = I(t)/N : fraction of infected hosts
i(t) : density-dependent Markov process
Converges uniformly to the deterministic limit ODE: (d/dt)i(t) = β i(t) [1-i(t)]
Used to model worms (Staniford+02)
1/ = 40 min (Code Red) = 10 sec (Slammer)
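The convergence stated on slides 6 and 7, as an added example that is not part of the original presentation: it simulates the Markov SI process and compares one run with the closed-form solution of the ODE. It assumes the infection rate β·I·(1 − I/N) when I hosts are infected, reads the slide's 40 min and 10 sec as values of 1/β, and starts from a constructed 1% infected; all function names are hypothetical.

```python
import math
import random

def ode_fraction(beta, i0, t):
    """Closed-form solution of (d/dt)i = beta*i*(1-i) with i(0) = i0."""
    return 1.0 / (1.0 + (1.0 - i0) / i0 * math.exp(-beta * t))

def time_to_fraction(beta, i0, target):
    """Time for the ODE solution to grow from i0 to target (0 < i0 < target < 1)."""
    odds = lambda x: x / (1.0 - x)
    return math.log(odds(target) / odds(i0)) / beta

def simulate_si(n_hosts, infected0, beta, seed):
    """Markov SI process: with I hosts infected, the next infection arrives
    after an Exp(beta * I * (1 - I/N)) holding time. Returns [(t, I/N), ...]."""
    rng = random.Random(seed)
    t, infected = 0.0, infected0
    path = [(t, infected / n_hosts)]
    while infected < n_hosts:
        t += rng.expovariate(beta * infected * (1.0 - infected / n_hosts))
        infected += 1
        path.append((t, infected / n_hosts))
    return path

def max_gap_to_ode(n_hosts, infected0, beta, seed=2005):
    """Largest |I(t)/N - i(t)| over the jump times of one simulated run."""
    i0 = infected0 / n_hosts
    return max(abs(frac - ode_fraction(beta, i0, t))
               for t, frac in simulate_si(n_hosts, infected0, beta, seed))

if __name__ == "__main__":
    # Assumption: the slide's 40 min and 10 sec are values of 1/beta.
    for name, inv_beta, unit in [("Code Red", 40.0, "min"), ("Slammer", 10.0, "sec")]:
        t50 = time_to_fraction(1.0 / inv_beta, 0.01, 0.5)  # constructed start: 1% infected
        print(f"{name}: 1% -> 50% infected in {t50:.1f} {unit}")
    # The gap tends to shrink as N grows with I(0)/N held at 1% (constructed populations).
    for n in (1_000, 10_000, 100_000):
        print(f"N={n}: max gap {max_gap_to_ode(n, n // 100, beta=1.0):.4f}")
```

Time is measured in the same unit as 1/β, so the two worms differ only in time scale, not in the shape of the curve.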
8
Patching: one subnet
= polling frequency
fraction of susceptible hosts
Result
Implicit function for final infectives i(+ )
9
Patching: one subnet (2)
Implication:
Exponential in the ratio of worm rate to patch rate!
Bound is tight whenever / is small = effective containment
10000 vulnerable hosts
10
Patching: multiple subnets
[Diagram labels: patching server, subnet, client, overlay]
11
Patching: multiple subnets
Overlay abstracted by broadcast curve:
g(t) = fraction of alerted patch servers at time t
Examples:
[Plots of example broadcast curves: vertical axis 0 to 1, horizontal axis t, a time T marked]
Known broadcast time
Logistic function
Flooding on Pastry
12
Patching: multiple subnets (2)
(S,I) dynamics same as for one subnet …
but patching rate is a function of time
13
Minimum broadcast curve
A curve that lower-bounds any broadcast curve for an overlay
Result: using a minimum broadcast curve produces an upper bound on the fraction of infected hosts
[Plot labels: Minimum broadcast curve, Flooding over Pastry]
14
Patching: multiple subnets (…)
Result:
g() = logistic function
/ fixed, both and tend to be small
“overlay diameter”
15
Patching & filtering
i0(t) = fraction of infectives in non-alerted subnets
s0(t) = same for susceptible hosts
[Diagram labels: alerted patch server block]
16
Patching & filtering (2)
Result:
u(t) = g(t)/g(0)
’ = (i0(0)+s0(0))/(1-g(0))
[Plot: i0(t) against t]
After a subnet becomes alerted, it “decouples” from the rest of the system
17
P2P
Two epidemics:
Patch epidemics with larger spread rate
Result:
18
Conclusion
Random scanning worms can be effectively contained
Presuming patch rate is sufficiently larger than worm rate
Need to constrain worm rate
Future work:
subnet preference worms
topological worms?
19
More
http://research.microsoft.com/~milanv/immunology.htm
Thanks!