ACT: Attachment Chain Tracing Scheme for Email Virus Detection and Control. Jintao Xiong, Proceedings of the 2004 ACM workshop on Rapid malcode. Presented by Adam Anthony (presentation transcript).


1 ACT: Attachment Chain Tracing Scheme for Email Virus Detection and Control
    Jintao Xiong, Proceedings of the 2004 ACM workshop on Rapid malcode
    Presented by: Adam Anthony

2 Outline
    - Significance
    - Basic epidemiology
    - Case classifications
    - Transmission chains
    - Quarantining
    - Progressive immunization
    - Implementation
    - Discussion

3 Project Significance
    - New: the first study to bring the concepts of contact tracing and a transmission chain into network security.
    - Significant: it promises to lead to the same heightened success that biological epidemiologists have experienced for years.
    - Novel: it treats a computer virus much like a biological virus and rarely concerns itself with the technology behind the virus.

4 Basic Epidemiology
    - DNA fingerprinting
    - Contact chain tracing

5 Case Classifications

6 Transmission Chains
    - Structure
    - Identification algorithm
    - Quarantining

7 Structure
    (Figure: nodes A, B, C)
    - A has a primary (layer 1 contact) link to B
    - All of B's unique primary links become layer 2 contacts to A
    - The pattern continues into layer 3, layer 4, etc.
    Contains Email address for

8 Chain Identification Algorithm (Part 1)
    1. Detect a host exceeding an activity threshold R_d
    2. If the host does not belong to another chain (it is a normal case):
        1. Set it up as the first link in a new chain
        2. Set the host's category to Suspicious
        3. Set the category of all normal hosts reachable by the activity to Linked and place them in the next link in the chain

9 Chain Identification Algorithm (Part 2)
    3. If the host does belong to another chain (it is not normal):
        1. Set the host's category to Suspicious
        2. Add the host's normal recipients to the chain and set their category to Linked
    4. If the length of the chain at the host's connection is equal to a threshold K:
        1. Change all Suspicious cases to Probable
        2. Change all Linked cases to Potential
        3. Send the address and category information of all nodes in the chain to the quarantine system

10 Quarantine Process
    - Policy strictness is based on the potential threat to the network and the overall network configuration
    - Only for Probable or Potential cases
    - Hard quarantine: block and warn
    - Rational user: no benefit, no risk
    - Soft quarantine: reduce the probability of risky users

11 Soft Quarantine
    - Reduce the probability of users taking risks
    - Based on the "Rational User Assumption"
    - Red flag = high risk, user less likely to open
    - Yellow flag = medium risk, user slightly more likely to open
    - Unflagged = email is safe to open

12 Hard vs. Soft Quarantine
    Hard:
    - Practically safer for a naive user
    - More effective in slowing down virus spread
    - False alarm = lost email
    Soft:
    - Requires the rational user assumption
    - Less effective in slowing down virus spread
    - No lost email

13 Experimentation
    - Full simulation
    - Generate network graphs: random and power law
    - Allow the network to advance one step at a time
    - Enforce different policies, record the results

14 Progressive Immunization
    - Selective immunization = don't immunize all nodes
    - Choose the nodes to immunize: randomly, by highest degree, or the Probable cases
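The experiment described on slides 13 and 14 (generate random and power-law graphs, advance the network one step at a time, and compare immunization choices) as a small runnable simulation. This is an added example written for this page, not the paper's or the presenter's simulator: the graph generators, the `p_open` "rational user" knob, the function names and the parameter values are all assumptions, and the "probable" strategy simply takes a caller-supplied list standing in for hosts a chain tracer has classified as Probable.

```python
"""Step-by-step email-virus spread on random and power-law contact graphs, with the
selective-immunization choices from the slides (random, highest degree, probable cases).
Added example, standard library only."""
import random


def random_graph(n, p, rng):
    """Random graph: every pair of the n hosts is an email contact with probability p."""
    adj = {v: set() for v in range(n)}
    for i in range(n):
        for j in range(i + 1, n):
            if rng.random() < p:
                adj[i].add(j)
                adj[j].add(i)
    return adj


def power_law_graph(n, m, rng):
    """Preferential attachment: each new host links to m existing hosts chosen with
    probability proportional to degree, giving a power-law degree distribution (m >= 2)."""
    adj = {v: set() for v in range(n)}
    repeated = []                      # each host appears once per contact it has
    for i in range(m):                 # seed: complete graph on the first m hosts
        for j in range(i + 1, m):
            adj[i].add(j)
            adj[j].add(i)
            repeated += [i, j]
    for v in range(m, n):
        targets = set()
        while len(targets) < m:
            targets.add(rng.choice(repeated))
        for t in targets:
            adj[v].add(t)
            adj[t].add(v)
            repeated += [v, t]
    return adj


def choose_immunized(adj, k, strategy, rng=None, probable_cases=()):
    """Pick k hosts to immunize: 'random', 'degree' (highest degree first) or
    'probable' (hosts a chain tracer classified as Probable; supplied by the caller)."""
    rng = rng or random.Random(0)
    if strategy == "random":
        return set(rng.sample(sorted(adj), k))
    if strategy == "degree":
        return set(sorted(adj, key=lambda v: (-len(adj[v]), v))[:k])
    if strategy == "probable":
        return set(list(probable_cases)[:k])
    raise ValueError(f"unknown strategy {strategy!r}")


def simulate_spread(adj, seed_host, immune, p_open, rng=None, max_steps=100):
    """Advance the network one step at a time. A newly infected host mails the virus to
    all its contacts once; each recipient opens it with probability p_open (the
    'rational user' knob). Immunized hosts neither open nor forward. Returns #infected."""
    rng = rng or random.Random(0)
    if seed_host in immune:
        return 0
    infected = {seed_host}
    frontier = {seed_host}
    for _ in range(max_steps):
        newly = set()
        for v in frontier:
            for u in adj[v]:
                if u not in infected and u not in immune and rng.random() < p_open:
                    newly.add(u)
        if not newly:
            break
        infected |= newly
        frontier = newly
    return len(infected)


def compare_policies(n=300, k=15, p_open=0.6, seed=7):
    """Run each immunization strategy on both graph families; returns infected counts
    keyed by (graph family, strategy). Parameter values are constructed for the demo."""
    rng = random.Random(seed)
    graphs = {"random": random_graph(n, 0.02, rng), "power_law": power_law_graph(n, 2, rng)}
    results = {}
    for gname, adj in graphs.items():
        for strategy in ("none", "random", "degree"):
            immune = set() if strategy == "none" else choose_immunized(adj, k, strategy, rng)
            start = next(v for v in range(n) if v not in immune)   # first non-immune host
            results[(gname, strategy)] = simulate_spread(adj, start, immune, p_open, rng)
    return results


if __name__ == "__main__":
    for key, count in sorted(compare_policies().items()):
        print(f"{key[0]:>10} / {key[1]:<7}: {count} hosts infected")
```

Running `compare_policies()` several times with different `seed` values is the way to read the result: on the power-law graph the hub hosts carry most of the spread, so immunizing by highest degree typically cuts the infected count far more than immunizing the same number of random hosts, while on the random graph the two choices are much closer.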

15 Implementation Suggestions
    - Chain Tracing Server installed at a logical point
    - Case Finding Process
    - Transmission Chain Management Process
    - Quarantine implemented by the service-providing server (if it has it)
    - Run 2 TCMPs

16 Critical Discussion
    - Too much assumption of state?
    - Subjective design of the simulation
    - Hard vs. soft quarantine
    - Implications of progressive immunization
    - Scalability?

17 Conclusion

18 Questions

19 Appendix: Transmission Chain Management Algorithms

20 Algorithm: Case Finding Process
    for all sending addresses do
        check n_i, the number of emails host i has sent
        if n_i > R_d then
            report host i and its internal recipient addresses to the Transmission Chain Management Process
        end if
    end for

21 Algorithm: Contact Trace Stack Setup
    if (i is an internal normal host) or (i is an external host but is not an index case of any existing CTS) then
        assign i to be the index case of a new CTS S_i
        for all receivers of i with normal category do
            add receivers to layer 1 of CTS S_i
            change receivers' category to linked
        end for
    end if
    if i is an internal host then
        C_i ⇐ suspicious
    end if

22 Algorithm: Update Contact Trace Stack
    C_i ⇐ suspicious
    find (S_i, L_i), the location of i
    for all r_i, new recipients of i with normal category do
        S_r ⇐ S_i
        L_r ⇐ L_i + 1
    end for
    if L_i = K then
        tc_finish(S_i)
    end if

23 Algorithm: Transmission Chain Finish
    for all suspicious hosts in CTS S_i do
        change their category to probable
    end for
    for all linked hosts in CTS S_i do
        change their category to potential
    end for
    pass the address and category information of all the nodes in S_i to the quarantine process
    remove CTS S_i
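The chain identification algorithm of slides 8 and 9 and the four appendix procedures (case finding, contact trace stack setup, update, and finish) as one runnable Python model. This is an added example written for this page, not code from the paper or the presenter: the class and method names (`ChainTracer`, `observe_email`, `demo_trace`), the constructed email traffic, and the handling of a host whose chain has already been finished and handed to quarantine (here it starts a new CTS if it exceeds the threshold again, which the slides do not specify) are all assumptions.

```python
"""ACT-style attachment chain tracing: case finding feeds a Transmission Chain
Management Process that builds contact trace stacks (CTS) and finishes a chain
once it reaches depth K. Added example, standard library only."""
from collections import defaultdict

NORMAL, LINKED, SUSPICIOUS, PROBABLE, POTENTIAL = (
    "normal", "linked", "suspicious", "probable", "potential")


class ChainTracer:
    def __init__(self, R_d, K, internal_hosts):
        self.R_d = R_d                               # activity threshold (emails sent)
        self.K = K                                   # chain depth that triggers finish
        self.internal = set(internal_hosts)          # only internal hosts can be quarantined
        self.sent = defaultdict(int)                 # n_i: emails sent by host i
        self.category = defaultdict(lambda: NORMAL)  # C_i
        self.stacks = {}                             # CTS id -> list of layers (sets of hosts)
        self.location = {}                           # host -> (CTS id, layer L_i)
        self.index_cases = set()                     # index cases of live stacks
        self.quarantine_reports = []                 # (host, category) passed to quarantine
        self._next_id = 0

    # Case Finding Process: count outgoing mail, report when n_i > R_d.
    def observe_email(self, sender, recipients):
        self.sent[sender] += 1
        if self.sent[sender] > self.R_d:
            internal_rcpts = [r for r in recipients if r in self.internal]
            self._tcmp(sender, internal_rcpts)

    # Transmission Chain Management Process: choose setup or update.
    def _tcmp(self, i, recipients):
        is_internal = i in self.internal
        if ((is_internal and self.category[i] == NORMAL)
                or (not is_internal and i not in self.index_cases)
                or i not in self.location):          # assumption: finished chain -> new CTS
            self._setup_cts(i, recipients)
        else:
            self._update_cts(i, recipients)

    # Contact Trace Stack Setup: i becomes the index case (layer 0) of a new CTS.
    def _setup_cts(self, i, recipients):
        sid, self._next_id = self._next_id, self._next_id + 1
        self.stacks[sid] = [{i}, set()]              # layer 0: index case, layer 1: contacts
        self.location[i] = (sid, 0)
        self.index_cases.add(i)
        for r in recipients:
            if self.category[r] == NORMAL:
                self.stacks[sid][1].add(r)
                self.location[r] = (sid, 1)
                self.category[r] = LINKED
        if i in self.internal:
            self.category[i] = SUSPICIOUS

    # Update Contact Trace Stack: i is already in a chain at layer L_i.
    def _update_cts(self, i, recipients):
        self.category[i] = SUSPICIOUS
        sid, L_i = self.location[i]
        stack = self.stacks[sid]
        while len(stack) <= L_i + 1:
            stack.append(set())
        for r in recipients:
            if self.category[r] == NORMAL:
                stack[L_i + 1].add(r)
                self.location[r] = (sid, L_i + 1)
                self.category[r] = LINKED
        if L_i == self.K:
            self._finish(sid)

    # Transmission Chain Finish: reclassify, hand the chain to quarantine, drop the CTS.
    def _finish(self, sid):
        for layer in self.stacks[sid]:
            for h in layer:
                if self.category[h] == SUSPICIOUS:
                    self.category[h] = PROBABLE
                elif self.category[h] == LINKED:
                    self.category[h] = POTENTIAL
                self.quarantine_reports.append((h, self.category[h]))
                self.location.pop(h, None)
                self.index_cases.discard(h)
        del self.stacks[sid]


def demo_trace(R_d=2, K=2):
    """Constructed traffic: a mails b and c, then b mails d, then d mails e, each three
    times, so the chain a -> b -> d reaches layer K and is finished."""
    tracer = ChainTracer(R_d, K, internal_hosts={"a", "b", "c", "d", "e"})
    traffic = [("a", ["b", "c"])] * 3 + [("b", ["d"])] * 3 + [("d", ["e"])] * 3
    for sender, rcpts in traffic:
        tracer.observe_email(sender, rcpts)
    return tracer


if __name__ == "__main__":
    t = demo_trace()
    for host, cat in sorted(t.quarantine_reports):
        print(f"{host}: {cat}")
```

In the demo the senders a, b and d end up Probable and the contacts c and e Potential, which is exactly the set slide 10 says the quarantine process acts on; a host that stays under R_d is never reported, so it keeps the Normal category and is never passed to quarantine.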
