Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense Cliff C. Zou, Weibo Gong, Don Towsley Univ. Massachusetts, Amherst.

Published byVerity Pitts Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense Cliff C. Zou, Weibo Gong, Don Towsley Univ. Massachusetts, Amherst."— Presentation transcript:

1 1 Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense Cliff C. Zou, Weibo Gong, Don Towsley Univ. Massachusetts, Amherst

2 2 Motivation: automatic mitigation and its difficulties Fast spreading worms pose serious challenges:  SQL Slammer infected 90% within 10 minutes.  Manual counteractions out of the question. Difficulty of automatic mitigation  high false alarm cost.  Anomaly detection for unknown worm.  False alarms vs. detection speed.  Traditional mitigation:  No quarantine at all  …  long-time quarantine until passing human’s inspection.

3 3 Principles in real-world epidemic disease control Principle #1  Preemptive quarantine  Assuming guilty before proven innocent  Comparing with disease damage, we are willing to pay certain false alarm cost. Principle #2  Feedback adjustment  More serious epidemic, more aggressive quarantine action  Adaptive adjustment of the trade-off between disease damage and false alarm cost.

4 4 Dynamic Quarantine Assuming guilty before proven innocent  Quarantine on suspicion, release quarantine after a short time automatically  reduce false alarm cost  Can use any host-based, subnet-based anomaly detection system.  Host or subnet based quarantine (not whole network- level quarantine).  Quarantine is on suspicious port only. A graceful automatic mitigation: No quarantine Dynamic short-time quarantine long-time quarantine

5 5 Worm detection system Feedback Control Dynamic Quarantine Framework (host-level) Feedback : More suspicious, more aggressive action Predetermined constants: ( for each TCP/UDP port) Observation variables: : # of quarantined. Worm detection and evaluation variables: Control variables: Network Activities Worm Detection & Evaluation Decision & Control Anomaly Detection System Probability Damage Quarantine time Alarm threshold

6 6 Two-level Feedback Control Dynamic Quarantine Framework Network-level quarantine (Internet scale)  Dynamic quarantine is on routers/gateways of local networks.  Quarantine time, alarm threshold are recommended by MWC. Host-level quarantine (local network scale)  Dynamic quarantine is on individual host or subnet in a network.  Quarantine time, alarm threshold are determined by:  Local network’s worm detection system.  Advisory from Malware Warning Center. Host-level quarantine Malware Warning Center Network-level quarantine Local network

7 7 Host-level Dynamic Quarantine without Feedback Control First step: no feedback control/optimization  Fixed quarantine time, alarm threshold. Results and conclusions:  Derive worm models under dynamic quarantine.  Efficiently reduce worm spreading speed.  Give human precious time to react.  Cost: temporarily quarantine some healthy hosts.  Raise/generate epidemic threshold  Reduce the chance for a worm to spread out.

8 8 Worm modeling — simple epidemic model # of contacts  I  S Simple epidemic model for fixed population system: I(t) t susceptibleinfectious : # of susceptible : # of hosts : # of infectious : infection ability

9 9 Worm modeling — Kermack-McKendrick model State transition: : # of removed from infectious : removal rate Epidemic threshold theorem:  No outbreak happens if susceptible infectious removed t where : epidemic threshold

10 10 Analysis of Dynamic Quarantine I(t): # of infectious S(t): # of susceptible T : Quarantine time R(t) : # of quarantined infectious Q(t) : # of quarantined susceptible 1 : quarantine rate of infectious 2 : quarantine rate of susceptible Without “removal”: Assumptions:

11 11 Extended Simple Epidemic Model Before quarantine: After quarantine: I(t) R(t)=p’ 1 I(t) S(t) Q(t)=p’ 2 S(t) # of contacts  Susceptible Infectious

12 12 Extended Simple Epidemic Model Vulnerable population N=75,000, worm scan rate 4000 /sec T=4 seconds, 1 = 1, 2 =0.000023 (twice false alarms per day per node) Law of large number R(t) : # of quarantined infectious Q(t) : # of quarantined susceptible

13 13 Extended Kermack-McKendrick Model Before quarantine: After quarantine: removed

14 14 Extended Kermack-McKendrick Model Population N=75,000, worm scan rate 4000/sec, T=4 seconds, 1 = 1, 2 =0.000023,  =0.005 R(t) : # of quarantined infectious Q(t) : # of quarantined susceptible

15 15 Dynamic Quarantine Model — Considering Human’s Counteraction A more realistic dynamic quarantine scenario:  Security staffs inspect quarantined hosts only.  Not enough time to check all quarantine hosts before their quarantine time expired --- removal only from quarantined infectious hosts R(t).  Model is similar to the Kermack-McKendrick model Introduced Epidemic threshold:

16 16 Dynamic Quarantine Model — Considering Human’s Counteraction R(t) : # of quarantined infectious Q(t) : # of quarantined susceptible Population N=75,000, worm scan rate 4000/sec, T=4 seconds, 1 = 1, 2 =0.000023,  =0.005

17 17 Summary Learn the quarantine principles in real-world epidemic disease control:  Preemptive quarantine: Assuming guilty before proven innocent  Feedback adjustment: More serious epidemic, more aggressive quarantine action Two-level feedback control dynamic quarantine framework  Optimal control objective:  Reduce worm spreading speed, # of infected hosts.  Reduce false alarm cost. Derive worm models under dynamic quarantine  Efficiently reduce worm spreading speed  Give human precious time to react  Raise/generate epidemic threshold  Reduce the chance for a worm to spread out

Download ppt "1 Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense Cliff C. Zou, Weibo Gong, Don Towsley Univ. Massachusetts, Amherst."

Similar presentations

Fast Worm Propagation In IPv6 Networks Malware Project Presentation Jing Yang

Fast Worm Propagation In IPv6 Networks Malware Project Presentation Jing Yang
Modeling Malware Spreading Dynamics Michele Garetto (Politecnico di Torino – Italy) Weibo Gong (University of Massachusetts – Amherst – MA) Don Towsley.

Modeling Malware Spreading Dynamics Michele Garetto (Politecnico di Torino – Italy) Weibo Gong (University of Massachusetts – Amherst – MA) Don Towsley.
1 Routing Worm: A Fast, Selective Attack Worm based on IP Address Information Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai Univ. Massachusetts, Amherst.

1 Routing Worm: A Fast, Selective Attack Worm based on IP Address Information Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai Univ. Massachusetts, Amherst.
Worm Origin Identification Using Random Moonwalks Yinglian Xie, V. Sekar, D. A. Maltz, M. K. Reiter, Hui Zhang 2005 IEEE Symposium on Security and Privacy.

Worm Origin Identification Using Random Moonwalks Yinglian Xie, V. Sekar, D. A. Maltz, M. K. Reiter, Hui Zhang 2005 IEEE Symposium on Security and Privacy.
Fusing Intrusion Data for Pro-Active Detection and Containment Mallikarjun (Arjun) Shankar, Ph.D. (Joint work with Nageswara Rao and Stephen Batsell)

Fusing Intrusion Data for Pro-Active Detection and Containment Mallikarjun (Arjun) Shankar, Ph.D. (Joint work with Nageswara Rao and Stephen Batsell)
University of Buffalo The State University of New York Spatiotemporal Data Mining on Networks Taehyong Kim Computer Science and Engineering State University.

University of Buffalo The State University of New York Spatiotemporal Data Mining on Networks Taehyong Kim Computer Science and Engineering State University.
RUMORS: How can they work ? Summer School Math Biology, 2007 Nuno & Sebastian.

RUMORS: How can they work ? Summer School Math Biology, 2007 Nuno & Sebastian.
 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.

 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.
 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.

 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.
1 Epidemic Spreading in Real Networks: an Eigenvalue Viewpoint Yang Wang Deepayan Chakrabarti Chenxi Wang Christos Faloutsos.

1 Epidemic Spreading in Real Networks: an Eigenvalue Viewpoint Yang Wang Deepayan Chakrabarti Chenxi Wang Christos Faloutsos.
Modeling the spread of active worms Zesheng Chen, Lixin Gao, and Kevin Kwiat bearhsu - INFOCOM 2003.

Modeling the spread of active worms Zesheng Chen, Lixin Gao, and Kevin Kwiat bearhsu - INFOCOM 2003.
Internet Quarantine: Requirements for Containing Self- Propagating Code David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage.

Internet Quarantine: Requirements for Containing Self- Propagating Code David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage.
Self-Stopping Worms Justin Ma, Geoffrey M. Voelker, Stefan Savage Collaborative Center for Internet Epidemiology and Defenses (CCIED) Department of Computer.

Self-Stopping Worms Justin Ma, Geoffrey M. Voelker, Stefan Savage Collaborative Center for Internet Epidemiology and Defenses (CCIED) Department of Computer.
Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.

Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.
Copyright Silicon Defense 2003. Worm Overview Stuart Staniford Silicon Defense www.silicondefense.com.

Copyright Silicon Defense Worm Overview Stuart Staniford Silicon Defense
Code Red Worm Propagation Modeling and Analysis Zou, Gong, & Towsley Michael E. Locasto March 4, 2003 Paper # 46.

Code Red Worm Propagation Modeling and Analysis Zou, Gong, & Towsley Michael E. Locasto March 4, 2003 Paper # 46.
Virus Propagation Modeling Chenxi Wang, Christos Faloutsos Yang Wang, Deepayan Chakrabarti Carnegie Mellon University Center for Computer.

Virus Propagation Modeling Chenxi Wang, Christos Faloutsos Yang Wang, Deepayan Chakrabarti Carnegie Mellon University Center for Computer.
THE CASE FOR PROACTIVE NETWORK SECURITY: WORMS, VIRUSES & BUSINESS CONTINUITY Presented to Dr. Yan Chen MITP 458- Information Security & Assurance Business.

THE CASE FOR PROACTIVE NETWORK SECURITY: WORMS, VIRUSES & BUSINESS CONTINUITY Presented to Dr. Yan Chen MITP 458- Information Security & Assurance Business.
T H E O H I O S T A T E U N I V E R S I T Y Computer Science and Engineering Current Calendar Calendar Index Upcoming Speakers About... Artificial Intelligence.

T H E O H I O S T A T E U N I V E R S I T Y Computer Science and Engineering Current Calendar Calendar Index Upcoming Speakers About... Artificial Intelligence.
Dynamic Network Security Deployment under Partial Information George Theodorakopoulos (EPFL) John S. Baras (UMD) Jean-Yves Le Boudec (EPFL) September 24,

Dynamic Network Security Deployment under Partial Information George Theodorakopoulos (EPFL) John S. Baras (UMD) Jean-Yves Le Boudec (EPFL) September 24,

Similar presentations

Ads by Google