Analyzing Cooperative Containment Of Fast Scanning Worms
![Page 1: Analyzing Cooperative Containment Of Fast Scanning Worms](https://reader030.fdocuments.us/reader030/viewer/2022032612/56813460550346895d9b4554/html5/thumbnails/1.jpg)
Analyzing Cooperative Containment Of Fast Scanning Worms
Jayanthkumar Kannan
Joint work with
Lakshminarayanan Subramanian, Ion Stoica, Randy Katz
![Page 2: Analyzing Cooperative Containment Of Fast Scanning Worms](https://reader030.fdocuments.us/reader030/viewer/2022032612/56813460550346895d9b4554/html5/thumbnails/2.jpg)
Motivation
Automatic containment of worms required
Slammer infected about 95% of vulnerable population within 10 mins
Easier to write: Worm = “Propagation” toolkit + new exploit
![Page 3: Analyzing Cooperative Containment Of Fast Scanning Worms](https://reader030.fdocuments.us/reader030/viewer/2022032612/56813460550346895d9b4554/html5/thumbnails/3.jpg)
Worm containment strategies
End-host instrumentation: CCCSRB 04, NS 05
Core-router augmentation: WWSGB 04
Specialized end-points (honeyfarms): P 04
Firewall-level containment: WSP 04, WESP 04
(Figure: possible deployment points, labeled specialized end-points, end-hosts, firewalls, core routers)
![Page 4: Analyzing Cooperative Containment Of Fast Scanning Worms](https://reader030.fdocuments.us/reader030/viewer/2022032612/56813460550346895d9b4554/html5/thumbnails/4.jpg)
Decentralized Cooperation
Internet firewalls exchange information with each other to contain the worm
Suggested in recent work: WSP 04, NRL 03, AGIKL 03
Pros of decentralization: Scales with the system size; No single point of failure / administrative control
Efficacy and limitations not well understood
![Page 5: Analyzing Cooperative Containment Of Fast Scanning Worms](https://reader030.fdocuments.us/reader030/viewer/2022032612/56813460550346895d9b4554/html5/thumbnails/5.jpg)
Questions we seek to answer
Cost of decentralization: Effect of finite communication rate between firewalls on containment
Effect of malice: Impact of malicious firewalls on containment
Performance under partial deployment
![Page 6: Analyzing Cooperative Containment Of Fast Scanning Worms](https://reader030.fdocuments.us/reader030/viewer/2022032612/56813460550346895d9b4554/html5/thumbnails/6.jpg)
Roadmap
Abstract model of cooperation
Analysis of cooperation model
Numerical Results: Analytical, Simulation
Conclusion
![Page 7: Analyzing Cooperative Containment Of Fast Scanning Worms](https://reader030.fdocuments.us/reader030/viewer/2022032612/56813460550346895d9b4554/html5/thumbnails/7.jpg)
Model of Cooperation
Each firewall in the cooperative performs the following actions:
Local Detection: Identify when its network is infected by analyzing outgoing traffic
Signaling: Inform other firewalls of its own infection along with filters
Filtering: An informed firewall drops incoming packets
![Page 8: Analyzing Cooperative Containment Of Fast Scanning Worms](https://reader030.fdocuments.us/reader030/viewer/2022032612/56813460550346895d9b4554/html5/thumbnails/8.jpg)
Firewall states
(Figure: state diagram with states Normal, Infected, Detected and Alerted/Uninfected; transition labels: Successful worm scan, Local Detection, Signals Sent, Signal Received)
![Page 9: Analyzing Cooperative Containment Of Fast Scanning Worms](https://reader030.fdocuments.us/reader030/viewer/2022032612/56813460550346895d9b4554/html5/thumbnails/9.jpg)
Model of Signaling
Two kinds of signaling:
Implicit: Piggyback signals on outgoing packets
Explicit: Signals addressed to other firewalls
Setup attacks: Challenge-response verification of signals
Firewall sends false signal: Thresholding: Enter “alerted” state after receiving signals from T different firewalls
Firewall suppresses signal: Even if up to 25% of firewalls behave this way, good containment is possible
![Page 10: Analyzing Cooperative Containment Of Fast Scanning Worms](https://reader030.fdocuments.us/reader030/viewer/2022032612/56813460550346895d9b4554/html5/thumbnails/10.jpg)
Roadmap
Abstract model of cooperation
Analysis of cooperation model
Numerical Results: Analytical, Simulation
Conclusion
![Page 11: Analyzing Cooperative Containment Of Fast Scanning Worms](https://reader030.fdocuments.us/reader030/viewer/2022032612/56813460550346895d9b4554/html5/thumbnails/11.jpg)
Analytical results
Main focus: Containment metric C = fraction of networks that escape infection
Is Signaling Necessary?
Cost of Decentralization: Dependence of containment on signaling rate
Effect of malice: Dependence of containment on Threshold T
![Page 12: Analyzing Cooperative Containment Of Fast Scanning Worms](https://reader030.fdocuments.us/reader030/viewer/2022032612/56813460550346895d9b4554/html5/thumbnails/12.jpg)
Parameters used in analysis
Worm model:
Scanning: Topological scanning (zero time) followed by global uniform scanning
Probability of successful probe = p
Scanning rate = s
Vulnerable hosts uniformly distributed behind these firewalls
Local detection model: After infection, the time required for the infection to be detected is an exponential random variable with mean td
Signaling model: Explicit signals sent at rate E
![Page 13: Analyzing Cooperative Containment Of Fast Scanning Worms](https://reader030.fdocuments.us/reader030/viewer/2022032612/56813460550346895d9b4554/html5/thumbnails/13.jpg)
Detection and Filtering
Worm probes only in the interval between “infection” and “detection”
λ is the expected number of successful infections made by an infected network before detection: λ = p s td
Result: If λ < 1, C = 1 for large N (analogy to a birth-death process)
Implications: Earlier worms like Blaster satisfied this constraint
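Worked derivation, added here and not part of the slides, of why λ = p s td and why λ < 1 gives full containment in the large-N limit (using the slide-12 assumptions: probes at rate s, success probability p, detection time T_d exponential with mean t_d):

$$\lambda = \mathbb{E}\big[\text{successful infections before detection}\big] = \int_0^\infty p\,s\,\Pr[T_d > t]\,dt = p\,s\int_0^\infty e^{-t/t_d}\,dt = p\,s\,t_d .$$

Each infected network therefore seeds on average λ new infections before its firewall detects it. Ignoring probes that land on already-infected networks (exact as N → ∞), the number of infected networks is a branching process with mean offspring λ, the slide's birth-death analogy. For λ < 1 it dies out with probability 1, and its expected total size from I_0 initial infections is

$$\mathbb{E}[\text{total infected}] = \frac{I_0}{1-\lambda}, \qquad C = 1 - \frac{I_0}{(1-\lambda)\,N} \;\to\; 1 \quad (N \to \infty).$$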
![Page 14: Analyzing Cooperative Containment Of Fast Scanning Worms](https://reader030.fdocuments.us/reader030/viewer/2022032612/56813460550346895d9b4554/html5/thumbnails/14.jpg)
Detection and Filtering (2)
Surprisingly, even if λ > 1, containment can be achieved without signaling
Intuition: As the infection proceeds, it becomes harder to find new victims, so λ (= p s td) effectively decreases over time
For λ = 1.5, about 40% containment
For λ = 2.0, about 20% containment
λ = 2.0 for a Slammer-like worm
![Page 15: Analyzing Cooperative Containment Of Fast Scanning Worms](https://reader030.fdocuments.us/reader030/viewer/2022032612/56813460550346895d9b4554/html5/thumbnails/15.jpg)
Analyzing Signaling
Signaling required if λ > 1
Differential equation model
For λ > 1 and σ = (λ-1)/td , the containment metric C is at least
![Page 16: Analyzing Cooperative Containment Of Fast Scanning Worms](https://reader030.fdocuments.us/reader030/viewer/2022032612/56813460550346895d9b4554/html5/thumbnails/16.jpg)
Asymptotic Variations
Implicit Signaling:
Worm spreads at rate “ps”; signals sent at rate “s”
Linear drop with time to detection (td)
Linear drop with threshold (T)
Explicit Signaling:
Implicit signaling relies on (p << 1); explicit signals essential for high p
Linear drop with 1/E
Tunable parameter
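A time-stepped simulation of the abstract model of slides 7, 9, 12 and 13 (an added example, not the authors' code; the update rules, the parameter values and the choice of time units are assumptions made to mirror the slides) that reports C and lets one check the λ < 1 and λ > 1 cases and the effect of explicit signaling with threshold T:

```python
import random


def simulate(n, p, s, td, E=0.0, T=1, seeds=10, dt=0.05, t_max=60.0, seed=1):
    """Return the containment metric C (fraction of networks never infected).

    Per step each event fires with probability rate*dt (constructed approximation):
      infected, undetected network: one successful probe at rate p*s, landing on a
        uniformly random network, which becomes infected if it is 'normal'
        (so lambda = p*s*td successes per infection on average);
      infected network: local detection at rate 1/td; afterwards its firewall
        filters outgoing probes and starts signaling;
      detected firewall: one explicit signal at rate E to a random network; a
        'normal' network that has heard from T distinct firewalls becomes
        'alerted' and drops incoming probes.
    """
    assert p * s * dt <= 1.0 and dt / td <= 1.0 and E * dt <= 1.0
    rng = random.Random(seed)
    state = ["normal"] * n
    heard = [set() for _ in range(n)]            # distinct signalers per network
    for i in rng.sample(range(n), seeds):
        state[i] = "infected"
    t = 0.0
    while t < t_max and "infected" in state:
        for i in range(n):
            st = state[i]
            if st == "infected":
                if rng.random() < p * s * dt:       # successful worm probe
                    j = rng.randrange(n)
                    if state[j] == "normal":
                        state[j] = "infected"
                if rng.random() < dt / td:         # local detection
                    state[i] = "detected"
            elif st == "detected" and rng.random() < E * dt:
                j = rng.randrange(n)               # explicit signal
                if state[j] == "normal":
                    heard[j].add(i)
                    if len(heard[j]) >= T:
                        state[j] = "alerted"
        t += dt
    return sum(st in ("normal", "alerted") for st in state) / n


if __name__ == "__main__":
    # lambda = p*s*td: 0.5 (subcritical), 2.0 (Slammer-like), 2.0 with signaling
    print("lambda=0.5, no signaling:", simulate(2000, 0.5, 1.0, 1.0))
    print("lambda=2.0, no signaling:", simulate(2000, 1.0, 2.0, 1.0))
    print("lambda=2.0, E=5, T=1:   ", simulate(2000, 1.0, 2.0, 1.0, E=5.0, T=1))
```

With these settings the λ = 0.5 run escapes almost entirely, the λ = 2.0 run lands near the roughly 20% containment quoted on slide 14, and turning on explicit signaling raises C well above that.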
![Page 17: Analyzing Cooperative Containment Of Fast Scanning Worms](https://reader030.fdocuments.us/reader030/viewer/2022032612/56813460550346895d9b4554/html5/thumbnails/17.jpg)
Roadmap
Abstract model of cooperation
Analysis of cooperation model
Numerical Results: Analytical, Simulation
Conclusion
![Page 18: Analyzing Cooperative Containment Of Fast Scanning Worms](https://reader030.fdocuments.us/reader030/viewer/2022032612/56813460550346895d9b4554/html5/thumbnails/18.jpg)
Numerical Results
Parameter Settings:
Scan rate set to that of Slammer
Size of vulnerable population = 2 x Blaster
100,000 networks, 20 vulnerable hosts per network
Start out with 10 infected networks and track worm propagation
![Page 19: Analyzing Cooperative Containment Of Fast Scanning Worms](https://reader030.fdocuments.us/reader030/viewer/2022032612/56813460550346895d9b4554/html5/thumbnails/19.jpg)
Cost of Decentralization
The higher the detection time, the lower the containment
![Page 20: Analyzing Cooperative Containment Of Fast Scanning Worms](https://reader030.fdocuments.us/reader030/viewer/2022032612/56813460550346895d9b4554/html5/thumbnails/20.jpg)
Effect of Malice
Defends against a few hundred malicious firewalls
![Page 21: Analyzing Cooperative Containment Of Fast Scanning Worms](https://reader030.fdocuments.us/reader030/viewer/2022032612/56813460550346895d9b4554/html5/thumbnails/21.jpg)
Conclusions
Contribution: Further the understanding of cooperative worm containment
Cost of Decentralization: With moderate overhead, good containment can be achieved
Effect of Malice: Can handle a few hundred malicious firewalls in the cooperative
Cost of Deployment: Even with deployment levels as low as 10%, good containment can be achieved
![Page 22: Analyzing Cooperative Containment Of Fast Scanning Worms](https://reader030.fdocuments.us/reader030/viewer/2022032612/56813460550346895d9b4554/html5/thumbnails/22.jpg)
Detection and Filtering
![Page 23: Analyzing Cooperative Containment Of Fast Scanning Worms](https://reader030.fdocuments.us/reader030/viewer/2022032612/56813460550346895d9b4554/html5/thumbnails/23.jpg)
Signaling
![Page 24: Analyzing Cooperative Containment Of Fast Scanning Worms](https://reader030.fdocuments.us/reader030/viewer/2022032612/56813460550346895d9b4554/html5/thumbnails/24.jpg)
Containment vs Vulnerable population size
![Page 25: Analyzing Cooperative Containment Of Fast Scanning Worms](https://reader030.fdocuments.us/reader030/viewer/2022032612/56813460550346895d9b4554/html5/thumbnails/25.jpg)
Containment vs Signaling Rate
![Page 26: Analyzing Cooperative Containment Of Fast Scanning Worms](https://reader030.fdocuments.us/reader030/viewer/2022032612/56813460550346895d9b4554/html5/thumbnails/26.jpg)
Containment vs Deployment
![Page 27: Analyzing Cooperative Containment Of Fast Scanning Worms](https://reader030.fdocuments.us/reader030/viewer/2022032612/56813460550346895d9b4554/html5/thumbnails/27.jpg)
Internet-like Scenario
Works well even under non-uniform distributions
![Page 28: Analyzing Cooperative Containment Of Fast Scanning Worms](https://reader030.fdocuments.us/reader030/viewer/2022032612/56813460550346895d9b4554/html5/thumbnails/28.jpg)
Conclusions
Main result: with moderate overhead, cooperation can provide good containment even under partial deployment
For earlier worms, cooperation may have been unnecessary; required for the fast scanning worms of today
Our results can be used to benchmark local detection schemes in their suitability for cooperation
Our model and results can be applied to: Internet-level / enterprise-level cooperation; more sophisticated worms like hit-list worms
Room for improvement in terms of robustness: Verifiable signals; Hybrid architecture: fit in “well-informed” participants in the cooperative