Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Quarantine-WORM03
Document related concepts
no text concepts found
Transcript
Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense Cliff C. Zou, Weibo Gong, Don Towsley Univ. Massachusetts, Amherst 1 Motivation: automatic mitigation and its difficulties Fast spreading worms pose serious challenges: SQL Slammer infected 90% within 10 minutes. Manual counteractions out of the question. Difficulty of automatic mitigation high false alarm cost. Anomaly detection for unknown worm. False alarms vs. detection speed. Traditional mitigation: No quarantine at all … long-time quarantine until passing human’s inspection. 2 Principles in real-world epidemic disease control Principle #1 Preemptive quarantine Assuming guilty before proven innocent Comparing with disease damage, we are willing to pay certain false alarm cost. Principle #2 Feedback adjustment More serious epidemic, more aggressive quarantine action Adaptive adjustment of the trade-off between disease damage and false alarm cost. 3 Dynamic Quarantine Assuming guilty before proven innocent Quarantine on suspicion, release quarantine after a short time automatically reduce false alarm cost Can use any host-based, subnet-based anomaly detection system. Host or subnet based quarantine (not whole networklevel quarantine). Quarantine is on suspicious port only. A graceful automatic mitigation: No quarantine Dynamic short-time quarantine long-time quarantine 4 Feedback Control Dynamic Quarantine Framework (host-level) Network Activities Anomaly Detection System Worm Detection It Pt , Dt & Evaluation Worm detection system Decision & Control Tt , H t Feedback : More suspicious, more aggressive action Predetermined constants: ( for each TCP/UDP port) Observation variables: :# of quarantined. Worm detection and evaluation variables: Probability Damage Control variables: Quarantine time Alarm threshold 5 Two-level Feedback Control Dynamic Quarantine Framework Malware Warning Center It Local network Host-level quarantine Network-level quarantine Network-level quarantine (Internet scale) Tt , H t Dynamic quarantine is on routers/gateways of local networks. Quarantine time, alarm threshold are recommended by MWC. Host-level quarantine (local network scale) Dynamic quarantine is on individual host or subnet in a network. Quarantine time, alarm threshold are determined by: Local network’s worm detection system. Advisory from Malware Warning Center. 6 Host-level Dynamic Quarantine without Feedback Control First step: no feedback control/optimization Fixed quarantine time, alarm threshold. Results and conclusions: Derive worm models under dynamic quarantine. Efficiently reduce worm spreading speed. Give human precious time to react. Cost: temporarily quarantine some healthy hosts. Raise/generate epidemic threshold Reduce the chance for a worm to spread out. 7 Worm modeling — simple epidemic model susceptible # of contacts infectious IS 5 x 10 Simple epidemic model for fixed population system: 3.5 3 2.5 I(t) 2 1.5 1 0.5 : # of susceptible : # of hosts : # of infectious : infection ability 0 0 100 200 300 t 400 500 600 8 Worm modeling — Kermack-McKendrick model State transition: susceptible infectious : # of removed from infectious removed : removal rate 5 10 x 10 9 8 7 6 =0 =N/16 =N/4 =N/2 Epidemic threshold theorem: No outbreak happens if 5 4 where 3 2 : epidemic threshold 1 0 10 t 20 30 40 9 Analysis of Dynamic Quarantine I(t): # of infectious S(t): # of susceptible T: Quarantine time R(t): # of quarantined infectious Q(t): # of quarantined susceptible 1: quarantine rate of infectious 2: quarantine rate of susceptible Without “removal”: Assumptions: 10 Extended Simple Epidemic Model Susceptible S(t) I(t) Q(t)=p’2S(t) # of contacts Infectious R(t)=p’1I(t) Before quarantine: After quarantine: 11 Extended Simple Epidemic Model x 10 4 x 10 7 7 Original system Quarantined system 6 6 5 5 4 4 3 3 2 2 1 1 0 0 200 400 600 Time t (second) 800 1000 0 0 4 1 I(t) R(t) 500 Q(t) 0.8 p'1 500 p'2 0.6 0.4 0.2 200 400 600 Time t (second) 800 1000 0 0 200 400 600 Time t (second) 800 Vulnerable population N=75,000, worm scan rate 4000/sec T=4 seconds, 1 = 1, 2=0.000023 (twice false alarms per day per node) R(t): # of quarantined infectious Q(t): # of quarantined susceptible Law of large number 12 1000 Extended Kermack-McKendrick Model removed Before quarantine: After quarantine: 13 Extended Kermack-McKendrick Model x 10 4 Original system Quarantine system 7 1 0.8 6 5 q'1 500 q'2 0.6 4 0.4 3 2 0.2 1 0 0 300 600 900 1200 Time t (second) 1500 0 0 300 600 900 Time t (second) 1200 1500 Population N=75,000, worm scan rate 4000/sec, T=4 seconds, 1 = 1, 2=0.000023, =0.005 R(t): # of quarantined infectious Q(t): # of quarantined susceptible 14 Dynamic Quarantine Model — Considering Human’s Counteraction A more realistic dynamic quarantine scenario: Security staffs inspect quarantined hosts only. Not enough time to check all quarantine hosts before their quarantine time expired --- removal only from quarantined infectious hosts R(t). Model is similar to the Kermack-McKendrick model Introduced Epidemic threshold: 15 Dynamic Quarantine Model — Considering Human’s Counteraction x 10 4 Original system Quarantine system 7 1 0.8 6 5 q'1 500 q'2 0.6 4 0.4 3 2 0.2 1 0 0 300 600 900 1200 Time t (second) 1500 0 0 300 600 900 1200 Time t (second) 1500 Population N=75,000, worm scan rate 4000/sec, T=4 seconds, 1 = 1, 2=0.000023, =0.005 R(t): # of quarantined infectious Q(t): # of quarantined susceptible 16 Summary Learn the quarantine principles in real-world epidemic disease control: Preemptive quarantine: Assuming guilty before proven innocent Feedback adjustment: More serious epidemic, more aggressive quarantine action Two-level feedback control dynamic quarantine framework Optimal control objective: Reduce worm spreading speed, # of infected hosts. Reduce false alarm cost. Derive worm models under dynamic quarantine Efficiently reduce worm spreading speed Give human precious time to react Raise/generate epidemic threshold Reduce the chance for a worm to spread out 17
Related documents