Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense
Cliff C. Zou, Weibo Gong, Don Towsley
Univ. Massachusetts, Amherst

1 Motivation: automatic mitigation and its difficulties
- Fast-spreading worms pose serious challenges: SQL Slammer infected 90% within 10 minutes.
- Manual counteractions are out of the question.
- Difficulty of automatic mitigation: high false alarm cost.
  - Anomaly detection is needed for an unknown worm.
  - False alarms vs. detection speed.
- Traditional mitigation: either no quarantine at all, or long-time quarantine until the host passes human inspection.

2 Principles in real-world epidemic disease control
- Principle #1: Preemptive quarantine. Assume guilty before proven innocent.
  - Compared with the damage of the disease, we are willing to pay a certain false alarm cost.
- Principle #2: Feedback adjustment. The more serious the epidemic, the more aggressive the quarantine action.
  - Adaptive adjustment of the trade-off between disease damage and false alarm cost.

3 Dynamic Quarantine
- Assume guilty before proven innocent: quarantine on suspicion, release the quarantine automatically after a short time, which reduces the false alarm cost.
- Can use any host-based or subnet-based anomaly detection system.
- Host- or subnet-based quarantine (not whole-network-level quarantine).
- Quarantine is on the suspicious port only.
- A graceful automatic mitigation: no quarantine, then dynamic short-time quarantine, then long-time quarantine.

4 Feedback Control Dynamic Quarantine Framework (host-level)
[Figure: block diagram. Network activities feed the anomaly detection system; the worm detection and evaluation stage produces It, Pt, Dt; the decision and control stage produces Tt, Ht. Feedback: the more suspicious the activity, the more aggressive the action.]
- Predetermined constants (for each TCP/UDP port).
- Observation variable It: # of quarantined hosts.
- Worm detection and evaluation variables: Pt, probability; Dt, damage.
- Control variables: Tt, quarantine time; Ht, alarm threshold.

5 Two-level Feedback Control Dynamic Quarantine Framework
[Figure: each local network reports It to the Malware Warning Center (MWC); the MWC returns Tt, Ht to the local networks' host-level and network-level quarantine.]
- Network-level quarantine (Internet scale): dynamic quarantine is on the routers/gateways of local networks. Quarantine time and alarm threshold are recommended by the MWC.
- Host-level quarantine (local network scale): dynamic quarantine is on an individual host or subnet in a network. Quarantine time and alarm threshold are determined by the local network's worm detection system and by the advisory from the MWC.

6 Host-level Dynamic Quarantine without Feedback Control
- First step: no feedback control/optimization; fixed quarantine time and alarm threshold.
- Results and conclusions:
  - Derive worm models under dynamic quarantine.
  - Efficiently reduce worm spreading speed, giving humans precious time to react. Cost: temporarily quarantine some healthy hosts.
  - Raise/generate the epidemic threshold, reducing the chance for a worm to spread out.

7 Worm modeling — simple epidemic model
- State transition: susceptible → infectious, driven by the # of contacts between the two.
- Simple epidemic model for a fixed-population system:
- Variables: # of susceptible; # of hosts; # of infectious; infection ability.
[Figure: I(t) (×10^5) vs. t for the simple epidemic model.]

8 Worm modeling — Kermack-McKendrick model
- State transition: susceptible → infectious → removed.
- Variables: # of removed from infectious; removal rate.
- Epidemic threshold theorem: no outbreak happens if [condition], where [definition]: epidemic threshold.
[Figure: I(t) (×10^5) vs. t for four values of the epidemic threshold: 0, N/16, N/4, N/2.]

9 Analysis of Dynamic Quarantine
- I(t): # of infectious
- S(t): # of susceptible
- T: quarantine time
- R(t): # of quarantined infectious
- Q(t): # of quarantined susceptible
- rate 1: quarantine rate of infectious hosts
- rate 2: quarantine rate of susceptible hosts
- Assumptions: without "removal".

10 Extended Simple Epidemic Model
- State transition: susceptible S(t) → infectious I(t), driven by the # of contacts; quarantined susceptible Q(t) = p'2 S(t); quarantined infectious R(t) = p'1 I(t).
- Before quarantine:
- After quarantine:

11 Extended Simple Epidemic Model
[Figure: left panel, I(t) (×10^4) vs. time t (seconds) for the original system and the quarantined system; middle panel, I(t), R(t), Q(t) vs. time t (seconds); right panel, p'1 and p'2 vs. time t (seconds).]
- Vulnerable population N = 75,000, worm scan rate 4000/sec, T = 4 seconds, rate 1 = 1, rate 2 = 0.000023 (two false alarms per day per node).
- R(t): # of quarantined infectious; Q(t): # of quarantined susceptible (law of large numbers).

12 Extended Kermack-McKendrick Model
- State transition: susceptible → infectious → removed, with quarantined susceptible and quarantined infectious states.
- Before quarantine:
- After quarantine:

13 Extended Kermack-McKendrick Model
[Figure: left panel, I(t) (×10^4) vs. time t (seconds) for the original system and the quarantine system; right panel, q'1 and q'2 vs. time t (seconds).]
- Population N = 75,000, worm scan rate 4000/sec, T = 4 seconds, rate 1 = 1, rate 2 = 0.000023, removal rate = 0.005.
- R(t): # of quarantined infectious; Q(t): # of quarantined susceptible.

14 Dynamic Quarantine Model — Considering Human Counteraction
- A more realistic dynamic quarantine scenario: security staff inspect quarantined hosts only.
- There is not enough time to check all quarantined hosts before their quarantine time expires, so removal happens only from the quarantined infectious hosts R(t).
- The model is similar to the Kermack-McKendrick model.
- Introduces an epidemic threshold:

15 Dynamic Quarantine Model — Considering Human Counteraction
[Figure: left panel, I(t) (×10^4) vs. time t (seconds) for the original system and the quarantine system; right panel, q'1 and q'2 vs. time t (seconds).]
- Population N = 75,000, worm scan rate 4000/sec, T = 4 seconds, rate 1 = 1, rate 2 = 0.000023, removal rate = 0.005.
- R(t): # of quarantined infectious; Q(t): # of quarantined susceptible.

16 Summary
- Learn the quarantine principles from real-world epidemic disease control:
  - Preemptive quarantine: assume guilty before proven innocent.
  - Feedback adjustment: the more serious the epidemic, the more aggressive the quarantine action.
- Two-level feedback control dynamic quarantine framework. Optimal control objective: reduce worm spreading speed and the # of infected hosts; reduce false alarm cost.
- Derive worm models under dynamic quarantine:
  - Efficiently reduce worm spreading speed, giving humans precious time to react.
  - Raise/generate the epidemic threshold, reducing the chance for a worm to spread out.
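As an added example (not code from the slides or the authors), the extended simple epidemic model of slides 10 and 11 integrated numerically with the stated parameters, alongside the original model and the Kermack-McKendrick threshold of slide 8. Assumed, because the slides do not state them: infection rate = scan rate / 2^32 (uniform random IPv4 scanning), 10 initially infectious hosts, and quarantined fractions p'1 = rate1·T/(1+rate1·T) and p'2 = rate2·T/(1+rate2·T), which is my reading of the law-of-large-numbers step on slide 11.

```python
# Added example: simple epidemic model with and without dynamic quarantine.
# Assumptions (not stated on the slides): beta = scan_rate / 2^32 for uniform
# random scanning, I(0) = 10, and the quarantined-fraction formula below.

ADDRESS_SPACE = 2 ** 32


def quarantined_fraction(rate, T):
    """Long-run fraction of hosts that are quarantined when each host is flagged
    at `rate` per second and every quarantine lasts T seconds.
    Assumed form: mean quarantined time / (mean free time + mean quarantined time)."""
    return rate * T / (1.0 + rate * T)


def km_epidemic_threshold(scan_rate, removal_rate):
    """Kermack-McKendrick threshold: no outbreak if S(0) < removal_rate / beta."""
    return removal_rate / (scan_rate / ADDRESS_SPACE)


def simulate(N, scan_rate, I0=10, T=None, rate1=0.0, rate2=0.0, dt=0.1, t_max=1000.0):
    """Euler-integrate dI/dt = beta_eff * I * (N - I).  Without quarantine
    beta_eff = beta.  With dynamic quarantine only the free infectious (1 - p'1)
    and free susceptible (1 - p'2) hosts take part in infection, so
    beta_eff = beta * (1 - p'1) * (1 - p'2).  Returns a list of (t, I(t))."""
    beta = scan_rate / ADDRESS_SPACE
    p1 = quarantined_fraction(rate1, T) if T else 0.0
    p2 = quarantined_fraction(rate2, T) if T else 0.0
    beta_eff = beta * (1.0 - p1) * (1.0 - p2)
    t, I, trace = 0.0, float(I0), []
    while t <= t_max:
        trace.append((t, I))
        I += dt * beta_eff * I * (N - I)
        t += dt
    return trace


def time_to_fraction(trace, N, frac):
    """First time at which I(t) >= frac * N, or None if not reached in the trace."""
    for t, I in trace:
        if I >= frac * N:
            return t
    return None


if __name__ == "__main__":
    N, scan_rate, T = 75_000, 4000, 4  # slide 11 parameters
    base = simulate(N, scan_rate)
    quar = simulate(N, scan_rate, T=T, rate1=1.0, rate2=0.000023)
    print("p'1 = %.4f, p'2 = %.6f" % (quarantined_fraction(1.0, T), quarantined_fraction(0.000023, T)))
    print("time to infect half of N: original %.0f s, quarantined %.0f s"
          % (time_to_fraction(base, N, 0.5), time_to_fraction(quar, N, 0.5)))
    print("K-M threshold at removal rate 0.005: %.0f hosts" % km_epidemic_threshold(scan_rate, 0.005))
```

With rate1 = 1 and T = 4 the quarantined fraction of infectious hosts is 0.8, so the effective infection rate drops to about one fifth and the time to infect half the population grows roughly fivefold.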