Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense. Cliff C. Zou, Weibo Gong, Don Towsley, Univ. Massachusetts, Amherst. 17 slides.

Upload: verity-pitts

Post on 03-Jan-2016


TRANSCRIPT

1

Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense

Cliff C. Zou, Weibo Gong, Don Towsley

Univ. Massachusetts, Amherst

2

Motivation: automatic mitigation and its difficulties

Fast-spreading worms pose serious challenges: SQL Slammer infected more than 90% of its vulnerable hosts within 10 minutes, so manual countermeasures are out of the question.

The difficulty of automatic mitigation is the high cost of false alarms. An unknown worm can only be caught by anomaly detection, which trades false alarms against detection speed. Traditional mitigation sits at one of two extremes: no quarantine at all, or long-time quarantine until the host passes a human's inspection.

3

Principles in real-world epidemic disease control

Principle #1: Preemptive quarantine. Assume guilty before proven innocent: compared with the damage of the disease, we are willing to pay a certain false alarm cost.

Principle #2: Feedback adjustment. The more serious the epidemic, the more aggressive the quarantine action: adaptive adjustment of the trade-off between disease damage and false alarm cost.

4

Dynamic Quarantine

Assume guilty before proven innocent: quarantine on suspicion, and release the quarantine automatically after a short time. This keeps the false alarm cost low.

Can use any host-based or subnet-based anomaly detection system.

Host-based or subnet-based quarantine (not whole-network-level quarantine).

Quarantine is on the suspicious port only.

A graceful automatic mitigation, sitting between the two extremes: no quarantine -> dynamic short-time quarantine -> long-time quarantine.

5

Feedback Control Dynamic Quarantine Framework (host-level)

Feedback: the more suspicious the situation, the more aggressive the action.

Predetermined constants (one set for each TCP/UDP port).

Observation variable: I_t, the number of quarantined hosts.

Worm detection and evaluation variables: P_t (probability), D_t (damage).

Control variables: T_t (quarantine time), H_t (alarm threshold).

Block diagram of the worm detection system (figure residue): Network Activities -> Anomaly Detection System -> Worm Detection & Evaluation (produces P_t, D_t) -> Decision & Control (sets T_t, H_t), which feed back into the detection and quarantine stages.

6

Two-level Feedback Control Dynamic Quarantine Framework

Network-level quarantine (Internet scale): dynamic quarantine is on the routers/gateways of local networks. Quarantine time and alarm threshold are recommended by the Malware Warning Center (MWC).

Host-level quarantine (local network scale): dynamic quarantine is on individual hosts or subnets in a network. Quarantine time and alarm threshold are determined by the local network's own worm detection system together with the advisory from the Malware Warning Center.

Diagram (figure residue): the Malware Warning Center sends the recommended T_t and H_t to each local network; each local network reports its observation I_t back, applies host-level quarantine inside, and network-level quarantine at its gateway.
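The host-level mechanism of slides 4 to 6 (quarantine on suspicion, automatic release after T_t, re-quarantine only while the detector still scores the host/port at or above H_t), written out as an added example in Python. It is not the authors' code: the DynamicQuarantine class, the host addresses, ports, scores and the replay helper are constructed here, and the feedback step only shows how the decision and control stage pushes new T_t and H_t values, not the authors' policy for choosing them.

```python
"""Host-level dynamic quarantine of slides 4 to 6 (added example, not the authors'
code). Quarantine is keyed by (host, port), expires T_t seconds after the alarm,
and is re-imposed only while the detector's score for that host/port stays at or
above H_t. Hosts, ports and scores below are constructed for illustration."""


class DynamicQuarantine:
    def __init__(self, quarantine_time, alarm_threshold):
        self.T = float(quarantine_time)   # control variable T_t
        self.H = float(alarm_threshold)   # control variable H_t
        self._until = {}                  # (host, port) -> release time

    def set_controls(self, quarantine_time=None, alarm_threshold=None):
        """Decision & control stage: push new T_t / H_t (local policy or MWC advisory)."""
        if quarantine_time is not None:
            self.T = float(quarantine_time)
        if alarm_threshold is not None:
            self.H = float(alarm_threshold)

    def expire(self, now):
        """Automatic release: free every (host, port) whose quarantine time is up."""
        for key in [k for k, until in self._until.items() if now >= until]:
            del self._until[key]

    def observe(self, now, host, port, score):
        """Feed one anomaly-detector reading; return whether (host, port) is blocked."""
        self.expire(now)
        key = (host, port)
        if key not in self._until and score >= self.H:
            self._until[key] = now + self.T      # quarantine on suspicion, this port only
        return key in self._until

    def quarantined_count(self, now):
        """Observation variable I_t: number of (host, port) pairs under quarantine."""
        self.expire(now)
        return len(self._until)


def blocked_seconds(readings, quarantine_time, alarm_threshold):
    """Replay time-ordered per-second readings (t, host, port, score) and count the
    seconds each (host, port) spent blocked: the false alarm cost for a healthy
    host, the containment achieved for an infected one."""
    dq = DynamicQuarantine(quarantine_time, alarm_threshold)
    blocked = {}
    for t, host, port, score in readings:
        key = (host, port)
        blocked[key] = blocked.get(key, 0) + int(dq.observe(t, host, port, score))
    return blocked


def sample_readings(seconds=60):
    """Constructed detector output: one host scanning udp/1434 the whole time (and
    serving normal traffic on tcp/80), one healthy host with a single spike at t = 10."""
    rows = []
    for t in range(seconds):
        rows.append((t, "10.0.0.5", "udp/1434", 0.9))
        rows.append((t, "10.0.0.5", "tcp/80", 0.1))
        rows.append((t, "10.0.0.7", "udp/1434", 0.9 if t == 10 else 0.1))
    return rows


def run_example(quarantine_time=4, alarm_threshold=0.5):
    return blocked_seconds(sample_readings(), quarantine_time, alarm_threshold)


def feedback_demo():
    """The decision & control stage lengthening T_t after the first alarm."""
    dq = DynamicQuarantine(4, 0.5)
    dq.observe(0, "10.0.0.5", "udp/1434", 0.9)   # quarantined until t = 4
    dq.set_controls(quarantine_time=8)            # e.g. MWC advisory: epidemic growing
    dq.observe(4, "10.0.0.5", "udp/1434", 0.9)   # released and re-quarantined until t = 12
    return dq.quarantined_count(4), dq.quarantined_count(11), dq.quarantined_count(12)


if __name__ == "__main__":
    for T, H in ((4, 0.5), (8, 0.5), (4, 0.95)):   # values the feedback loop would move
        print("T_t=%s H_t=%s:" % (T, H), run_example(T, H))
    print("I_t at t=4, 11, 12 after lengthening T_t:", feedback_demo())
```

Replaying the constructed readings with T_t = 4 s and H_t = 0.5 blocks the persistently scanning host for the whole 60 s window (it is re-quarantined the moment each quarantine expires), blocks the healthy host for exactly 4 s after its single spike, and never touches the scanner's other port. Doubling T_t doubles that false alarm cost, and raising H_t to 0.95 suppresses every alarm; that is the trade-off the feedback loop adjusts.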

7

Host-level Dynamic Quarantine without Feedback Control

First step: no feedback control or optimization. Fixed quarantine time and alarm threshold.

Results and conclusions: derive worm models under dynamic quarantine. Dynamic quarantine efficiently reduces the worm's spreading speed and gives humans precious time to react; the cost is temporarily quarantining some healthy hosts. It also raises (or generates) an epidemic threshold, reducing the chance for a worm to spread out.

8

Worm modeling: simple epidemic model

State transition: susceptible -> infectious. The number of contacts per unit time is the infection ability times I times S.

Simple epidemic model for a fixed population system: the infectious population grows at the contact rate above, with S = N - I because the population is fixed.

Variables: S, number of susceptible hosts; N, total number of hosts; I, number of infectious hosts; and the infection ability.

Figure: I(t) against t (0 to 600), with the susceptible and infectious curves; y-axis up to 3.5 x 10^5.

9

Worm modeling: Kermack-McKendrick model

State transition: susceptible -> infectious -> removed.

Variables: the number of hosts removed from the infectious state, and the removal rate.

Epidemic threshold theorem: no outbreak happens if the initial susceptible population is below the epidemic threshold, the ratio of the removal rate to the infection ability.

Figure: the epidemic curve against t (0 to 40) with the epidemic threshold set to 0, N/16, N/4 and N/2; y-axis up to 10 x 10^5.

10

Analysis of Dynamic Quarantine

Notation: I(t), number of infectious hosts; S(t), number of susceptible hosts; T, quarantine time; R(t), number of quarantined infectious hosts; Q(t), number of quarantined susceptible hosts; quarantine rate 1, the rate at which an infectious host is quarantined; quarantine rate 2, the rate at which a susceptible host is quarantined (a false alarm).

Without “removal”:

Assumptions:

11

Extended Simple Epidemic Model

Before quarantine: susceptible -> infectious, with the number of contacts determined by I(t) and S(t).

After quarantine: the quarantined infectious hosts R(t) = p'1 I(t) and the quarantined susceptible hosts Q(t) = p'2 S(t) are taken out of the contact process, so contacts happen only between the remaining I(t) - R(t) infectious hosts and S(t) - Q(t) susceptible hosts.

12

Extended Simple Epidemic Model

Vulnerable population N = 75,000, worm scan rate 4000/sec, T = 4 seconds, quarantine rate of infectious hosts = 1 per second, quarantine rate of susceptible hosts = 0.000023 per second (two false alarms per day per node).

Law of large numbers applied to R(t), the number of quarantined infectious hosts, and Q(t), the number of quarantined susceptible hosts.

Figures: left, I(t), R(t) and 500 Q(t) against time t (seconds, 0 to 1000; y-axis up to 7 x 10^4); middle, the quarantined fractions p'1 and 500 p'2 against time (0 to 1); right, I(t) for the original system versus the quarantined system (0 to 1000 s, y-axis up to 7 x 10^4).

13

Extended Kermack-McKendrick Model

Before quarantine: susceptible -> infectious -> removed.

After quarantine: the same chain, with the quarantined hosts R(t) and Q(t) taken out of the contact process and infectious hosts still removed at the removal rate.

14

Extended Kermack-McKendrick Model

Population N = 75,000, worm scan rate 4000/sec, T = 4 seconds, quarantine rate of infectious hosts = 1, quarantine rate of susceptible hosts = 0.000023, removal rate = 0.005 (rates per second).

R(t): number of quarantined infectious hosts. Q(t): number of quarantined susceptible hosts.

Figures: left, I(t) for the original system versus the quarantine system against time t (seconds, 0 to 1500; y-axis up to 7 x 10^4); right, the quarantined fractions q'1 and 500 q'2 against time (0 to 1).

15

Dynamic Quarantine Model —Considering Human’s Counteraction

A more realistic dynamic quarantine scenario: security staff inspect quarantined hosts only, and there is not enough time to check every quarantined host before its quarantine time expires. Removal therefore happens only from the quarantined infectious hosts R(t).

The model is similar to the Kermack-McKendrick model.

Introduced epidemic threshold:

16

Dynamic Quarantine Model —Considering Human’s Counteraction

R(t): number of quarantined infectious hosts. Q(t): number of quarantined susceptible hosts.

Population N = 75,000, worm scan rate 4000/sec, T = 4 seconds, quarantine rate of infectious hosts = 1, quarantine rate of susceptible hosts = 0.000023, removal rate = 0.005 (rates per second).

Figures: left, I(t) for the original system versus the quarantine system against time t (seconds, 0 to 1500; y-axis up to 7 x 10^4); right, the quarantined fractions q'1 and 500 q'2 against time (0 to 1).
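The models of slides 8 through 16, integrated numerically with the slides' parameters, as an added example in Python (not the authors' code). The symbols that did not survive extraction are assumed: beta for the infection ability, taken as the scan rate divided by 2^32 for a worm that scans the IPv4 space uniformly; gamma for the removal rate; lam1 and lam2 for the two quarantine rates. The quarantine delay is handled by queueing the hosts quarantined in each time step and releasing them T seconds later; steady_quarantined_fraction() is a law-of-large-numbers estimate derived here, not a formula from the slides.

```python
"""Worm models of slides 8 to 16 under the slides' parameters (added example).
Assumed symbols: beta = infection ability (scan_rate / 2**32 for a uniform IPv4
scanner); gamma = removal rate; lam1, lam2 = quarantine rates of infectious and
susceptible hosts; T = quarantine time. Forward Euler integration; the
quarantine delay is a queue of per-step cohorts released T seconds later."""
import math
from collections import deque

IPV4_SPACE = 2 ** 32
# Slide 12/14/16 parameters: N = 75,000, scan rate 4000/s, T = 4 s, rates 1 and 0.000023.
SLIDE = dict(N=75_000, beta=4000 / IPV4_SPACE, T=4.0, lam1=1.0, lam2=0.000023)


def infection_ability(scan_rate, address_space=IPV4_SPACE):
    """Per-pair contact rate beta of a uniform random scanner (assumption)."""
    return scan_rate / address_space


def epidemic_threshold(beta, gamma):
    """Kermack-McKendrick threshold rho = gamma / beta: no outbreak if S(0) < rho."""
    return gamma / beta


def outbreak_possible(s0, beta, gamma):
    return s0 > epidemic_threshold(beta, gamma)


def steady_quarantined_fraction(lam, T):
    """Law-of-large-numbers limit of R/I (or Q/S) while I varies slowly:
    R = lam*T*(I - R), so R/I = lam*T / (1 + lam*T). Derived here, not on the slides."""
    return lam * T / (1.0 + lam * T)


def simulate(N, beta, gamma=0.0, T=0.0, lam1=0.0, lam2=0.0, removal="none",
             I0=10.0, dt=0.1, horizon=1000.0):
    """Integrate I(t), S(t), R(t), Q(t) for one model and return the time series.

    removal="none"         extended simple epidemic model (slides 11-12)
    removal="all"          extended Kermack-McKendrick: all infectious hosts are
                           removed at rate gamma (slides 13-14)
    removal="quarantined"  human counteraction: removal acts on R(t) only (15-16)
    With lam1 = lam2 = 0 the quarantine terms vanish and the classic models result.
    """
    delay = int(round(T / dt))
    # Fraction of a quarantined cohort still present when it is released after T
    # seconds, given that removal reaches quarantined hosts at rate gamma.
    survive = math.exp(-gamma * T) if removal != "none" else 1.0
    q_inf = deque([0.0] * delay)   # infectious hosts quarantined per step, oldest first
    q_sus = deque([0.0] * delay)   # susceptible hosts quarantined per step
    I, S, R, Q, removed = float(I0), float(N - I0), 0.0, 0.0, 0.0
    out = {k: [] for k in ("t", "I", "S", "R", "Q", "removed")}
    for k in range(int(round(horizon / dt)) + 1):
        for key, val in zip(out, (k * dt, I, S, R, Q, removed)):
            out[key].append(val)
        free_I, free_S = I - R, S - Q              # hosts not under quarantine
        new_inf = beta * free_I * free_S * dt      # only free pairs can make contact
        new_qi, new_qs = lam1 * free_I * dt, lam2 * free_S * dt
        rem_free = gamma * free_I * dt if removal == "all" else 0.0
        rem_q = gamma * R * dt if removal != "none" else 0.0
        if delay:
            q_inf.append(new_qi)
            q_sus.append(new_qs)
            rel_i, rel_s = q_inf.popleft() * survive, q_sus.popleft()
        else:                                      # T = 0: released at once
            rel_i, rel_s = new_qi, new_qs
        I += new_inf - rem_free - rem_q            # R is a subset of I, Q of S
        R += new_qi - rel_i - rem_q
        S -= new_inf
        Q += new_qs - rel_s
        removed += rem_free + rem_q
    return out


def time_to_reach(sim, level):
    """First sampled time at which I(t) >= level, or None if never reached."""
    return next((t for t, i in zip(sim["t"], sim["I"]) if i >= level), None)


def quarantined_fraction(sim, t):
    """p'1(t) = R(t) / I(t) at the sample closest to t."""
    k = min(range(len(sim["t"])), key=lambda j: abs(sim["t"][j] - t))
    return sim["R"][k] / sim["I"][k]


def compare_spread(horizon=1000.0):
    """Slide 12, right panel: time for I(t) to reach N/2 without and with quarantine."""
    original = simulate(SLIDE["N"], SLIDE["beta"], horizon=horizon)
    quarantined = simulate(horizon=horizon, **SLIDE)
    return time_to_reach(original, SLIDE["N"] / 2), time_to_reach(quarantined, SLIDE["N"] / 2)


if __name__ == "__main__":
    print("epidemic threshold for removal rate 0.005: %.0f hosts" % epidemic_threshold(SLIDE["beta"], 0.005))
    t_orig, t_q = compare_spread()
    print("time to infect N/2: original %.0f s, quarantined %.0f s" % (t_orig, t_q))
    q = simulate(**SLIDE)
    print("p'1 at t = 500 s: %.3f, steady estimate %.3f" % (quarantined_fraction(q, 500.0), steady_quarantined_fraction(1.0, 4.0)))
    km = simulate(gamma=0.005, removal="all", horizon=1500.0, **SLIDE)
    human = simulate(gamma=0.005, removal="quarantined", horizon=1500.0, **SLIDE)
    print("I(1500 s): extended K-M %.0f, human counteraction %.0f" % (km["I"][-1], human["I"][-1]))
```

With the slide-12 parameters the original system infects half of the 75,000 hosts in about 130 s and the quarantined system takes roughly five times longer, and R(t)/I(t) settles near lam1*T/(1 + lam1*T) = 0.8, which is why quarantining each infectious host for only 4 s still removes most of the worm's scanning capacity. The Kermack-McKendrick threshold with gamma = 0.005 is about 5,400 hosts, far below 75,000, so removal alone does not prevent the outbreak; the human counteraction variant, where removal acts only on R(t), ends with fewer infectious hosts at 1500 s than quarantine without removal.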

17

Summary

Learned from the quarantine principles of real-world epidemic disease control: preemptive quarantine (assume guilty before proven innocent) and feedback adjustment (the more serious the epidemic, the more aggressive the quarantine action).

Two-level feedback control dynamic quarantine framework. Optimal control objective: reduce the worm's spreading speed and the number of infected hosts, while reducing the false alarm cost.

Derived worm models under dynamic quarantine: it efficiently reduces the worm's spreading speed, gives humans precious time to react, and raises (or generates) an epidemic threshold, reducing the chance for a worm to spread out.