Malware Malicious Software - PowerPoint PPT Presentation

Slides: 24
Provided by: jinc5
Transcript and Presenter's Notes

1
Malware (Malicious Software)
  • By Ho Jeong AN
  • hjan@cse.ogi.edu

2
Modeling Worms
  • D. Moore, C. Shannon, G. Voelker, S. Savage, "Internet Quarantine:
    Requirements for Containing Self-Propagating Code", INFOCOM 2003
    • Epidemiological model
  • Z. Chen, L. Gao, K. Kwiat, "Modeling the Spread of Active Worms",
    INFOCOM 2003
    • Analytical Active Worm Propagation (AAWP)
  • M. Garetto, W. Gong, D. Towsley, "Modeling Malware Spreading Dynamics",
    INFOCOM 2003
    • Interactive Markov Chain

3
Internet Quarantine
  • Uses the traditional epidemiological approach; the spread of a worm is
    governed by
    • the vulnerability of the population
    • the length of the infectious period
    • the rate of infection
  • Potential interventions to mitigate the threat of worms:
    prevention, treatment and containment.

4
Internet Quarantine
  • Prevention: reduce the size of the vulnerable population
  • Treatment: disinfection tools and system update features
  • Containment: block infectious communication between infected and
    uninfected hosts, e.g. firewalls, content filters, routing blacklists.

5
Internet Quarantine
  • Is containment the most viable strategy? It can be completely
    automated and is easy to deploy.
  • Properties of a containment system
    • Time to detect and react
    • Strategy
    • System deployment

6
Basic Model
  • Modeling the worm
    • Classic SI (susceptible-infected) epidemic model

7
Basic Model
  • Modeling the containment system
    • Prevalence of the worm
    • Reaction time: detecting -> informing -> activating
    • Containment strategy: address blacklisting or content filtering
    • Deployment scenario: best case or real case

8
Idealized Deployment
  • Best case scenario
  • Code-Red case study

9
Practical Deployment
  • Network model
    • A model among Autonomous Systems (ASes), built from the routing
      table of July 19, 2001, 08:00 PDT
    • Identify the set of vulnerable Internet hosts and their ASes: the
      hosts infected by the Code-Red v2 worm during its initial 24 hours
      of propagation
    • Model the AS paths among all vulnerable hosts
  • Deployment scenarios
    • Customer networks
    • Major ISPs

10
Practical Deployment
  • Code-Red Case Study
  • Generalized Worm Containment

11
Conclusion
  • Reaction time: needs an automated method to detect and react
  • Containment strategy: content filtering
  • Blocking location: along all Internet paths
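The SI model and the two containment strategies of slides 6 to 11, worked through as an added example; this code is not part of the presentation or of Moore et al.'s paper. It integrates da/dt = K a (1 - a) for the infected fraction a and applies the idealized (universal) deployment case of each strategy. The contact rate K = 1.8/h, the initial infected fraction and the reaction times are assumed values, and the name blacklist_threshold is this example's own.

```python
"""Classic SI worm model with the two containment strategies compared by
Moore et al. (INFOCOM 2003), in the idealized (universal) deployment case.

a(t) is the fraction of vulnerable hosts infected and K the contact rate
(infections per infected host per hour while almost everyone is still
susceptible):  da/dt = K * a * (1 - a).

Containment with reaction time R (detect -> inform -> activate):
  - content filtering: once the worm signature is known, R hours after the
    outbreak starts, all worm traffic is dropped and a(t) freezes;
  - address blacklisting: an infected host is blocked R hours after it was
    infected, so only hosts infected within the last R hours still scan.
The constants in compare() are assumed for illustration (K = 1.8/h is the
order of magnitude usually quoted for Code-Red v2).
"""
from math import exp


def si_closed_form(a0, k, t):
    """Analytic solution of da/dt = K a (1 - a) with a(0) = a0."""
    g = a0 * exp(k * t)
    return g / (1.0 - a0 + g)


def simulate(k, a0, hours, strategy="none", reaction=0.0, dt=0.001):
    """Forward-Euler trajectory a[0..steps], one entry per dt hours.

    strategy: "none", "content" (content filtering) or "blacklist"
    (address blacklisting); reaction is R in hours.
    """
    steps = int(round(hours / dt))
    lag = int(round(reaction / dt))          # R measured in time steps
    a = [a0]
    for i in range(steps):
        if strategy == "content" and i >= lag:
            active = 0.0                      # worm traffic filtered everywhere
        elif strategy == "blacklist":
            # hosts infected more than R ago are blacklisted; the infected
            # fraction R ago is a[i - lag] (nobody was infected before t = 0)
            earlier = a[i - lag] if i >= lag else 0.0
            active = a[i] - earlier
        else:
            active = a[i]
        a.append(a[i] + dt * k * active * (1.0 - a[i]))
    return a


def compare(k=1.8, a0=1e-4, hours=24.0, reaction=2.0):
    """Infected fraction after `hours` under each strategy (assumed constants)."""
    return {s: simulate(k, a0, hours, s, reaction)[-1]
            for s in ("none", "content", "blacklist")}


def blacklist_threshold(k, reaction):
    """Reproduction number of the worm under address blacklisting: each
    host scans for R hours and seeds about K*R others while a is small.
    Below 1 the outbreak dies out instead of taking off."""
    return k * reaction
```

With a 2 h reaction time, compare() gives roughly 1.0 for no containment, 0.004 for content filtering and 0.97 for address blacklisting: blacklisting still lets the worm saturate, because every newly infected host reaches K·R ≈ 3.6 others before it is blocked, whereas content filtering freezes the outbreak at the moment the signature is deployed. Blacklisting only contains the worm when K·R < 1 (compare(reaction=0.5)), which is why the conclusion above puts reaction time and content filtering first.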

12
Analytical Active Worm Propagation (AAWP)
  • Characterizes the propagation of worms that employ random scanning
  • Spread of an active worm
  • Scanning mechanism
    • Random scanning
    • Local subnet scanning

13
AAWP vs. Epidemiological Model
  • Mathematical basis: a discrete-time model
  • Factors: patch rate and infection time
  • Extra case: several scans from the infected population hit the same
    destination in one time step

14
Simulating Code-Red v2 Worm
15
Apply AAWP Model
  • Monitoring
  • Detection Speed

16
Apply AAWP Model
  • Defense system: the LaBrea tool
  • Performance: at least 2^18 unused IP addresses

17
Conclusion
  • How can we monitor the spread of active worms accurately?
    • By monitoring a /8 network (2^24 addresses)
  • How can we detect the spread of active worms in a timely fashion?
    • With a simple sensor-based detection system
  • How can we defend against the spread of active worms effectively?
    • With LaBrea
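The AAWP recurrence of slides 12 to 17, together with the /8 sensor estimate from the conclusion, as an added example; this is not code from the presentation or from Chen, Gao and Kwiat. It computes the discrete-time random-scanning step next to the continuous epidemiological rate it refines. A single removal rate standing in for the paper's separate patch and death rates, and the Code-Red-like constants in demo(), are this example's assumptions.

```python
"""Analytical Active Worm Propagation (AAWP) model of Chen, Gao and Kwiat
(INFOCOM 2003) for a uniformly random-scanning worm, next to the continuous
epidemiological approximation it refines.

One tick is one scan interval. With n_i infected hosts, N vulnerable hosts,
s scans per infected host per tick and T = 2^32 addresses, the s*n_i scans
of a tick land independently and uniformly, so an uninfected vulnerable host
is missed by all of them with probability (1 - 1/T)^(s n_i):

    n_{i+1} = n_i + (N - n_i) * [1 - (1 - 1/T)^(s n_i)]

The epidemiological model uses the rate s n_i (N - n_i) / T instead, which
counts every scan as a fresh contact and so double-counts scans that hit a
host another scan already reached in the same tick.

Simplifications assumed here: one removal rate stands in for the paper's
separate patch and death rates, and the constants in demo() are
illustrative, not fitted to Code-Red data.
"""
from math import expm1, log1p

T = 2 ** 32                      # IPv4 address space


def new_infections_aawp(n, vulnerable, s, t=T):
    """Expected newly infected hosts in one tick under random scanning.
    1 - (1 - 1/T)^(s n) is computed as -expm1(s n * log1p(-1/T)) so it keeps
    its precision when s n is tiny compared with T."""
    susceptible = max(vulnerable - n, 0.0)
    return susceptible * -expm1(s * n * log1p(-1.0 / t))


def new_infections_epidemic(n, vulnerable, s, t=T):
    """Same quantity from the continuous SI rate, discretised per tick."""
    return max(vulnerable - n, 0.0) * s * n / t


def simulate(N, s, ticks, n0=1.0, removal=0.0, model="aawp", t=T):
    """Infected-host trajectory n_0 .. n_ticks.

    removal: fraction of infected hosts patched or crashed per tick; they
    leave both the infected and the vulnerable population (assumption).
    """
    new_inf = new_infections_aawp if model == "aawp" else new_infections_epidemic
    n, vulnerable = float(n0), float(N)
    history = [n]
    for _ in range(ticks):
        n += new_inf(n, vulnerable, s, t)
        removed = removal * n
        n -= removed
        vulnerable -= removed
        history.append(n)
    return history


def ticks_to_fraction(history, N, fraction):
    """First tick at which at least fraction*N hosts are infected, or None."""
    for i, n in enumerate(history):
        if n >= fraction * N:
            return i
    return None


def sensor_hits_per_tick(n, s, monitored=2 ** 24, t=T):
    """Expected scans per tick landing in a passively monitored block of
    `monitored` unused addresses (2^24 = one /8): each of the s n scans hits
    the block with probability monitored / T."""
    return s * n * monitored / t


def infected_from_hits(hits, s, monitored=2 ** 24, t=T):
    """Invert sensor_hits_per_tick: the n_i a /8 telescope infers."""
    return hits * t / (s * monitored)


def demo():
    """Constructed scenario: 360k vulnerable hosts, 358 scans/min per host."""
    N, s = 360_000, 358.0
    aawp = simulate(N, s, 3000)
    epi = simulate(N, s, 3000, model="epidemic")
    return {
        "aawp_half": ticks_to_fraction(aawp, N, 0.5),
        "epi_half": ticks_to_fraction(epi, N, 0.5),
        "aawp_final": aawp[-1],
        # removing 5% of infected hosts per tick beats the ~3%/tick growth
        "contained": simulate(N, s, 300, removal=0.05)[-1],
    }
```

demo() shows both models reaching half of the population at almost the same tick (the collision correction matters little while s·n_i is small against T), with the AAWP count never above the epidemiological one, and a removal rate above the worm's per-tick growth rate s·N/T ≈ 3% driving the infected count back toward zero. Local subnet scanning, also listed on slide 12, changes the hit probability of a scan and is not modelled here.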

18
Stochastic Model
  • Based on Interactive Markov Chains
  • Provides a probabilistic analysis of the system
  • Modeling approach
    • Site: a node of the graph
    • State: the collection of the statuses of all sites at a given time

19
Stochastic Model
  • Three statuses
    • Susceptible (S)
    • Infected (I)
    • Immune (M)

20
Percolation Problem
  • Small-world graph
    • N: number of nodes
    • k: connectivity
    • S: number of shortcuts

21
Percolation Problem
22
Percolation Problem
  • The critical phase of the spread of a virus is the very beginning of
    the infection

23
Conclusion
  • Interactive Markov Chains (IMC) can be used to study the dynamics of
    malware propagation in a network
  • An exact solution of the stochastic model appears to be a major
    challenge because of its high computational complexity
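A Monte Carlo version of the S/I/M small-world setting of slides 18 to 23, as an added example that is not part of the presentation or of Garetto, Gong and Towsley's paper. The exact IMC keeps a probability for each of the 3^N joint states, which is the computational cost the conclusion refers to; this block samples trajectories of the same chain instead and estimates the probability that one seed produces a large outbreak. The transition probabilities beta and gamma, the Newman-Watts construction of the small-world graph and all constants in demo() are this example's assumptions.

```python
"""Stochastic S/I/M spreading on a small-world graph, the setting of the
Interactive Markov Chain (IMC) model of Garetto, Gong and Towsley
(INFOCOM 2003), estimated here by Monte Carlo instead of solved exactly.

Each site (node) is Susceptible, Infected or iMmune; the chain's state is
the vector of all statuses. Per time step, synchronously:
  S -> I with probability 1 - (1 - beta)^j, j = number of infected neighbours
  I -> M with probability gamma (disinfected and patched, never re-infected)
The graph is a Newman-Watts small world: a ring of N sites each joined to
its k nearest neighbours plus S random shortcut edges. beta, gamma and the
parameters in demo() are this block's assumptions, not the paper's.
"""
import random

SUSCEPTIBLE, INFECTED, IMMUNE = 0, 1, 2


def small_world(n, k, shortcuts, rng):
    """Adjacency sets: ring lattice (k/2 neighbours on each side) plus
    `shortcuts` distinct extra random edges."""
    assert k % 2 == 0 and 0 < k < n
    adj = [set() for _ in range(n)]
    for i in range(n):
        for d in range(1, k // 2 + 1):
            j = (i + d) % n
            adj[i].add(j)
            adj[j].add(i)
    added = 0
    while added < shortcuts:
        a, b = rng.randrange(n), rng.randrange(n)
        if a != b and b not in adj[a]:
            adj[a].add(b)
            adj[b].add(a)
            added += 1
    return adj


def edge_count(adj):
    return sum(len(nbrs) for nbrs in adj) // 2


def step(adj, status, beta, gamma, rng):
    """One synchronous transition of every site, based on the old statuses."""
    nxt = list(status)
    for v, st in enumerate(status):
        if st == SUSCEPTIBLE:
            j = sum(1 for u in adj[v] if status[u] == INFECTED)
            if j and rng.random() < 1.0 - (1.0 - beta) ** j:
                nxt[v] = INFECTED
        elif st == INFECTED and rng.random() < gamma:
            nxt[v] = IMMUNE
    return nxt


def exposed(adj, status):
    """True while some susceptible site still has an infected neighbour."""
    return any(st == SUSCEPTIBLE and any(status[u] == INFECTED for u in adj[v])
               for v, st in enumerate(status))


def run(adj, beta, gamma, seed_site, rng, max_steps=10_000):
    """Spread from one infected site until no further infection is possible.
    Returns (final statuses, steps taken)."""
    status = [SUSCEPTIBLE] * len(adj)
    status[seed_site] = INFECTED
    steps = 0
    while steps < max_steps and exposed(adj, status):
        status = step(adj, status, beta, gamma, rng)
        steps += 1
    return status, steps


def outbreak_size(status):
    """Fraction of sites ever infected (now I or M)."""
    return sum(st != SUSCEPTIBLE for st in status) / len(status)


def large_outbreak_probability(adj, beta, gamma, trials, rng, threshold=0.5):
    """Monte Carlo P(an outbreak from one random seed reaches >= threshold)."""
    hits = 0
    for _ in range(trials):
        status, _ = run(adj, beta, gamma, rng.randrange(len(adj)), rng)
        hits += outbreak_size(status) >= threshold
    return hits / trials


def demo(seed=7):
    """Constructed scenario: 100 sites, k = 4, 20 shortcuts, seeded RNG."""
    rng = random.Random(seed)
    ring = small_world(100, 4, 0, rng)
    sw = small_world(100, 4, 20, rng)
    ring_status, ring_steps = run(ring, 1.0, 0.0, 0, rng)   # deterministic flood
    sw_status, sw_steps = run(sw, 1.0, 0.0, 0, rng)
    seed_only, _ = run(sw, 0.0, 0.5, 0, rng)               # beta = 0: nobody else
    return {
        "ring_edges": edge_count(ring), "sw_edges": edge_count(sw),
        "ring_steps": ring_steps, "sw_steps": sw_steps,
        "ring_size": outbreak_size(ring_status), "sw_size": outbreak_size(sw_status),
        "seed_only": outbreak_size(seed_only),
        "p_large": large_outbreak_probability(sw, 0.3, 0.2, 100, rng),
    }
```

demo() reports 200 ring edges against 220 with shortcuts, a deterministic flood (beta = 1, gamma = 0) that needs 25 steps on the bare ring and no more, in practice fewer, once shortcuts exist, and for beta = 0.3, gamma = 0.2 a large-outbreak probability strictly between 0 and 1: the runs that fail do so within the first few steps, when the seed is immunized before it has spread, which is the "critical phase" point of slide 22.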