Is There a Role for Modeling and Simulation in this New Battlespace

1
Is There a Role for Modeling and Simulation in
this New Battlespace?
Information Security, Virus Propagation and
Countermeasures
  • Bernard P. Zeigler
  • Professor of Electrical and Computer Engineering,
  • University of Arizona, Tucson
  • Director, Arizona Center for Integrative Modeling
    and Simulation
  • Consultant to NGIT and JITC

2
Computer Viruses: how bad is the problem?
  • Fact:
  • The "I Love You" virus spread twice as fast as
    Melissa in its first ten hours
  • affected 70 of US companies
  • cost between 100 million and 1 billion
  • Conclusion:
  • computer viruses can do great harm to our
    economic and military infrastructures
  • need countermeasures; conversely, could be a
    way to attack an adversary

3

Information Security, Virus Propagation and
Countermeasures
  • A New Battlespace: information warfare
  • Modeling and simulation has proven its worth in
    the conventional battlespace
  • Is there a Role for Modeling and Simulation in
    the new battlespace?
  • How do we start thinking about this issue?

4
M&S in the New Battlespace
  • Computer modeling and simulation has been used in
    the conventional battlespace for:
  • understanding combat in the battle field
  • weapons and systems design
  • test and evaluation
  • training
  • many other uses
  • How can we use M&S for modeling the new
    battlefield?
  • how do viruses spread?
  • how to detect them?
  • how to neutralize them?

5
Computer vs Natural Viruses
  • Are computer viruses like bio viruses?
  • How far does this common analogy stretch?
  • Does a computer get sick like a person?
  • Did the love virus infect computers and spread
    like Asian flu infects a population?

6
Recent Case In Point: MyDoom
  • Incident Report from ECE Network Administrator
  • There is a fast moving virus called MyDoom going
    around.
  • Like many viruses this one will pick an e-mail
    address from the infected system and use it in
    the From field of the virus infected message it
    sends out.
  • If your e-mail address is found on an infected
    system you will likely get a message from the
    mail server that your mail wasn't delivered.
  • This would indicate that someone you have an
    association with has the virus.
  • Sophos now has the signature to catch this virus
    and we will be pushing out the updates tonight
    and tomorrow.
  • There are likely to be a few infected systems in
    ECE and we will be conducting network scans
    tomorrow.
  • The virus comes as an attachment; you will
    probably have a significant number of these
    messages by tomorrow.
  • Just delete them and you are safe (needs to be
    opened to propagate).

7
Mode of Viral Transmission
[Diagram labels: mail server; infected computer; address book; a, b, c; from a to x; from b to x; from c to x; user opens attachment]
  • Antiviral countermeasures:
  • spread word to recognize and not to open
    attachment
  • add signature to anti-viral software
  • scan LANs and disinfect
  • turn systems off and reboot

8
Spread of Infection Through Internet
Topology of spread: neighbors are addresses in the
client's address book

9
Detecting Presence of Virus
Professor Salim Hariri is developing capability
to detect and neutralize viruses using
agent-based software technology over the Internet
[Figure labels: Normal email behavior; Abnormal email behavior; temperature; Elevated Activity Level]

10
Network Architectures of the Future, e.g.
GigBE, will allow built-in virus detection and
eradication

11
[Figure labels: sentinel source (orange) and sink (green); spreading virus; packet time marker wave; slowing up of marker wave; trigger counter-measure; spreading anti-virus; restoration of infected cells]

12
Viral and Antiviral Behavior
[Diagram labels: normal, infected, antiviral; infect, anti, revert, ping; packet wave behavior; anti-viral propagation; infection spread]

13
Sentinel Based Viral Detection
[Diagram labels: sentinel, source, sink, ping, anti]
  • periodically generate packets / flood
  • detect travel time exceeds threshold

14
Virus Propagation Model Demonstration

15
Virus Propagation and Countermeasures Design: A
New Paradigm
  • Develop models for information network
    protection applicable to new high speed
    infrastructure networks such as DoD's GIG-BE.
    Currently, there are few theories and models of
    virus propagation in large scale networks and
    design of effective counter-measures (a notable
    exception: Prof. Hariri and DARPA).
  • A framework for virus and anti-virus propagation
    and interaction has been developed in the
    Discrete Event Systems Specification (DEVS)
    formalism and implemented in the DEVSJAVA
    modeling and simulation environment. A notional
    design for detecting virus propagation and
    launching countermeasures has been implemented.
  • Continue with the development of the framework,
    research feasible mechanisms for implementation
    in network hardware and software and test and
    evaluate them through more refined simulation.
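
The sentinel scheme from the "Sentinel Based Viral Detection" slide and the notional detect-and-countermeasure design above, as an added Python sketch (not the DEVSJAVA model from the talk). Assumptions: a 1-D chain of cells, the hop delays, the threshold margin and an anti-virus wave launched from the sentinel source are all hypothetical, and the "revert" transition is left out.

```python
from enum import Enum

class Cell(Enum):
    NORMAL = "normal"
    INFECTED = "infected"
    ANTIVIRAL = "antiviral"

# Assumed forwarding cost per hop: an infected cell is busy and relays slowly.
HOP_DELAY = {Cell.NORMAL: 1, Cell.INFECTED: 4, Cell.ANTIVIRAL: 1}

def step(cells):
    """One synchronous tick of virus and anti-virus spread to neighbours."""
    nxt = list(cells)
    for i, state in enumerate(cells):
        nbrs = [cells[j] for j in (i - 1, i + 1) if 0 <= j < len(cells)]
        if state is not Cell.ANTIVIRAL and Cell.ANTIVIRAL in nbrs:
            nxt[i] = Cell.ANTIVIRAL   # "anti": restores or immunises the cell
        elif state is Cell.NORMAL and Cell.INFECTED in nbrs:
            nxt[i] = Cell.INFECTED    # "infect"
    return nxt

def ping_travel_time(cells):
    """Marker packet crosses every cell from sentinel source to sink."""
    return sum(HOP_DELAY[s] for s in cells)

def simulate(n=20, patient_zero=10, ping_every=3, slack=1.5, max_ticks=200):
    cells = [Cell.NORMAL] * n
    cells[patient_zero] = Cell.INFECTED
    threshold = slack * n * HOP_DELAY[Cell.NORMAL]  # baseline time plus margin
    detected_at, peak = None, 1
    for t in range(1, max_ticks + 1):
        cells = step(cells)
        peak = max(peak, cells.count(Cell.INFECTED))
        if (detected_at is None and t % ping_every == 0
                and ping_travel_time(cells) > threshold):
            detected_at = t
            cells[0] = Cell.ANTIVIRAL  # countermeasure launched at the source
        if detected_at is not None and Cell.INFECTED not in cells:
            return {"detected_at": detected_at, "cleared_at": t,
                    "peak_infected": peak}
    return {"detected_at": detected_at, "cleared_at": None,
            "peak_infected": peak}

if __name__ == "__main__":
    for every in (3, 8):   # constructed scenario: slower pings, bigger outbreak
        print(every, simulate(ping_every=every))
```

In this constructed scenario the ping interval sets the detection latency, and the detection latency sets how far the infection spreads before the anti-virus wave catches it.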

16
Summary
  • Interesting analogies and dis-analogies between
    natural and artificial virus propagation
  • Need formal simulation-based methodology to
    characterize viral behaviors and countermeasures
  • Current popular network simulators are too
    unwieldy to support this research and development
  • The new paradigm discussed here can!

17
More Information on M&S
www.acims.arizona.edu