Title: Is There a Role for Modeling and Simulation in this New Battlespace
1. Is There a Role for Modeling and Simulation in this New Battlespace?
Information Security, Virus Propagation and Countermeasures
- Bernard P. Zeigler
- Professor of Electrical and Computer Engineering, University of Arizona, Tucson
- Director, Arizona Center for Integrative Modeling and Simulation
- Consultant to NGIT and JITC
2. Computer Viruses: how bad is the problem?
- Fact
  - The I Love You virus spread twice as fast as Melissa in its first ten hours
  - affected 70% of US companies
  - cost between $100 million and $1 billion
- Conclusion
  - computer viruses can do great harm to our economic and military infrastructures
  - need countermeasures and, conversely, could be a way to attack an adversary
3. Information Security, Virus Propagation and Countermeasures
- A New Battlespace: information warfare
- Modeling and simulation has proven its worth in the conventional battlespace
- Is there a role for modeling and simulation in the new battlespace?
- How do we start thinking about this issue?
4. M&S in the New Battlespace
- Computer modeling and simulation has been used in the conventional battlespace for
  - understanding combat in the battlefield
  - weapons and systems design
  - test and evaluation
  - training
  - many other uses
- How can we use M&S for modeling the new battlefield?
  - how do viruses spread?
  - how to detect them?
  - how to neutralize them?
5. Computer vs Natural Viruses
- Are computer viruses like bio viruses?
- How far does this common analogy stretch?
- Does a computer get sick like a person?
- Did the love virus infect computers and spread like Asian flu infects a population?
6. Recent Case In Point: MyDoom
- Incident Report from ECE Network Administrator
  - There is a fast moving virus called MyDoom going around.
  - Like many viruses, this one will pick an e-mail address from the infected system and use it in the From field of the virus infected message it sends out.
  - If your e-mail address is found on an infected system, you will likely get a message from the mail server that your mail wasn't delivered.
  - This would indicate that someone you have an association with has the virus.
  - Sophos now has the signature to catch this virus and we will be pushing out the updates tonight and tomorrow.
  - There are likely to be a few infected systems in ECE and we will be conducting network scans tomorrow.
  - The virus comes as an attachment; you will probably have a significant number of these messages by tomorrow.
  - Just delete them and you are safe (it needs to be opened to propagate).
7. Mode of Viral Transmission
[Diagram: infected computers a, b and c send messages "from a to x", "from b to x" and "from c to x" through the mail server, using addresses taken from the address book; x becomes an infected computer when the user opens the attachment.]
- Antiviral countermeasures
  - spread word to recognize and not to open attachment
  - add signature to anti-viral software
  - scan LANs and disinfect
  - turn systems off and reboot
8. Spread of Infection Through Internet
Topology of spread: neighbors are addresses in the client's address book
9. Detecting Presence of Virus
Professor Salim Hariri is developing capability to detect and neutralize viruses using agent-based software technology over the Internet
[Figure: normal e-mail behavior vs abnormal e-mail behavior, plotted as a "temperature" showing an elevated activity level.]
10. Network Architectures of the Future, e.g. GIG-BE, will allow built-in virus detection and eradication
11. [Demonstration frames] sentinel source (orange) and sink (green)
- spreading virus
- packet time marker wave
- restoration of infected cells
- slowing up of marker wave triggers counter-measure
- spreading anti-virus
12. Viral and Antiviral Behavior
[State diagram: cell states normal, infected and antiviral; transitions labelled infect, anti and revert; ping packets. Panels: packet wave behavior, infection spread, anti-viral propagation.]
13. Sentinel Based Viral Detection
[Diagram: sentinel source and sink; ping and anti packets.]
- periodically generate packets (flood)
- detect travel time exceeds threshold
14. Virus Propagation Model Demonstration
15. Virus Propagation and Countermeasures Design: A New Paradigm
- Develop models for information network protection applicable to new high speed infrastructure networks such as DoD's GIG-BE. Currently, there are few theories and models of virus propagation in large scale networks and design of effective counter-measures (a notable exception: Prof. Hariri and DARPA).
- A framework for virus and anti-virus propagation and interaction has been developed in the Discrete Event Systems Specification (DEVS) formalism and implemented in the DEVSJAVA modeling and simulation environment. A notional design for detecting virus propagation and launching countermeasures has been implemented.
- Continue with the development of the framework, research
  - feasible mechanisms for implementation in network hardware and software, and test and evaluate them through more refined simulation.
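As an added example (not the DEVSJAVA framework or any code from this talk), the sentinel scheme of slides 11 to 13 and the virus/anti-virus interaction described above, reduced to a small discrete-event model: cells move normal -> infected -> antiviral -> normal, a sentinel pings source to sink, and a slowed packet wave launches the anti-virus wave. The line topology, all delays and the threshold are constructed values.

```python
import heapq
import itertools

# Added example, not the page's DEVSJAVA framework: a toy DEVS-style event model.
NORMAL, INFECTED, ANTIVIRAL = "normal", "infected", "antiviral"
# Delays (constructed): virus hop, anti-virus hop, revert, ping period, per-hop
# packet time and the extra delay an infected cell adds to a passing packet.
D = dict(infect=1.0, anti=0.5, revert=1.0, ping=1.0, hop=0.1, pen=1.0)

def simulate(book, path, threshold, first_infected, t_max):
    """Run the event loop; return (final states, ping log, trigger time)."""
    state = {n: NORMAL for n in book}
    immune, events, pings, trigger = set(), [], [], None
    seq = itertools.count()                        # tie-break for equal times
    def at(t, kind, node=None):
        heapq.heappush(events, (t, next(seq), kind, node))
    def on_infect(t, node):                        # user opens the attachment
        if state[node] == NORMAL and node not in immune:
            state[node] = INFECTED
            for nb in book[node]:                  # mails itself to the address book
                at(t + D["infect"], "infect", nb)
    def on_ping(t, _):                             # sentinel packet: source -> sink
        nonlocal trigger
        slow = sum(state[n] == INFECTED for n in path)
        travel = D["hop"] * len(path) + D["pen"] * slow
        pings.append((t, travel))
        if travel > threshold and trigger is None:
            trigger = t                            # marker wave slowed: countermeasure
            at(t, "anti", path[-1])                # anti-virus wave starts at the sink
        at(t + D["ping"], "ping")
    def on_anti(t, node):                          # anti-virus wave reaches a cell
        if node in immune: return
        immune.add(node); state[node] = ANTIVIRAL  # signature added: immune from now
        for nb in book[node]:
            at(t + D["anti"], "anti", nb)
        at(t + D["revert"], "revert", node)
    def on_revert(t, node): state[node] = NORMAL   # disinfected, signature kept
    handlers = dict(infect=on_infect, ping=on_ping, anti=on_anti, revert=on_revert)
    at(0.0, "infect", first_infected); at(0.0, "ping")
    while events and events[0][0] <= t_max:
        t, _, kind, node = heapq.heappop(events)
        handlers[kind](t, node)
    return state, pings, trigger

def demo():
    # Constructed topology: six cells in a line, sentinel source 0, sink 5;
    # two infected cells on the path push a ping past the 2.0 threshold.
    book = {i: [j for j in (i - 1, i + 1) if 0 <= j < 6] for i in range(6)}
    return simulate(book, list(range(6)), threshold=2.0, first_infected=2, t_max=6.0)
```

With the threshold raised so the sentinel never fires, the same run ends with every cell infected, which is the comparison the demonstration slides draw.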
16. Summary
- Interesting analogies and dis-analogies between natural and artificial virus propagation
- Need formal simulation-based methodology to characterize viral behaviors and countermeasures
- Current popular network simulators are too unwieldy to support this research and development
- The new paradigm discussed here can!
17. More Information on M&S
www.acims.arizona.edu