Post on 21-Dec-2015
Analyzing Cooperative Containment Of Fast Scanning
Worms
Jayanthkumar Kannan
Joint work with
Lakshminarayanan Subramanian, Ion Stoica, Randy Katz
Motivation
Automatic containment of worms required
Slammer infected about 95% of vulnerable population within 10 mins
Easier to write: Worm = “Propagation” toolkit + new exploit
Worm containment strategies
End-host instrumentation: CCCSRB 04, NS 05
specialized end-points
end-hosts
firewalls
core routers
Core-router augmentation: WWSGB 04 Specialized end-points (honeyfarms): P 04
Firewall-level containment: WSP 04, WESP 04
Decentralized Cooperation
Internet firewalls exchange information with each other to contain the worm Suggested in recent work: WSP 04, NRL 03, AGIKL
03 Pros of decentralization: Scales with the system size No single point of failure / administrative control
Efficacy and limitations not well understood
Questions we seek to answer
Cost of decentralization Effect of finite communication rate
between firewalls on containment
Effect of malice Impact of malicious firewalls on
containment Performance under partial
deployment
Roadmap
Abstract model of cooperation Analysis of cooperation model Numerical Results
Analytical, Simulation Conclusion
Model of Cooperation
Each firewall in the cooperative performs following actions:
Local Detection: Identify when its network is infected by analyzing outgoing traffic
Signaling: Informs other firewalls of its own infection along with filters
Filtering: A informed firewall drops incoming packets
Firewall states
Infected
Normal
Alerted/Uninfected
Detected
Successful worm scan
Local Detection
Signals SentSignal Received
Model of Signaling
Two kinds of signaling: Implicit: Piggyback signals on outgoing packets Explicit: Signals addressed to other firewalls
Setup attacks: Challenge-response verification of signals
Firewall sends false signal: Thresholding: Enter “alerted” state after receiving
signals from T different firewalls Firewall suppresses signal:
Even if up to 25% firewalls behave this way, good containment is possible
Roadmap
Abstract model of cooperation Analysis of cooperation model Numerical Results
Analytical, Simulation Conclusion
Analytical results
Main focus: Containment metric C: C = fraction of networks that escape
infection
Is Signaling Necessary? Cost of Decentralization:
Dependence of containment on signaling rate
Effect of malice: Dependence of containment on Threshold
T
Parameters used in analysis
Worm model: Scanning: Topological scanning (zero
time) followed by global uniform scanning Probability of successful probe = p Scanning rate = s Vulnerable hosts uniformly distributed
behind these firewalls Local detection model:
After infection, the time required for the infection to be detected is an exponential variable with time td
Signaling model: Explicit signals sent at rate E
Detection and Filtering
Worm probes only in interval between “infection” and “detection”
λ is the expected number of successful infections made by a infected network before detection λ = p s td Result: If λ < 1, C = 1 for large N Analogy to birth-death process
Implications Earlier worms like Blaster satisfied this constraint
Detection and Filtering (2)
Surprisingly, even if λ > 1, containment can be achieved without signaling
Intuition: As the infection proceeds, harder to find new victims λ (= p s td) effectively decreases over time
For λ = 1.5, about 40% containment For λ = 2.0, about 20% containment
λ = 2.0 for a Slammer-like worm
Analyzing Signaling
Signaling required if λ > 1
Differential equation model
For λ > 1 and σ = (λ-1)/td , the containment metric C is at least
Asympotic Variations
Implicit Signaling: Worm spreads at rate “ps” Signals sent at rate “s” Linear drop with time to detection (td) Linear drop with threshold (T)
Explicit Signaling: Implicit signaling relies on (p << 1) Explicit signals essential for high p Linear drop with 1/E Tunable parameter
Roadmap
Abstract model of cooperation Analysis of cooperation model Numerical Results
Analytical, Simulation Conclusion
Numerical Results
Parameter Settings: Scan rate set to that of Slammer Size of vulnerable population = 2 x Blaster 1,00,000 networks: 20 vulnerable hosts per
network Start out with 10 infected networks and track worm
propagation
Cost of Decentralization
Higher the detection time, lower the containment
Effect of Malice
Defends against a few hundred malicious firewalls
Conclusions
Contribution: Further the understanding of cooperative worm containment
Cost of Decentralization: With moderate overhead, good containment can be achieved
Effect of Malice: Can handle a few hundred malicious firewalls in the
cooperative
Cost of Deployment: Even with deployment levels as low as 10%, good
containment can be achieved
Detection and Filtering
Signaling
Containment vs Vulnerable population size
Containment vs Signaling Rate
Containment vs Deployment
Internet-like Scenario
Works well even under non-uniform distributions
Conclusions
Main result: with moderate overhead, cooperation can provide good containment even under partial deployment
For earlier worms, cooperation may have been unnecessary Required for the fast scanning worms of today Our results can be used to benchmark local detection
schemes in their suitability for cooperation Our model and results can be applied to:
Internet-level / enterprise-level cooperation More sophisticated worms like hit-list worms
Room for improvement in terms of robustness Verifiable signals
Hybrid architecture: Fit in “well-informed” participants in the cooperative