ACT: Attachment Chain Tracing Scheme for Email Virus Detection and Control

Jintao Xiong

Proceedings of the 2004 ACM workshop on Rapid malcode

Presented By: Adam Anthony


Outline

Significance
Basic epidemiology
Case Classifications
Transmission Chains
Quarantining
Progressive Immunization
Implementation
Discussion


Project Significance

New: First study to bring the concepts of contact tracing and a transmission chain into network security

Significant: It promises to lead to the same heightened success that biological epidemiologists have enjoyed for years

Novel: Addresses a computer virus much like a biological virus and rarely concerns itself with the technology behind the virus.


Basic Epidemiology

DNA Fingerprinting
Contact Chain Tracing


Case Classifications


Transmission Chains

Structure
Identification Algorithm
Quarantining


Structure

Diagram: hosts A, B and C linked in a chain, each link labelled "Contains Email address for"

A has a primary (layer 1 contact) link to B

All of B's unique primary links become layer 2 contacts to A

Pattern continues into layer 3, layer 4, etc.


Chain Identification Algorithm (Part 1)

1. Detect a host exceeding an activity threshold Rd

2. If the host does not belong to another chain (it is a normal case)
    1. Set it up as the first link in a new chain
    2. Set the host's category to Suspicious
    3. Set the category of all normal hosts reachable by the activity to Linked and place them in the next link in the chain


Chain Identification Algorithm (Part 2)

3. If the host does belong to another chain (it is not normal)
    1. Set the host's category to Suspicious
    2. Add the host's normal recipients to the chain and set their category to Linked

4. If the length of the chain at the host's connection is equal to a threshold K
    1. Change all suspicious cases to probable
    2. Change all linked cases to potential
    3. Send the address and category information of all nodes in the chain to the quarantine system


Quarantine Process

Policy strictness based on potential threat to the network and overall network configuration
Only for Probable or Potential cases
Hard Quarantine -- block and warn
Rational User -- no benefit, no risk
Soft Quarantine -- reduce probability of risky users


Soft Quarantine

Reduce probability of users taking risks
Based on the "Rational User Assumption"
Red flag = high risk, user less probable to open
Yellow flag = medium risk, user slightly more probable to open
Unflagged = email is safe to open


Hard VS. Soft Quarantine

Hard:
    Practically safer for a naive user
    More effective in slowing down virus spread
    False alarm = lost email

Soft:
    Requires Rational user assumption
    Less effective in slowing down virus spread
    No lost email


Experimentation

Full simulation
Generate network graphs: random and power law
Allow the network to advance one step at a time
Enforce different policies, record the results


Progressive Immunization

Selective Immunization = don't immunize all nodes

Choose which nodes to immunize: randomly, highest degree, or probable cases


Implementation Suggestions

Chain Tracing Server installed at a logical point
    Case Finding Process
    Transmission Chain Management Process

Quarantine implemented by the service-providing server (if it has it)

Run 2 TCMPs


Critical Discussion

Too much assumption of state?
Subjective design of simulation
Hard VS. Soft quarantine
Implications of progressive immunization
Scalability?


Conclusion


Questions


Appendix: Transmission Chain Management Algorithms


Algorithm: Case Finding Process

for all sending addresses do
    check ni, the number of emails host i has sent
    if ni > Rd then
        report host i and its internal recipient addresses to the Transmission Chain Management Process
    end if
end for


Algorithm: Contact Trace Stack Setup

if (i is an internal normal host) or (i is an external host but is not an index case of any existing CTS) then
    assign i to be the index case of a new CTS Si
    for all receivers of i with normal category do
        add receivers to layer 1 of CTS Si
        change receivers' category to linked
    end for
end if
if i is an internal host then
    Ci ⇐ suspicious
end if


Algorithm: Update Contact Trace Stack

Ci ⇐ suspicious
find (Si, Li), the location of i
for all ri, new recipients of i with normal category do
    Sr ⇐ Si
    Lr ⇐ Li + 1
end for
if Li = K then
    tc_finish(Si)
end if


Algorithm: Transmission Chain Finish

for all suspicious hosts in CTS Si do
    change their category to probable
end for
for all linked hosts in CTS Si do
    change their category to potential
end for
pass the address and category information of all the nodes in Si to the quarantine process
remove CTS Si
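The chain identification algorithm (Parts 1 and 2 above) and the four appendix algorithms, implemented end to end as an added Python example that is not part of the slides or of Xiong's paper. It assumes every host is internal, places the index case at layer 0 with its recipients in layer 1, and runs on a constructed three-window mail log; ChainTracer and demo are invented names.

```python
from collections import defaultdict
class ChainTracer:
    def __init__(self, rd=3, k=2):
        self.rd, self.k = rd, k                        # thresholds Rd and K
        self.category = defaultdict(lambda: "normal")  # Ci for each host
        self.location = {}                             # host -> (Si, Li): chain id, layer
        self.chains = defaultdict(set)                 # Si -> member hosts
        self.next_id, self.quarantine = 0, []          # next Si; (address, category) handed over

    def case_finding(self, sent):                      # sent: host i -> recipients of its emails
        for host, rcpts in sent.items():
            if len(rcpts) > self.rd:                   # Case Finding Process: ni > Rd, report to TCMP
                self.report(host, rcpts)

    def report(self, host, rcpts):
        """CTS Setup for a host outside any chain, CTS Update for one already in a chain."""
        if host not in self.location:                  # new index case sits at layer 0
            sid, self.next_id = self.next_id, self.next_id + 1
            self.location[host] = (sid, 0)
            self.chains[sid].add(host)
        self.category[host] = "suspicious"             # Ci <= suspicious (all hosts assumed internal)
        sid, layer = self.location[host]
        for r in rcpts:                                # normal recipients join layer Li + 1
            if self.category[r] == "normal":
                self.category[r] = "linked"
                self.location[r] = (sid, layer + 1)
                self.chains[sid].add(r)
        if layer == self.k:                            # chain reached length K
            self.tc_finish(sid)

    def tc_finish(self, sid):
        """Transmission Chain Finish: promote categories, hand over, remove the CTS."""
        promote = {"suspicious": "probable", "linked": "potential"}
        for h in self.chains.pop(sid):
            self.category[h] = promote[self.category[h]]
            self.quarantine.append((h, self.category[h]))
            del self.location[h]

def demo():
    """Constructed three-window mail log: a burst at a@corp fans out via b@corp and f@corp."""
    tracer = ChainTracer(rd=3, k=2)
    windows = [
        {"a@corp": ["b@corp", "c@corp", "d@corp", "e@corp"], "z@corp": ["y@corp"]},
        {"b@corp": ["f@corp", "g@corp", "h@corp", "i@corp"]},
        {"f@corp": ["j@corp", "k@corp", "l@corp", "m@corp"]},
    ]
    for sent in windows:
        tracer.case_finding(sent)
    return tracer
```

In the constructed log, a@corp, b@corp and f@corp end up probable and the ten hosts they reached end up potential once the chain reaches length K, while z@corp, which stayed under Rd, is never touched.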