Analyzing Cooperative Containment Of Fast Scanning

Worms

Jayanthkumar Kannan

Joint work with

Lakshminarayanan Subramanian, Ion Stoica, Randy Katz

Motivation

Automatic containment of worms required

Slammer infected about 95% of vulnerable population within 10 mins

Easier to write: Worm = “Propagation” toolkit + new exploit

Worm containment strategies

End-host instrumentation: CCCSRB 04, NS 05

specialized end-points

end-hosts

firewalls

core routers

Core-router augmentation: WWSGB 04 Specialized end-points (honeyfarms): P 04

Firewall-level containment: WSP 04, WESP 04

Decentralized Cooperation

Internet firewalls exchange information with each other to contain the worm Suggested in recent work: WSP 04, NRL 03, AGIKL

03 Pros of decentralization: Scales with the system size No single point of failure / administrative control

Efficacy and limitations not well understood

Questions we seek to answer

Cost of decentralization Effect of finite communication rate

between firewalls on containment

Effect of malice Impact of malicious firewalls on

containment Performance under partial

deployment

Roadmap

Abstract model of cooperation Analysis of cooperation model Numerical Results

Analytical, Simulation Conclusion

Model of Cooperation

Each firewall in the cooperative performs following actions:

Local Detection: Identify when its network is infected by analyzing outgoing traffic

Signaling: Informs other firewalls of its own infection along with filters

Filtering: A informed firewall drops incoming packets

Firewall states

Infected

Normal

Alerted/Uninfected

Detected

Successful worm scan

Local Detection

Signals SentSignal Received

Model of Signaling

Two kinds of signaling: Implicit: Piggyback signals on outgoing packets Explicit: Signals addressed to other firewalls

Setup attacks: Challenge-response verification of signals

Firewall sends false signal: Thresholding: Enter “alerted” state after receiving

signals from T different firewalls Firewall suppresses signal:

Even if up to 25% firewalls behave this way, good containment is possible

Roadmap

Abstract model of cooperation Analysis of cooperation model Numerical Results

Analytical, Simulation Conclusion

Analytical results

Main focus: Containment metric C: C = fraction of networks that escape

infection

Is Signaling Necessary? Cost of Decentralization:

Dependence of containment on signaling rate

Effect of malice: Dependence of containment on Threshold

T

Parameters used in analysis

Worm model: Scanning: Topological scanning (zero

time) followed by global uniform scanning Probability of successful probe = p Scanning rate = s Vulnerable hosts uniformly distributed

behind these firewalls Local detection model:

After infection, the time required for the infection to be detected is an exponential variable with time td

Signaling model: Explicit signals sent at rate E

Detection and Filtering

Worm probes only in interval between “infection” and “detection”

λ is the expected number of successful infections made by a infected network before detection λ = p s td Result: If λ < 1, C = 1 for large N Analogy to birth-death process

Implications Earlier worms like Blaster satisfied this constraint

Detection and Filtering (2)

Surprisingly, even if λ > 1, containment can be achieved without signaling

Intuition: As the infection proceeds, harder to find new victims λ (= p s td) effectively decreases over time

For λ = 1.5, about 40% containment For λ = 2.0, about 20% containment

λ = 2.0 for a Slammer-like worm

Analyzing Signaling

Signaling required if λ > 1

Differential equation model

For λ > 1 and σ = (λ-1)/td , the containment metric C is at least

Asympotic Variations

Implicit Signaling: Worm spreads at rate “ps” Signals sent at rate “s” Linear drop with time to detection (td) Linear drop with threshold (T)

Explicit Signaling: Implicit signaling relies on (p << 1) Explicit signals essential for high p Linear drop with 1/E Tunable parameter

Roadmap

Abstract model of cooperation Analysis of cooperation model Numerical Results

Analytical, Simulation Conclusion

Numerical Results

Parameter Settings: Scan rate set to that of Slammer Size of vulnerable population = 2 x Blaster 1,00,000 networks: 20 vulnerable hosts per

network Start out with 10 infected networks and track worm

propagation

Cost of Decentralization

Higher the detection time, lower the containment

Effect of Malice

Defends against a few hundred malicious firewalls

Conclusions

Contribution: Further the understanding of cooperative worm containment

Cost of Decentralization: With moderate overhead, good containment can be achieved

Effect of Malice: Can handle a few hundred malicious firewalls in the

cooperative

Cost of Deployment: Even with deployment levels as low as 10%, good

containment can be achieved

Detection and Filtering

Signaling

Containment vs Vulnerable population size

Containment vs Signaling Rate

Containment vs Deployment

Internet-like Scenario

Works well even under non-uniform distributions

Conclusions

Main result: with moderate overhead, cooperation can provide good containment even under partial deployment

For earlier worms, cooperation may have been unnecessary Required for the fast scanning worms of today Our results can be used to benchmark local detection

schemes in their suitability for cooperation Our model and results can be applied to:

Internet-level / enterprise-level cooperation More sophisticated worms like hit-list worms

Room for improvement in terms of robustness Verifiable signals

Hybrid architecture: Fit in “well-informed” participants in the cooperative