1 Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense Cliff C. Zou, Weibo Gong, Don Towsley Univ. Massachusetts, Amherst.

1

Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense

Cliff C. Zou, Weibo Gong, Don Towsley

Univ. Massachusetts, Amherst

2

Motivation: automatic mitigation and its difficulties

Fast spreading worms pose serious challenges: SQL Slammer infected 90% within 10 minutes. Manual counteractions out of the question.

Difficulty of automatic mitigation high false alarm cost. Anomaly detection for unknown worm. False alarms vs. detection speed. Traditional mitigation:

No quarantine at all … long-time quarantine until passing human’s inspection.

3

Principles in real-world epidemic disease control

Principle #1 Preemptive quarantine Assuming guilty before proven innocent

Comparing with disease damage, we are willing to pay certain false alarm cost.

Principle #2 Feedback adjustment More serious epidemic, more aggressive

quarantine action Adaptive adjustment of the trade-off between disease

damage and false alarm cost.

4

Dynamic Quarantine

Assuming guilty before proven innocent Quarantine on suspicion, release quarantine after a

short time automatically reduce false alarm cost

Can use any host-based, subnet-based anomaly detection system.

Host or subnet based quarantine (not whole network-level quarantine).

Quarantine is on suspicious port only.

A graceful automatic mitigation:No quarantine Dynamic short-time

quarantine

long-timequarantine

5

Worm detection

system

Feedback Control Dynamic Quarantine Framework (host-level)

Feedback : More suspicious, more aggressive action Predetermined constants: ( for each TCP/UDP

port) Observation variables: :# of quarantined. Worm detection and evaluation variables:

Control variables:

NetworkActivities

Worm Detection

& Evaluation

Decision & Control

Anomaly DetectionSystem

tI tt DP ,

tt HT ,

ProbabilityDamage

Quarantine timeAlarm threshold

6

Two-level Feedback Control Dynamic Quarantine Framework

Network-level quarantine (Internet scale) Dynamic quarantine is on routers/gateways of local networks. Quarantine time, alarm threshold are recommended by MWC.

Host-level quarantine (local network scale) Dynamic quarantine is on individual host or subnet in a

network. Quarantine time, alarm threshold are determined by:

Local network’s worm detection system. Advisory from Malware Warning Center.

Host-level quarantine

Malware Warning Center

tt HT ,tI

Network-level

quarantine

Local network

7

Host-level Dynamic Quarantine without Feedback Control

First step: no feedback control/optimization Fixed quarantine time, alarm threshold.

Results and conclusions: Derive worm models under dynamic

quarantine. Efficiently reduce worm spreading speed.

Give human precious time to react. Cost: temporarily quarantine some healthy hosts.

Raise/generate epidemic threshold Reduce the chance for a worm to spread out.

8

Worm modeling —simple epidemic model

Infectious

ISusceptible

Scontact

# of contacts I S

Simple epidemic model for fixed population system:

0 100 200 300 400 500 6000

0.5

1

1.5

2

2.5

3

3.5x 10

5

I(t)

t

susceptible

infectious

: # of susceptible : # of hosts

: # of infectious : infection ability

9

Worm modeling —Kermack-McKendrick model

State transition:

: # of removed from infectious : removal rate

Epidemic threshold theorem:

No outbreak happens if

susceptible infectious removed

0 10 20 30 40

1

2

3

4

5

6

7

8

9

10x 10

5

=0=N/16=N/4=N/2

t

where

: epidemic threshold

10

Analysis of Dynamic Quarantine

I(t): # of infectious S(t): # of susceptible T: Quarantine time

R(t): # of quarantined infectious Q(t): # of quarantined susceptible

1: quarantine rate of infectious 2: quarantine rate of susceptible

Without “removal”:

Assumptions:

11

Extended Simple Epidemic Model

Before quarantine:

After quarantine:

I(t)

R(t)=p’1I(t)

S(t)

Q(t)=p’2S(t)

# of contacts

Susceptible Infectious

12

Extended Simple Epidemic Model

Vulnerable population N=75,000, worm scan rate 4000/secT=4 seconds, 1 = 1, 2=0.000023 (twice false alarms per day per node)

Law of large number

R(t): # of quarantined infectious

Q(t): # of quarantined susceptible

0 200 400 600 800 10000

1

2

3

4

5

6

7

x 104

Time t (second)

I(t)R(t)500 Q(t)

0 200 400 600 800 10000

0.2

0.4

0.6

0.8

1

Time t (second)

p'1

500 p'2

0 200 400 600 800 10000

1

2

3

4

5

6

7

x 104

Time t (second)

Original systemQuarantined system

13

Extended Kermack-McKendrick Model

Before quarantine:

After quarantine:

removed

14

Extended Kermack-McKendrick Model

Population N=75,000, worm scan rate 4000/sec, T=4 seconds, 1 = 1, 2=0.000023, =0.005

R(t): # of quarantined infectious

Q(t): # of quarantined susceptible

0 300 600 900 1200 15000

1

2

3

4

5

6

7

x 104

Time t (second)

Original systemQuarantine system

0 300 600 900 1200 15000

0.2

0.4

0.6

0.8

1

Time t (second)

q'1

500 q'2

15

Dynamic Quarantine Model —Considering Human’s Counteraction

A more realistic dynamic quarantine scenario: Security staffs inspect quarantined hosts only. Not enough time to check all quarantine hosts before their

quarantine time expired --- removal only from quarantined infectious hosts R(t).

Model is similar to the Kermack-McKendrick model

Introduced Epidemic threshold:

16

Dynamic Quarantine Model —Considering Human’s Counteraction

R(t): # of quarantined infectious

Q(t): # of quarantined susceptible

Population N=75,000, worm scan rate 4000/sec, T=4 seconds, 1 = 1, 2=0.000023, =0.005

0 300 600 900 1200 15000

1

2

3

4

5

6

7

x 104

Time t (second)

Original systemQuarantine system

0 300 600 900 1200 15000

0.2

0.4

0.6

0.8

1

Time t (second)

q'1

500 q'2

17

Summary

Learn the quarantine principles in real-world epidemic disease control:

Preemptive quarantine: Assuming guilty before proven innocent Feedback adjustment: More serious epidemic, more aggressive

quarantine action Two-level feedback control dynamic quarantine

framework Optimal control objective:

Reduce worm spreading speed, # of infected hosts. Reduce false alarm cost.

Derive worm models under dynamic quarantine Efficiently reduce worm spreading speed

Give human precious time to react Raise/generate epidemic threshold

Reduce the chance for a worm to spread out