Cooperative Response Strategies for Large Scale Attack Mitigation
D. Nojiri, J. Rowe, K. Levitt, Univ. of California, Davis
DARPA Information Survivability Conference and Exposition, 2003
Presented by Hao Cheng, 2006.01
Contribution
• Builds a mathematical model of cooperative defense against large-scale worm attacks.
• Simulation results are plausible and confirm several intuitive expectations about cooperative response.
Why Cooperation & P2P?
• Large-scale Internet worm attack
• Attack: overwhelming and distributed
• Local knowledge: useless on its own
• Hierarchical control: only covers a localized region
What Problems?
• Propagation of information: slow
• Security issues
• Responses: expensive
• False alarms
– A formal study of automated mitigation control mechanisms is necessary.
– Mathematical model + simulation
Assumption
• Direct cooperation: a limited number of friend organizations
• Two states. If a member detects or is alerted to a suspicious attack:
  – follow local policy
  – block, and share information with its own set of friends.
• Rate of propagation R(mitigating response) > R(worm attacks)
Modeling
• Staniford's virus propagation model [3]. Terms of the model:
  – # of hosts to be compromised in this time slot
  – # of hosts already compromised
  – ratio of vulnerable hosts which each infected host can attack
Cont.
• Kephart's virus infection model [2]. Additional term:
  – # of infected hosts which recovered during this time slot
Mitigation Response
• Terms of the response model:
  – # of friends which are not alerted
  – cumulative severity of messages sent to its friends
  – # of response members which are alerted
  – cumulative severity of messages in the entire system
• Short comment: not all hosts are controlled by the cooperation network.
Infection Rate
• Attacks from inside/outside
• Local infection rate
• Global infection rate
• Terms of the rate expressions:
  – probability of remote attack
  – probability of local attack
Plots
(Figure: propagation rate versus time step.)
Analysis: there must be a sufficient number of cooperating members or friends.
Simulation
• Based on the Swarm simulation package: http://www.swarm.org/wiki/Main_Page
• Biological science: population dynamics.
Experimental Settings
• Internet topology: flat network.
• 5832 vulnerable hosts, 729 cooperating members (each controlling 8 hosts).
• A response device keeps an alert level and becomes "alerted" once it has received enough alert messages.
• Alerted: block + inform friends.
Analysis Results
• The greater the number of friends, the greater the suppression of the worm, the shorter the time to recover, and the more false alarms.
• A higher severity threshold gives fewer false alarms.
• Optimal friend lists are a graph-theory problem: reduce the diameter of a directed graph with a limited number of edges.
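To make the Modeling, Experimental Settings and Analysis Results slides concrete, here is a small discrete-time simulation of the set-up they describe: a flat network of cooperating members, each controlling a block of vulnerable hosts, where a member keeps an alert level, becomes alerted once enough severity has accumulated, and then blocks and notifies its friends. This is an added example, not the paper's code or equations; the update rules, the parameter names (`threshold`, `local_severity`, `message_severity`, `address_space`, `recovery_rate`) and the false-alarm definition (a member alerted before any of its own hosts was hit) are this example's own simplifications. The worm side follows the cited models loosely: each infected host probes one random address per step (Staniford), and infected hosts recover at a fixed rate and become vulnerable again (Kephart, SIS). Scan targets and recoveries are drawn from the seed and the step number only, so runs with different friend counts face exactly the same worm and can be compared directly.

```python
"""Worm spread versus cooperative alert sharing: a constructed illustration of
the model summarised above, not the paper's own equations or simulator."""
import random
from dataclasses import dataclass, field


@dataclass
class Result:
    infected: list = field(default_factory=list)   # infected hosts after each step
    alerted: list = field(default_factory=list)    # alerted members after each step
    messages_sent: int = 0
    false_alarms: int = 0   # members alerted before any of their own hosts was hit

    @property
    def peak(self):
        return max(self.infected)


def simulate(n_members=729, hosts_per_member=8, friends=8, threshold=3.0,
             local_severity=1.0, message_severity=1.0, address_space=None,
             recovery_rate=0.02, initial_infected=10, steps=100, seed=1):
    """Run the constructed model; defaults mirror the slide's 729 x 8 = 5832 hosts."""
    n_hosts = n_members * hosts_per_member
    address_space = address_space or 4 * n_hosts   # probes at >= n_hosts miss
    member_of = lambda h: h // hosts_per_member
    # Friend lists depend only on `seed`, so a parameter sweep keeps the topology.
    topo = random.Random(seed)
    k = min(friends, n_members - 1)
    friend_list = [topo.sample([m for m in range(n_members) if m != i], k)
                   for i in range(n_members)]
    level = [0.0] * n_members        # the alert level each response device keeps
    alerted = [False] * n_members
    local_hits = [0] * n_members
    infected = set(random.Random(seed + 1).sample(range(n_hosts), initial_infected))
    res = Result()
    for t in range(steps):
        # Common random numbers: every host's probe target and recovery coin are
        # drawn from (seed, t) regardless of state, so cooperation can only
        # remove infections relative to a run without it.
        draw = random.Random(seed * 1_000_003 + t)
        targets = [draw.randrange(address_space) for _ in range(n_hosts)]
        recovers = [draw.random() < recovery_rate for _ in range(n_hosts)]
        # Staniford-style spread: one probe per infected host per step; the
        # n_hosts / address_space ratio plays the "ratio of vulnerable hosts" role.
        new_inf = set()
        for h in infected:
            if alerted[member_of(h)]:
                continue                     # alerted members block outbound probes
            tgt = targets[h]
            if tgt >= n_hosts or tgt in infected or tgt in new_inf:
                continue
            m = member_of(tgt)
            if alerted[m]:
                continue                     # ... and inbound ones
            new_inf.add(tgt)
            local_hits[m] += 1
            level[m] += local_severity      # local detection raises the alert level
        infected |= new_inf
        # Kephart-style recovery (SIS): a recovered host is vulnerable again.
        infected = {h for h in infected if not recovers[h]}
        # Mitigation response: members over threshold block, clean their hosts
        # and warn their friends; warnings may cascade within the same step.
        queue = [m for m in range(n_members)
                 if not alerted[m] and level[m] >= threshold]
        while queue:
            m = queue.pop()
            if alerted[m]:
                continue
            alerted[m] = True
            if local_hits[m] == 0:
                res.false_alarms += 1        # alerted purely on friends' word
            infected = {h for h in infected if member_of(h) != m}
            for f in friend_list[m]:
                res.messages_sent += 1
                level[f] += message_severity
                if not alerted[f] and level[f] >= threshold:
                    queue.append(f)
        res.infected.append(len(infected))
        res.alerted.append(sum(alerted))
    return res


def sweep(friend_counts, **kw):
    """Peak infection, alerted members and false alarms for each friend count."""
    return {f: (r.peak, r.alerted[-1], r.false_alarms)
            for f in friend_counts for r in [simulate(friends=f, **kw)]}


if __name__ == "__main__":
    for f, (peak, alerted, false_alarms) in sweep([0, 2, 8], steps=60).items():
        print(f"friends={f:2d} peak_infected={peak:5d} "
              f"alerted_members={alerted:4d} false_alarms={false_alarms:4d}")
```

Because both runs see the same probe schedule, a cooperative run never has more infected hosts than the baseline at any step; the informative numbers are how much lower the peak is and how many false alarms a given `threshold` buys that suppression with. Raising `threshold` relative to `message_severity` is the lever the slide's second result refers to: a member then needs several warnings (or a local hit) before it blocks.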
Weakness
• The cost of the mitigation response.
• Unclear in presentation.
• Not very realistic in mathematical modeling.
  – Already pointed out during the presentation.
  – A peer can go into the alerted state not only by receiving warning information.
• Modeling results not totally convincing.
• Security problem.
Reference
1. D. Nojiri, J. Rowe, K. Levitt. Cooperative Response Strategies for Large Scale Attack Mitigation. DARPA Information Survivability Conference and Exposition, 2003.
2. Jeffrey O. Kephart, Steve R. White. Directed-Graph Epidemiological Models of Computer Viruses. IEEE Computer Society Symposium on Research in Security and Privacy, 1991.
3. Stuart Staniford, V. Paxson, N. Weaver. How to Own the Internet in Your Spare Time. USENIX Security Symposium, 2002.
4. Swarm simulation package: http://www.swarm.org/wiki/Main_Page