Cooperative Response Strategies for Large Scale Attack Mitigation D. Nojiri, J. Rowe, K. Levitt Univ of California Davis DARPA Info Survivability Conference and Exposition 2003 Presented by Hao Cheng, 2006.01

Upload: gavin-valentine

Post on 31-Dec-2015


Cooperative Response Strategies for Large Scale Attack Mitigation

D. Nojiri, J. Rowe, K. Levitt, Univ of California Davis

DARPA Info Survivability Conference and Exposition, 2003

Presented by Hao Cheng, 2006.01

Contribution

• Build a mathematical model for the cooperation defense model.

• Simulation results are plausible and confirm several meaningful insights.

Architecture

[Figure: P2P Cooperative Structure over the Internet. Labels in the diagram: alerted, block, malicious, friend protocol.]

Why Cooperation & P2P?

• Large-scale Internet worm attack

• attack: overwhelming, distributed

• local knowledge: useless

• hierarchical control: localized region

What Problems?

• Propagation of information: slow

• Security issues

• Responses: expensive

• False alarms

- A formal study of automated mitigation control mechanisms is necessary.

- Mathematical model + Simulation

Assumption

• Direct cooperation: limited number of friend organizations

• Two states. If a member detects or is alerted to a suspicious attack:

– follow local policy

– block, and share info with its own set of friends.

• Rate of propagation R(mitigating response) > R(worm attacks)

Modeling

• Staniford’s Virus Propagation Model [3]

Terms of the model:

# of hosts to be compromised in this time slot

# of hosts already compromised

ratio of vulnerable hosts which each infected host can attack

Modeling (cont.)

• Kephart’s Virus Infection Model [2]

Additional term:

# of infected hosts which recovered during this time slot.

Mitigation Response

Terms of the model:

# of friends which are not alerted.

cumulative severity of messages sent to its friends.

# of response members which are alerted.

cumulative severity of messages in the entire system.

Note: not all hosts are controlled by the cooperation network.

Infection Rate

• Attacks from Inside/Outside• Local Infection Rate:

• Global Infection Rate:

probability of remote attack

probability of local attack

Numerical Solution

The model is a system of differential equations, solved numerically.

Plots

[Plot: propagation rate vs. time step]

Analysis: a sufficient number of cooperating members (friends) is needed.

Simulation

• Based on the Swarm simulation package: http://www.swarm.org/wiki/Main_Page

• Biological science: population dynamics.

Experimental Settings

• Internet Topology – flat network.

• 5832 vulnerable hosts, 729 cooperating members (controlling 8 hosts).

• Response device keeps an alert level and becomes “alerted” once it has received enough alert messages.

• Alerted: block + inform friends.

Plots

[Plot: propagation rate vs. time step, for a varied number of friends]

Analysis Results

• The greater the number of friends, the greater the suppression of the worm and the shorter the time to recover, but the more false alarms.

• The higher the severity threshold, the fewer the false alarms.

• Optimal friend lists: a graph-theory problem, reducing the diameter of a directed graph with a limited number of edges.
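The modeling slides above give only the names of the equation terms, and the simulation slides describe the experiment without its code. As an added example (not the paper's model or its Swarm simulation), the following Python steps a simplified mean-field version of the same ingredients numerically, as the Numerical Solution slide suggests, and sweeps the length of the friend list, which is the experiment behind the "varied number of friends" plot and the Analysis Results. Only the 5832 hosts, 729 members and 8 hosts per member come from the slides; the logistic worm form is the random-constant-spread model of Staniford et al. [3], and the per-step detection probability, the message severity and threshold, the contact rate and the random symmetric friend lists are assumptions of this example.

```python
"""Mean-field model of a worm versus a P2P cooperative response, stepped numerically.

Added example, not the paper's model or its Swarm simulation.  Assumptions:
  * Worm: logistic "random constant spread" form da/dt = K a (1 - a) from
    Staniford et al. [3], applied to hosts that are still unblocked.  Scans
    aimed at blocked hosts are wasted, so the denominator stays the full pool V.
  * Response: each member controls H hosts.  A member becomes alerted by local
    detection (a compromised host under its control is noticed with probability
    p_detect per step) or when the cumulative severity of alert messages from
    alerted friends reaches a threshold.  An alerted member blocks (its hosts
    can neither be attacked nor attack) and messages each friend not yet alerted.
  * Friend lists are random and symmetric, so a friend is alerted with
    probability equal to the alerted fraction (mean-field assumption).
Only 5832 hosts, 729 members and 8 hosts per member come from the slides.
"""
from dataclasses import dataclass
from typing import Optional

V = 5832      # vulnerable hosts (slide: Experimental Settings)
M = 729       # cooperating members (slide: Experimental Settings)
H = V // M    # hosts controlled per member = 8 (slide: Experimental Settings)


@dataclass
class Params:
    friends: int              # F: length of each member's friend list
    threshold: float = 2.0    # cumulative severity that trips a member (assumed)
    severity: float = 1.0     # severity carried by one alert message (assumed)
    k: float = 0.5            # worm contact rate per time step (assumed)
    p_detect: float = 0.3     # per-step chance a member notices a compromised host (assumed)
    steps: int = 200          # time steps to integrate


@dataclass
class Outcome:
    compromised: float        # hosts compromised by the end (active + quarantined)
    alerted: float            # fraction of members alerted by the end
    false_alarms: float       # members alerted while none of their hosts was compromised
    global_alert_step: Optional[int]  # step at which message severity tripped all remaining members


def simulate(p: Params) -> Outcome:
    active = 1.0          # compromised hosts in unblocked segments (one initial victim)
    quarantined = 0.0     # compromised hosts now isolated behind a block
    alerted = 0.0         # fraction of members in the alerted state
    cum_severity = 0.0    # mean cumulative message severity seen by a not-yet-alerted member
    false_alarms = 0.0
    global_alert_step = None

    for t in range(1, p.steps + 1):
        unblocked = (1.0 - alerted) * V
        if unblocked <= 0.0 or active <= 0.0:
            break                                   # worm has nothing left to reach
        # Worm step: logistic spread, capped so active never exceeds the reachable pool.
        new = p.k * active * (unblocked - active) / V
        active += max(0.0, min(new, unblocked - active))

        # Response step 1, local detection: members with at least one compromised host.
        frac_with_victim = 1.0 - (1.0 - active / unblocked) ** H
        newly = frac_with_victim * p.p_detect       # share of non-alerted members tripped locally

        # Response step 2, alert messages: F friends, each alerted with probability `alerted`.
        cum_severity += p.friends * alerted * p.severity
        if cum_severity >= p.threshold:
            newly = 1.0                             # every remaining member trips on messages
            if global_alert_step is None:
                global_alert_step = t

        # Members tripped without a compromised host of their own count as false alarms.
        false_alarms += (1.0 - alerted) * M * max(0.0, newly - frac_with_victim)

        # Newly alerted members block: their share of compromised hosts is quarantined.
        quarantined += newly * active
        active -= newly * active
        alerted += newly * (1.0 - alerted)

    return Outcome(active + quarantined, alerted, false_alarms, global_alert_step)


def sweep_friends(friend_counts=(0, 2, 8, 32), **overrides) -> dict:
    """Vary the friend-list length, holding every other parameter fixed."""
    return {f: simulate(Params(friends=f, **overrides)) for f in friend_counts}


if __name__ == "__main__":
    for f, o in sweep_friends().items():
        print(f"friends={f:2d}  compromised={o.compromised:7.1f}  alerted={o.alerted:.3f}  "
              f"false_alarms={o.false_alarms:6.1f}  global_alert_step={o.global_alert_step}")
```

Running `sweep_friends()` reproduces the qualitative result of the Analysis Results slide: a longer friend list makes the mean cumulative severity cross the threshold earlier, which freezes the compromised count sooner (more suppression) but trips members whose own hosts are clean (false alarms). Raising `threshold` delays that global alert, generally letting more hosts be compromised before the block while leaving fewer members alerted without a victim of their own. Because the mean-field treatment trips every remaining member at once when the mean severity crosses the threshold, the model is deterministic and the compromised count is non-increasing in the number of friends; the paper's Swarm simulation tracks individual members and their actual friend graphs instead.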

Weakness

• The mitigation response cost.

• Unclear in presentation.

• Not very realistic in the math modeling.

– already pointed out during the presentation.

– a peer can enter the alerted state not only by receiving the warning information.

• Modeling results not totally convincing.

• Security problem.

Improvement

• Study the pointed-out problems.

• Optimal friend lists need to be considered more seriously.

Reference

1. D. Nojiri, J. Rowe, K. Levitt. Cooperative Response Strategies for Large Scale Attack Mitigation. DARPA Info Survivability Conference and Exposition, 2003.

2. Jeffrey O. Kephart, Steve R. White. Directed Graph Epidemiological Models of Computer Viruses. IEEE Computer Society Symposium on Research in Security and Privacy, 1991.

3. Stuart Staniford, V. Paxson, N. Weaver. How to Own the Internet in Your Spare Time. USENIX Security Symposium, 2002.

4. http://www.swarm.org/wiki/Main_Page

Questions?