Posted on 21-Dec-2015
On the Effectiveness of Automatic Patching
Milan Vojnović & Ayalvadi Ganesh
Microsoft Research
Cambridge, United Kingdom
WORM’05, Fairfax, VA, USA, Nov 11, 2005
2
Problem
Worms tend to appear soon after public vulnerability disclosure: Witty (1 day)
Nightmare: zero-day worm, i.e. the worm appears before the patch is released
Patching must be automatic (detection, patch generation, delivery, installation)
3
Problem (cont’d)
Problem: how fast must patch delivery be to contain a worm?
Our results: random scanning worms; goal: analytical bounds
Other worms: future work
4
Hierarchical patch delivery
[Figure: hierarchical patch delivery, with labels: patching server, subnet, client, overlay]
Special case: single subnet = centralized solution
5
Rest of the talk
Models and required patching rates to contain worms by: patching; patching & filtering; P2P patching
Conclusion
6
Susceptible-Infective: model of worm spread
Infected host scans the IP address space at the instants of a Poisson process (rate symbol lost in extraction)
Independent at distinct hosts
Rate of successful scans: proportional to N (full expression lost in extraction)
I(t) = number of infected hosts at time t: a Markov process
High-level: model ignores network latency, congestion
7
Susceptible-Infective (2)
[Figure: number of infected hosts (0 to 360,000) versus time in hours (0 to 24)]
Large population limit: N→∞, η/Ω fixed
i(t) = I(t)/N : fraction of infected hosts
i(t) : density-dependent Markov process
Converges uniformly to the deterministic limit ODE: (d/dt) i(t) = β i(t) [1 − i(t)]
Used to model worms (Staniford+02)
1/β = 40 min (Code Red), 10 sec (Slammer)
8
Patching: one subnet
Hosts poll the patching server at the polling frequency (the slide's symbol for it was lost in extraction); s(t) = fraction of susceptible hosts:
(d/dt) s(t) = −β i(t) s(t) − (polling frequency) s(t)
(d/dt) i(t) = β i(t) s(t)
Result: implicit equation for the final fraction of infectives i(∞):
i(∞) + (polling frequency / β) log[ i(∞) / i(0) ] = i(0) + s(0)
9
Patching: one subnet (2)
Implication: i(∞) ≤ i(0) exp[ (β / polling frequency) (i(0) + s(0)) ]
Exponential in the ratio of worm rate to patch rate!
Bound is tight whenever β / (polling frequency) is small = effective containment
[Figure: 10000 vulnerable hosts; final fraction of infectives against the bound i(∞) ≤ i(0) exp[ (β / polling frequency) (i(0) + s(0)) ]]
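As an added worked example (not part of the talk): integrating the one-subnet patching ODE numerically and checking it against the implicit equation for i(∞) and the exponential bound. The polling frequency is written as mu, an assumed symbol since the slide's own symbol was lost in extraction; beta is the worm rate as on the slides.

```python
# Added example, not from the talk: one-subnet patching model of the slides.
# Assumed symbols: beta = worm's successful-scan rate (as on the slides),
# mu = polling (patch) rate (the slide's own symbol was lost in extraction).
import math


def rhs(beta, mu, i, s):
    """di/dt = beta*i*s, ds/dt = -beta*i*s - mu*s (infectives stay infected)."""
    return beta * i * s, -beta * i * s - mu * s


def simulate(beta, mu, i0, s0, t_end=20.0, dt=0.01):
    """Integrate the ODE with fixed-step RK4; returns (i, s) at t_end."""
    i, s = i0, s0
    for _ in range(int(round(t_end / dt))):
        k1i, k1s = rhs(beta, mu, i, s)
        k2i, k2s = rhs(beta, mu, i + dt / 2 * k1i, s + dt / 2 * k1s)
        k3i, k3s = rhs(beta, mu, i + dt / 2 * k2i, s + dt / 2 * k2s)
        k4i, k4s = rhs(beta, mu, i + dt * k3i, s + dt * k3s)
        i += dt / 6 * (k1i + 2 * k2i + 2 * k3i + k4i)
        s += dt / 6 * (k1s + 2 * k2s + 2 * k3s + k4s)
    return i, s


def final_infectives(beta, mu, i0, s0, tol=1e-12):
    """Solve the slide's implicit equation i + (mu/beta) log(i/i0) = i0 + s0
    for i = i(inf) by bisection; the left side is increasing in i."""
    lo, hi = i0, i0 + s0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if mid + (mu / beta) * math.log(mid / i0) < i0 + s0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def exp_bound(beta, mu, i0, s0):
    """The slide's bound i(inf) <= i0 * exp((beta/mu) * (i0 + s0))."""
    return i0 * math.exp((beta / mu) * (i0 + s0))


if __name__ == "__main__":
    beta = 1.5                   # per hour: 1/beta = 40 min (the Code Red figure)
    i0, s0 = 1e-4, 1 - 1e-4      # constructed: one infected host in 10,000
    for mu in (3.0, 0.5, 0.15):  # beta/mu = 0.5, 3, 10
        i_sim, _ = simulate(beta, mu, i0, s0, t_end=200.0)
        print(f"beta/mu={beta / mu:4.1f} simulated i(inf)={i_sim:.4e} "
              f"implicit={final_infectives(beta, mu, i0, s0):.4e} "
              f"bound={exp_bound(beta, mu, i0, s0):.4e}")
```

For beta/mu = 0.5 the bound and the true i(∞) agree to about four digits, while for beta/mu = 10 the bound exceeds 1 and says nothing, matching the slide's tightness remark.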
10
Patching: multiple subnets
[Figure: hierarchical patch delivery, with labels: patching server, subnet, client, overlay]
11
Patching: multiple subnets
Overlay abstracted by a broadcast curve: g(t) = fraction of alerted patch servers at time t
Examples: known broadcast time T (g reaches 1 at t = T); logistic function; flooding on Pastry
[Figure: two example broadcast curves g(t) rising from 0 to 1 over t, one with a known broadcast time T and one logistic]
12
Patching: multiple subnets (2)
(d/dt) w(t): driven by w(t) and the broadcast curve g(t) (expression lost in extraction)
(d/dt) s(t) = −β i(t) s(t) − (patching rate at time t, a function of w(t)) s(t)
(d/dt) i(t) = β i(t) s(t)
(S,I) dynamics same as for one subnet, but the patching rate is a function of time
13
Minimum broadcast curve
A curve that lower-bounds every broadcast curve of an overlay
Result: using a minimum broadcast curve yields an upper bound on the fraction of infected hosts
[Figure: minimum broadcast curve compared with flooding over Pastry]
14
Patching: multiple subnets (…)
Result: implicit equation for i(∞) in terms of i(0), s(0), w, g(0) and log terms (expression lost in extraction)
Result: for g(t) a logistic function with the rate ratio fixed, both remaining terms tend to be small (symbols lost in extraction)
“overlay diameter”
15
Patching & filtering
i0(t) = fraction of infectives in non-alerted subnets; s0(t) = same for susceptible hosts
[Figure: an alerted patch server, with "block" labels on its subnet's links]
(d/dt) g(t) = (alert rate) g(t) [1 − g(t)]
(d/dt) s0(t) = −β i0(t) s0(t) − (alert rate) g(t) s0(t)
(d/dt) i0(t) = β i0(t) s0(t) − (alert rate) g(t) i0(t)
(the slide's symbol for the alert rate coefficient was lost in extraction)
16
Patching & filtering (2)
Result: closed-form expressions for i0(t) and s0(t) in terms of u(t) = g(t)/g(0) and a primed constant (symbol lost in extraction) = (i0(0)+s0(0))/(1−g(0)); the full expressions were lost in extraction
[Figure: i0(t) versus t]
After a subnet becomes alerted, it “decouples” from the rest of the system
17
P2P
Two epidemics: the worm and the patch; the patch epidemic has the larger spread rate
(d/dt) p(t) = (patch spread rate) p(t) [1 − i(t) − p(t)]
(d/dt) i(t) = β i(t) [1 − i(t) − p(t)]
Result: i(∞) = i(0) [ (1 − i(∞)) / p(0) ]^(β / patch spread rate), hence i(∞) ≤ i(0) exp[ (β / patch spread rate) log(1 / p(0)) ]
18
Conclusion
Random scanning worms can be effectively contained, presuming the patch rate is sufficiently larger than the worm rate
Need to constrain the worm rate
Future work: subnet-preference worms, topological worms?
19
More
http://research.microsoft.com/~milanv/immunology.htm
Thanks!