peer-to-peer system-based active worm attacks: modeling, analysis and defense
DESCRIPTION
Peer-to-peer system-based active worm attacks: Modeling, analysis and defense. Wei Yu, Sriram Chellappan, Xun Wang, Dong Xuan. Computer Communications 31 (2008). Outlines. Introduction Modeling P2P-based active worm attacks Analyzing P2P-based active worm attacks - PowerPoint PPT PresentationTRANSCRIPT
112/04/21 1
Peer-to-peer system-based active worm attacks: Modeling, analysis and defense
Wei Yu, Sriram Chellappan, Xun Wang, Dong Xuan
Computer Communications 31 (2008)
2112/04/21
Outlines
Introduction Modeling P2P-based active worm attacks Analyzing P2P-based active worm attacks Defending against P2P-based active worm attacks Performance evaluation Final remarks
Introduction
Automatically propagate themselves and compromise hosts in the Internet.
Traditional worms predominantly adopt the random-based scan approach to propagate.
A more powerful worm attack strategy is the hit-list strategy, which collects a list of IP addresses prior to the attack to improve success rate of infection.
P2P systems can be a potential vehicle for the attacker.
3112/04/21
Modeling P2P-based active worm attacks
In general, there are two stages in an active worm attack: (1) scanning the network to select victim hosts;
(2) infecting the victim after discovering its vulnerability.
Pure Random Scan (PRS) Only 24% of addresses in the Internet space are used.
4112/04/21
Offline P2P-based hit-list scan (OPHLS)
The attacker collects IP address information of the P2P system offline. We denote this as the hit-list of the attacker.
After obtaining the hit-list,, there are two phases of attack model:
First, all newly infected hosts continuously attack the hit-list until all hosts in the hit-list have been scanned (called the P2P system attack phase).
In the second phase, all infected hosts continue to attack the Internet via PRS.
5112/04/21
Online P2P-based scan (OPS)
The host immediately launches the attack on its P2P neighbors as a high priority (using 60% of its attack capability), and attack the rest of the Internet with its remaining capability (40%) via PRS.
Note that there are two types of P2P systems: structured and unstructured. In the OPHLS model, it is the same in both types of
systems, since the attacker predetermines the hit-list before attacks.
In the OPS model, the number of neighbors is quite different.
6112/04/21
Model parameters
(1) P2P system size: A Super-P2P system. The size is the total number of users, denoted as m. The
remaining hosts are a part of the Non-P2P system. (2) P2P structured/unstructured topology:
Structured: all P2P nodes maintain the similar number of neighbors (average topology degree is ).
Unstructured:
is the mean value of topology degree, is a constant for a given , and denotes the power law degree.
7112/04/21
8112/04/21
9112/04/21
Analyzing P2P-based active worm attacks
In the OPHLS attack model,
Recursive formulas:
10112/04/21
Analyzing P2P-based active worm attacks
In the OPS attack model,
11112/04/21
Defending against P2P-based active worm attacks Defense framework:
Control center: it can be a system deployed node, or a stable P2P node itself.
A number of volunteer defense hosts: worm detection and response.
Threshold-based and trend-based worm detection schemes.
Threshold-based scheme: simple and easy to apply,but high false alarm rates.
12112/04/21
Performance evaluation
<SYS; ATT; DE> SYS: ATT: , where
OPSS & OPUS: the Online P2P-based scan attack model for the structured and unstructured P2P system.
DE: , where
WB: denotes results obtained using simulations for the which one attack model.D: Trend-based detection (D1), Threshold-based detection(D2)
13112/04/21
Worm Attack Performance Comparision of All Attack Models
14112/04/21
The Sensitivity of Attack Performance to P2P System Size
15112/04/21
The Sensitivity of Attack Performance to P2P Topology Degree
16112/04/21
OPSS(degree #)
The Sensitivity of Attack Performance to P2P Host Vulnerability
17112/04/21
The Sensitivity of Defense Performance to Different Attack Models
18112/04/21
Sensitivity of Detection Time to Defense Host Ratio
19112/04/21
Sensitivity of Detection Time to Defense Region Size
20112/04/21
The defense region size g denotes a region with a group of P2P defense hosts within g P2P hops from the region leader.
Region False Alarm Rate vs. Host False Alarm Rate
21112/04/21
Final remarks
P2P systems are gaining rapid popularity in the Internet. We believe that P2P-based active worm attacks are very dangerous threats for rapid worm propagation and infection.
Model and analyze P2P-based active worm propagation.
Design effective defense strategies against them. An offline P2P-based hit-list attack model (OPHLS)
and an online P2P-based attack model (OPS).
22112/04/21