Stopping computer viruses through dynamic immunization
E. Shir, J. Goldenberg, Y. Shavitt, S. Solomon


The War on Viruses Is Being Lost

A recent British survey conducted by PwC:
- 93% of British businesses have installed an anti-virus solution
- Nonetheless, 50% (68% of the large ones) have reported suffering from virus infection in the last year
- And the situation gets worse and worse…

Why would I buy software which guarantees merely a 32% success rate?

Virus Spread in a Networked World

Several spread mechanisms for malicious code:
- Email infection
- Worms
- Web vulnerabilities
- Note: diskette/CD infections are not included

Similar behavior, different overlay networks:
- Address book network (social network)
- LAN/WAN (Internet routing network)
- Web links network

All broad-scale networks can be modeled by a scale-free network model.

Most of the economic damage is caused by denial of network services and not by information loss!

The Anti-Virus Industry

The current anti-virus approach has not been updated since its incubation and is the same as in the "diskette virus" age:
- The anti-virus software defends only its owner
- A new threat defense must be updated centrally
- No real immunization against new viruses
- The distribution of anti-virus updates is a slow, stochastic process compared to the rapid spread of the viruses; the virus always has the upper hand

Current Immunization Schemes

- Focus on changing the topology of the network through node immunization, so as to introduce an epidemic threshold (random nodes, targeted hubs, neighbors of random nodes) before the epidemic arrives
- Static in nature (do not interact with the infection process)

New Virus-Fighting Paradigms

- Distributed immunization revisited
- Partially uncorrelated networks
- Honey traps and shrinking a small world

An Anti-Virus Paradigm for a Networked World: Distributed Immunization

- "Spread the word": "infecting" my neighborhood with new threat information in real time
- It is enough to shout "danger". Speed is more important than thorough analysis
- We want to immunize uninfected nodes, rather than curing infected ones
- We want to suppress the infected cluster

An Anti-Virus Paradigm for a Networked World: Partially Uncorrelated Overlay Networks

- Spread the anti-virus on a similar but not identical network
- E.g. the virus moves on the email network, while the anti-virus moves on the email plus the SMS networks
- We change the topology for the anti-virus while leaving the virus topology intact, thus allowing the anti-virus to win
- Conjecture: for large enough networks, the virus cluster can be contained to any desirable portion of the network, if there are enough links that are unique to the anti-virus network

Honey Traps – Shrinking a Small World

- How do we engineer an effective system that can immunize distributively using a partially uncorrelated network?
- Use a set of fully connected honey traps
- Effectively, a small number of them shrinks the network considerably for the anti-virus by creating a virtual super-hub

Initial Math Analysis

We statistically analyze the model as an interacting random branching process on a graph.

Without anti-virus, the virus cluster layers are given by:

=>

With the anti-virus, the ratio of the infected to immunized cluster sizes takes the form:

This ratio is thus inversely proportional to the relative edge addition.

Model Description

Possible node states:
1. Neutral
2. Infected
3. Immunized
4. Infected and immunizing (conforming to SIR)

Edge types:
1. Common
2. Virus only
3. Anti-virus only


Model Description (Cont.)

Rules of the dynamics:
1. Stochastic: each process has an occurrence probability centered around a typical time scale (delay). Deterministic: constant delay.
2. The processes which occur are:
   a. Infection – an infected node infects a neighbor which was neutral
   b. Birth of an anti-virus – an infected node creates an anti-virus and sends it to a neutral neighbor
   c. Immunization – an immunized node sends an anti-virus to a neutral neighbor
   d. In the Honey Traps model, only the honey traps can create an anti-virus
3. Once immunized or infected, a node cannot change its status

Model Description (Cont.)

- Both the virus and the anti-virus can move on edges of type "common". Each of them can also move on edges of its own specific type
- By definition, there is always only one cluster of infected nodes. This is not true for the anti-virus
- In the scale-free case, the typed degrees of a node are correlated (a "common" hub will also be a "virus" and an "anti-virus" hub, though possibly on a different scale)
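The deterministic variant of the model described above can be run as a small event-driven simulation; this is an added example, not code from the slides or the authors. It assumes a random (Erdős–Rényi style) graph, unit hop delays, ties resolved in favour of the virus, an outbreak that starts at the best-connected node, and senders that forward to all neighbors; the function and parameter names are hypothetical.

```python
import heapq
import random

NEUTRAL, INFECTED, IMMUNE = 0, 1, 2
VIRUS, ANTI = 0, 1  # event kinds; VIRUS sorts first, so ties go to the virus

def random_edges(n, mean_degree, rng):
    """Random (Erdos-Renyi style) edge list with the given mean degree."""
    return [(rng.randrange(n), rng.randrange(n))
            for _ in range(int(n * mean_degree / 2))]

def simulate(n=3000, common=4, virus_only=0, av_only=0, gap=1, seed=7):
    """Run one constant-delay outbreak; return (infected, immunized) fractions."""
    rng = random.Random(seed)
    vir_adj = [[] for _ in range(n)]  # edges the virus can use
    av_adj = [[] for _ in range(n)]   # edges the anti-virus can use
    for degree, targets in ((common, (vir_adj, av_adj)),
                            (virus_only, (vir_adj,)),
                            (av_only, (av_adj,))):
        for a, b in random_edges(n, degree, rng):
            for adj in targets:
                adj[a].append(b)
                adj[b].append(a)
    # Assumption: the outbreak starts at the best-connected node (worst case).
    start = max(range(n), key=lambda v: len(vir_adj[v]))
    state = [NEUTRAL] * n
    events = [(0, VIRUS, start)]
    while events:
        t, kind, node = heapq.heappop(events)
        if state[node] != NEUTRAL:    # rule 3: status never changes
            continue
        if kind == VIRUS:
            state[node] = INFECTED
            for nb in vir_adj[node]:  # (a) infection, one time unit per hop
                heapq.heappush(events, (t + 1, VIRUS, nb))
            delay = gap + 1           # (b) anti-virus is born after the gap
        else:
            state[node] = IMMUNE
            delay = 1                 # (c) immunized nodes forward at once
        for nb in av_adj[node]:
            heapq.heappush(events, (t + delay, ANTI, nb))
    return state.count(INFECTED) / n, state.count(IMMUNE) / n

def compare(av_only=8):
    """Same outbreak without and with anti-virus-only links."""
    return simulate(av_only=0), simulate(av_only=av_only)

if __name__ == "__main__":
    print(compare())
```

With only common edges the anti-virus always trails the virus by the delay gap and immunizes nobody; the anti-virus-only links are what let it get ahead of the infected cluster.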

Empirical Survey of Email/SMS Networks

- We surveyed hundreds of people, eventually obtaining a sample set containing 513 answers
- People were asked for the size of their address book, the size of their phone book and the corresponding overlap

Empirical Survey of Email/SMS Networks – Results

- The address book data exhibited a close to power-law distribution with exponent = -0.75
- The phone book data exhibited a power-law tail with exponent = -1.88
- The average overlap was only 32.6%

Results

We studied both random and scale-free networks, in both deterministic and stochastic settings.

We checked the dependence on the following parameters:
- Characteristic delay gap between infection and virus birth
- Dependence on common, virus and anti-virus edge density
- Dependence on honey traps

[Figure: Dependence on delay gap (Random, common density=0.01)]

[Figure: Dependence on delay gap (Scale Free – common, virus, anti=1)]

[Figure: Dependence on anti-virus edges degree (Random – delay gap=20, common degree=10)]

The virus cluster can be suppressed to any desirable size by adding more anti-virus links.

[Figure: Dependence on link addition (SF – delay gap=0)]

[Figure: Dependency on immunizing links density – random link addition (networks of 100000-170000 nodes)]

[Figure: Dependency on honey traps density (100000-node network). Virus cluster size as a function of honey traps density; x-axis: Honey Traps Density, y-axis: Virus Cluster Size]

[Figure: Dependence on the exponent (delay gap=20, common=1, anti=1)]

Future Directions

Further in the future: test and implement in the real world with DIMES and PlanetLab