Stopping computer viruses through dynamic immunization
E. Shir, J. Goldenberg, Y. Shavitt, S. Solomon
The War on Viruses Is Being Lost
A recent British survey conducted by PwC:
93% of British businesses have installed an anti-virus solution
Nonetheless, 50% (68% of the large ones) reported suffering a virus infection in the last year
And the situation gets worse and worse...
Why would I buy software which guarantees merely a 32% success rate?
Virus Spread in a Networked World
Several spread mechanisms for malicious code: email infection, worms, web vulnerabilities (note: diskette/CD infection is not included)
Similar behavior, different overlay networks: address book network (social network), LAN/WAN (Internet routing network), web links network
All are broad-scale networks and can be modeled by a scale-free network model
Most of the economic damage is caused by denial of network services, not by information loss!!
The Anti-Virus Industry
The current anti-virus approach has not been updated since its incubation and is the same as in the "diskette virus" age:
The anti-virus software defends only its owner
A new threat defense must be updated centrally
No real immunization against new viruses
The distribution of the anti-virus updates is a slow, stochastic process; compared to the rapid spread of the viruses, the virus always has the upper hand.
Current Immunization Schemes
Focus on changing the topology of the network through node immunization (random nodes, targeted hubs, neighbors of random nodes), so as to introduce an epidemic threshold before the epidemic arrives
Static in nature (do not interact with the infection process)
New Virus Fighting Paradigms
Distributed immunization revisited
Partially uncorrelated networks
Honey traps and shrinking a small world
An Anti-Virus Paradigm for a Networked World: Distributed Immunization
"Spread the word": "infecting" my neighborhood with new threat information in real time
It is enough to shout "danger"; speed is more important than thorough analysis
We want to immunize uninfected nodes, rather than cure infected ones
We want to suppress the infected cluster
An Anti-Virus Paradigm for a Networked World: Partially Uncorrelated Overlay Networks
Spread the anti-virus on a similar but not identical network
e.g. the virus moves on the email network; the anti-virus moves on the email plus the SMS networks
We change the topology for the anti-virus while leaving the virus topology intact, thus allowing the anti-virus to win
Conjecture: for large enough networks, the virus cluster can be contained to any desirable portion of the network, if there are enough links that are unique to the anti-virus network
Honey Traps: Shrinking a Small World
How do we engineer an effective system that can immunize in a distributed manner using a partially uncorrelated network?
Use a set of fully connected honey traps
Effectively, a small number of them shrinks the network considerably for the anti-virus by creating a virtual super-hub
Initial Math Analysis
We statistically analyze the model as an interacting random branching process on a graph
Without anti-virus, the virus cluster layers are given by:
=>
With the anti-virus, the ratio of the infected to immunized cluster sizes takes the form:
This ratio is thus inversely proportional to the relative edge addition
Model Description
Node possible states:
1. Neutral
2. Infected
3. Immunized
4. Infected and immunizing (conforms to SIR)
Edge types:
1. Common
2. Virus only
3. Anti-virus only
Model Description (cont.)
Rules of the dynamics:
1. Stochastic: each process has an occurrence probability centered around a typical time scale (delay). Deterministic: constant delay
2. The processes which occur are:
a. Infection: an infected node infects a neighbor which was neutral
b. Birth of an anti-virus: an infected node creates an anti-virus and sends it to a neutral neighbor
c. Immunization: an immunized node sends an anti-virus to a neutral neighbor
d. In the honey traps model, only the honey traps can create an anti-virus
3. Once immunized or infected, a node cannot change its status
Model Description (cont.)
Both the virus and the anti-virus can move on edges of type "common". Each of them can also move on its own typed edges
By definition, there is always only one cluster of infected nodes. This is not true for the anti-virus
In the scale-free case, the typed degrees of a node are correlated (a "common" hub will also be a "virus" and an "anti-virus" hub, though possibly on a different scale)
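The following Python example is added here and is not the authors' code: it implements a deterministic, synchronous version of the rules above (node states, the three edge types, rules a-d and rule 3) on a constructed 8-node line topology, and runs the same seed infection on four variants: the anti-virus confined to the virus's own network, one link unique to the anti-virus overlay (the "partially uncorrelated" idea from the earlier slides), the same link with a shorter delay gap, and a honey-trap pair fully connected by anti-virus-only edges. The synchronous "reach all neutral neighbors per step" rule, the delay-gap convention, and the tie rule (a neutral node reached by both processes in one step is infected) are simplifying assumptions, not taken from the slides.

```python
"""Toy deterministic simulation of competing virus / anti-virus spreading.
Added example; not the authors' simulator. Topology and parameters are constructed."""

NEUTRAL, INFECTED, IMMUNE = "neutral", "infected", "immune"


class TypedGraph:
    """Undirected graph whose edges carry one of the slide's three types:
    'common' (both processes), 'virus' (virus only), 'anti' (anti-virus only)."""

    def __init__(self, n):
        self.n = n
        self.common = [set() for _ in range(n)]
        self.virus_only = [set() for _ in range(n)]
        self.anti_only = [set() for _ in range(n)]

    def add_edge(self, u, v, kind):
        adj = {"common": self.common, "virus": self.virus_only, "anti": self.anti_only}[kind]
        adj[u].add(v)
        adj[v].add(u)

    def virus_neighbors(self, u):
        return self.common[u] | self.virus_only[u]

    def anti_neighbors(self, u):
        return self.common[u] | self.anti_only[u]


def path_graph(n, kind="common"):
    """Constructed sample topology: nodes 0..n-1 joined in a line."""
    g = TypedGraph(n)
    for u in range(n - 1):
        g.add_edge(u, u + 1, kind)
    return g


def add_honey_traps(g, traps):
    """Fully connect the honey traps with anti-virus-only edges (the 'virtual super-hub')."""
    traps = list(traps)
    for i, u in enumerate(traps):
        for v in traps[i + 1:]:
            g.add_edge(u, v, "anti")


def simulate(g, seed, delay_gap, honey_traps=(), max_steps=10_000):
    """Synchronous deterministic dynamics (assumed simplification of the slides' rules).
    rule a: each infected node infects all its neutral virus-neighbors every step.
    rule b: a node infected at step t0 emits anti-virus from step t0 + 1 + delay_gap on
            (delay_gap=None: the anti-virus is never born).
    rule c: each immune node immunizes all its neutral anti-neighbors every step.
    rule d: if honey_traps is non-empty, only those nodes may perform rule b.
    rule 3: infected and immune nodes never change state.
    Tie rule (assumed): a neutral node reached by both processes in one step is infected."""
    state = [NEUTRAL] * g.n
    infected_at = {seed: 0}
    state[seed] = INFECTED
    traps = set(honey_traps)
    for t in range(1, max_steps + 1):
        infected = [u for u in range(g.n) if state[u] == INFECTED]
        immune = [u for u in range(g.n) if state[u] == IMMUNE]
        to_immunize = set()
        for u in immune:  # rule c
            to_immunize |= {v for v in g.anti_neighbors(u) if state[v] == NEUTRAL}
        for u in infected:  # rules b and d
            may_emit = not traps or u in traps
            if may_emit and delay_gap is not None and t - infected_at[u] > delay_gap:
                to_immunize |= {v for v in g.anti_neighbors(u) if state[v] == NEUTRAL}
        to_infect = set()
        for u in infected:  # rule a
            to_infect |= {v for v in g.virus_neighbors(u) if state[v] == NEUTRAL}
        if not to_infect and not to_immunize:
            break  # both processes have died out
        for v in to_immunize - to_infect:  # tie goes to the virus
            state[v] = IMMUNE
        for v in to_infect:
            state[v] = INFECTED
            infected_at[v] = t
    return state


def cluster_sizes(state):
    """(infected, immune, neutral) node counts at the end of a run."""
    return (state.count(INFECTED), state.count(IMMUNE), state.count(NEUTRAL))


def scenarios():
    """Four runs on the same constructed 8-node line, virus seeded at node 0."""
    results = {}
    g = path_graph(8)  # anti-virus confined to the virus's own edges
    results["same network, gap 1"] = cluster_sizes(simulate(g, 0, delay_gap=1))
    g = path_graph(8)
    g.add_edge(0, 4, "anti")  # one link unique to the anti-virus overlay
    results["anti-only shortcut, gap 1"] = cluster_sizes(simulate(g, 0, delay_gap=1))
    g = path_graph(8)
    g.add_edge(0, 4, "anti")
    results["anti-only shortcut, gap 0"] = cluster_sizes(simulate(g, 0, delay_gap=0))
    g = path_graph(8)
    add_honey_traps(g, [2, 6])  # only the traps create anti-virus (rule d)
    results["honey traps {2,6}, gap 1"] = cluster_sizes(simulate(g, 0, delay_gap=1, honey_traps=[2, 6]))
    return results


if __name__ == "__main__":
    for name, sizes in scenarios().items():
        print(f"{name:28s} infected={sizes[0]} immune={sizes[1]} neutral={sizes[2]}")
```

On the shared line the anti-virus only ever trails the virus and every node ends up infected; a single anti-virus-only shortcut lets the immune cluster get ahead of the virus front and halves the infected cluster, a shorter delay gap shrinks it further, and the honey-trap pair contains it without any other node emitting anti-virus. The ordering of the two update passes inside one step is what decides ties, so when adapting the model that is the first assumption to revisit.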
Empirical Survey of Email/SMS Networks
We surveyed hundreds of people, eventually gaining a sample set containing 513 answers
People were asked for the size of their address book, the size of their phone book and the corresponding overlap
The average overlap was only 32.6%
The phone book data exhibited a power law tail with exponent = -1.88
Empirical Survey of Email/SMS Networks - Results
The address book data exhibited a close to power law distribution with exponent = -0.75
Results
We studied both random and scale-free networks in both deterministic and stochastic settings
We checked the dependence on the following parameters:
Characteristic delay gap between infection and anti-virus birth
Dependence on common, virus and anti-virus edge density
Dependence on honey traps
Dependence on delay gap (random, common density = 0.01)
Dependence on delay gap (scale-free; common, virus, anti = 1)
Dependence on anti-virus edge degree (random; delay gap = 20, common degree = 10)
The virus cluster can be suppressed to any desirable size by adding more anti-virus links
Dependence on link addition (SF; delay gap = 0)
Dependency on immunizing link density, random link addition (100000-170000 node networks)
Dependency on honey trap density (100000 node network)
[Chart: Virus Cluster Size as a Function of Honey Traps Density; x-axis: Honey Traps Density, 0 to 0.006; y-axis: Virus Cluster Size, 0 to 1.2]
Dependence on the exponent (delay gap = 20, common = 1, anti = 1)
Future Directions
Further in the future: test and implement in the real world with DIMES and PlanetLab