Malware Halting
Part I: Method Development
Kjell Jørgen Hole, Simula@UiB
Last updated 16.05.17

Overview
1. Malware
2. Software diversity
3. Computer “immunization”
4. Epidemiological model
5. Malware halting analysis
6. Malware halting method

Malware defined
Malware — malicious software used to
• disrupt computer operations
• gather sensitive information, or
• gain access to private systems

Kinds of malware (word cloud on the slide)
Bots, dialers, Trojan horses, rootkits, viruses, keyloggers, worms, spyware, ransomware, backdoors, adware
Infectious malware
We’ll concentrate on infectious malware:
• Viruses — need user intervention to spread
• Worms — spread automatically

Spreading mechanisms (1)
Random scanning selects target IP addresses at random (all nodes are neighbors)
• used by the Code Red and Slammer worms
Localized scanning selects most hosts in the “local” address space
• used by the Code Red II and Nimda worms

Spreading mechanisms (2)
Topological scanning relies on information contained in infected hosts to locate new targets
• the information may include (BGP) routing tables, email addresses, a list of peers, and Uniform Resource Locators (URLs)
• used by the Morris worm

Spreading mechanisms (3)
A hitlist consists of potentially vulnerable machines that are gathered beforehand and targeted first when the worm is released
• the flash worm gathered all vulnerable machines into its hitlist
Software diversity
We consider systems of networked computing devices, such as computers, smartphones, and tablets
Each device downloads software from application stores utilizing compilers with “diversity engines”

Software monoculture (today’s situation)
[Figure: identical binary for all users; all users susceptible to the identical exploit; attacker exploit]

Software polyculture (the future?)
[Figure: a single exploit no longer affects all users identically; the cost to the attacker rises dramatically]

Diversity engine
The diversity engine creates different variants for different users
• the software developer delivers the software to the app store
• the diversity engine within the app store creates variants
• subsequent downloaders receive functionally identical but internally different versions of the same software
Immunization (1)
Software hardening, or immunization, consists of
• removal of non-essential software programs
• secure configuration of the remaining programs
• constant patching, and
• use of intrusion-detection systems, firewalls, intrusion-prevention systems, anti-malware programs, and spyware blockers

Immunization (2)
• In extreme cases, trained personnel have to take a device off-line to wipe its memory before installing new software

Pragmatic approach
Despite the protection provided by computer “immunization,” it is nearly impossible to keep every device free of malware at all times
A more realistic goal is to provide a form of “community immunity,” where most devices are protected against malware because there is little opportunity for new outbreaks to spread

Combine diversity and immunization
While community immunity usually entails immunization of nearly all entities in a monoculture, we’ll combine software diversity with the immunization of a small fraction of the computers to halt malware spreading
Epidemiological model
We model viruses and worms as infectious diseases spreading over networks with varying software diversity

Infected monoculture
[Figure: a single sick node infects all other nodes; the network is fragile; node size is proportional to the number of adjacent edges]

Hub defined
Hub — network node with many more adjacent edges than the average number of edges per node
• see the large nodes in the previous figure
• the number of adjacent edges is often referred to as the ‘degree’

Diversity
Nodes of L types have different colors
The (software) diversity is equal to the number of colors L
www.kjhole.com
Immunization
A white immunized node never gets infected or transmits an infection

Immunized polyculture
[Figure: L = 2 node types, L = 2 malware types, eight immunized hubs; the network is robust: the malware types only spread to three nodes]

Network model
A simple connected graph defines the malware spreading pattern
• N nodes
• L ≥ 1 node types
• one malware type per node type
• discrete time t = 0, 1, 2, ...
• S infected seeds per node type at time t = 0

Seeds
[Figure (a): L = 3 node types, S = 1 seed per node type]
Malware spreading
A sick node infects all its neighbors during a single time step t

Types of spreading patterns
Homogeneous network — all nodes have degrees k approximately equal to the average degree ⟨k⟩
Inhomogeneous network — a small fraction of nodes, the hubs, have degrees k much larger than the average degree ⟨k⟩

Malware halting analysis
To halt malware on networks with several million nodes, we first determine
(A) the desired distribution of node types,
(B) a lower bound on the needed diversity, and
(C) the trade-off between diversity and immunization

(A) Node type distribution
Let r_l be the probability that an arbitrary node is of type l = 1, 2, …, L
The entropy −∑_l r_l log r_l measures the uncertainty of a node’s assigned type
It has maximum value log L when all r_l = 1/L
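The network model and spreading rule (N nodes, L node types, one malware type per node type, S seeds per type at t = 0, synchronous infection of neighbors, immunized nodes that never get infected or transmit) together with the node-type entropy of (A), as an added Python example that is not part of the slides. It assumes that a malware type can only infect nodes of its own type, so a sick node infects all of its susceptible neighbors in one step; the ten-node graph with a single hub and the seed choice are constructed for the demonstration.

```python
"""Discrete-time malware spreading on a typed network (added example).

Model, following the slides: N nodes, L node types, one malware type per
node type, S seeds per type at t = 0, and a sick node infecting all its
neighbors in one time step. Assumption made here: a malware type only
infects nodes of its own type, and an immunized node never gets infected
or transmits an infection.
"""
import math
from collections import Counter


def build_graph(n, edges):
    """Adjacency sets of an undirected simple graph on nodes 0..n-1."""
    adj = {u: set() for u in range(n)}
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    return adj


def type_entropy(node_type):
    """-sum_l r_l log r_l for the empirical type distribution r_l (natural log)."""
    counts = Counter(node_type.values())
    n = len(node_type)
    return -sum((c / n) * math.log(c / n) for c in counts.values())


def max_entropy(num_types):
    """The entropy is maximal, log L, when every type has probability 1/L."""
    return math.log(num_types)


def wrong_type_probability(num_types):
    """Chance that a random pick is of the wrong type for a malware: 1 - 1/L."""
    return 1.0 - 1.0 / num_types


def simulate(adj, node_type, seeds, immunized=frozenset()):
    """Run the synchronous spreading model until no node is newly infected.

    Returns (set of infected nodes, number of time steps with new infections).
    """
    infected = {s for s in seeds if s not in immunized}
    frontier = set(infected)
    steps = 0
    while frontier:
        new = set()
        for u in frontier:
            for v in adj[u]:
                # a sick node reaches every neighbor, but only a susceptible
                # neighbor (same type, not immunized, not yet sick) gets infected
                if (v not in infected and v not in immunized
                        and node_type[v] == node_type[u]):
                    new.add(v)
        if not new:
            break
        infected |= new
        frontier = new
        steps += 1
    return infected, steps


# Constructed example: node 0 is a hub adjacent to every other node, plus a
# few edges among the leaves. L = 2 types: even nodes type 0, odd nodes type 1.
N = 10
ADJ = build_graph(N, [(0, v) for v in range(1, N)] + [(1, 2), (3, 4), (5, 6)])
TYPES = {v: v % 2 for v in range(N)}
SEEDS = [1, 2]  # S = 1 seed per node type

if __name__ == "__main__":
    print("entropy %.3f of maximum %.3f" % (type_entropy(TYPES), max_entropy(2)))
    print("wrong-type probability for L=2:", wrong_type_probability(2))
    print("no immunization:", simulate(ADJ, TYPES, SEEDS))
    print("hub immunized:  ", simulate(ADJ, TYPES, SEEDS, immunized={0}))
```

Without immunization the type-0 seed reaches the hub and, through it, every other type-0 node, while the type-1 seed has no same-type neighbor and stays alone; immunizing the single hub stops the type-0 outbreak at its seed. The entropy of the even/odd assignment equals log 2, the maximum for L = 2, whereas a skewed 8/2 split scores lower, which is what Observation 1 warns against.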
Maximize entropy (1)
When the entropy is maximized, the best spreading strategy for each malware type is to select new nodes at random
The probability that a spreading mechanism chooses a node of the wrong type is 1 − 1/L
As L increases, this probability increases and the speed of the malware spreading decreases

Maximize entropy (2)
If there is less uncertainty about the distribution of vulnerable nodes, e.g. a few node types occur more often than the other node types in a network, then the entropy is smaller and malware writers can create very efficient topology-aware spreading mechanisms

Observation 1
Skewed distributions of node types should be avoided because they facilitate rapid malware spreading

(B) Needed diversity
Example: MMS malware exploits a smartphone’s address book to spread to new phones with the same OS
MMS malware spreading
[Figure: an infected phone; phones on its email list; a phone not on the email list]

Wang’s network model
Based on location and calling data from 6.2 million mobile subscribers
Market share determines whether devices with the same OS form a giant component in the calling graph

What is a component?
A single-type component is a subset of nodes with the same type such that
• there is a path between any pair of nodes in the set, and
• it is not possible to add another node of the same type to the set while preserving this property

Giant component
A giant component of same-type nodes has size proportional to N
If a giant component contains a seed, then nearly all nodes in the network will be infected
Wang’s network model
[Figure: giant-component size G_m versus market share m, after Wang et al. [2]; below the critical share m_c there is no giant component, then a finite giant component, then a giant component; the MMS point is marked]
[Figure: calling graph with two operating systems; OS 1 has 75% market share and a giant component of 80%, OS 2 has 25% market share and a giant component of 6%; the rest are small connected components and single nodes]

Android market share
Roughly 45% of all phones in the US were smartphones in March 2011
Android’s share of the total mobile phone market was 0.45 × 0.35 = 0.16 (16%)
About 62% of the users utilized Android Gingerbread 2.3.x
• its market share was 0.16 × 0.62 = 0.10 (10%)
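The single-type component definition and the giant-component test on market share, as an added Python example that is not from the slides or from Wang et al. It computes maximal same-type components by breadth-first search restricted to one type, then checks on a constructed random calling graph (not the 6.2-million-subscriber data) whether an OS with 75% share forms a giant component while one with 25% share does not; the node count, mean degree and shares are constructed assumptions.

```python
"""Same-type components and the giant component (added example).

Implements the slide's definition of a single-type component (same-type
nodes connected by a path that stays within the type, maximal) and checks
on a constructed random calling graph whether an operating system's market
share is large enough for its devices to form a giant component. The random
graph and the 75%/25% shares are constructed here; the real Wang et al.
model is built from calling data.
"""
import random
from collections import deque


def same_type_components(adj, node_type):
    """Maximal sets of same-type nodes connected through same-type paths."""
    seen = set()
    components = []
    for start in adj:
        if start in seen:
            continue
        seen.add(start)
        component = {start}
        queue = deque([start])
        while queue:
            u = queue.popleft()
            for v in adj[u]:
                if v not in seen and node_type[v] == node_type[start]:
                    seen.add(v)
                    component.add(v)
                    queue.append(v)
        components.append(component)
    return components


def largest_component_fraction(adj, node_type):
    """Per type: size of its largest same-type component divided by the
    number of nodes of that type. A value that stays well above zero as N
    grows signals a giant component; a value near zero means only small
    components and single nodes."""
    totals = {}
    for t in node_type.values():
        totals[t] = totals.get(t, 0) + 1
    largest = {t: 0 for t in totals}
    for comp in same_type_components(adj, node_type):
        t = node_type[next(iter(comp))]
        largest[t] = max(largest[t], len(comp))
    return {t: largest[t] / totals[t] for t in totals}


def random_calling_graph(n, mean_degree, rng):
    """Constructed stand-in for a calling graph: n phones joined by about
    n * mean_degree / 2 random calls (self-calls and repeats are dropped)."""
    adj = {u: set() for u in range(n)}
    for _ in range(n * mean_degree // 2):
        u, v = rng.randrange(n), rng.randrange(n)
        if u != v:
            adj[u].add(v)
            adj[v].add(u)
    return adj


def assign_os_by_share(n, share_os1, rng):
    """Each phone runs OS1 with probability share_os1, otherwise OS2."""
    return {u: ("OS1" if rng.random() < share_os1 else "OS2") for u in range(n)}


def market_share_experiment(n=4000, mean_degree=2, share_os1=0.75, seed=7):
    """Largest same-OS component fraction for each OS on one constructed graph."""
    rng = random.Random(seed)
    adj = random_calling_graph(n, mean_degree, rng)
    os_of = assign_os_by_share(n, share_os1, rng)
    return largest_component_fraction(adj, os_of)


if __name__ == "__main__":
    for os_name, frac in sorted(market_share_experiment().items()):
        print("%s: largest same-OS component holds %.1f%% of its phones"
              % (os_name, 100 * frac))
```

With a mean degree of 2, OS1 phones see on average 1.5 same-OS neighbors and percolate into one large component, while OS2 phones see only 0.5 and stay in small fragments; this is the market-share threshold behind Observation 2.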
Observation 2
A malware epidemic can only occur when a network contains a giant component of nodes with the same type
[Figure: G_m versus m as before (Wang et al. [2]), with Gingerbread’s market share marked: “Gingerbread was here”]

Diversity needed to avoid a giant component
degree k — a node’s number of adjacent edges
average degree ⟨k⟩ = 1/N · ∑ k_i
average-square degree ⟨k²⟩ = 1/N · ∑ (k_i)²
L ≥ ⌈ ⟨k²⟩ / (2 · ⟨k⟩) ⌉

(C) Diversity vs immunization
The right-hand side of the bound is large when a network contains nodes with square degrees (k_i)² much bigger than the corresponding degrees k_i
If the node degrees are known, then we reduce the lower bound by immunizing the nodes with the largest degrees k_i
Observation 3
We can immunize a small fraction of all nodes (the hubs) in an inhomogeneous network to reduce the need for diversity
• because it is expensive to immunize computers, immunization is of limited use in large networks with many hubs

Halting method (based on observations)
The method must handle spreading patterns with
• unknown and changing topology
• at least one million nodes
• unreliable node communication

Approach
Since the topology is unknown and communication is unreliable, it is difficult to modify the network structure or ask nodes to change their types based on the types of the neighboring nodes
It is more promising to use a simple method that
• is robust to varying topologies
• scales to very large networks

Malware halting method (first version)
1. If practicable, immunize enough large-degree nodes in a network to create a homogeneous subnet when the immunized nodes and their adjacent edges are removed
2. Ensure that the node diversity of the homogeneous subnet is large enough to halt multiple simultaneous malware outbreaks
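The diversity bound L ≥ ⌈⟨k²⟩ / (2·⟨k⟩)⌉, the observation that immunizing the largest-degree nodes lowers it, and step 1 of the first-version halting method, as an added Python example that is not the slides’ own code. The bound is evaluated on the subnet that remains after immunized nodes and their adjacent edges are removed; the stopping rule for “homogeneous” (no remaining degree above a chosen multiple of ⟨k⟩) and the ring-with-hubs graph are constructed assumptions.

```python
"""Diversity lower bound and hub immunization (added example).

Implements L >= ceil(<k^2> / (2 <k>)) from the slides, computed on the subnet
that remains when immunized nodes and their adjacent edges are removed, and
step 1 of the halting method: immunize large-degree nodes until the remaining
subnet is (approximately) homogeneous. The ring-with-hubs graph and the
homogeneity ratio are constructed assumptions.
"""
import math


def remaining_degrees(adj, immunized=frozenset()):
    """Degrees k_i of the non-immunized nodes once immunized nodes and their edges are gone."""
    return {u: sum(1 for v in adj[u] if v not in immunized)
            for u in adj if u not in immunized}


def degree_moments(adj, immunized=frozenset()):
    """Average degree <k> and average-square degree <k^2> of the remaining subnet."""
    degs = list(remaining_degrees(adj, immunized).values())
    n = len(degs)
    return sum(degs) / n, sum(d * d for d in degs) / n


def diversity_lower_bound(adj, immunized=frozenset()):
    """Smallest number of node types L allowed by L >= ceil(<k^2> / (2 <k>))."""
    k, k2 = degree_moments(adj, immunized)
    if k == 0:  # no edges left: nothing can spread, one type suffices
        return 1
    return max(1, math.ceil(k2 / (2 * k)))


def hubs_to_immunize(adj, max_ratio=2.0):
    """Step 1 of the halting method: immunize the largest-degree node, one at a
    time, until every remaining degree is at most max_ratio * <k> (assumed
    homogeneity criterion). Returns the immunized set."""
    immunized = set()
    while True:
        degs = remaining_degrees(adj, immunized)
        k = sum(degs.values()) / len(degs)
        hub, d = max(degs.items(), key=lambda item: item[1])
        if k == 0 or d <= max_ratio * k:
            return frozenset(immunized)
        immunized.add(hub)


def build_ring_with_hubs(ring_size, num_hubs):
    """Constructed inhomogeneous graph: a ring of ring_size nodes plus num_hubs
    hubs adjacent to every ring node and to each other."""
    adj = {u: set() for u in range(ring_size + num_hubs)}
    for i in range(ring_size):
        j = (i + 1) % ring_size
        adj[i].add(j)
        adj[j].add(i)
    hubs = range(ring_size, ring_size + num_hubs)
    for h in hubs:
        for i in range(ring_size):
            adj[h].add(i)
            adj[i].add(h)
        for g in hubs:
            if g != h:
                adj[h].add(g)
    return adj


GRAPH = build_ring_with_hubs(12, 2)  # ring nodes have degree 4, hubs degree 13

if __name__ == "__main__":
    print("bound, no immunization:", diversity_lower_bound(GRAPH))
    chosen = hubs_to_immunize(GRAPH)
    print("immunized hubs:", sorted(chosen))
    print("bound after immunizing hubs:", diversity_lower_bound(GRAPH, chosen))
```

On this graph the bound is L ≥ 4 with nothing immunized, drops to 3 after immunizing one hub, and to 1 once both hubs are out, because the leftover ring is perfectly homogeneous (⟨k⟩ = 2, ⟨k²⟩ = 4). That is the trade-off of (C): a handful of immunized hubs buys a large reduction in the diversity the rest of the network must provide.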