
Responding to Mobile Worms with Location-Based Quarantine Boundaries



  1. Responding to Mobile Worms with Location-Based Quarantine Boundaries
     Baik Hoh (baikhoh@winlab), Marco Gruteser (gruteser@winlab)
     Research Review 2006

  2. Threats of Mobile Worms
     - Current trends in pervasive devices
       - Multi-radio support: a backhaul link (e.g., cellular networks) plus short-range communication (e.g., Bluetooth, DSRC)
       - Examples: cellular networks, vehicular networks
     - Mobile worms / malware spread over peer-to-peer interaction
       - Vulnerability: Bluetooth buffer overflow (e.g., the BlueSmack attack)
       - This allows malware to spread without user intervention
     - Peer-to-peer replication over short-range wireless networks creates a challenge for intrusion detection and response
       - High false alarm rate: no conventional IDS (address blacklisting, content filtering) is deployed over vehicular ad-hoc networks, there is no concentration point (e.g., gateways), and nodes are resource limited
       - Distributed IDS: the detection delay needs special care in the intrusion response
       - No partitioning into sub-networks: can we partition an ad-hoc network virtually?

  3. A typical threat scenario (vehicular networks on a southern New Jersey highway)
     [Figure: how far the worm propagates [m] versus elapsed time [sec], with three stages: (a) early stage, (b) acceleration stage, (c) stable stage. Approximately, the worm can infect all vehicles within an 11.6 km radius during 10 min.]

  4. Do we have a short-term strategy for responding to unknown mobile worms spreading over NJ within 4 hours?
     Am I building too high a wall against an imaginary monster?
     - Do we have an example?
     - Do we have any ad-hoc network in operation?
     - Do we have a distributed IDS in a 170-mile real-world network?
     - Is intrusion response more important than intrusion detection?
     - Do we need a short-term strategy to buy time for developing a patch?
     Am I Don Quixote? Or am I fighting a realistic monster?

  5. Infrastructure-aided wireless intrusion response architecture: geographical partitioning
     [Figure: an outbreak happens and propagates; the 1st, 2nd and 3rd alarms and responses follow, and the delay for human analysis leaves the quarantine boundary outdated. Estimating the worm propagation during that delay makes an accurate wall to stop it.]

  6. Graphical example: One Drop
     [Figure: map of node positions, coordinates in units of 10^4 m.]

  7. Graphical example: Spread
     [Figure: map of node positions, coordinates in units of 10^4 m.]

  8. Graphical example: Quarantined
     [Figure: map of node positions, coordinates in units of 10^4 m.]

  9. The effect of imperfect containment: high detection with low false positives
     [Figure: performance of our intrusion response architecture when applied doubly.]

  10. Problem statement: ∆T = T_A − T_O
      - A time delay between the outbreak (T_O) and the alarm (T_A)
      - Mobile worms can spread further during ∆T, so containment is imperfect
      - We need an accurate boundary estimation
      - We need an "intrusion response planning strategy":
        1. Detect Patient 0 accurately
        2. Set an accurate quarantine boundary
        3. Contain remotely while minimizing the impact of the worm (policy needed)

  11. Macroscopic models of worm propagation from ecology
      - Diffusion-reaction model, from the spread of muskrats: propagation speed, circular front
      - Advection-diffusion model, from toxic pollutants in underground water: propagation speed, rectangular front
      - Estimating the quarantine boundary of a mobile worm is an analogous problem

  12. Assumptions
      - The IDS can accurately locate Patient 0
      - Location server (infrastructure): the service provider can locate each mobile node
      - Type of mobile worm: unknown (or polymorphic) malware
      - Detection method: distributed anomaly detection
      - 5% of all vehicles are susceptible (e.g., Bluetooth in discoverable mode)

  13. Quarantine boundary estimation
      - Step 1: estimate the worm propagation velocity (V')
        - Pedestrian scenarios: empirical, simulation-based approach
        - Vehicular scenarios: simple analytic model
      - Step 2: estimate the spatial distribution
        - Isotropic circle: R = V' · ∆T
        - Rectangle: L = V' · ∆T, W = road width

  14. Step 1 (vehicular scenario): propagation speed estimation
      [Figure: vehicles moving at speed V, with the communication range C_r and the distance R marked; (a) full speed (R > C_r), (b) traffic jam (R < C_r).]

  15. Step 2 (vehicular scenario): spatial boundary
      - V' = α · n · C_r + V (α is a constant)
      - A traversal of the road network graph from Patient 0:
        T_1 = D_1 / V', T_2 = D_2 / V'
        Length = (∆T − T_1) · V', Width = road width
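The two steps of slides 13 to 15 carried out end to end on a constructed toy road graph. This is an added example and not the authors' code. It assumes that n in V' = α·n·C_r + V is the vehicle density 1/R, with R read as the inter-vehicle spacing of slide 14, that the full-speed case (R > C_r) reduces V' to V because no neighbour is in radio range, and it uses made-up segment lengths, speeds, spacings and a made-up constant α. The junction names follow slide 17, with Patient 0 on the J3-J4 link.

```python
# Added example (not from the slides): two-step quarantine boundary
# estimation for the vehicular case on a constructed toy road graph.
import heapq


def propagation_speed(v, spacing_r, c_r, alpha):
    """Step 1: worm propagation speed V' [m/s] on one road segment.

    v          vehicle speed V [m/s]            (D.O.T. traffic data)
    spacing_r  mean inter-vehicle spacing R [m] (D.O.T. traffic data)
    c_r        radio communication range C_r [m]
    alpha      the slides' calibration constant

    Assumptions of this example: the slides' n is the vehicle density 1/R,
    and slide 14's two cases are applied explicitly. When R > C_r (full
    speed) no neighbour is in range, so the worm only moves with its carrier
    at V; when R < C_r (traffic jam) it also hops between neighbours.
    """
    if spacing_r > c_r:
        return float(v)
    return alpha * (1.0 / spacing_r) * c_r + v


def isotropic_radius(v_prime, delta_t):
    """Pedestrian case (slide 13): circle of radius R = V' * dT around Patient 0."""
    return v_prime * delta_t


def _merge(intervals):
    """Union of [a, b] spans on one segment, dropping empty spans."""
    merged = []
    for a, b in sorted(intervals):
        if b <= a:
            continue
        if merged and a <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], b))
        else:
            merged.append((a, b))
    return merged


def quarantine_boundary(roads, patient0, delta_t):
    """Step 2: traverse the road network graph from Patient 0.

    roads     list of (u, v, length_m, v_prime) undirected segments
    patient0  (u, v, offset_m): Patient 0 sits offset_m from u on segment (u, v)
    delta_t   response delay dT = T_A - T_O [s]

    Returns (arrival, covered): arrival[j] is the earliest time the worm can
    reach junction j (T_1 = D_1 / V'); covered[(u, v)] lists (start_m, length_m)
    rectangles along the segment, measured from u, that the worm can reach
    within dT ((dT - T_1) * V', clamped to the segment). Width = road width.
    """
    adj = {}
    for u, v, length, vp in roads:
        adj.setdefault(u, []).append((v, length, vp))
        adj.setdefault(v, []).append((u, length, vp))
    u0, v0, off = patient0
    su, sv, d0, vp0 = [r for r in roads if {r[0], r[1]} == {u0, v0}][0]
    if (su, sv) != (u0, v0):
        u0, v0, off = su, sv, d0 - off       # express the offset from the stored u
    # Dijkstra seeded with the two junctions bounding Patient 0's segment.
    arrival = {}
    heap = [(off / vp0, u0), ((d0 - off) / vp0, v0)]
    while heap:
        t, j = heapq.heappop(heap)
        if j in arrival:
            continue
        arrival[j] = t
        for k, length, vp in adj[j]:
            if k not in arrival:
                heapq.heappush(heap, (t + length / vp, k))
    covered = {}
    for u, v, length, vp in roads:
        spans = []
        if (u, v) == (u0, v0):               # Patient 0's own segment: both ways
            spans.append((max(0.0, off - vp * delta_t), min(length, off + vp * delta_t)))
        for j, from_u in ((u, True), (v, False)):
            reach = min(length, max(0.0, (delta_t - arrival.get(j, float("inf"))) * vp))
            spans.append((0.0, reach) if from_u else (length - reach, length))
        rects = [(a, b - a) for a, b in _merge(spans)]
        if rects:
            covered[(u, v)] = rects
    return arrival, covered


ALPHA = 1.5    # constructed calibration constant alpha
C_R = 100.0    # communication range C_r [m]; the slides evaluate 50/100/200 m
FREE = propagation_speed(v=30.0, spacing_r=150.0, c_r=C_R, alpha=ALPHA)  # 30.0 m/s
JAM = propagation_speed(v=3.0, spacing_r=8.0, c_r=C_R, alpha=ALPHA)      # 21.75 m/s

# Constructed toy road graph; the outbreak starts on the J3-J4 link (slide 17).
ROADS = [
    ("J1", "J2", 1500.0, FREE),
    ("J2", "J3", 2000.0, FREE),
    ("J3", "J4", 3000.0, JAM),
    ("J4", "J5", 2500.0, JAM),
    ("J2", "J6", 1200.0, FREE),
    ("J4", "J7", 1800.0, FREE),
]
PATIENT0 = ("J3", "J4", 1000.0)   # Patient 0 located 1000 m from J3


def example_boundary(delta_t):
    """Quarantine region on the toy network for a response delay delta_t."""
    return quarantine_boundary(ROADS, PATIENT0, delta_t)


if __name__ == "__main__":
    arrival, covered = example_boundary(delta_t=120.0)
    for (u, v), rects in covered.items():
        for start, length in rects:
            print(f"{u}-{v}: quarantine {start:7.1f} m .. {start + length:7.1f} m from {u}")
```

With a 120 s delay the whole J3-J4 and J2-J3 links are quarantined plus a few hundred metres of each neighbouring link; with a 10 s delay only a 435 m stretch around Patient 0 is. The region grows with ∆T exactly as slide 10 warns, so the boundary must be recomputed against the delay actually incurred, not a nominal one.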

  16. Simulation results: VANET
      - Southern New Jersey highway network

  17. Experiment setup
      - Performance measures: detection probability, false alarm probability
      - Simulation parameters
        - SIR model (infection probability = 1)
        - Randomly chosen initially infected nodes on the link between J3 and J4
        - Observation time: 25 s to 45 s
        - Communication range: 50 m, 100 m and 200 m
      - Vehicular scenario: PARAMICS, calibrated from real traffic data
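How the two performance measures can be scored against an SIR spread with infection probability 1, as an added example that is not the authors' PARAMICS simulation. It assumes a straight two-way highway with constructed vehicle positions, speeds and susceptibility, a quarantine rectangle centred on Patient 0's outbreak position with half-length V'·∆T in both travel directions, and these definitions, which the slides do not spell out: detection probability Pd = fraction of infected vehicles inside the rectangle, false alarm probability Pf = fraction of never-infected vehicles inside it.

```python
# Added example (not from the slides): SIR worm spread (infection probability
# 1 inside radio range) on a one-dimensional two-way highway, and the Pd/Pf of a
# rectangular quarantine boundary. Highway, vehicles and the Pd/Pf definitions
# are constructed here for illustration.
import bisect
import random


def vehicle(x, v, state, t_inf=None):
    """x position [m], v speed [m/s] (sign = direction), state S / I / R."""
    return {"x": float(x), "v": float(v), "state": state, "t_inf": t_inf}


def simulate(vehicles, c_r, t_a, dt=1.0, recovery_s=None):
    """Advance the epidemic from the outbreak (t = 0) to the alarm time t_a.

    Each step every vehicle moves, then every infected vehicle infects all
    susceptible vehicles within range c_r (infection probability 1). With
    recovery_s set, infected vehicles become removed (patched) after that
    many seconds; the default keeps them infectious for the short window.
    Mutates and returns the list.
    """
    t = 0.0
    while t < t_a:
        t += dt
        for veh in vehicles:
            veh["x"] += veh["v"] * dt
            if recovery_s is not None and veh["state"] == "I" and t - veh["t_inf"] >= recovery_s:
                veh["state"] = "R"
        # Sorted susceptible positions: two bisections per infected vehicle
        # find its in-range neighbours instead of a full pairwise scan.
        sus = sorted((veh["x"], i) for i, veh in enumerate(vehicles) if veh["state"] == "S")
        xs = [x for x, _ in sus]
        newly = set()
        for veh in vehicles:
            if veh["state"] == "I":
                lo = bisect.bisect_left(xs, veh["x"] - c_r)
                hi = bisect.bisect_right(xs, veh["x"] + c_r)
                newly.update(i for _, i in sus[lo:hi])
        for i in newly:
            vehicles[i]["state"], vehicles[i]["t_inf"] = "I", t
    return vehicles


def evaluate(vehicles, x0, v_prime, delta_t):
    """Pd and Pf of the rectangle [x0 - V'*dT, x0 + V'*dT] along the road,
    drawn around Patient 0's outbreak position x0 (both travel directions).

    Assumed definitions: Pd = infected vehicles inside / all infected;
    Pf = never-infected vehicles inside / all never-infected.
    """
    lo, hi = x0 - v_prime * delta_t, x0 + v_prime * delta_t
    infected = [veh for veh in vehicles if veh["t_inf"] is not None]
    clean = [veh for veh in vehicles if veh["t_inf"] is None]
    pd = sum(lo <= veh["x"] <= hi for veh in infected) / len(infected)
    pf = sum(lo <= veh["x"] <= hi for veh in clean) / len(clean) if clean else 0.0
    return pd, pf


def highway(seed, n=3000, road_m=20000.0, susceptible_frac=0.05):
    """Constructed two-way highway: susceptible_frac of the vehicles are
    susceptible (5%, slide 12), the rest immune; speeds 25-35 m/s in either
    direction; Patient 0 is the susceptible vehicle nearest the road's middle.
    Returns (vehicles, x0) with x0 the outbreak position of Patient 0."""
    rng = random.Random(seed)
    vehicles = [vehicle(rng.uniform(0.0, road_m),
                        rng.choice((-1, 1)) * rng.uniform(25.0, 35.0),
                        "S" if rng.random() < susceptible_frac else "R")
                for _ in range(n)]
    p0 = min((veh for veh in vehicles if veh["state"] == "S"),
             key=lambda veh: abs(veh["x"] - road_m / 2))
    p0["state"], p0["t_inf"] = "I", 0.0
    return vehicles, p0["x"]


def scenario(seed, t_a, v_prime, c_r=100.0):
    """Run one outbreak and score the boundary estimate V' at alarm time t_a.
    Returns (number infected, Pd, Pf)."""
    vehicles, x0 = highway(seed)
    simulate(vehicles, c_r, t_a)
    n_inf = sum(veh["t_inf"] is not None for veh in vehicles)
    pd, pf = evaluate(vehicles, x0, v_prime, t_a)
    return n_inf, pd, pf


if __name__ == "__main__":
    for t_a in (25, 35, 45):                 # observation times from slide 17
        for v_prime in (20.0, 40.0, 80.0):   # candidate V' estimates [m/s]
            n_inf, pd, pf = scenario(seed=7, t_a=t_a, v_prime=v_prime)
            print(f"dT={t_a:2d}s V'={v_prime:4.0f} m/s infected={n_inf:3d} Pd={pd:.2f} Pf={pf:.3f}")
```

Raising V' can only enlarge the rectangle, so Pd and Pf both move up together: an underestimated V' leaves infected vehicles outside the wall (the imperfect containment of slides 9 and 10), while an overestimated one quarantines clean traffic. The trade-off the slides measure is exactly this pair for a given ∆T and communication range.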

  18. Detection probability and false positive
      [Figure: detection probability and false positive results.]

  19. Discussion
      - A 95% detection probability can slow the propagation of a worm
        - It yields additional analysis time for a patch
        - It can act as a short-term defense
        - Repeated application of the intrusion response
      - The analytical model for V' works well enough
        - It needs no laborious calibration (no prior information), only V and R from the D.O.T.
        - Only 10% inferior to the best case in P_f
      - Patient 0 detection should be solved
        - Effect of inaccuracy on P_d and P_f
        - Method: triangulation and recursive least squares

  20. Conclusion and further work
      - We proposed an architecture for a service provider
        - Infrastructure-based approach
        - Location-based quarantine boundary estimation
      - We verified the algorithm on real road networks
      - Further work
        - Patient 0 detection algorithm
        - Design of an algorithm robust to an inaccurate Patient 0 location and time of outbreak
        - State-wide area simulation (NJ Turnpike)
        - Ecology-security synergy: a stratified dispersal process
