Epidemic Profiles and Defense of Scale-Free Networks L. Briesemeister, P. Lincoln, P. Porras Presented by Meltem Yıldırım CmpE - 588

Meltem YILDIRIM ( )2 Agenda  Purpose  Related Work  Epidemic Profiles  Computer Network Topologies  Simulation  Conclusion

Meltem YILDIRIM ( )3 Purpose  Defending a large network infrastructure from rapidly propagating malicious code  Study: worms, viruses and their infection strategies percolation and epidemic spread in scale-free networks protecting the “network mission” (reliable access to information)

Meltem YILDIRIM ( )4 e.g. Sapphire Worm Because of the tremendous speed of attacks, we are obligated to search for responsive and rapid defense measures. The geographic spread of Sapphire in 30 min after release

Meltem YILDIRIM ( )5 Related Work (1)  Moore: “No response time is fast enough to protect against widespread epidemic.”  Albert: “Scale-free networks are resilient against random error, but not against deliberate attack of highly connected nodes.”  Dezsö and Barabási: “Random cures are not very useful but protecting the hubs can rescue the whole network.”

Meltem YILDIRIM ( )6 Related Work (2)  Pastor-Satorras and Vespignani: worked on the BA model “There is no epidemic threshold that determines prevalence.”  Eguíluz and Klemm: worked on the KE model “There is a finite epidemic threshold that determines prevalence.”

Meltem YILDIRIM ( )7 Epidemic Profiles (1)  Infection Criteria: The criteria that a host must fullfill (the vulnerabilities that it must possess) in order to be infected.  Worms and viruses make use of these vulnerabilities and apply a number of infection methods Network service buffer overflows Macro and script insertion Deception of binary code  Malicious codes usually use a limited set of the infection methods.

Meltem YILDIRIM ( )8 Epidemic Profiles (2)  Infection Strategy: the method by which the epidemic seeks new targets  Sequential scanning process in order to find new victims, propagating to the new victims and so on.

Meltem YILDIRIM ( )9 Epidemic Profiles (3) Methods for Exploring New Victims: MethodDescriptionExample Mail-based use mail services and address books to propagate Melissa virus Topological gather internal topological information on each infected target to seek additional new targets Morris worm Contagion embeds contagions within normal communication channels Active Scanning randomly scans to identify potential targetsCodeRed Coordinated Scanning uses efficient segmentation of IP address space to accelerate scan coverage Warhol worms

Meltem YILDIRIM ( )10 Computer Network Topologies We divide models of network topologies into two categories: 1. Network models exhibiting a homogeneous degree distribution e.g. random graph (ER model) 2. Network models exhibiting a power law degree distribution (Scale-Free Networks) 2.1. BA Model 2.2. KE Model

Meltem YILDIRIM ( )11 BA Model (1)  developed by Barabási and Albert  3 parameters: m 0 : the number of initial nodes m: initial degree of every new node attached (m ≤ m 0 ) t: number of time steps  In every time step t, one new node with m new edges is added to the graph.  Preferential attachment: P(k i ) = k i /  j k j where k i is the degree of node i

Meltem YILDIRIM ( )12 BA Model (2) Example: m 0 = 3, m = 2 t = 1 t = 2 t = 3

Meltem YILDIRIM ( )13 KE Model (1)  developed by Klemm and Equíluz  2 parameters: m: number of initial nodes t: number of time steps  Start with m fully connected, active nodes. In every time step t, attach one new node to all active nodes. Make the new node active as well. Inactivate one of the nodes according to a probability P(k i ).  P(k i ) = ((  j k j –1 ) k i ) –1  Higher clustering coefficient, more similar to real computer networks

Meltem YILDIRIM ( )14 KE Model (2) Example: m = 3 (yellow:active, gray:inactive, red:new) t = 1 t = 2 t = 3

Meltem YILDIRIM ( )15 Fault Tolerance  Theorem: “In a nontrivial KE network with generation parameter m, there are m disjoint paths between any pairs of nodes.”

Meltem YILDIRIM ( )16 Simulation (1) Assumptions:  N = 50,000 nodes = 1000 LANs containing 50 nodes each  WAN: BA or KE model, LANs: completely connected  m 0 = m = 10 and t = N WAN - m = = 90 steps  At the beginning of each simulation, a node is infected randomly. Simulation runs for T = 25 time steps.  Infected nodes stay infected, continue to spread disease and do not change back to normal.   : Prevalence: number of infected nodes / number of all nodes If  exceeds a certain threshold, a certain number of most connected nodes are automatically immunized whether they are infected or not. 6 cases: 10 and 100 nodes immunized for  = 20%, 5%, 1%

Meltem YILDIRIM ( )17 Simulation (2) Threshold  = 20% No response to epidemic 1% nodes immunized 10% nodes immunized

Meltem YILDIRIM ( )18 Simulation (3) No response to epidemic 1% nodes immunized 10% nodes immunized ( Threshold  = 20% ) ( Threshold  = 1% )

Meltem YILDIRIM ( )19 Simulation (4) Explanation of Simulation Results:  Although defensive measures are taken, worm spreads extremely rapidly in BA networks. In only a few time steps, majority of the BA network is infected. KE networks are infected much more slowly.  Network defenses that are put in place after the attack can slow down the spread of infection in certain topologies.  It is easier to slow down the spread of infection in KE networks than in BA networks. Usually, there is no time to defend the rest of the computers in BA networks.

Meltem YILDIRIM ( )20 Conclusion  Some scale-free network topologies are inherently more defensible than others against rapidly spreading malicious code.  With a few alterations, inherently defensible networks can prevent or delay an infection from reaching its maximum potential. Network segmentation Lack of communication channels between vulnerable nodes IP filtering to limit scanning

Questions