Brian Thompson1,2, James Morris-King1,2, and Hasan Cam1


1 Controlling Risk of Data Exfiltration in Cyber Networks Due to Stealthy Propagating Malware
Brian Thompson1,2, James Morris-King1,2, and Hasan Cam1
MILCOM 2016

2 Motivation
- In 2015, Kaspersky Lab discovered malware (Duqu 2.0) that had been hiding in its network for months, spying on new technologies being developed at the lab
- Also in 2015, Bitdefender customers' data was leaked after an attack that hijacked several servers in Amazon's Elastic Compute Cloud
- These and other recent cyber attacks demonstrate that even the best contemporary security systems cannot prevent well-resourced adversaries from infiltrating the computer networks of governments, companies, and organizations
  - Once inside a network, self-propagating malware can spread throughout the network, causing damage, disrupting services, or exfiltrating sensitive information
  - Stealthy malware can remain undetected by using zero-day exploits to spread and hiding malicious behavior in normal activity
Controlling Data Exfiltration in Cyber Networks Due to Stealthy Malware

3 Defender Model
- An intrusion detection system (IDS) monitors activity on a computer or network and sets off an alert when suspected malicious activity occurs, prompting human analysts to investigate and take defensive action as deemed necessary
- Alternatively, an intrusion prevention system (IPS) takes automated actions to block or purge a potential intrusion when an alert goes off
- We consider a defensive maneuver in which devices are taken offline while an automated recovery or reset operation is performed, and then come back online clean of any malware
  - The device could then get reinfected
  - Implementation depends on the context and type of device
- Due to service availability needs, monetary constraints, or other operational requirements, there is often a limit to the number of devices that can be resetting at any one time

4 Network Model
- Each node in the network communicates with other nodes, and also uploads some information externally, e.g. to respond to user queries, report sensor readings, or send an
- The Attacker unleashes self-propagating malware, which spreads from infected nodes to clean nodes when they communicate
- Infected nodes additionally exfiltrate sensitive data at a rate pre-determined by the Attacker
- Each node has a detector that generates alerts when the total outgoing data rate is higher than expected, which prompts the recovery or reset operation
- The Defender controls the detection sensitivity, which along with the outgoing data rate determines the alert rate and therefore the reset rate
- Aside from their observed outgoing data rate (uploads + exfiltration), the detector cannot distinguish between clean and infected nodes

5 Problem Statement
The Game:
- Attacker chooses the exfiltration rate, which is hard-coded into the malware (and therefore the same for all infected nodes)
- Defender chooses the detection sensitivity, with the constraint that the number of resetting nodes does not violate the operational requirement
- The higher the exfiltration rate, the faster data will be exfiltrated from each infected node, but the easier it will be to detect them, resulting in fewer infected nodes
Objective:
- Attacker: Maximize total rate of data exfiltration from all infected nodes
- Defender: Minimize total rate of data exfiltration from all infected nodes
Our goal: Establish bounds on the total rate of data exfiltration by an optimal attacker, expressed in terms of network parameters

6 Related Work
- Kephart & White (1991) apply compartmental (SIR-type) models from epidemiology to study malware spread
- Okhravi and Nicol (2008) evaluate the tradeoff between the time spent on pre-deployment testing and the timely deployment of patches for software vulnerabilities
- Khouzani et al. (2012) explore how to allocate resources to prevent malware spread in mobile wireless networks
- Eshghi et al. (2016) propose patching strategies for countering propagating malware in both a replicative context (patches can be transmitted by other patched devices) and a non-replicative context (patches are only disseminated by designated sources)
- These approaches rely on patching known vulnerabilities or knowing which nodes are infected, so aren't applicable to stealthy attacks
- Proactive defense mechanisms have also been proposed, but typically for a single system rather than a coordinated effort over networked devices, thus are not sensitive to the needs of the network as a whole

7 Our Approach
We take a mean-field approach, using a compartmental Markov model to describe the fraction of nodes in each possible state (Clean, Infected, or Resetting) and the transition rates between them, which are captured by a set of differential equations:

$\frac{d\pi_C(t)}{dt} = \alpha\,\pi_R(t) - \big(\beta(t) + \rho_C\big)\,\pi_C(t)$

$\frac{d\pi_I(t)}{dt} = \beta(t)\,\pi_C(t) - \rho_I\,\pi_I(t)$

$\frac{d\pi_R(t)}{dt} = \rho_C\,\pi_C(t) + \rho_I\,\pi_I(t) - \alpha\,\pi_R(t)$

Model parameters:
- $\alpha$: activation rate for each node
- $\beta(t)$: infection rate for each clean node at time $t$
- $\rho_C$: reset rate for each clean node
- $\rho_I$: reset rate for each infected node
- $\pi_C(t)$: fraction of nodes that are Clean at time $t$
- $\pi_I(t)$: fraction of nodes that are Infected at time $t$
- $\pi_R(t)$: fraction of nodes that are Resetting at time $t$

8 Theoretical Analysis
We express the transition rates in terms of several network parameters:

$\alpha = \frac{1}{r}$

$\beta(t) = \lambda \cdot \frac{\pi_I(t)}{\pi_C(t) + \pi_I(t)}$

$\rho_C = \sigma \cdot \upsilon$

$\rho_I = \sigma \cdot (\upsilon + \xi)$

Parameters:
- $r$: time to perform the reset operation
- $\lambda$: communication rate for each node
- $\sigma$: detection sensitivity
- $\upsilon$: normal upload rate for each node
- $\xi$: exfiltration rate for each infected node
- $\theta$: operational threshold for the network

Solving for $\frac{d\pi_C(t)}{dt} = \frac{d\pi_I(t)}{dt} = \frac{d\pi_R(t)}{dt} = 0$ and $\pi_C(t) + \pi_I(t) + \pi_R(t) = 1$ yields the equilibrium distribution $(\pi_C, \pi_I, \pi_R)$ over node states:

$\pi_C = \frac{\sigma(\upsilon + \xi)}{\lambda + r\sigma(\upsilon + \xi)(\lambda - \sigma\xi)}$

$\pi_I = \frac{\lambda - \sigma(\upsilon + \xi)}{\lambda + r\sigma(\upsilon + \xi)(\lambda - \sigma\xi)}$

$\pi_R = 1 - \frac{\lambda}{\lambda + r\sigma(\upsilon + \xi)(\lambda - \sigma\xi)}$

9 Theoretical Analysis
The optimal detection sensitivity for the Defender is the maximum value of $\sigma$ that respects the operational threshold, i.e. the solution to

$\pi_R(\sigma) = 1 - \frac{\lambda}{\lambda + r\sigma(\upsilon + \xi)(\lambda - \sigma\xi)} = 1 - \theta$

which is

$\sigma = \frac{\lambda}{2\xi} \cdot \left(1 - \sqrt{1 - \frac{4\xi(1-\theta)}{r\lambda\theta(\upsilon + \xi)}}\right)$

The Attacker wants to maximize the total data exfiltration rate: $\max_\xi f(\xi)$ where $f(\xi) = \xi \cdot \pi_I(\xi)$, which occurs when

𝜉=𝜐⋅ 1− 1−𝜃 𝑟𝜆𝜃 −𝜃 𝑟𝜆𝜃 −1

yielding a total data exfiltration rate of

𝑓 𝜉 = 𝜐⋅𝜃⋅ 2−3 1−𝜃 𝑟𝜆𝜃 −𝜃 𝑟𝜆𝜃 −1 − −𝜃 𝑟𝜆𝜃 −1

10 Results
Examining the boundary cases, we find that:
- If $\frac{1-\theta}{r\lambda\theta} \geq \frac{4}{9}$, the Defender will purge the malware from the network, regardless of the data exfiltration rate
- If $\frac{1-\theta}{r\lambda\theta} \leq \frac{1}{4}$, the Defender cannot keep up with the spread of the malware, so the Attacker can exfiltrate data at an arbitrarily high rate without being purged from the network
- For $\frac{1}{4} \leq \frac{1-\theta}{r\lambda\theta} \leq \frac{4}{9}$, the optimal total rate of data exfiltration that the Attacker can achieve is 𝑓 𝜉 = 𝜐⋅𝜃⋅ 2−3 1−𝜃 𝑟𝜆𝜃 −𝜃 𝑟𝜆𝜃 −1 − −𝜃 𝑟𝜆𝜃 −1
Note that these depend only on $r$ (reset time), $\lambda$ (communication rate), $\upsilon$ (normal upload rate), and $\theta$ (operational threshold)
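The following worked example is added here by the editor and is not code from the paper or its authors. It implements the model as slides 7 through 10 state it: the three Clean/Infected/Resetting differential equations with the transition rates of slide 8, the closed-form equilibrium, and the Defender's optimal sensitivity from slide 9. It integrates the ODEs to confirm that they settle on the closed-form equilibrium, and then searches numerically for the Attacker's best exfiltration rate under the Defender's best response, so that a practitioner can see how the attacker-optimal total rate moves when the reset time r or the threshold theta changes. The numeric parameter values are constructed for illustration; the grid search is the editor's check, not the paper's closed form.

```python
"""Mean-field model of stealthy propagating malware versus reset-based defence.

Symbols follow slide 8: r reset time, lam communication rate, ups normal upload
rate, xi exfiltration rate per infected node, sigma detection sensitivity,
theta operational threshold (fraction of nodes that must stay online).
All numeric values below are constructed for illustration, not from the paper.
"""
import math


def integrate_ode(sigma, xi, r, lam, ups, pi0=(0.99, 0.01, 0.0), dt=0.01, steps=10_000):
    """Forward-Euler integration of the three ODEs on slide 7.

    alpha = 1/r, beta(t) = lam * pi_I/(pi_C + pi_I), rho_C = sigma*ups,
    rho_I = sigma*(ups + xi). Returns (pi_C, pi_I, pi_R) after `steps` steps.
    """
    pC, pI, pR = pi0
    alpha, rho_C, rho_I = 1.0 / r, sigma * ups, sigma * (ups + xi)
    for _ in range(steps):
        online = pC + pI
        beta = lam * pI / online if online > 0 else 0.0
        dC = alpha * pR - (beta + rho_C) * pC
        dI = beta * pC - rho_I * pI
        dR = rho_C * pC + rho_I * pI - alpha * pR
        pC, pI, pR = pC + dt * dC, pI + dt * dI, pR + dt * dR
    return pC, pI, pR


def equilibrium(sigma, xi, r, lam, ups):
    """Closed-form stationary distribution (slide 8).

    The infected equilibrium exists only while lam > sigma*(ups + xi); otherwise
    the malware dies out and the only resets are false positives on clean nodes.
    """
    if sigma * (ups + xi) >= lam:  # purged regime: pi_I = 0
        pR = r * sigma * ups / (1.0 + r * sigma * ups)
        return 1.0 - pR, 0.0, pR
    denom = lam + r * sigma * (ups + xi) * (lam - sigma * xi)
    return (sigma * (ups + xi) / denom,
            (lam - sigma * (ups + xi)) / denom,
            1.0 - lam / denom)


def optimal_sensitivity(xi, r, lam, ups, theta):
    """Defender's sigma* (slide 9): root of pi_R(sigma) = 1 - theta.

    Returns None when no sigma reaches the threshold in the infected regime,
    i.e. the Defender can raise sigma until the malware is purged.
    """
    disc = 1.0 - 4.0 * xi * (1.0 - theta) / (r * lam * theta * (ups + xi))
    if disc < 0.0:
        return None
    return lam / (2.0 * xi) * (1.0 - math.sqrt(disc))


def total_exfiltration(xi, r, lam, ups, theta):
    """f(xi) = xi * pi_I evaluated at the Defender's best response sigma*(xi)."""
    sigma = optimal_sensitivity(xi, r, lam, ups, theta)
    if sigma is None:
        return 0.0  # Defender purges; nothing is exfiltrated at equilibrium
    return xi * equilibrium(sigma, xi, r, lam, ups)[1]


def max_exfiltration(r, lam, ups, theta, xi_max=10.0, step=0.01):
    """Grid search for the Attacker's best xi (editor's numeric check).

    'bounded' is False when the maximum sits at the top of the grid: for those
    parameters the Defender's threshold does not limit the Attacker.
    """
    n = int(round(xi_max / step))
    best_k, best_f = 0, 0.0
    for k in range(1, n + 1):
        f = total_exfiltration(k * step, r, lam, ups, theta)
        if f > best_f:
            best_k, best_f = k, f
    return {"xi": best_k * step, "rate": best_f, "bounded": best_k < n}


if __name__ == "__main__":
    R, LAM, UPS, THETA = 25 / 9, 1.0, 1.0, 0.5  # constructed values
    XI = 2.0
    s = optimal_sensitivity(XI, R, LAM, UPS, THETA)
    print("sigma*      :", round(s, 4))
    print("closed form :", [round(p, 4) for p in equilibrium(s, XI, R, LAM, UPS)])
    print("integrated  :", [round(p, 4) for p in integrate_ode(s, XI, R, LAM, UPS)])
    print("attacker opt:", max_exfiltration(R, LAM, UPS, THETA))
    print("faster reset:", max_exfiltration(2.5, LAM, UPS, THETA))
    print("slow reset  :", max_exfiltration(5.0, LAM, UPS, THETA))
```

With the constructed values the integrated trajectory converges to the closed-form equilibrium, the resetting fraction sits exactly at 1 - theta under sigma*, and shortening the reset time from 25/9 to 2.5 lowers the Attacker's best achievable total rate; with r = 5 the search runs off the top of the grid, which is the unbounded regime described on slide 10.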

11 Conclusions
Our model represents a worst-case scenario, where:
- Malware spreads instantaneously every time that an infected node communicates with a clean node
- Any node can communicate with any other node
- Detectors cannot distinguish between clean and infected nodes
Without modifying normal network behavior (node communication and upload rate) or knowing anything about the Attacker's strategy, the Defender can control the maximum total rate of data exfiltration by:
- reducing the time required to perform the reset or recovery operation
- reducing the operational threshold, e.g. by acquiring additional nodes
Our results allow cybersecurity decision-makers to:
- assess the maximal risk to their network
- estimate the benefit of investing additional resources in improving the robustness of their network

12 Questions?
Brian Thompson bthompso8784@gmail.com
