Background
History of Computer Viruses
► 1971: Creeper (ARPANET)
► 1982: Elk Cloner (floppy, Apple-II)
► 1986: Cohen’s thesis
► 1988: Morris worm (Internet)
► Late 1980’s: floppy, DOS
► 1990’s: macro viruses
► Late 1990’s: worms
► 2000’s: bot-nets
Early Theoretical Work
► Cohen: viruses [Cohen, 1986]
► Proved: Universal detection is impossible
(with zero false positives/negatives)
Detection is imprecise
Arms-race
Viral Epidemiology
► Epidemiology models [Murray, 1988]
► Models:
Continuous vs. discrete
SI, SIS, SIR, etc.
Detection/Countermeasures
► Traditional method (used today)
Analyze specimen
Create anti-virus module
Distribute to users (usually by daily update)
► Too slow!
Artificial Immune System?
Behavioral?
Heuristic?
Evolution of the threat
► Early worms: joke/curiosity
► Then fame (peer recognition)
► Now: money
Spyware
Rootkits
Worm-Spread Metrics
Worm-spread representations
► Number of infected machines over time
► Number of new infections over time
► Worm traffic over time
Possible metrics
► Peak number of infected machines by saturation
► Cumulative infections by saturation
► Maximum rate of infections
► Minimum doubling time
► Area under curve
► Fraction of susceptible infected …
► Time to saturation
► Infectious traffic …
► etc.
What to measure?
► What are we really interested in?
► Impact on society
Assumptions
► Each computer is “worth” the same
► Most devastating payload
Suggested metrics
► Peak number of infections
► Cumulative total of infections
► But!
Comparison
► Real-life data?
Not representative!
► AAWP [Chen, 2003]
► Reason:
Analytical model (AAWP, discrete time; I(t) infected hosts, S(t) susceptible hosts, r probes per host per step, N size of the address space):
$$I(t+1) = I(t) + S(t)\left[1 - \left(1 - \frac{1}{N}\right)^{r\,I(t)}\right]$$
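As an added example (not code from the slides), the AAWP recurrence run as a discrete-time simulation, with the candidate worm-spread metrics listed earlier computed from the resulting curves; the population, scan rate and address-space values are constructed, not measured.

```python
"""AAWP-style discrete-time worm model (after Chen 2003) in the slide's
symbols, plus the candidate spread metrics.  Added example, not the
slides' own code; the default population numbers are constructed."""


def aawp_step(I, S, r, N):
    """One time step: the I infected hosts each probe r random addresses
    out of N, so a susceptible host escapes every probe with probability
    (1 - 1/N)**(r*I).  Returns (I', S', newly infected this step)."""
    p_hit = 1.0 - (1.0 - 1.0 / N) ** (r * I)
    new = S * p_hit  # expected number of new infections this step
    return I + new, S - new, new


def simulate(N=2 ** 32, S0=360_000, I0=10, r=1_000, steps=400):
    """Run the model; return (infected-over-time, new-infections-over-time,
    total susceptible population).  Defaults are constructed values."""
    I, S = float(I0), float(S0)
    infected, new_infs = [I], [0.0]
    for _ in range(steps):
        I, S, new = aawp_step(I, S, r, N)
        infected.append(I)
        new_infs.append(new)
    return infected, new_infs, float(S0 + I0)


def metrics(infected, new_infs, total, sat=0.99):
    """The slide's candidate metrics computed from the two curves.
    time_to_saturation is None if the worm never reaches sat*total."""
    t_sat = next((t for t, i in enumerate(infected) if i >= sat * total), None)
    min_dbl = None  # fewest steps over which I(t) at least doubles
    for t, i in enumerate(infected):
        if 2 * i > total:  # I(t) can never double again
            break
        for d in range(1, len(infected) - t):
            if infected[t + d] >= 2 * i:
                min_dbl = d if min_dbl is None else min(min_dbl, d)
                break
    return {
        "peak_infected": max(infected),
        "cumulative_infections": infected[0] + sum(new_infs),
        "max_rate": max(new_infs),
        "min_doubling_time": min_dbl,
        "time_to_saturation": t_sat,
        "area_under_curve": sum(infected),
        "fraction_susceptible_infected": infected[-1] / total,
    }


if __name__ == "__main__":
    inf, new, total = simulate()
    for k, v in metrics(inf, new, total).items():
        print(f"{k:>30}: {v}")
```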
Research Questions
► How effective is behavioral detection against email worms?
► How to extend Undo to email?
► Is Undo helpful?
Challenges with Email Recall
► General email recall is problematic
Not primarily technical but social
Removal of evidence
Authentication
Results
Future Work
► Design extension to SMTP protocol to include short-term recall
► Compare the effectiveness to other techniques
e.g. Throttling [Williamson, 2003]
Conclusions
► Effectiveness of behavioral detection
Even if “leaky”
► Email recall can reduce the epidemic even further
To the point of elimination with good detector
► Recall is for short term only
Policy Distribution
Motivation
► General network-level undo is unfeasible
Distribute defenses instead
► Self-organization has many desirable properties
Simple on individual level
Emergent patterns
Adaptive
Research Questions
► How effective is SO compared to other, simpler methods?
► How do networks with and without transmission failures compare?
Self-organization method
► Neighbor selection is probabilistic
Learned behavior –
Version difference –
Topology information –
$p_{ij}(t)$: probability that node $i$ selects neighbour $j$ at time $t$, built from the three per-neighbour factors above (indexed $ij$) and normalised over $i$'s neighbour set $h \in J_i$ (indexed $ih$); the factor symbols are not recoverable from the slide.
Based on [Mamei, 2006]