
Malicious Mobile Code Related Experiments with an Extensible Network Simulator
Dissertation presentation by Attila Ondi
Major Advisor: Dr. Richard Ford


Overview
► Background
► Research:
 Worm-spread metrics
 Hephaestus
 Email recall
 Policy distribution
 Background traffic
► Summary

Background

History of Computer Viruses
► 1971: Creeper (ARPANET)
► 1982: Elk Cloner (floppy, Apple-II)
► 1986: Cohen’s thesis
► 1988: Morris worm (Internet)
► Late 1980’s: floppy, DOS
► 1990’s: macro viruses
► Late 1990’s: worms
► 2000’s: bot-nets

Early Theoretical Work
► Cohen: viruses [Cohen, 1986]
► Proved: Universal detection is impossible
(with zero false positives/negatives)
 Detection is imprecise
 Arms-race

Viral Epidemiology
► Epidemiology models [Murray, 1988]
► Models:
 Continuous vs. discrete
 SI, SIS, SIR, etc.
Detection/Countermeasures
► Traditional method (used today)
 Analyze specimen
 Create anti-virus module
 Distribute to users (usually by daily update)

► Too slow!
 Artificial Immune System?
 Behavioral?
 Heuristic?

Evolution of the threat
► Early worms: joke/curiosity
► Then fame (peer recognition)
► Now: money
 Spyware
 Rootkits

Worm-Spread Metrics

How good is good enough? Metrics for worm/anti-worm evaluation
A. Ondi and R. Ford
Journal in Computer Virology, 3(2), pp. 93-101, 2007
Motivation
► Lack of discussion in the literature
► Use of ad-hoc metrics
 Time to saturation
 Peak number of infections
► Comparison by eye
 “We can see…”

Worm-spread representations
► Number of infected machines over time
► Number of new infections over time
► Worm traffic over time
Possible metrics
► Peak number of infected machines by saturation
► Cumulative infections by saturation
► Maximum rate of infections
► Minimum doubling time
► Area under curve
► Fraction of susceptible infected …
► Time to saturation
► Infectious traffic …
► etc.

What to measure?
► What are we really interested in?

► Impact on society
 Assumptions
 ► Each computer is “worth” the same
 ► Most devastating payload
Suggested metrics
► Peak number of infections
► Cumulative total of infections

► But!

► Must take countermeasures into account


 No countermeasures can only be a baseline
Arguments
► Must be universal
 Applicable to past, present, and future MMC
► Payloads cannot be compared
► Time is secondary
 If we consider all possible countermeasures
► Traffic can be derived
How to carry out experiments?
► Real-life experiments
► Protected laboratory
 DETER [Benzel, 2006]
► Voluntary machines
 PlanetLab [Peterson, 2002]
► Analytical models
► Stochastic computer simulations
Existing Simulators
► Custom tailored
 [Vogt, 2003]
 [Weaver, 2004]
 Hephaestus [Shirey, 2004]
 NWS [Ediger, 2005]
► General network simulators
 ns-2 [Yuksel, 2000]
 GTNetS [Riley, 2003]
Hephaestus

Modeling Malcode with Hephaestus: Beyond Simple Spread
A. Ondi and R. Ford
ACM SE, pp. 379-384, 2007
Overview
► Extensible
► Mixed-level
► Network simulator
► For worm-spread simulations
 Though capable of much more (e.g. HSLS routing in a MANET)
Architecture
Extensions to Hephaestus
► 2004:
 Fully connected topology
 Node libraries
 Views
► 2007:
 Arbitrary topologies
 Node libraries
 Views
 + Service libraries
 + Pre-simulation libraries
 + Arbitrary stop conditions
 + Save/load
Validation

Comparison
► Real-life data?
 Not representative!
► AAWP [Chen, 2003]
► Reason:
 Analytical model

$$I_{t+1} = I_t + \left(S_t - I_t\right)\left[1 - \left(1 - \frac{1}{N}\right)^{r I_t}\right]$$

I_t – infected  N – IP address space size
S_t – susceptible (incl. infected)  r – infection rate
Experimental Setup
► Code Red I v2-like worm
► 360,000 infectable machines
► Spread for ~14h simulated time
► Fully connected topology
► No countermeasures
► No background traffic
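As an added worked example (not the author's Hephaestus code), the AAWP recurrence iterated for the setup above, 360,000 susceptible hosts in the 2^32 IPv4 space with no countermeasures, and the metrics from the "Possible metrics" slide computed on the resulting curve. The scan rate of 358 scans per host per step and the one-minute step are assumptions, not values from the slides.

```python
import math

# Parameters: N and the 360,000 susceptible hosts are from the slide; the scan rate
# and the one-minute time step are constructed assumptions for this example.
N = 2 ** 32      # IPv4 address space size
S = 360_000      # susceptible hosts, held constant (no patching, no countermeasures)
R = 358          # scans per infected host per step (one step = one simulated minute)


def aawp_step(i_t, s_t=S, n=N, r=R):
    """One AAWP update: I(t+1) = I(t) + (S(t) - I(t)) * (1 - (1 - 1/N)^(r * I(t)))."""
    # -expm1(x * log1p(-1/n)) equals 1 - (1 - 1/n)**x, but avoids the precision loss
    # of forming 1 - 1/n directly as a double.
    p_hit = -math.expm1(r * i_t * math.log1p(-1.0 / n))
    return i_t + (s_t - i_t) * p_hit


def simulate(i0=1.0, max_steps=5000, stop_gap=0.5):
    """Infected-count trajectory I(0), I(1), ... until I is within stop_gap of S."""
    traj = [i0]
    while len(traj) < max_steps and S - traj[-1] > stop_gap:
        traj.append(aawp_step(traj[-1]))
    return traj


def metrics(traj, saturation=0.99):
    """Metrics from the 'Possible metrics' slide, computed on one trajectory."""
    new_per_step = [b - a for a, b in zip(traj, traj[1:])]
    t_sat = next((t for t, i in enumerate(traj) if i >= saturation * S), None)
    # Minimum doubling time: fewest steps over which I(t) at least doubles.
    min_double = None
    for t0, start in enumerate(traj):
        for t1 in range(t0 + 1, len(traj)):
            if traj[t1] >= 2 * start:
                if min_double is None or t1 - t0 < min_double:
                    min_double = t1 - t0
                break
    return {
        "peak_infected": max(traj),
        "cumulative_infections": traj[-1] - traj[0],  # no removal: every infection persists
        "max_new_per_step": max(new_per_step),
        "min_doubling_time": min_double,
        "time_to_saturation": t_sat,  # first step at which I(t) >= 99% of S
        "fraction_infected": max(traj) / S,
    }


if __name__ == "__main__":
    for name, value in metrics(simulate()).items():
        print(f"{name}: {value}")
```

With no countermeasures the peak and the cumulative count coincide, which is exactly why the slides call such a run only a baseline.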
Results
Conclusion
► Validated basic worm-spread capabilities
► Importance of stochastic simulations
 vs. analytical methods
Email Recall

On the impact of short-term email undo on the spread of malicious mobile code
I. K. El-Far, R. Ford, A. Ondi, and M. Pancholi
Proc. EICAR Conference Best Paper, pp. 175–189, 2005

Suppressing the Spread of Email Malcode using Short-term Message Recall
I. K. El-Far, R. Ford, A. Ondi, and M. Pancholi
Journal in Computer Virology, 1(1-2), pp. 4-12, 2005
Motivation
► Email worms
► Behavioral detection (Leaky!)
► Undo

Research Questions
► How effective is behavioral detection
against email worms?
► How to extend Undo to email?
► Is Undo helpful?
Challenges with Email Recall
► General email recall is problematic
 Not primarily technical but social
 Removal of evidence
 Authentication

► Our solution is short-term recall!


Experimental Setup
► Realistic email network [Newman, 2002]
 100k nodes
► Scenarios:
 No defense
 Detection
 Recall
► Contacts in address books
► 3% per time step
► Time step ~ few sec.
Hypotheses
► Behavioral detection reduces spread
► Adding Recall can practically eliminate spread

Results
Future Work
► Design extension to SMTP protocol to include short-term recall
► Compare the effectiveness to other techniques
 e.g. Throttling [Williamson, 2003]
Conclusions
► Effectiveness of behavioral detection
 Even if “leaky”
► Email recall can reduce the epidemic even further
 To the point of elimination with a good detector
► Recall is for short term only
Policy Distribution

Swarming computer security: An experiment in policy distribution
R. Menezes, R. Ford, and A. Ondi
Proc. IEEE Swarm Intelligence Symposium, pp. 436–439, 2005

Network Distribution of Security Policies via Ant-like Foraging Behavior
A. Ondi, R. Menezes, and R. Ford
ICIW, pp. 64-69, 2007

Motivation
► General network-level undo is unfeasible
 Distribute defenses instead
► Self-organization has many desirable properties
 Simple on individual level
 Emergent patterns
 Adaptive

Research Questions
► How effective is SO compared to other, simpler methods?
► How do networks with and without transmission failures compare?
Self-organization method
► Neighbor selection is probabilistic
 Learned behavior – τ_ij(t)
 Version difference – ν_ij
 Topology information – η_ij

$$p_{ij}(t) = \frac{\alpha\,\tau_{ij}(t) + \beta\,\nu_{ij} + \gamma\,\eta_{ij}}{\sum_{h \in J_i} \left( \alpha\,\tau_{ih}(t) + \beta\,\nu_{ih} + \gamma\,\eta_{ih} \right)}$$

Based on [Mamei, 2006]

• i, j, h – node indices
• J_i – neighbors of node i
• t – time
• α, β, γ – weights (the letters for the weights and the three terms are assigned here for readability; only their roles are given on the slide)
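An added example, not the authors' simulator code: a toy foraging node that computes p_ij(t) as the weighted sum of its learned, version-difference and topology terms, normalized over its neighbors J_i, and polls accordingly. The four-node network, the weights, the use of neighbor degree as the topology term and the evaporation/reinforcement rule for the learned term are all assumptions made for this example.

```python
import random

# Constructed toy network for this example: adjacency lists, and the weights
# alpha, beta, gamma of the three terms in p_ij(t). All values are assumptions.
NEIGHBORS = {0: [1, 2, 3], 1: [0, 2], 2: [0, 1, 3], 3: [0, 2]}
ALPHA, BETA, GAMMA = 1.0, 2.0, 0.5
EVAPORATION = 0.9      # assumed per-step decay of the learned term tau (the foraging "pheromone")
REINFORCEMENT = 1.0    # assumed bonus to tau_ij when polling j delivered a newer policy


class ForagingNode:
    """Node i choosing which neighbor to poll for policy updates with probability p_ij(t)."""

    def __init__(self, i, versions):
        self.i = i
        self.versions = versions                     # shared map: node -> policy version held
        self.tau = {j: 1.0 for j in NEIGHBORS[i]}    # learned behaviour, starts uniform

    def score(self, j):
        tau = self.tau[j]                                          # learned behaviour
        nu = max(0, self.versions[j] - self.versions[self.i])      # version difference
        max_deg = max(len(NEIGHBORS[h]) for h in NEIGHBORS[self.i])
        eta = len(NEIGHBORS[j]) / max_deg                          # topology: prefer hubs
        return ALPHA * tau + BETA * nu + GAMMA * eta

    def probabilities(self):
        """p_ij(t) for every neighbor j in J_i: weighted score over the sum of scores."""
        scores = {j: self.score(j) for j in NEIGHBORS[self.i]}
        total = sum(scores.values())
        return {j: s / total for j, s in scores.items()}

    def poll(self, rng):
        """One polling round: draw j ~ p_ij(t), pull j's policy if newer, update tau."""
        probs = self.probabilities()
        j = rng.choices(list(probs), weights=list(probs.values()))[0]
        for h in self.tau:
            self.tau[h] *= EVAPORATION
        if self.versions[j] > self.versions[self.i]:
            self.versions[self.i] = self.versions[j]
            self.tau[j] += REINFORCEMENT
        return j


def simulate(steps, seed=1, versions=None):
    """Run every node for `steps` rounds; returns the final version held by each node."""
    rng = random.Random(seed)
    versions = dict(versions) if versions else {0: 0, 1: 0, 2: 1, 3: 0}  # node 2 has the update
    nodes = [ForagingNode(i, versions) for i in NEIGHBORS]
    for _ in range(steps):
        for node in nodes:
            node.poll(rng)
    return versions
```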
Experimental Setup
► 100 nodes, scale-free topology
► Distribution algorithms:
 All-Tell-All
 All-Tell-All + Backoff
 Simple polling
 Polling with Foraging
► 50 policy updates (introduced at a fixed point)
► Scenarios:
 No transmission failure
 Random transmission failure
Hypotheses
► SO is beneficial in policy distribution
► Foraging improves simple polling
Results
Future Work
► Dynamic introduction
► Multiple policies
► MANET
Conclusion
► All-tell-all with backoff seems the best
 But very fragile
► Ideas of SO help in policy distribution
 Molding
 Foraging
Background traffic

A drawback of current anti-virus simulation: The need for background traffic
A. Ondi
ACM SE, pp. 734-735, 2006
Motivation
► False positive
 “Background” traffic
► Current simulations lack such traffic
 Or use pre-recorded trace
► BG traffic models
 Measured on a single link
Research Questions
► How can we extend the existing traffic models to reflect realistic client-server communication patterns?
► Can we use this model in worm-spread simulations?
Approach
► Client-server communication
 Song Luo’s model [Luo, 2005]
► Client-server dynamics
 Bruce Mah’s suggestion [Mah, 1997]
Validation
Simple model
► 1 client – 1 server
► HTTP protocol
► 10,000 simulation steps

► Results agree with theoretical model


Experimental Setup
Extended model
► 1,000 clients – 100 servers (HTTP)
 Double preferential selection (based on [Albert, 2000])
► 10,000 simulation steps (~ 2h 45m)
Hypothesis
► The statistical distributions, measured on a randomly selected server, agree with the simple model
Results
Application: Worm spread
Experimental Setup
Worm spread
► 100,000 clients – 1,000 servers (HTTP)
► Code Red-like worm
► 900 simulation steps (~15m)
Hypothesis
► The effect of the worm spread is observable on the network traffic
Results
Future Work
► Add realistic “white noise” traffic
► Incorporate other protocols (FTP, chat, P2P)
► Use it!
Conclusion
► Traditional models useful
► But need extension
 Client-server distribution
 White noise
► Runs in reasonable time limits
Summary
► Community must agree on a metric
► Behavioral detection + Recall is very effective against email-based worms
► Self-organization can help in rapidly and reliably distributing policy information
► Simulation can be a cost-effective way to conduct worm-spread experiments
 With the right simplifications
 And realistic background traffic models
Acknowledgement
► Dr. Richard Ford
► Committee members
 Dr. Ronaldo Menezes
 Dr. William Allen
 Dr. Mark Bush
► Office of Naval Research
► Manan Pancholi
► Ibrahim K. El-Far
► Sarah Rhodes
References
► [Cohen, 1986] F. Cohen, Computer Viruses, PhD Thesis, University of Southern California
► [Murray, 1988] W. H. Murray, The application of epidemiology to computer viruses, Computers & Security, 7, pp. 367–370
► [Mah, 1997] B. Mah, An empirical model of HTTP network traffic, Proc. INFOCOM, 2, pp. 592–600
► [Albert, 2000] R. Albert et al., Error and attack tolerance of complex networks, Nature, 406, pp. 378–382
► [Yuksel, 2000] M. Yuksel et al., Workload for ns simulations of wide area networks and the Internet, Proc. CNDS, pp. 93–98
► [Newman, 2002] M. Newman et al., Email networks and the spread of computer viruses, Physical Review E, 66(3), 035101
► [Peterson, 2002] L. Peterson et al., A blueprint for introducing disruptive technology to the Internet, Proc. 1st HotNets
► [Mamei, 2006] M. Mamei et al., Case studies for self-organization in computer science, Journal of Systems Architecture, 52(8), pp. 443–460
► [Chen, 2003] S. Chen et al., Modeling the spread of active worms, Proc. INFOCOM, 3, pp. 1890–1900
References (cont.)
► [Riley, 2003] G. F. Riley, The Georgia Tech network simulator, ACM SIGCOMM, pp. 5–12
► [Vogt, 2003] T. Vogt, Simulating and optimizing worm propagation algorithms, Tech. Report, Security Focus
► [Williamson, 2003] M. M. Williamson, Design, implementation and test of an email virus throttle, Tech. Report, HP Labs
► [Shirey, 2004] C. B. Shirey, Modeling the spread and prevention of malicious mobile code via simulation, Master’s Thesis, Florida Institute of Technology
► [Weaver, 2004] N. Weaver et al., A very fast containment for scanning worms, Proc. 13th USENIX, pp. 29–44
► [Ediger, 2005] B. Ediger, Simulating network worms, Website
► [Luo, 2005] S. Luo, Generating models of Internet background traffic suitable for use in network detection systems, PhD Thesis, University of Central Florida
► [Benzel, 2006] T. Benzel et al., Experience with DETER: A testbed for security research, Proc. 2nd International Tridentcom, pp. 379–388
Publications
► I. K. El-Far, R. Ford, A. Ondi, and M. Pancholi, On the impact of short-term email undo on the spread of malicious mobile code, Proc. EICAR Conference Best Paper, pp. 175–189, 2005
► I. K. El-Far, R. Ford, A. Ondi, and M. Pancholi, Suppressing the Spread of Email Malcode using Short-term Message Recall, Journal in Computer Virology, 1(1-2), pp. 4-12, 2005
► R. Menezes, R. Ford, and A. Ondi, Swarming computer security: An experiment in policy distribution, Proc. IEEE Swarm Intelligence Symposium, pp. 436–439, 2005
► A. Ondi, A drawback of current anti-virus simulations: The need for background traffic, ACM SE, pp. 734-735, 2006
► A. Ondi, R. Menezes, and R. Ford, Network Distribution of Security Policies via Ant-like Foraging Behavior, ICIW, pp. 64-69, 2007
► A. Ondi and R. Ford, How good is good enough? Metrics for worm/anti-worm evaluation, Journal in Computer Virology, 3(2), pp. 93-101, 2007
