Malware Halting Part I: Method Development, Kjell Jørgen Hole (PowerPoint presentation)

We view malware outbreaks as infectious diseases and use software diversity and computer immunization (or hardening) to prevent the outbreaks from spreading. Malware Halting Part I: Method Development, Kjell Jørgen Hole, Simula@UiB.


Malware Halting Part I: Method Development
Kjell Jørgen Hole, Simula@UiB. Last updated 16.05.17.
We view malware outbreaks as infectious diseases and use software diversity and computer “immunization” (or hardening) to prevent the outbreaks from spreading.

Overview
1. Malware
2. Software diversity
3. Computer “immunization”
4. Epidemiological model
5. Malware halting analysis
6. Malware halting method

Malware defined
Malware — malicious software used to
• disrupt computer operations
• gather sensitive information, or
• gain access to private systems

Types of malware
[Figure labels: bots, dialers, rootkits, Trojan horses, viruses, keyloggers, worms, spyware, ransomware, backdoors, adware]
Trojan horse — any program that invites the user to run it, concealing malicious code.
Rootkits — prevent a malicious process from being visible in the system's list of processes, or keep its files from being read.
Spyware — program used to surreptitiously track and/or transmit data to an unauthorized third party.

Infectious malware
We’ll concentrate on how to best halt infectious malware in very large networks.
We’ll concentrate on infectious malware:
• Viruses — need user intervention to spread
• Worms — spread automatically

Spreading mechanisms (1)
The malware writer chooses the spreading mechanism.
Random scanning selects target IP addresses at random (all nodes are neighbors)
• used by Code Red and Slammer worms
Localized scanning selects most hosts in the “local” address space
• used by Code Red II and Nimda worms

Spreading mechanisms (2)
As we move from IPv4 (32-bit addresses) to IPv6 (128-bit addresses), topological scanning may become more popular than random scanning because IPv6’s huge address space will make it hard for random-scanning malware to find new vulnerable machines.
Topological scanning relies on information contained in infected hosts to locate new targets
• the information may include (BGP) routing tables, email addresses, a list of peers, and Uniform Resource Locators (URLs)
• used by the Morris worm

Spreading mechanisms (3)
Hitlist consists of potentially vulnerable machines that are gathered beforehand and targeted first when the worm is released
• the flash worm gathered all vulnerable machines into its hitlist

Software diversity
Google Play and iOS App Store are popular application stores.
We consider systems of networked computing devices, such as computers, smartphones, and tablets
Each device downloads software from application stores utilizing compilers with “diversity engines”

Software monoculture
Figure taken from [Franz]. Application stores without “diversity engines” create software monocultures.
A long period without any serious malware spreading in a monoculture convinces stakeholders that the “traditional” (today’s situation) malware countermeasures are working and that there is only a very small risk of a malware epidemic. The monoculture appears robust to malware until a surprising epidemic occurs, revealing that the malware risk was much higher than foreseen by the stakeholders.
[Figure labels: identical binary for all users; all users susceptible to identical exploit; attacker exploit]

Diversity engine
The diversity engine generates diverse machine code images from a single source code submitted by a software developer.
[Figure labels: software developer delivers software to app store; diversity engine within app store creates variants; subsequent downloaders receive functionally identical but internally different versions of the same software]

Software polyculture (the future?)
Figure from [Franz]. Application stores with “diversity engines” create software polycultures.
[Figure labels: different variants for different users; a single exploit no longer affects all users identically; cost to attacker rises dramatically]

Immunization (1)
It is expensive to apply software hardening, or immunization, to many computers with different software.
Software hardening, or immunization, consists of
• removal of non-essential software programs
• secure configuration of remaining programs
• constant patching, and
• use of intrusion-detection systems, firewalls, intrusion-prevention systems, anti-malware programs, and spyware blockers

Immunization (2)
• In extreme cases, trained personnel have to take a device off-line to wipe its memory before installing new software

Pragmatic approach
“Some have to die for the group to survive.”
Despite the protection provided by computer “immunization,” it is nearly impossible to keep every device free of malware at all times
A more realistic goal is to provide a form of “community immunity,” where most devices are protected against malware because there is little opportunity for new outbreaks to spread

Combine diversity and immunization
While community immunity usually entails immunization of nearly all entities in a monoculture, we’ll combine software diversity with the immunization of a small fraction of the computers to halt malware spreading

Epidemiological model
We model viruses and worms as infectious diseases spreading over networks with varying software diversity

Infected monoculture
Inhomogeneous network with hubs (see next slide) representing the spreading pattern of a malware outbreak. Red nodes are infected. Note that a single sick node infects all other nodes because the network is connected and because all nodes are of the same type (contain the same exploitable vulnerability).
[Figure labels: single sick node infects all other nodes; fragile; node size proportional to number of adjacent edges]

Hub defined
Hub — network node with many more adjacent edges than the average number of edges per node
• see large nodes in previous figure
• the number of adjacent edges is often referred to as the ‘degree’

Diversity
Nodes with the same color have a common exploitable vulnerability, while nodes of different colors have no common vulnerability.
Nodes of L types have different colors
The (software) diversity is equal to the number of colors L
www.kjhole.com

Immunization
A white immunized node never gets infected or transmits an infection

Immunized polyculture
L = 2 node types, L = 2 malware types, eight immunized hubs. The malware types only spread to three nodes.
[Figure label: robust]

Network model
Note that the graph defining a malware spreading pattern is likely to have a very different topology from the underlying physical network because the spreading pattern is, to a large degree, determined by the spreading mechanism selected by the malware writer. We’ll study multiple simultaneous malware, or multi-malware outbreaks, since the deployment of multiple malware types is an obvious strategy to counter software diversity.
Simple connected graph defines malware spreading pattern
• N nodes
• L ≥ 1 node types
• one malware type per node type
• discrete time t = 0, 1, 2, ...
• S infected seeds per node type at time t = 0

Seeds
Figure taken from [Hole]. Only the yellow seed is able to infect other nodes.
L = 3 node types, S = 1 seed per node type (a)

Malware spreading
We ignore the fact that computers are not infected instantaneously. It takes time for the worm to transfer its code to a new machine.
A sick node infects all its neighbors during a single time step t

Types of spreading patterns
Homogeneous network — all nodes have degrees k approximately equal to the average degree ⟨k⟩
Inhomogeneous network — a small fraction of nodes, the hubs, have degrees k much larger than the average degree ⟨k⟩

Malware halting analysis
To halt malware on networks with several million nodes, we first determine
(A) the desired distribution of node types,
(B) a lower bound on the needed diversity, and
(C) the trade-off between diversity and immunization

(A) Node type distribution
Let r_l be the probability that an arbitrary node is of type l = 1, 2, …, L
The entropy −Σ_l r_l log r_l measures the uncertainty of a node’s assigned type
It has maximum value log L when all r_l = 1/L

Maximize entropy (1)
Remember that an infected node (or actually the malware on the node) can only infect a susceptible node of the same type, i.e., both nodes must have the same exploitable vulnerability.
When the entropy is maximized, the best spreading strategy for each malware type is to select new nodes at random
The probability that a spreading mechanism chooses a node of the wrong type is 1 − 1/L
As L increases, this probability increases and the speed of the malware spreading decreases

Maximize entropy (2)
If there is less uncertainty about the distribution of vulnerable nodes, e.g. a few node types occur more often than the other node types in a network, then the entropy is smaller and malware writers can create very efficient topology-aware spreading mechanisms
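The network model (N nodes, L node types, one malware type per type, S seeds per type, sick nodes infecting all same-type neighbors per time step, immunized hubs) and the node-type entropy from the slides above, as an added worked example that is not the author's code. The hub-and-leaf graph and the uniform type assignment are constructed for illustration; the function names are my own.

```python
import math
import random
from collections import defaultdict


def node_type_entropy(r):
    """Entropy -sum_l r_l log r_l of a node-type distribution r (natural log);
    it peaks at log L when every r_l = 1/L and shrinks for skewed r."""
    return -sum(p * math.log(p) for p in r if p > 0)


def hub_graph(n_leaves, n_hubs, seed=1):
    """Constructed inhomogeneous graph: hubs 0..n_hubs-1 form a clique and each
    leaf attaches to one random hub, so hubs have far more edges than leaves."""
    rng = random.Random(seed)
    adj = defaultdict(set)
    for h in range(n_hubs):
        adj[h]  # make sure every hub exists even when n_hubs == 1
        for g in range(h + 1, n_hubs):
            adj[h].add(g)
            adj[g].add(h)
    for v in range(n_hubs, n_hubs + n_leaves):
        h = rng.randrange(n_hubs)
        adj[v].add(h)
        adj[h].add(v)
    return adj


def simulate(adj, L, S, immunized=0, seed=1):
    """Run the slides' discrete-time model and return the final number of
    infected nodes. Node types are drawn uniformly (maximum entropy), there is
    one malware type per node type with S seeds each, and the `immunized`
    highest-degree nodes (the hubs) never get infected or transmit."""
    rng = random.Random(seed)
    nodes = sorted(adj)
    ntype = {v: rng.randrange(L) for v in nodes}
    by_degree = sorted(nodes, key=lambda v: len(adj[v]), reverse=True)
    immune = set(by_degree[:immunized])
    infected = set()
    for l in range(L):  # seeds are picked among susceptible nodes of type l
        candidates = [v for v in nodes if ntype[v] == l and v not in immune]
        infected.update(rng.sample(candidates, min(S, len(candidates))))
    while True:  # one time step: every sick node hits all its neighbours,
        new = {u for v in infected for u in adj[v]  # but only same-type,
               if u not in infected and u not in immune  # non-immune ones
               and ntype[u] == ntype[v]}
        if not new:  # no malware type can spread further: outbreak halted
            return len(infected)
        infected |= new
```

Running `simulate(hub_graph(20, 4), 1, 1)` reproduces the fragile monoculture (all 24 nodes infected), while immunizing the four hubs with L = 2 halts the outbreak at the seeds.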

Observation 1
Skewed distributions of node types should be avoided because they facilitate rapid malware spreading

(B) Needed diversity
Multimedia messaging system (MMS) malware can send a copy of itself to all mobile phones whose numbers are found in the infected phone’s address book, generating a long-range spreading pattern previously exploited only by computer malware.
Example: MMS malware exploits a smartphone’s address book to spread to new phones with the same OS

MMS malware spreading
[Figure labels: phones on email list; phone not on email list; infected phone]
