Responding to Mobile Worms with Location-Based Quarantine - - PowerPoint PPT Presentation



SLIDE 1

Responding to Mobile Worms with Location-Based Quarantine Boundaries

Baik Hoh (baikhoh@winlab), Marco Gruteser (gruteser@winlab)

Research Review 2006

SLIDE 2

Threats of Mobile Worms

Current Trends in Pervasive Devices

  • Multi-radio support: backhaul link (e.g., cellular networks) and short-range communication (e.g., Bluetooth, DSRC)
  • Examples: cellular networks, vehicular networks

Mobile Worms / Malware over Peer-to-Peer Interaction

  • Vulnerability: Bluetooth buffer overflow (e.g., BlueSmack attack). This allows malware to spread without user intervention.
  • Peer-to-peer replication over short-range wireless networks creates a challenge for intrusion detection and response:
  • (High false alarm) No conventional IDS (address blacklisting, content filtering) deployed over vehicular ad-hoc networks
  • (Distributed IDS) No concentration point (e.g., gateways); resource-limited nodes
  • Delay needs special care in 'Intrusion Response'
  • No partitioning of sub-networks: can we do it virtually in an ad-hoc network?

SLIDE 3

A typical threat scenario (Vehicular Networks in New Jersey Southern Highway)

[Figure: how far the worm propagates [m] versus time elapsed [sec]; panels (a) Early stage, (b) Acceleration stage, (c) Stable stage. Annotation: approximately, the worm can infect all vehicles within an 11.6 km radius during 1 min.]

SLIDE 4

Do we have a short-term strategy for responding to unknown mobile worms spreading over NJ within 4 hours?

Am I building too high a wall for an imaginary monster?

  • Do we have an example?
  • Do we have any ad-hoc network in operation?
  • Do we have a distributed IDS in the real world?
  • Is Intrusion Response more important than Intrusion Detection?
  • Do we need a short-term strategy for developing a patch?

Am I Don Quixote? But I'm fighting a realistic monster?

[Map annotation: 170 Miles]

SLIDE 5

Infrastructure-aided Wireless Intrusion response architecture: Geographical partitioning

[Figure annotations: 1st, 2nd, 3rd: human analysis; 3rd: alarms & responses; outdated quarantine boundary; outbreak happens and propagates to the right; estimation of worm propagation during the delay makes an accurate wall to stop it!!!]

SLIDE 6

Graphical example: One Drop

[Figure: node positions on the road network; both axes in units of 10^4]

SLIDE 7

Graphical example: Spread

[Figure: node positions on the road network; both axes in units of 10^4]

SLIDE 8

Graphical example: Quarantined

[Figure: node positions on the road network; both axes in units of 10^4]

SLIDE 9

The effect of imperfect containment: High detection but Low false positive

[Figure annotation: our intrusion architecture performance when doubly applied]

SLIDE 10

Problem statement: ∆T = TA - TO

  • A time delay between outbreak and alarm.
  • Mobile worms can spread further: imperfect containment.
  • We need an accurate boundary estimation.
  • We need an "Intrusion response planning strategy":
  • 1. Detect an accurate Patient 0
  • 2. Set an accurate quarantine boundary
  • 3. Contain remotely while minimizing the impact of the worm (policy needed)

SLIDE 11

Macroscopic Models of Worm Propagation from Ecology

  • Diffusion-reaction model from 'spread of muskrats': propagation speed, circle
  • Advection-diffusion model from 'toxic pollutants in underground water': propagation speed, rectangles
  • Estimating the quarantine boundary of a mobile worm is an analogous problem

SLIDE 12

Assumptions

  • IDS can accurately locate Patient 0
  • Location server (infrastructure): the service provider can locate each mobile node
  • Type of mobile worms: unknown malware (or polymorphic)
  • Detection method: distributed anomaly detection
  • 5% of all vehicles are susceptible (e.g., discoverable mode in Bluetooth)

SLIDE 13

Quarantine boundary estimation

Step 1: Estimating the worm propagation velocity (v')
  • Pedestrian scenarios: empirical simulation-based approach
  • Vehicular scenarios: simple analytic model

Step 2: Estimating the spatial distribution
  • Isotropic circle (R = v' * ∆T)
  • Rectangle (L = v' * ∆T, W = road width)

SLIDE 14

Step 1 (Vehicular scenario): Propagation speed estimation

[Figure: (a) Full speed (R > Cr), (b) Traffic jam (R < Cr); annotations: Cr, R, Speed V]

SLIDE 15

Step 2 (Vehicular scenario): Spatial Boundary

V' = α*n*Cr + V (α is a constant)

A traversal of the road network graph:
  • T1 = D1 / V'
  • T2 = D2 / V'
  • Length = (∆T - T1) * V'
  • Width = road width
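The propagation-speed model of slide 15 and the road-graph traversal of slides 13 and 15, as an added Python example (not the authors' code): the road graph, the junction holding Patient 0, the vehicle density n, speed V, range Cr and the constant α are all constructed values, and the rectangle width is left as the road width.

```python
from collections import deque

# Constructed road network (not the NJ data set): junction -> [(neighbour, link length in m)].
ROADS = {
    "J1": [("J2", 3000.0)],
    "J2": [("J1", 3000.0), ("J3", 4000.0), ("J5", 2500.0)],
    "J3": [("J2", 4000.0), ("J4", 6000.0)],
    "J4": [("J3", 6000.0)],
    "J5": [("J2", 2500.0)],
}

def propagation_speed(alpha, n, cr, v):
    """Slide 15 model: V' = alpha*n*Cr + V.
    n: vehicle density [veh/m], cr: communication range Cr [m], v: vehicle speed V [m/s]."""
    return alpha * n * cr + v

def quarantine_segments(roads, patient0, delta_t, v_prime):
    """Traverse the road graph from Patient 0's junction and return, for each link the worm
    can reach within delta_t seconds, the road length [m] to quarantine, keyed by the sorted
    junction pair. A link is fully quarantined when the worm crosses it before the deadline
    (T1 = D1/V' <= delta_t); otherwise Length = (delta_t - T1) * V' as on slide 15.
    The width of each rectangle is the road width and is not modelled here."""
    arrival = {patient0: 0.0}          # earliest time the worm reaches each junction
    queue = deque([patient0])
    segments = {}
    while queue:
        a = queue.popleft()
        t1 = arrival[a]
        for b, d1 in roads[a]:
            remaining = delta_t - t1
            if remaining <= 0:
                continue
            length = min(d1, remaining * v_prime)
            key = tuple(sorted((a, b)))
            segments[key] = max(segments.get(key, 0.0), length)
            t2 = t1 + d1 / v_prime       # time the worm reaches junction b
            if length >= d1 and t2 < arrival.get(b, float("inf")):
                arrival[b] = t2          # faster path found: (re-)expand from b
                queue.append(b)
    return segments

if __name__ == "__main__":
    v_prime = propagation_speed(alpha=1.0, n=0.02, cr=100.0, v=30.0)   # 32 m/s
    for link, length in sorted(quarantine_segments(ROADS, "J3", 200.0, v_prime).items()):
        print(link, f"{length:.0f} m")
```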

SLIDE 16

Simulation Results: VANET

Southern New Jersey Highway Network

SLIDE 17

Experiment setup

Performance measures
  • Detection probability, false alarm probability

Simulation parameters
  • SIR model (infection probability = 1)
  • Randomly chosen initially infected nodes on the link between J3 and J4
  • Observation time (25 sec ~ 45 sec)
  • Communication range (50 m, 100 m and 200 m)
  • Vehicular scenario: PARAMICS calibrated from real traffic data

SLIDE 18

Detection Probability & False Positive

SLIDE 19

Discussion

  • 95% detection probability can slow the propagation of a worm
  • It yields additional analysis time for a patch
  • It can act as a short-term defense
  • Repeated application of intrusion response
  • The analytical model for V' works well enough
  • It doesn't need laborious work (no prior information): only V and R from the D.O.T.
  • 10% inferior to the best in Pf
  • Patient 0 detection should be solved
  • Effect of inaccuracy on Pd & Pf
  • Method: Triangularization and Recursive Least Squares

SLIDE 20

Conclusion & Further Work

We proposed an architecture for a service provider
  • Infrastructure-based approach
  • Location-based quarantine boundary estimation
  • We verified the algorithm on real road networks
  • Patient 0 detection algorithm
  • Design of an algorithm robust to an inaccurate Patient 0 and time of outbreak
  • State-wide area simulation (NJ Turnpike)
  • Ecology-Security synergy: a stratified dispersal process