Information Security, Virus Propagation and Countermeasures: Is There a Role for Modeling and Simulation in this New Battlespace?

Bernard P. Zeigler
Professor of Electrical and Computer Engineering, University of Arizona, Tucson
Director, Arizona Center for Integrative Modeling and Simulation
Consultant to NGIT and JITC

Computer Viruses – how bad is the problem?

Fact:
• The “I Love You” virus spread twice as fast as Melissa in its first ten hours
• affected 70% of US companies
• cost between $100 million and $1 billion

Conclusion:
• computer viruses can do great harm to our economic and military infrastructures
• need countermeasures and, conversely, could be a way to attack an adversary

Information Security, Virus Propagation and Countermeasures
• A New Battlespace – information warfare
• Modeling and simulation has proven its worth in the conventional battlespace
• Is there a role for modeling and simulation in the new battlespace?
• How do we start thinking about this issue?

M&S in the New Battlespace
Computer modeling and simulation has been used in the conventional battlespace for:
– understanding combat in the battlefield
– weapons and systems design
– test and evaluation
– training
– many other uses
How can we use M&S for modeling the new “battlefield”?
– how do viruses spread?
– how to detect them?
– how to neutralize them?

Computer vs Natural Viruses
– Are computer viruses like bio viruses?
– How far does this common analogy stretch?
– Does a computer get “sick” like a person?
– Did the “love” virus infect computers and spread like Asian flu infects a population?

Recent Case In Point: MyDoom
Incident Report from ECE Network Administrator:
• There is a fast-moving virus called MyDoom going around.
• Like many viruses this one will pick an e-mail address from the infected system and use it in the From: field of the virus-infected message it sends out.
• If your e-mail address is found on an infected system you will likely get a message from the mail server that your mail wasn't delivered.
• This would indicate that someone you have an association with has the virus.
• Sophos now has the signature to catch this virus and we will be pushing out the updates tonight and tomorrow.
• There are likely to be a few infected systems in ECE and we will be conducting network scans tomorrow.
• The virus comes as an attachment; you will probably have a significant number of these messages by tomorrow.
• Just delete them and you are safe – needs to be opened to propagate

Mode of Viral Transmission
[Diagram: infected computers a, b and c each send a message “from a to x”, “from b to x”, “from c to x” through the mail server; when the user at x opens the attachment, x becomes an infected computer and the virus takes its next targets from x’s address book.]

Antiviral countermeasures:
• spread word to recognize and not to open attachment
• add signature to anti-viral software
• scan LANs and disinfect
• turn systems off and reboot

Spread of Infection Through Internet
Topology of spread – neighbors are addresses in client’s address book

Detecting Presence of Virus
Professor Salim Hariri is developing capability to detect and neutralize viruses using agent-based software technology over the Internet
[Figures: “Normal Email Behavior” and “Abnormal Email Behavior”, number of invocations vs. time (1.0 s); “Elevated Activity Level”, number of invocations “temperature” vs. time (1.0 s), Node VI (under attack) compared with Node VI (no attack).]

Network Architectures of the Future, e.g.
GigBE will allow built-in virus detection and eradication
[Diagram: control plane and data plane; sentinel source (orange) and sink (green); packet time marker wave; the spreading virus slows the marker wave, which triggers the countermeasure; the spreading anti-virus restores the infected cells.]

Viral and Antiviral Behavior
[State diagram: a normal cell forwards ping packets; an infect signal turns it infected and it spreads infection (packet wave behavior); an anti signal turns an infected cell antiviral and it propagates the anti-viral; revert arcs return a cell to normal.]

cell type / signal   ping        infect      anti
normal               normal      infected    anti-virus
infected             no effect   no effect   anti-virus
anti-virus           no effect   no effect   no effect

Sentinel Based Viral Detection
[Diagram: sentinel source and sink, ping and anti packets.]
• periodically generate (ping) packets from source to sink
• detect: travel time exceeds threshold
• countermeasure: flood (anti) packets

Virus Propagation Model Demonstration

Virus Propagation and Countermeasures Design: A New Paradigm
• Develop models for information network protection applicable to new high-speed infrastructure networks such as DoD’s GIGBE. Currently, there are few theories and models of virus propagation in large-scale networks and design of effective countermeasures – a notable exception: Prof. Hariri and DARPA
• A framework for virus and anti-virus propagation and interaction has been developed in the Discrete Event Systems Specification (DEVS) formalism and implemented in the DEVSJAVA modeling and simulation environment. A notional design for detecting virus propagation and launching countermeasures has been implemented.
• Continue with the development of the framework, research feasible mechanisms for implementation in network hardware and software, and test and evaluate them through more refined simulation.

Summary
• Interesting analogies and dis-analogies between natural and artificial virus propagation
• Need formal simulation-based methodology to characterize viral behaviors and countermeasures
• Current popular network simulators are too unwieldy to support this research and development
• The new paradigm discussed here can!
More Information on M&S www.acims.arizona.edu