TRANSCRIPT
Is There a Role for Modeling and Simulation in this New
Battlespace?
Bernard P. Zeigler
Professor of Electrical and Computer Engineering, University of Arizona, Tucson
Director, Arizona Center for Integrative Modeling and Simulation
Consultant to NGIT and JITC
Information Security, Virus Propagation and Countermeasures:
Computer Viruses – how bad is the problem?
Fact:
• The “I Love You” virus spread twice as fast as Melissa in its first ten hours
• affected 70% of US companies
• cost between $100 million and $1 billion
Conclusion:
• computer viruses can do great harm to our economic and military infrastructures
• need countermeasures and conversely, could be a way to attack an adversary
• A New Battlespace – information warfare
• Modeling and simulation has proven its worth in the conventional battlespace
• Is there a Role for Modeling and Simulation in the new battlespace?
• How do we start thinking about this issue?
M&S in the New Battlespace
Computer modeling and simulation has been used in the conventional battlespace for:
– understanding combat in the battle field
– weapons and systems design
– test and evaluation
– training
– many other uses
How can we use M&S for modeling the new “battlefield”?
– how do viruses spread?
– how to detect them?
– how to neutralize them?
Computer vs Natural Viruses
– Are computer viruses like bio viruses?
– How far does this common analogy stretch?
– Does a computer get “sick” like a person?
– Did the “love” virus infect computers and spread like Asian flu infects a population?
Recent Case In Point: MyDoom
Incident Report from ECE Network Administrator:
• There is a fast moving virus called MyDoom going around.
• Like many viruses this one will pick an e-mail address from the infected system and use it in the From: field of the virus infected message it sends out.
• If your e-mail address is found on an infected system you will likely get a message from the mail server that your mail wasn't delivered.
• This would indicate that someone you have an association with has the virus.
• Sophos now has the signature to catch this virus and we will be pushing out the updates tonight and tomorrow.
• There are likely to be a few infected systems in ECE and we will be conducting network scans tomorrow.
• The virus comes as an attachment; you will probably have a significant number of these messages by tomorrow.
• Just delete them and you are safe – needs to be opened to propagate
Mode of Viral Transmission
[Diagram: infected computers a, b and c each pick an address from their address book and send an infected message through the mail server to user x (from a to x, from b to x, from c to x); user x opens attachment c and becomes another infected computer.]
Antiviral countermeasures:
• spread word to recognize and not to open attachment
• add signature to anti-viral software
• scan LANs and disinfect
• turn systems off and reboot
Spread of Infection Through Internet
Topology of spread – neighbors are addresses in the client’s address book
Detecting Presence of Virus
[Plot: Normal Email Behavior; x-axis Time (1.0s), 0 to 2000; y-axis Number of invocations, scale 0 to 1]
[Plot: Abnormal Email Behavior; x-axis Time (1.0s), 0 to 2000; y-axis Number of invocations, scale 0 to 16]
Legend: normal email behavior vs. abnormal email behavior
Professor Salim Hariri is developing capability to detect and neutralize viruses using agent-based software technology over the Internet
[Plot: node “temperature” vs. time, 0 to 160, for Node VI (Under Attack) and Node VI (No Attack); annotation: Elevated Activity Level]
[Diagram: control plane / data plane]
Network Architectures of the Future, e.g. GIG-BE, will allow built-in virus detection and eradication
[Diagram sequence: packet time marker wave; spreading virus; sentinel source (orange) and sink (green); slowing up of marker wave; trigger counter-measure; spreading anti-virus; restoration of infected cells]
Cell types: normal, infected, antiviral. Signals: ping, infect, anti, revert.
Packet wave behavior: infection spread (infect), anti-viral propagation (anti), revert.
Viral and Antiviral Behavior
cell type / signal    ping         infect       anti
normal                normal       infected     anti-virus
infected              no effect    no effect    anti-virus
anti-virus            no effect    no effect    no effect
Sentinel Based Viral Detection
[Diagram: sentinel periodically generates packets (flood) from source to sink; detect travel time exceeds threshold; ping triggers anti]
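A runnable sketch of the notional cell model above, added here as an example (plain Python, not the DEVSJAVA framework the slides describe): cells on a line take the transition table's three types, infected cells slow the sentinel's periodic ping packets, and once a packet's source-to-sink travel time exceeds the threshold the sentinel seeds an anti-virus wave from both ends, after which cells revert to normal. The dwell times, ping period, threshold and deterministic neighbour-to-neighbour spread are constructed values, not from the slides.

```python
# Transition table from the 'Viral and Antiviral Behavior' slide:
# (cell type, incoming signal) -> new cell type, None = no effect
TRANSITION = {
    ("normal", "ping"): "normal", ("normal", "infect"): "infected",
    ("normal", "anti"): "anti-virus", ("infected", "ping"): None,
    ("infected", "infect"): None, ("infected", "anti"): "anti-virus",
    ("anti-virus", "ping"): None, ("anti-virus", "infect"): None,
    ("anti-virus", "anti"): None,
}
# Constructed: ticks a sentinel ping packet dwells in a cell of each type
DWELL = {"normal": 1, "infected": 3, "anti-virus": 1}

def apply_signal(cell, signal):
    new = TRANSITION[(cell, signal)]
    return cell if new is None else new

def simulate(n=12, infect_cell=6, infect_tick=4, period=3, threshold=None,
             revert_after=8, max_ticks=80):
    """Line of n cells; sentinel source at cell 0, sink at cell n-1 (constructed)."""
    threshold = n if threshold is None else threshold  # healthy travel time is n-1 ticks
    cells, packets = ["normal"] * n, []  # packet = [position, dwell_left, launch_tick]
    front, anti_since = set(), {}        # wave front cells; tick each cell became anti-virus
    trigger_tick = eradicated_tick = None
    for t in range(max_ticks):
        if t == infect_tick:
            cells[infect_cell] = apply_signal(cells[infect_cell], "infect")
        nxt, new_front = list(cells), set()
        for i, c in enumerate(cells):          # infected cells send 'infect' to neighbours
            for j in (i - 1, i + 1) if c == "infected" else ():
                if 0 <= j < n: nxt[j] = apply_signal(nxt[j], "infect")
        for i in front:                        # anti-virus wave front sends 'anti' to neighbours
            for j in (i - 1, i + 1):
                if 0 <= j < n and nxt[j] != "anti-virus":
                    nxt[j] = apply_signal(nxt[j], "anti"); new_front.add(j); anti_since[j] = t
        for i, t0 in list(anti_since.items()):  # 'revert': anti-virus cells return to normal
            if t - t0 >= revert_after and nxt[i] == "anti-virus":
                nxt[i] = "normal"; del anti_since[i]
        cells, front = nxt, new_front
        for p in packets:                       # ping packets crawl through cells, slowed when infected
            p[1] -= 1
            if p[1] == 0: p[0] += 1; p[1] = DWELL[cells[p[0]]]
        for p in [p for p in packets if p[0] == n - 1]:  # arrivals at the sink
            packets.remove(p)
            if t - p[2] > threshold and trigger_tick is None:  # travel time exceeds threshold
                trigger_tick, front = t, {0, n - 1}
                for i in front: cells[i] = apply_signal(cells[i], "anti"); anti_since[i] = t
        if t % period == 0: packets.append([0, DWELL[cells[0]], t])  # sentinel periodic ping
        if trigger_tick is not None and eradicated_tick is None and "infected" not in cells:
            eradicated_tick = t
    return {"trigger": trigger_tick, "eradicated": eradicated_tick, "cells": cells}
```

With the defaults the whole line is infected before the first delayed ping reaches the sink, and the two anti-virus fronts still clear it in about n/2 ticks; `simulate(infect_tick=-1)` shows that healthy traffic never trips the threshold.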
Virus Propagation and Countermeasures Design: A New Paradigm
• Develop models for information network protection applicable to new high speed infrastructure networks such as DoD’s GIG-BE. Currently, there are few theories and models of virus propagation in large scale networks and design of effective counter-measures – a notable exception: Prof. Hariri and DARPA
• A framework for virus and anti-virus propagation and interaction has been developed in the Discrete Event Systems Specification (DEVS) formalism and implemented in the DEVSJAVA modeling and simulation environment. A notional design for detecting virus propagation and launching countermeasures has been implemented.
• Continue with the development of the framework, research feasible mechanisms for implementation in network hardware and software and test and evaluate them through more refined simulation.
Summary
• Interesting analogies and dis-analogies between natural and artificial virus propagation
• Need formal simulation-based methodology to characterize viral behaviors and countermeasures
• Current popular network simulators are too unwieldy to support this research and development
• The new paradigm discussed here can!