
On the Effectiveness of Automatic Patching

Milan Vojnović & Ayalvadi Ganesh

Microsoft Research

Cambridge, United Kingdom

WORM’05, Fairfax, VA, USA, Nov 11, 2005


Problem

Worms tend to appear soon after public disclosure of a vulnerability

Witty (1 day)

Nightmare: zero-day worm

Worm appears before patch released

Patching must be automatic (detection, patch generation, delivery, installation)


Problem (cont’d)

Problem: how fast must patch delivery be to contain a worm?

Our results:

Random scanning worms

Goal: analytical bounds

Other worms: future work


Hierarchical patch delivery

[Figure: patching server, overlay, subnet, client]

Special: single subnet = centralized solution


Rest of the talk

Models and required patching rates to contain worms by:

Patching

Patching & filtering

P2P patching

Conclusion


Susceptible-Infective: model of worm spread

Infected host scans IP address space at instants of Poisson (η)

Independent at distinct hosts

Rate of successful scans: β = ηN/Ω

I(t) = number of infected hosts at time t, a Markov process

High-level: model ignores network latency, congestion


Susceptible-Infective (2)

[Figure: number of infected hosts (0-360,000) against time in hours (0-24)]

Large population limit: N→∞, η/Ω fixed

i(t) = I(t)/N : fraction of infected hosts

i(t) : density-dependent Markov process

Converges uniformly to the deterministic limit ODE: (d/dt) i(t) = β i(t) [1 − i(t)]

Used to model worms (Staniford+02)

1/β = 40 min (Code Red), = 10 sec (Slammer)


Patching: one subnet

)()()()(

)()()(

tstitstsdt

d

tstitidt

d

= polling frequency

fraction of susceptible hosts

Result

Implicit function for final infectives i(+) )0()0(log)( )0(

)( sii ii


Patching: one subnet (2)

Implication:

Exponential in the ratio of worm rate to patch rate!

Bound is tight whenever / is small = effective containment

))0()0((

)0()(si

eii

10000 vulnerable hosts

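An added example, not from the slides: it integrates a one-subnet patching model and compares the final infected fraction with a bound that is exponential in the worm-to-patch rate ratio. The ODE form, the names `beta` (worm rate) and `mu` (patch rate), and the single initial infective are assumptions of this example.

```python
import math

def final_infected_ode(beta, mu, i0, s0, tol=1e-12):
    """Integrate di/dt = beta*i*s, ds/dt = -beta*i*s - mu*s (assumed form)
    with RK4 until no susceptible hosts remain; return the infected fraction."""
    def f(i, s):
        return beta * i * s, -beta * i * s - mu * s
    dt = 0.01 / max(beta, mu)
    i, s = i0, s0
    while s > tol:
        k1 = f(i, s)
        k2 = f(i + dt / 2 * k1[0], s + dt / 2 * k1[1])
        k3 = f(i + dt / 2 * k2[0], s + dt / 2 * k2[1])
        k4 = f(i + dt * k3[0], s + dt * k3[1])
        i += dt / 6 * (k1[0] + 2 * k2[0] + 2 * k3[0] + k4[0])
        s += dt / 6 * (k1[1] + 2 * k2[1] + 2 * k3[1] + k4[1])
    return i

def final_infected_implicit(beta, mu, i0, s0):
    """Solve x + (mu/beta)*log(x/i0) = i0 + s0 by bisection. This conserved
    quantity follows from dividing the two assumed ODEs (di/ds)."""
    lo, hi = i0, i0 + s0
    for _ in range(200):
        mid = (lo + hi) / 2
        residual = mid + (mu / beta) * math.log(mid / i0) - (i0 + s0)
        if residual < 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

def exponential_bound(beta, mu, i0, s0):
    """Upper bound obtained by dropping the leading x term above."""
    return i0 * math.exp((beta / mu) * (i0 + s0))

if __name__ == "__main__":
    n = 10_000                      # vulnerable hosts, as on the slide
    i0, s0 = 1 / n, 1 - 1 / n       # constructed: one initial infective
    beta = 1 / 40                   # per minute, the slide's Code Red figure
    for ratio in (0.5, 1, 2, 5, 10):            # worm rate / patch rate
        mu = beta / ratio
        print(f"beta/mu={ratio:>4}: "
              f"ode={final_infected_ode(beta, mu, i0, s0):.6f} "
              f"implicit={final_infected_implicit(beta, mu, i0, s0):.6f} "
              f"bound={exponential_bound(beta, mu, i0, s0):.6f}")
```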


Patching: multiple subnets

[Figure: patching server, overlay, subnet, client]


Patching: multiple subnets

Overlay abstracted by broadcast curve: g(t) = fraction of alerted patch servers at time t

Examples: known broadcast time, logistic function, flooding on Pastry

[Figure: example broadcast curves from 0 to 1 against t, with T marked on the time axis]


Patching: multiple subnets (2)

)()())(()()(

)()()()()(

)()()(

2 tgtwtgtwtwdt

d

tstwtitstsdt

d

tstitidt

d

(S,I) dynamics same as for one subnet… but patching rate is a function of time


Minimum broadcast curve

A curve that lower bounds any broadcast curve for an overlay

Result: using a minimum broadcast curve produces an upper bound on the fraction of infected hosts

[Figure: minimum broadcast curve; flooding over Pastry]


Patching: multiple subnets (…)

)0(1

)0()( log

)0(1

))0(1)(0()0()0( ~ log)( gi

i

g

wssii

Result: g() = logistic function

/ fixed, both and tend to be small

“overlay diameter”


Patching & filtering

i0(t) = fraction of infectives in non-alerted subnets

s0(t) = same for susceptible hosts

[Figure: alerted patch server; block]

))(1)(()(

)()()()()(

)()()()()(

0000

0000

tgtgtgdt

d

tstgtitstsdt

d

titgtstitidt

d


Patching & filtering (2)

Result:

u(t) = g(t)/g(0) ’ = (i0(0)+s0(0))/(1-g(0))

)0(1

)()0(1)))((1()(

)0(1

)()0(1

)(

)()0()(

00

'

)0()0(

)0(

)0()0(

)0(

'00

00

0

00

0

g

tugtuits

g

tug

tu

tuiti

si

i

si

s

t

i0(t)

After subnet becomes alerted, it “decouples” from the rest of the system


P2P

Two epidemics:

Patch epidemic with larger spread rate

Result:

))()(1)(()(

))()(1)(()(

tptitptpdt

d

tptititidt

d

)0()(1)0()( p

iii

)0(1log

)0()(p

eii


Conclusion

Random scanning worms can be effectively contained

Presuming patch rate is sufficiently larger than worm rate

Need to constrain worm rate

Future work: subnet preference worms, topological worms?


More

http://research.microsoft.com/~milanv/immunology.htm

Thanks!