ACT: Attachment Chain Tracing Scheme for Email Virus Detection and Control
Jintao Xiong
Proceedings of the 2004 ACM workshop on Rapid malcode
Presented By: Adam Anthony
Outline
Significance
Basic epidemiology
Case Classifications
Transmission Chains
Quarantining
Progressive Immunization
Implementation
Discussion
Project Significance
New: First study to bring the concepts of contact tracing and a transmission chain into network security
Significant: It promises to lead to the same kind of heightened success that biological epidemiologists have experienced for years
Novel: Addresses a computer virus much like a biological virus and rarely concerns itself with the technology behind the virus.
Basic Epidemiology
DNA Fingerprinting
Contact Chain Tracing
Case Classifications
Transmission Chains
Structure, Identification Algorithm, Quarantining
Structure
Figure: A -> B -> C, each arrow labelled "contains email address for"
A has a primary (layer 1 contact) link to B
All of B's unique primary links become layer 2 contacts to A
The pattern continues into layer 3, layer 4, etc.
Chain Identification Algorithm (Part 1)
1. Detect a host exceeding an activity threshold Rd
2. If the host does not belong to another chain (it is a normal case):
   1. Set it up as the first link in a new chain
   2. Set the host's category to Suspicious
   3. Set the category of all normal hosts reachable by the activity to Linked and place them in the next link in the chain
Chain Identification Algorithm (Part 2)
3. If the host does belong to another chain (it is not normal):
   1. Set the host's category to Suspicious
   2. Add the host's normal recipients to the chain and set their category to Linked
4. If the length of the chain at the host's connection is equal to a threshold K:
   1. Change all Suspicious cases to Probable
   2. Change all Linked cases to Potential
   3. Send the address and category information of all nodes in the chain to the quarantine system
Quarantine Process
Policy strictness is based on the potential threat to the network and on the overall network configuration
Only for Probable or Potential cases
Hard Quarantine -- block and warn
Rational User -- no benefit, no risk
Soft Quarantine -- reduce the probability of users taking risks
Soft Quarantine
Reduces the probability of users taking risks, based on the "Rational User Assumption"
Red flag = high risk, user less probable to open
Yellow flag = medium risk, user slightly more probable to open
Unflagged = email is safe to open
Hard VS. Soft Quarantine
Hard:
   Practically safer for a naive user
   More effective in slowing down virus spread
   False alarm = lost email
Soft:
   Requires the Rational User assumption
   Less effective in slowing down virus spread
   No lost email
Experimentation
Full simulation
Generate network graphs: random and power law
Allow the network to advance one step at a time
Enforce different policies, record the results
Progressive Immunization
Selective Immunization = don't immunize all nodes
Choose which nodes to immunize: randomly, highest degree, or probable cases
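The Experimentation and Progressive Immunization slides describe the simulation only in outline. The following is an added example, not the paper's simulator or the presenter's code: it builds a random graph and a power-law (preferential attachment) address-book graph, advances the spread one step at a time with a per-recipient open probability standing in for the rational-user decision, and compares "no immunization", "random" and "highest degree" policies. The function names (random_graph, power_law_graph, spread, compare), the graph sizes and the seed values are assumptions; the "probable cases" policy is not generated here because it needs the chain tracer's output, but any such host set can be passed to spread() as the immune set.

```python
"""Step-by-step email worm simulation on generated contact graphs (added example)."""
import random


def make_rng(seed):
    """Seeded RNG so that graphs and 'does the user open it' rolls repeat exactly."""
    return random.Random(seed)


def random_graph(n, m, rng):
    """n hosts and m distinct undirected random edges (an edge = mutual address-book entry)."""
    adj = {v: set() for v in range(n)}
    edges = 0
    while edges < m:
        u, v = rng.randrange(n), rng.randrange(n)
        if u != v and v not in adj[u]:
            adj[u].add(v)
            adj[v].add(u)
            edges += 1
    return adj


def power_law_graph(n, m0, rng):
    """Preferential attachment: start from a clique of m0 + 1 hosts, then each new host
    links to m0 distinct existing hosts chosen with probability proportional to degree."""
    adj = {v: set() for v in range(n)}
    urn = []                      # each host appears once per link it has
    for u in range(m0 + 1):
        for w in range(u + 1, m0 + 1):
            adj[u].add(w)
            adj[w].add(u)
            urn += [u, w]
    for v in range(m0 + 1, n):
        chosen = set()
        while len(chosen) < m0:
            chosen.add(rng.choice(urn))
        for u in chosen:
            adj[u].add(v)
            adj[v].add(u)
            urn += [u, v]
    return adj


def spread(adj, index_case, immune, p_open, rng, max_steps=None):
    """Advance the network one step at a time: every host infected in the previous
    step mails its whole address book; a recipient that is not immunized opens the
    attachment (and is infected) with probability p_open. Returns the infected set."""
    infected = {index_case}
    frontier = [index_case]
    step = 0
    while frontier and (max_steps is None or step < max_steps):
        nxt = []
        for host in frontier:
            for r in adj[host]:
                if r not in infected and r not in immune and rng.random() < p_open:
                    infected.add(r)
                    nxt.append(r)
        frontier = nxt
        step += 1
    return infected


def immunize_random(adj, count, rng, exclude=()):
    """Selective immunization policy 1: pick `count` hosts at random."""
    return set(rng.sample([v for v in adj if v not in exclude], count))


def immunize_highest_degree(adj, count, exclude=()):
    """Selective immunization policy 2: pick the `count` hosts with the largest address books."""
    ranked = sorted((v for v in adj if v not in exclude),
                    key=lambda v: (-len(adj[v]), v))
    return set(ranked[:count])


def compare(n=200, count=20, p_open=0.5, seed=7):
    """Infected-host counts per (graph type, immunization policy)."""
    rng = make_rng(seed)
    graphs = {"random": random_graph(n, 3 * n, rng),
              "power-law": power_law_graph(n, 3, rng)}
    index_case = n - 1            # a late joiner: low degree in the power-law graph
    results = {}
    for gname, adj in graphs.items():
        policies = {"none": set(),
                    "random": immunize_random(adj, count, rng, {index_case}),
                    "highest-degree": immunize_highest_degree(adj, count, {index_case})}
        for pname, immune in policies.items():
            results[(gname, pname)] = len(spread(adj, index_case, immune, p_open, rng))
    return results


if __name__ == "__main__":
    for (gname, pname), infected in sorted(compare().items()):
        print(f"{gname:>10} graph, {pname:>14} immunization: {infected:4d} infected")
```

Soft quarantine would enter this model as a lower p_open for mail coming from flagged (Probable or Potential) hosts, and hard quarantine as dropping those hosts' outgoing mail altogether; both are left out here so the comparison isolates the immunization policy.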
Implementation Suggestions
Chain Tracing Server installed at a logical point
   Case Finding Process
   Transmission Chain Management Process
Quarantine implemented by the service-providing server (if it has one)
Run 2 TCMPs
Critical Discussion
Too much assumption of state?
Subjective design of simulation
Hard VS. Soft quarantine
Implications of progressive immunization
Scalability?
Conclusion
Questions
Appendix: Transmission Chain Management Algorithms

Algorithm: Case Finding Process
for all sending addresses do
   check n_i, the number of emails host i has sent
   if n_i > Rd then
      report host i and its internal recipient addresses to the Transmission Chain Management Process
   end if
end for

Algorithm: Contact Trace Stack Setup
if (i is an internal normal host) or (i is an external host but is not an index case of any existing CTS) then
   assign i to be the index case of a new CTS S_i
   for all receivers of i with normal category do
      add receivers to layer 1 of CTS S_i
      change receivers' category to linked
   end for
end if
if i is an internal host then
   C_i <= suspicious
end if

Algorithm: Update Contact Trace Stack
C_i <= suspicious
find (S_i, L_i), the location of i
for all r_i, new recipients of i with normal category do
   S_r <= S_i
   L_r <= L_i + 1
end for
if L_i = K then
   tc_finish(S_i)
end if

Algorithm: Transmission Chain Finish
for all suspicious hosts in CTS S_i do
   change their category to probable
end for
for all linked hosts in CTS S_i do
   change their category to potential
end for
pass the address and category information of all the nodes in S_i to the quarantine process
remove CTS S_i
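The Chain Identification Algorithm slides (Parts 1 and 2) and the appendix pseudocode above describe the same procedure at two levels of detail. What follows is an added Python rendering of that procedure, written for this page; it is not code from the paper or from the presenter. It combines the Case Finding Process (n_i > Rd sweep) with the Contact Trace Stack setup, update and finish steps. Assumptions not stated on the slides: the class and method names (ChainTracer, observe, find_cases, manage), the per-host email counters being reset after each sweep, recipients added during an update being marked Linked (as Part 2 says, although the Update pseudocode only sets S_r and L_r), external hosts never receiving a category, and an internal host already handed to quarantine being left alone when it exceeds Rd again. The scenario in demo() is constructed.

```python
"""Attachment chain tracing: case finding plus contact trace stack management (added example)."""
from collections import defaultdict

NORMAL, SUSPICIOUS, LINKED, PROBABLE, POTENTIAL = (
    "normal", "suspicious", "linked", "probable", "potential")


class ChainTracer:
    def __init__(self, rd, k, internal):
        self.rd = rd                                  # activity threshold Rd (emails per window)
        self.k = k                                    # chain length threshold K
        self.internal = set(internal)                 # hosts the server can classify/quarantine
        self.category = defaultdict(lambda: NORMAL)   # C_i
        self.sent = defaultdict(int)                  # n_i for the current window
        self.recipients = defaultdict(set)            # internal recipients of i in the window
        self.chains = {}                              # CTS id -> {host: layer}
        self.location = {}                            # host -> (S_i, L_i)
        self.reports = []                             # what was passed to the quarantine process
        self._next_id = 0

    # Case Finding Process
    def observe(self, sender, recipients):
        """Record one email; only internal recipient addresses are traced."""
        self.sent[sender] += 1
        self.recipients[sender].update(r for r in recipients if r in self.internal)

    def find_cases(self):
        """Sweep all senders; report every host with n_i > Rd to the TCMP.
        Assumption: counters are reset once the sweep is done."""
        for host, n in list(self.sent.items()):
            if n > self.rd:
                self.manage(host, self.recipients[host])
        self.sent.clear()
        self.recipients.clear()

    # Transmission Chain Management Process
    def manage(self, i, recips):
        if i in self.location:                        # already linked or suspicious in a CTS
            self._update(i, recips)
        elif i not in self.internal or self.category[i] == NORMAL:
            self._setup(i, recips)                    # normal internal host, or external non-index
        # else: internal host already reported as probable/potential (assumption: nothing to do)

    def _place(self, cid, host, layer):
        self.chains[cid][host] = layer
        self.location[host] = (cid, layer)
        self.category[host] = LINKED

    def _setup(self, i, recips):
        cid = self._next_id
        self._next_id += 1
        self.chains[cid] = {i: 0}                     # i is the index case (layer 0)
        self.location[i] = (cid, 0)
        for r in recips:
            if self.category[r] == NORMAL:
                self._place(cid, r, 1)                # layer 1 contacts
        if i in self.internal:
            self.category[i] = SUSPICIOUS

    def _update(self, i, recips):
        if i in self.internal:
            self.category[i] = SUSPICIOUS
        cid, li = self.location[i]                    # (S_i, L_i)
        for r in recips:
            if self.category[r] == NORMAL:            # new recipients with normal category
                self._place(cid, r, li + 1)
        if li == self.k:
            self._finish(cid)

    def _finish(self, cid):
        report = {}
        for host, layer in self.chains.pop(cid).items():
            if self.category[host] == SUSPICIOUS:
                self.category[host] = PROBABLE
            elif self.category[host] == LINKED:
                self.category[host] = POTENTIAL
            report[host] = (self.category[host], layer)
            del self.location[host]
        self.reports.append(report)                   # hand addresses and categories to quarantine
        return report


def demo():
    """Constructed scenario: external host x seeds a worm that hops x -> a -> d (Rd = 2, K = 2)."""
    t = ChainTracer(rd=2, k=2, internal=list("abcdefg"))
    for r in "abc":                                   # window 1: x mails a, b, c
        t.observe("x", [r])
    t.find_cases()
    for r in "def":                                   # window 2: a mails d, e, f
        t.observe("a", [r])
    t.find_cases()
    for r in "bge":                                   # window 3: d mails b, g, e
        t.observe("d", [r])
    t.find_cases()
    return t


if __name__ == "__main__":
    print(demo().reports)
```

In the scenario the chain is finished at window 3, when d (layer 2 = K) becomes suspicious: a and d are reported as Probable, b, c, e, f and g as Potential, and the external index case x keeps no category. A legitimate bulk sender that exceeds Rd also becomes an index case and marks its recipients Linked, which is the false-alarm path the Critical Discussion slide raises.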