
Peer-to-peer system-based active worm attacks: Modeling, analysis and defense

Peer-to-peer system-based active worm attacks: Modeling, analysis and defense. Wei Yu, Sriram Chellappan, Xun Wang, Dong Xuan. Computer Communications 31 (2008). Outlines. Introduction Modeling P2P-based active worm attacks Analyzing P2P-based active worm attacks


Presentation Transcript


  1. Peer-to-peer system-based active worm attacks: Modeling, analysis and defense Wei Yu, Sriram Chellappan, Xun Wang, Dong Xuan Computer Communications 31 (2008)

  2. Outlines • Introduction • Modeling P2P-based active worm attacks • Analyzing P2P-based active worm attacks • Defending against P2P-based active worm attacks • Performance evaluation • Final remarks

  3. Introduction Active worms automatically propagate themselves and compromise hosts in the Internet. Traditional worms predominantly adopt the random-based scan approach to propagate. A more powerful worm attack strategy is the hit-list strategy, which collects a list of IP addresses prior to the attack to improve the success rate of infection. P2P systems can be a potential vehicle for the attacker.

  4. Modeling P2P-based active worm attacks • In general, there are two stages in an active worm attack: (1) scanning the network to select victim hosts; (2) infecting the victim after discovering its vulnerability. • Pure Random Scan (PRS) • Only 24% of addresses in the Internet space are used.

  5. Offline P2P-based hit-list scan (OPHLS) The attacker collects IP address information of the P2P system offline. We denote this as the hit-list of the attacker. After the hit-list is obtained, the attack model has two phases: First, all newly infected hosts continuously attack the hit-list until all hosts in the hit-list have been scanned (called the P2P system attack phase). In the second phase, all infected hosts continue to attack the Internet via PRS.

  6. Online P2P-based scan (OPS) • The host immediately launches the attack on its P2P neighbors as a high priority (using 60% of its attack capability), and attacks the rest of the Internet with its remaining capability (40%) via PRS. • Note that there are two types of P2P systems: structured and unstructured. • In the OPHLS model, the attack is the same in both types of systems, since the attacker predetermines the hit-list before attacks. • In the OPS model, the number of neighbors is quite different.

  7. Model parameters • (1) P2P system size: • A Super-P2P system. • The size is the total number of users, denoted as m. The remaining hosts are a part of the Non-P2P system. • (2) P2P structured/unstructured topology: • Structured: all P2P nodes maintain a similar number of neighbors (average topology degree is ). • Unstructured: is the mean value of topology degree, is a constant for a given , and denotes the power law degree.

  8. Analyzing P2P-based active worm attacks In the OPHLS attack model, Recursive formulas:

  9. Analyzing P2P-based active worm attacks In the OPS attack model,

  10. Defending against P2P-based active worm attacks • Defense framework: • Control center: it can be a system deployed node, or a stable P2P node itself. • A number of volunteer defense hosts: worm detection and response. • Threshold-based and trend-based worm detection schemes. • Threshold-based scheme: simple and easy to apply, but high false alarm rates.

  11. Performance evaluation • <SYS; ATT; DE> • SYS: • ATT: , where OPSS & OPUS: the Online P2P-based scan attack model for the structured and unstructured P2P system. • DE: , where WB: denotes results obtained using simulations for the which one attack model. D: Trend-based detection (D1), Threshold-based detection (D2)

  12. Worm Attack Performance Comparison of All Attack Models

  13. The Sensitivity of Attack Performance to P2P System Size

  14. The Sensitivity of Attack Performance to P2P Topology Degree OPSS(degree #)

  15. The Sensitivity of Attack Performance to P2P Host Vulnerability

  16. The Sensitivity of Defense Performance to Different Attack Models

  17. Sensitivity of Detection Time to Defense Host Ratio

  18. Sensitivity of Detection Time to Defense Region Size The defense region size g denotes a region with a group of P2P defense hosts within g P2P hops from the region leader.

  19. Region False Alarm Rate vs. Host False Alarm Rate

  20. Final remarks P2P systems are gaining rapid popularity in the Internet. We believe that P2P-based active worm attacks are very dangerous threats for rapid worm propagation and infection. Model and analyze P2P-based active worm propagation. Design effective defense strategies against them. An offline P2P-based hit-list attack model (OPHLS) and an online P2P-based attack model (OPS).
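Slide 10 contrasts threshold-based and trend-based detection and notes the threshold scheme's high false alarm rate. The sketch below is an added example, not code from the presentation or the paper: the trend rule (sustained growth over a window), the threshold value and all scan-count series are assumptions constructed here to show the difference on a defense host's per-interval scan counts.

```python
# Added illustration (not from the slides or the paper): threshold-based vs
# trend-based alarms over per-interval scan counts seen by one defense host.
# The trend rule and all sample data below are assumptions constructed here.

def threshold_detect(counts, threshold=20):
    """Index of the first interval whose scan count exceeds the threshold."""
    for i, c in enumerate(counts):
        if c > threshold:
            return i
    return None

def trend_detect(counts, window=4, min_growth=1.3):
    """Index at which counts have risen for `window` consecutive intervals
    with a geometric-mean growth factor of at least `min_growth`."""
    for i in range(window, len(counts)):
        seg = counts[i - window:i + 1]
        rising = all(b > a for a, b in zip(seg, seg[1:]))
        growth = (seg[-1] / max(seg[0], 1)) ** (1.0 / window)
        if rising and growth >= min_growth:
            return i
    return None

def false_alarm_rate(benign_hosts, detector):
    """Fraction of benign hosts on which the detector raises any alarm."""
    alarms = sum(1 for c in benign_hosts.values() if detector(c) is not None)
    return alarms / len(benign_hosts)

# Constructed benign traffic: flat background with occasional one-off bursts.
BENIGN = {
    "peer-a": [3, 4, 2, 5, 40, 3, 4, 2, 3, 4],
    "peer-b": [2, 3, 3, 2, 4, 3, 2, 3, 2, 3],
    "peer-c": [5, 6, 25, 4, 5, 6, 5, 4, 6, 5],
    "peer-d": [4, 5, 4, 6, 5, 4, 5, 6, 5, 4],
}
# Constructed worm-like traffic: scan counts growing about 1.4x per interval.
WORM_LIKE = [3, 4, 3, 5, 7, 10, 14, 20, 29, 41]

if __name__ == "__main__":
    for name, det in (("threshold", threshold_detect), ("trend", trend_detect)):
        print(name, "alarm at interval", det(WORM_LIKE),
              "| false alarm rate", false_alarm_rate(BENIGN, det))
```

On this constructed data the fixed threshold fires on two isolated benign bursts, while the trend rule ignores them and still flags the sustained growth.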
