On the Efficiency of Sampling and Countermeasures to Critical-Infrastructure-Targeted Malware Campaigns

Published: 25 February 2016

Abstract

Ensuring system survivability in the wake of advanced persistent threats is a major challenge the security community faces in protecting critical infrastructure. In this paper, we define metrics and models for assessing coordinated massive malware campaigns that target critical infrastructure sectors. First, we develop an analytical model that captures the effect of a node's neighborhood on different metrics (e.g., infection probability and contagion probability). Then, we assess the impact of placing operational but possibly infected nodes into quarantine. Finally, we study the implications of scanning nodes for early detection of malware (e.g., worms), accounting for false positives and false negatives. Evaluating our methodology on a hierarchical topology typical of factory automation networks, we find that malware infections can be effectively contained by using quarantine and appropriate scanning rates for soft impacts.



Published In

ACM SIGMETRICS Performance Evaluation Review, Volume 43, Issue 4, March 2016, 61 pages
ISSN: 0163-5999
DOI: 10.1145/2897356
Editor: Nidhi Hegde
Publisher: Association for Computing Machinery, New York, NY, United States
