22-11-2012, 03:36 PM
Dynamics of Malware Spread in Decentralized Peer-to-Peer Networks
Dynamics_of_Malware_Spread_in_Decentralized_Peer-to-Peer_Networks.pdf (Size: 368.79 KB / Downloads: 50)
INTRODUCTION
THE use of peer-to-peer (P2P) networks as a vehicle to spread
malware offers some important advantages over worms that spread
by scanning for vulnerable hosts. This is primarily due to the
methodology the peers employ to search for content. For
instance, in decentralized P2P architectures such as Gnutella [1],
where search is done by flooding the network, a peer forwards a
query to its immediate neighbors and the process is repeated until
a specified threshold, the time-to-live (TTL), is reached. Here the
TTL is the threshold on the number of overlay links that a search
query travels. A relevant example is the Mandragore worm [2],
which affected Gnutella users. Having infected a host in the
network, the worm poses as an ordinary Gnutella peer to other
users. Every time a Gnutella user's search for media files reaches
the infected computer, the worm appears as an answer to the
request, leading the user to believe that it is the file the user
searched for. The design of the search technique has two
implications: first, such worms can spread much faster, since they
do not have to probe for susceptible hosts, and second, the rate of
failed connection attempts is lower. Thus, rapid proliferation of
malware can pose a serious security threat to the functioning of
P2P networks.
Search Mechanism
The transfer of information in a P2P network is initiated with a
search request for it. This paper assumes that the search
mechanism employed is flooding, as in Gnutella networks. In this
scenario, a peer searching for a file forwards a query to all its
neighbors. A peer receiving the query first responds affirmatively
if it possesses the file and then checks the TTL of the query. If
this value is greater than zero, it forwards the query outwards to
its own neighbors (each hop consuming one unit of TTL); otherwise
the query is discarded. In this scenario it suffices to classify any
file in the network as being either malware or not.
MODEL ANALYSIS
In this section, we analyze the model presented in the previous
section and obtain the expressions governing the global stability of
the malware free equilibrium (MFE).
Malware Free Equilibrium
We now proceed with the derivation of the basic reproduction
number, R0, the metric that governs the global stability of the MFE.
Here, R0 quantifies the expected number of susceptible peers
whose security is compromised by a single infected host during its
lifetime. It is an established result in epidemiology that R0 < 1
ensures that the epidemic dies out quickly and does not attain an
endemic state [18]. Global stability of the MFE matters because it
guarantees that the system returns to, and stays in, the malware
free state even if newly infected peers are introduced.
RESULTS
In this section, we validate our model using simulations and also
demonstrate its capability to illustrate the effect of various system
parameters on malware dynamics. The simulations were conducted
using a custom-built simulator. Results are reported for a
10,000 node network with a power-law graph topology with
exponent 3.4. The initial network state for all simulations consisted
of 4,950 randomly selected nodes in the susceptible online state,
5,000 randomly selected nodes in the susceptible offline state, and
50 randomly selected nodes in the infected online state. Other
parameters that stayed constant in all simulations (unless otherwise
noted) were, with the Greek rate symbols lost in extraction: on = 0.1,
off = 0.2, [ ] = 0.5, [ ] = 0.3, r1 = 0.1, r2 = 0.1, and # = 0.1. The
results for each parameter setting are averaged over 20 runs, and the
90 percent confidence interval was within 10 percent of the mean.
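The following is an added example, not the paper's simulator and not its compartmental model. It implements the flooding search with TTL described in the Search Mechanism section and a toy version of the simulation set-up above: peers churn between online and offline, online susceptible peers issue queries, and an infected peer answers every query that reaches it with malware (the Mandragore behaviour from the Introduction). The names p_on, p_off, p_search and p_download are hypothetical per-round probabilities standing in for the paper's rates, there is no recovery, duplicate suppression by query id is assumed as in Gnutella, and the preferential-attachment graph is only a stand-in for the paper's power-law topology (its exponent is not tuned to 3.4). The small overlay and all inputs are constructed for illustration.

```python
"""Flooding search with a TTL on a P2P overlay, and malware spread driven by it.

Added illustration; none of this is the paper's simulator or model. Spread
rule: an infected peer answers every query it receives with a copy of the
malware, and the searcher is infected if it downloads and runs that answer.
"""
from collections import deque
import random

# Constructed 6-peer undirected overlay used in the usage section below.
EXAMPLE_OVERLAY = {0: [1, 2], 1: [0, 3], 2: [0, 3], 3: [1, 2, 4], 4: [3, 5], 5: [4]}


def flood_search(adj, source, ttl, active=None):
    """Peers that receive a query flooded from `source` with the given TTL.

    The source sends the query to all its neighbours. A receiving peer answers
    if it holds the file (checked by the caller), then forwards the query to
    its own neighbours with TTL - 1, but only if the TTL it received is > 0.
    Peers outside `active` (offline) drop the query. Duplicate suppression by
    query id is assumed, as in Gnutella, so each peer processes a query once.
    """
    seen = {source}
    reached = set()
    frontier = deque((nbr, ttl) for nbr in adj[source])
    while frontier:                     # breadth-first: first arrival is the shortest path
        peer, hops_left = frontier.popleft()
        if peer in seen:
            continue
        seen.add(peer)
        if active is not None and peer not in active:
            continue                    # offline peer: the query dies here
        reached.add(peer)
        if hops_left > 0:
            frontier.extend((nbr, hops_left - 1) for nbr in adj[peer] if nbr not in seen)
    return reached


def malware_answers(adj, source, ttl, infected, active=None):
    """Infected peers within flood reach; each of them answers the query with malware."""
    return flood_search(adj, source, ttl, active) & infected


def preferential_attachment(n, m, rng):
    """Undirected overlay with a heavy-tailed degree distribution (Barabasi-Albert
    style). Stand-in for the paper's power-law topology; exponent not tuned."""
    adj = {v: set() for v in range(n)}
    weighted = []                       # each node appears once per incident edge
    for v in range(m, n):
        chosen = set()
        while len(chosen) < m:          # m distinct targets, degree-proportional
            chosen.add(rng.choice(weighted) if weighted else rng.randrange(v))
        for u in chosen:
            adj[v].add(u)
            adj[u].add(v)
            weighted.extend((u, v))
    return {v: sorted(nbrs) for v, nbrs in adj.items()}


def simulate(adj, initially_infected, ttl, p_search, p_download, p_on, p_off, rounds, rng):
    """Synchronous rounds of churn, searching and infection. Returns the number
    of infected peers after each round (index 0 is the initial state).

    Hypothetical parameters, not the paper's: per round an online peer goes
    offline with probability p_off, an offline one comes online with p_on; an
    online susceptible peer searches with probability p_search and, if any
    infected online peer is within flood reach, downloads and runs the malware
    answer with probability p_download. No recovery in this toy model.
    """
    infected = set(initially_infected)
    online = {v for v in adj if rng.random() < 0.5} | infected   # ~half online; infected start online
    history = [len(infected)]
    for _ in range(rounds):
        for v in list(adj):             # churn between online and offline
            if v in online and rng.random() < p_off:
                online.discard(v)
            elif v not in online and rng.random() < p_on:
                online.add(v)
        newly = set()
        for v in online - infected:     # searches by susceptible online peers
            if rng.random() < p_search and malware_answers(adj, v, ttl, infected, online):
                if rng.random() < p_download:
                    newly.add(v)
        infected |= newly               # infections take effect at end of round
        history.append(len(infected))
    return history


if __name__ == "__main__":
    print("reach from peer 0 by TTL:", {t: sorted(flood_search(EXAMPLE_OVERLAY, 0, t)) for t in range(4)})
    setup = random.Random(7)
    overlay = preferential_attachment(300, 2, setup)
    seeds = set(setup.sample(sorted(overlay), 3))
    for ttl in (1, 3, 5):               # larger TTL: each query reaches more peers, spread is faster
        run = simulate(overlay, seeds, ttl, p_search=0.3, p_download=0.5,
                       p_on=0.1, p_off=0.2, rounds=15, rng=random.Random(7))
        print(f"TTL={ttl}: infected per round {run}")
```

The TTL sweep in the usage section shows the point made in the Introduction: no scanning is needed, because every query that reaches an infected peer is itself an opportunity to infect the querier, so the number of peers a query reaches (governed by TTL and node degree) directly sets the spread rate.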