2010 Second International Conference on Networks Security, Wireless Communications and Trusted Computing
Two-factor Worm Propagation Model in Cloud Security Network
Zhang Wei, Qin Facheng, Wang Ruchuan
College of Computer, Nanjing University of Posts & Telecommunications, Nanjing, China
Abstract—The worm propagation model is an important issue in network information security. Based on the knowledge of infectious disease dynamics, the major methods for researching worm propagation are related to characteristics of the network, such as topology, traffic and user behavior. In 2008, with the transformation of key antivirus work from the terminal PC to the network server group, the industry put forward a novel infrastructure, cloud security, which means that a new challenge in countering worms is coming. This paper proposes a Two-factor Worm Propagation Model in Cloud Security Network (TWPMCS), which derives from the classical SIR model and considers two important factors in a cloud security network: the participant degree of cloud security and the impact of worm traffic. The TWPMCS model is a necessary and significant study of worm propagation behavior in the new network environment, the cloud security network.

Keywords: Worm Propagation Model; Cloud Security; SIR

I. INTRODUCTION

Modern computer viruses combine a variety of technologies, such as scanners, worms, Trojans and rootkits, and the worm propagation method is often used by malicious code. Studying the worm propagation model helps us understand the worm spreading process, its final results and the various factors involved in the process. Since the spread of worms and biological epidemics have many similarities, the study of worm spreading is usually based on the traditional infectious disease models SI [1], SIS [2], SIR [3] and SEIR [4], but on the other hand we also need to consider other factors, including user behavior, network topology, network communication status and so on [5][6][7][8]. Changchun Zou proposes the two-factor worm model [5], which considers not only active immunization but also the negative impact of increasing traffic as the number of infected individuals grows in the later period of worm spreading. David Dagon considers the time-zone feature of network usage patterns, in which the time zones of the world are divided into three major parts, Asia, North America and Europe, as clusters of PCs [9]. Because most PCs are shut down at night and no longer take part in the spread of worms, the effect of worm infection shows significant diurnal fluctuations. The research results can help to choose the optimal time to release the worm or to plan a better defense policy. In addition, networks are considered homogeneous in traditional propagation models, where an infected individual is equally likely to infect any other susceptible individual; the literature [7][10] extends these assumptions to heterogeneous networks: stochastic networks, grids and tree-like hierarchical networks. When we study the worm propagation model, human countermeasures should not be overlooked; for example, in the classical SIR model the third state R (Removed) results from an individual becoming immune from the states S (Susceptible) and I (Infective). The traditional defense behavior depends on virus detection and patch installation on the terminal PC, but at the same time this means the terminal PC must face some serious problems: the virus signature database continually grows and its data scale becomes too large to maintain, and furthermore the defense method is at a very disadvantageous position when facing zero-day viruses. To solve these problems, in 2008 some major information security vendors rolled out a new security architecture, cloud security [11], in which the antivirus focus is moved from the terminal PC to the network. Cloud security collects suspicious information from a large number of participants and sends the information to a processing center. The processing center identifies various threats by automatic processing and manual analysis, and immediately feeds the virus information back to the antivirus server group in the network. Unsafe URLs and malicious packets are thus filtered or discarded directly in the cloud network, so they cannot be sent to the terminal. Cloud security poses a new challenge for countering worm propagation, and we first need to know what advantages cloud security will bring us.

This paper focuses on the worm propagation model in cloud security, considering the participant degree of cloud security and the impact of heavy worm traffic. The rest of this paper is organized as follows: Section 2 introduces the cloud security model; Section 3 describes the operating mechanism of cloud security and the two-factor worm propagation model in cloud security network, TWPMCS; Section 4 analyzes the stability of TWPMCS; and Section 5 concludes the paper with some further discussions.
Supported by the National Postdoctoral Science Foundation of China, No. 20090451241, 2009.
978-0-7695-4011-5/10 $26.00 © 2010 IEEE DOI 10.1109/NSWCTC.2010.224

II. CLOUD SECURITY

Cloud security is a particular application of cloud technology. The concept of the cloud dates from the 1960s, but only in the late 1990s, when Internet bandwidth increased greatly, did cloud technology develop rapidly. With the popularity of cloud security technology, the traditional signature-based malware detection method has been increasingly unable to meet the requirements. In 2008, some well-known information security vendors, such as Trend, Rising and Kaspersky, launched their own cloud security plans and products. The first key task of cloud security is to design cloud storage for the virus sample database and the virus signature database to meet the requirement of mass storage. The second key task is to utilize cloud computing to mine threats from large amounts of data with complex computation, which is launched by the virus control center. The center handles data by both manual analysis and machine processing, and its main sources of suspicious data are network probes and cloud participants. Based on the analysis results, the characteristics of threats are found and stored in the network servers as a signature database for users and network services to use. As the next generation of content security architecture, cloud security technology is designed to filter malicious data before it reaches its targets, through dynamic assessment of the information's security level. Currently the development of cloud security still faces many problems, such as cloud computing efficiency, cloud storage security and network dependence, but it is a basic consensus that cloud security will replace the current antivirus system. Before cloud security is adopted, we first need to know how the spread of worms changes in the new network environment, the advantages of the cloud security architecture in controlling worms compared to the traditional architecture, and the appropriate participant degree in cloud security. This paper addresses these issues for discussion.

III. THE TWPMCS MODEL

To study the process of worm propagation in a cloud security environment, we propose a new model, TWPMCS, which is based on the classical propagation model, the Kermack-McKendrick model. TWPMCS also has three basic states, S (Susceptible), I (Infective) and R (Removed). In the TWPMCS model, regardless of which state an individual is in, we only consider whether the individual is a participant of the cloud security scheme, which decides whether it will take action to report suspicious information or not. Since reporting information or not are two states, the TWPMCS model has six states. The state transition graph of the TWPMCS model is shown in Fig. 1, and the model uses the following assumptions:
- Because of the huge population and the small fluctuation, the total number of individuals N is a constant over time.
- The model mainly considers actively propagating worms, and does not consider the infection time and latency of the worm.
- The worm can infect susceptible individuals equally, and the different defense capabilities of individuals are not distinguished.
- The collected samples mainly depend on the reports of individuals in cloud security, excluding honeypots and network probes. The participant degree of cloud security directly affects the virus detection speed of cloud security.

[Figure 1: the TWPMCS state transition graph. S, I and R are each split into a non-member part (S1, I1, R1) and a cloud security member part (S2, I2, R2); the transitions are labelled with the birth rate μN into S, the death rate μ out of each state, the infection rates β(t), β1(t), β2(t) from S to I, the removal rates γ, γ1, γ2 from I to R, and the active immunization rate ρ from S and I to R.]

Figure 1 The TWPMCS model

Fig. 1 describes the TWPMCS model and Table 1 describes the model parameters. The three states, S, I, R, are each divided into two parts, and the proportion of cloud security participants in the three states has the same value, k (0≤k≤1). Since being a member of cloud security or not only decides whether suspicious information is reported in the TWPMCS model, cloud security members and non-members have the same contact rate and removal rate: β(t)=β1(t)=β2(t), γ=γ1=γ2.

Table 1 Notation of the TWPMCS model

| Notation | Explanation |
| --- | --- |
| S | Number of susceptible individuals, S = S1 + S2 |
| S1 | Number of susceptible individuals that are not cloud security members, S1 = (1−k)S |
| S2 | Number of susceptible individuals that are cloud security members, S2 = kS |
| I | Number of infectious individuals, I = I1 + I2 |
| I1 | Number of infectious individuals that are not cloud security members |
| I2 | Number of infectious individuals that are cloud security members |
| R | Number of individuals removed from the infectious population, R = R1 + R2 |
| R1 | Number of removed individuals that are not cloud security members |
| R2 | Number of removed individuals that are cloud security members |
| N | Total number of individuals under consideration, N = S + I + R |
| β | Infection rate of susceptible individuals |
| γ | Removal rate of infectious individuals |
| ρ | Active immunization rate of susceptible and infectious individuals |
| μ | Individual birth and death rate |
| k | Proportion of participants of cloud security, 0≤k≤1 |
The number of susceptible individuals is related to the birth rate, the death rate, the immunization rate and the removal rate. Assume the total number of individuals is proportional to the birth rate and all newborn individuals are susceptible. We can get (1) and (2).

$$S_1(t+\Delta t) - S_1(t) = \mu N (1-k)\Delta t - S_1(t)\mu\Delta t - S_1(t)\rho\Delta t - S_1(t)\beta_1(t)I_1(t)\Delta t \quad (1)$$

$$S_2(t+\Delta t) - S_2(t) = \mu N k\Delta t - S_2(t)\mu\Delta t - S_2(t)\rho\Delta t - S_2(t)\beta_2(t)I_2(t)\Delta t \quad (2)$$

By (1) and (2),

$$S(t+\Delta t) - S(t) = \mu N\Delta t - S(t)\mu\Delta t - S(t)\rho\Delta t - S(t)\beta(t)I(t)\Delta t \quad (3)$$

The fourth term of (3), $\beta(t)S(t)I(t)\Delta t$, is the most complex part; it represents the number of newly infected individuals in the time interval $\Delta t$. Cloud security servers collect a lot of suspicious information and network traffic to help monitor and control the network. The capability of collecting information depends on two factors: the scale of cloud security participants and the scale of worm propagation. If the scales are large in the start-up phase, it is easy to collect enough suspicious information to identify and filter the worm, so the infection rate $\beta(t)$ in the network will become small; on the other hand, if the scales are small, it will take more time to collect suspicious information, and the decline of $\beta(t)$ will also take longer. So in cloud security, the more participants and reported information, the higher the efficiency and the stronger the ability to counter the worm. Considering these factors we design the infection rate of susceptible individuals as (4).

$$\begin{cases} \beta(t) = \beta_0(t)\,\theta_1(t)\,\theta_2(t) \\ \theta_1 = (1-k)^{\eta_1} \\ \theta_2 = \left(1 - I_2(t)/N\right)^{\eta_2} \end{cases} \quad (4)$$

In (4), $\theta_1(t)$ indicates the scale of cloud security participants at time $t$, and $\theta_2(t)$ is the scale of the worm at time $t$. $\theta_2(t)$ only considers $I_2(t)$, not $R_2(t)$, because the suspicious information has already been reported in state I if state R is reached from state I, and in the other case no information needs to be reported if state R is reached from state S. $\beta(t)$ is a continuous variable, and $\eta_1$ and $\eta_2$ are sensitivity coefficients. So we can get the continuous change of infected and removed individuals. The equations of TWPMCS can be written as:

$$\begin{cases} \dfrac{dS(t)}{dt} = \mu N - \beta(t)S(t)I(t) - \rho S(t) - \mu S(t) \\[4pt] \dfrac{dI(t)}{dt} = \beta(t)S(t)I(t) - \gamma I(t) - \rho I(t) - \mu I(t) \\[4pt] \dfrac{dR(t)}{dt} = \rho S(t) + \gamma I(t) + \rho I(t) - \mu R(t) \\[4pt] N = S(t) + I(t) + R(t) \\ \beta(t) = \beta_0(t)\theta_1(t)\theta_2(t) \end{cases} \quad (5)$$

When $I(t) \neq 0$, $S(t) = (\gamma+\mu+\rho)/\beta(t)$, and we can get the worm-endemic equilibrium

$$EQ_2 = (S_2^*, I_2^*, R_2^*) = \left( \frac{\mu+\rho+\gamma}{\beta(t)},\; \frac{\mu N}{\mu+\rho+\gamma} - \frac{\mu+\rho}{\beta(t)},\; \frac{(\rho+\gamma)N}{\mu+\rho+\gamma} - \frac{\gamma}{\beta(t)} \right) \quad (8)$$

IV.

A. Worm-free equilibrium and its stability

We can check the stability of the TWPMCS model at the equilibria to study the worm propagation behavior. According to (7), the Jacobian matrix at the worm-free equilibrium $EQ_1$ is:

$$J(EQ_1) = \begin{bmatrix} -\rho-\mu & -\beta(t)S_1^*(t) & 0 \\ 0 & \beta(t)S_1^*(t) - \gamma - \rho - \mu & 0 \\ \rho & \gamma+\rho & -\mu \end{bmatrix} \quad (9)$$

The corresponding eigenvalues of $J(EQ_1)$ are

$$\begin{cases} \lambda_1 = -\rho-\mu \\ \lambda_2 = \beta(t)S_1^*(t) - \gamma - \rho - \mu \\ \lambda_3 = -\mu \end{cases} \quad (10)$$

All parameters of TWPMCS are assumed to be positive, thus $\lambda_1 < 0$ and $\lambda_3 < 0$. For the worm-free equilibrium to be locally asymptotically stable, the following condition is required:

$$\lambda_2 = \beta S_1^* - \gamma - \rho - \mu < 0 \quad (11)$$

Let us define the basic reproduction number of the infection as $R_0$:

$$R_0 = \frac{\beta\mu N}{(\rho+\mu)(\gamma+\rho+\mu)} \quad (12)$$

Then we have the following lemma regarding the stability of the worm-free equilibrium.

Lemma 1. The worm-free equilibrium $EQ_1$ is locally asymptotically stable if $R_0 < 1$.

Proof: By the stability theory, the sufficient condition for (5) to be asymptotically stable is that $\lambda_i < 0$ ($i = 1, 2, 3$). From (10), it is easy to get $\lambda_1 < 0$ and $\lambda_3 < 0$ in TWPMCS. Using $S_1^* = \mu N/(\mu+\rho)$ from (7), and substituting $S_1^*$ into $\lambda_2$, we have

$$\lambda_2 = (\gamma+\rho+\mu)\left[\frac{\beta\mu N}{(\rho+\mu)(\gamma+\rho+\mu)} - 1\right] = (\gamma+\rho+\mu)(R_0 - 1) < 0$$

So $\lambda_2 < 0$ exactly when $R_0 < 1$.

For the global stability of $EQ_1$, from (5) we have $dS/dt \le \mu N - (\rho+\mu)S(t)$, so

$$S(t) \le \frac{\mu N}{\rho+\mu} + \left[S(0) - \frac{\mu N}{\rho+\mu}\right]\exp[-(\rho+\mu)t]$$

When $t \to \infty$, we obtain $S(t) \le \mu N/(\rho+\mu)$. Let us consider the Lyapunov function $V(t) = I(t)$:

$$V'(t) = I'(t) = \beta(t)S(t)I(t) - \gamma I(t) - \rho I(t) - \mu I(t) \le I(t)\left(\frac{\beta\mu N}{\rho+\mu} - \gamma - \rho - \mu\right) < 0 \quad \text{for } R_0 < 1.$$

So the worm-free equilibrium $EQ_1$ is globally stable.

B. Worm-endemic equilibrium and its stability

For the case of the worm-endemic equilibrium $EQ_2$ of (5), the Jacobian matrix at $EQ_2$ is

$$J(EQ_2) = \begin{bmatrix} -\dfrac{\beta(t)\mu N}{\rho+\mu+\gamma} & -\rho-\mu-\gamma & 0 \\[6pt] \dfrac{\beta(t)\mu N}{\rho+\mu+\gamma} - \rho - \mu & 0 & 0 \\[6pt] \rho & \rho+\gamma & -\mu \end{bmatrix}$$

The characteristic polynomial of $J(EQ_2)$ is $f(\lambda) = a_0\lambda^3 + a_1\lambda^2 + a_2\lambda + a_3$, where

$$\begin{cases} a_0 = 1 \\ a_1 = \dfrac{\beta\mu N}{\rho+\mu+\gamma} + \mu \\[6pt] a_2 = \beta\mu N - (\rho+\mu)(\rho+\mu+\gamma) + \dfrac{\beta\mu^2 N}{\rho+\mu+\gamma} \\[6pt] a_3 = \mu\left[\beta\mu N - (\rho+\mu)(\rho+\mu+\gamma)\right] \end{cases}$$

Lemma 2. For $R_0 > 1$ the worm-endemic equilibrium $EQ_2$ is locally asymptotically stable.

Proof. The Routh-Hurwitz array for $EQ_2$ is as follows:

$$\begin{bmatrix} a_0 & a_2 \\ a_1 & a_3 \\ (a_1a_2 - a_0a_3)/a_0 & 0 \\ a_3 & 0 \end{bmatrix}$$

By (8) and (12), we also have $I_2^* = \dfrac{\mu N}{\mu+\rho+\gamma}\left(1 - \dfrac{1}{R_0}\right)$, which indicates that for the case $R_0 > 1$ we have $I_2^* > 0$ and $\beta\mu N > (\rho+\mu)(\rho+\mu+\gamma)$, so $a_0 > 0$, $a_1 > 0$, $a_2 > 0$, $a_3 > 0$, and

$$(a_1a_2 - a_0a_3)/a_0 = a_1a_2 - a_0a_3 = \frac{\beta\mu N}{\gamma+\rho+\mu}\,a_2 + \frac{\beta\mu^3 N}{\gamma+\rho+\mu} > 0.$$

So we prove that the worm-endemic equilibrium $EQ_2$ is locally asymptotically stable.

Theorem 2. The worm-endemic equilibrium $EQ_2$ is globally asymptotically stable if $R_0 > 1$.

Proof. Let us consider the following Lyapunov function $V(t)$:

$$V(t) = \int_{S_2^*}^{S} \frac{x - S_2^*}{x}\,dx + \int_{I_2^*}^{I} \frac{x - I_2^*}{x}\,dx$$

$$V'(t) = \left(\frac{S - S_2^*}{S}\right)S' + \left(\frac{I - I_2^*}{I}\right)I' = \left(\frac{\mu N}{S} + \rho + \mu\right)(S_2^* - S) + (\gamma+\mu+\rho)(I_2^* - I) - \beta S I_2^* \le 0$$

Thus we prove that the worm-endemic equilibrium $EQ_2$ is globally asymptotically stable.

C. Worm endemic control

Theorem 3. For $S_1^*$ in $EQ_1$ and $S_2^*$ in $EQ_2$, if $S_1^* < S_2^*$, there exists only the worm-free equilibrium $EQ_1$, which is asymptotically stable; whereas if $S_1^* > S_2^*$, only the worm-endemic equilibrium $EQ_2$ is asymptotically stable.

Proof. It is easy to get that

$$S_1^* < S_2^* \iff \frac{\mu N}{\mu+\rho} < \frac{\mu+\rho+\gamma}{\beta} \iff R_0 = \frac{S_1^*}{S_2^*} = \frac{\beta\mu N}{(\mu+\rho)(\mu+\rho+\gamma)} < 1,$$

$$S_1^* > S_2^* \iff \frac{\mu N}{\mu+\rho} > \frac{\mu+\rho+\gamma}{\beta} \iff R_0 = \frac{S_1^*}{S_2^*} = \frac{\beta\mu N}{(\mu+\rho)(\mu+\rho+\gamma)} > 1.$$

REFERENCES

[1] Romualdo Pastor-Satorras and Alessandro Vespignani, "Epidemic spreading in scale-free networks", Phys. Rev. Lett., pp. 3200-3203, 2001.
[2] Herbert W. Hethcote, "The mathematics of infectious diseases", SIAM Review, vol. 42, pp. 599-653, 2000.
[3] Bimal Kumar Mishra and Dinesh Kumar Saini, "SEIRS epidemic model with delay for transmission of malicious objects in computer network", Applied Mathematics and Computation, vol. 188(2), pp. 1476-1482, 2007.
[4] David J. D. Earn, Pejman Rohani and Bryan T. Grenfell, "A simple model for complex dynamical transitions in epidemics", Science, vol. 287, pp. 667-670, 2000.
[5] Changchun Zou, Weibo Gong and Don Towsley, "Code Red worm propagation modeling and analysis", Proc. of the 9th ACM Conference on Computer and Communications Security, New York: ACM, pp. 138-147, November 2002.
[6] Changchun Zou, Don Towsley and Weibo Gong, "Modeling and simulation study of the propagation and defense of Internet e-mail worms", IEEE Transactions on Dependable and Secure Computing, vol. 4(2), pp. 105-118, 2007.
[7] Giuseppe Serazzi and Stefano Zanero, "Computer virus propagation models", MASCOTS Tutorials, pp. 26-50, 2003.
[8] Hua Yuan and Guoqing Chen, "Network virus-epidemic model with the point-to-group information propagation", Applied Mathematics and Computation, vol. 206(1), pp. 357-367, 2008.
[9] David Dagon, Cliff Zou and Wenke Lee, "Modeling botnet propagation using time zones", Proc. of the 13th Annual Network and Distributed System Security Symposium (NDSS 2006), February 2006.
[10] Xiaofeng Nie, Yuewu Wang, Jiwu Jing and Qi Liu, "Understanding the impact of overlay topologies on peer-to-peer worm propagation", Proceedings of the 2008 International Conference on Computer Science and Software Engineering, pp. 863-867, 2008.
[11] Guidance for Critical Areas of Focus in Cloud Computing, http://www.cloudsecurityalliance.org/guidance/csaguide.pdf, 2009.
[12] Kurt Rohloff and Tamer Basar, "Deterministic and stochastic models for the detection of random constant scanning worms", ACM Trans. Model. Computer Simulation, vol. 18(2), pp. 108-126, 2008.
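As an added illustration (not part of the paper), the following Python script integrates system (5) with the infection rate (4) for constructed parameter values and checks the thresholds of Lemma 1, Lemma 2 and Theorem 3 numerically: with R0 < 1 the trajectory settles at the worm-free equilibrium, with R0 > 1 at EQ2 of (8), and raising the participant degree k lowers the endemic level because the six-state split enters β(t) only through I2 = kI. The parameter values, the forward-Euler step and the `Params` container are assumptions of this example, not values from the paper.

```python
"""Added numerical check of the TWPMCS model (not the paper's code)."""
from dataclasses import dataclass

@dataclass
class Params:
    beta0: float  # baseline infection rate beta_0 of eq. (4)
    mu: float     # birth and death rate
    rho: float    # active immunization rate
    gamma: float  # removal rate of infectious individuals
    n: float      # total population N (constant by assumption)

def r0(p: Params, beta: float) -> float:
    """Basic reproduction number R0 of eq. (12)."""
    return beta * p.mu * p.n / ((p.rho + p.mu) * (p.gamma + p.rho + p.mu))

def worm_free_equilibrium(p: Params):
    """EQ1: S1* = mu*N/(mu+rho), I1* = 0, R1* = N - S1* (from dR/dt = 0 with I = 0)."""
    s = p.mu * p.n / (p.mu + p.rho)
    return s, 0.0, p.n - s

def endemic_equilibrium(p: Params, beta: float):
    """EQ2 = (S2*, I2*, R2*) of eq. (8) for a constant beta."""
    d = p.mu + p.rho + p.gamma
    s = d / beta
    i = p.mu * p.n / d - (p.mu + p.rho) / beta
    r = (p.rho + p.gamma) * p.n / d - p.gamma / beta
    return s, i, r

def infection_rate(p: Params, k: float, i: float, eta1: float, eta2: float) -> float:
    """beta(t) = beta0*theta1*theta2 of eq. (4); I2 = k*I are the infected cloud members."""
    theta1 = (1.0 - k) ** eta1
    theta2 = (1.0 - k * i / p.n) ** eta2
    return p.beta0 * theta1 * theta2

def simulate(p: Params, k: float, eta1=1.0, eta2=1.0, i0=10.0, t_end=1500.0, dt=0.02):
    """Forward-Euler integration of system (5); returns (S, I, R) at t_end."""
    s, i, r = p.n - i0, i0, 0.0
    for _ in range(int(t_end / dt)):
        beta = infection_rate(p, k, i, eta1, eta2)
        ds = p.mu * p.n - beta * s * i - p.rho * s - p.mu * s
        di = beta * s * i - p.gamma * i - p.rho * i - p.mu * i
        dr = p.rho * s + p.gamma * i + p.rho * i - p.mu * r
        s, i, r = s + ds * dt, i + di * dt, r + dr * dt
    return s, i, r

# Constructed parameter sets (not taken from the paper): one with R0 > 1, one with R0 < 1.
P_ENDEMIC = Params(beta0=0.001, mu=0.01, rho=0.02, gamma=0.1, n=1000.0)
P_FREE = Params(beta0=0.0002, mu=0.01, rho=0.02, gamma=0.1, n=1000.0)

if __name__ == "__main__":
    for p in (P_FREE, P_ENDEMIC):
        print(f"R0 = {r0(p, p.beta0):.3f}, EQ2 = {endemic_equilibrium(p, p.beta0)}")
        for k in (0.0, 0.5):  # participant degree k of cloud security
            print(f"  k = {k}: final (S, I, R) = {simulate(p, k)}")
```

With k = 0 the infection rate is constant, so the final state can be compared directly against EQ1 and EQ2; with k > 0 the run shows how θ1 and θ2 of (4) pull the endemic level down.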