Chapter 4. Simulation Results

4.3. Patching System

In this section, we discuss implementing the patching strategy in the original system.

Based on the parameter values set in the previous section, the parameter values for the patching strategy can be deduced as follows. In the original system, the probability of a susceptible host being infected is 50%. For susceptible hosts that are patched, this probability should be much lower than in the original system and is given as 1%. Therefore, transmission rate, , for susceptible hosts that are patched is 0.01 (1 x 0.01). , transmission rate for susceptible hosts that are not patched is the same as in the original system and is given as 0.5. In the patching system, the strategy also has an impact on infected hosts. Therefore, the probability of recovering for infected hosts is high and is given as 99%. Hence, the transmission rate for infected hosts that are patched is given as 0.99. , transmission rate for infected hosts that are not patched is the same as in the original system and is given as 0.1. The value of is the same as in the original system. In the patching system, we assume the patch is developed and implemented on the first day of propagation, and we patch 15% of both the susceptible and the infected hosts.

Table 4-4 Summary of parameter values in patching system

Parameter Value

0.01 0.5 0.99

0.1

0.01

0.15 0.15


Figure 4-5 Patching system vs. Original system

The figure above illustrates the patching strategy's impact on the original system.

We can see that the first outbreak volume in the patching system is about 1/5 of the first outbreak volume in the original system, and the second outbreak volume in the patching system is about 1/2 of the second outbreak volume in the original system. In other words, compared with the original system, the patching strategy greatly decreased the volumes of the first and the second BotNet outbreaks. This figure also illustrates that the patching system delayed the first outbreak until about one month after the first outbreak occurred in the original system. Also, the patching system

original system, the patching strategy successfully delayed the first and the second outbreak. Meanwhile, we found that at the end of the propagation, the patching system greatly decreased the steady-state volume compared with the original system. Therefore, in this scenario, we conclude that the patching strategy performs excellently in combating BotNet.

4.4. Barrier Precaution System vs. Patching System

In previous sections, we have demonstrated that our model shows reasonable results for different strategies. With this confidence, in this section we discuss which strategy is better than the other. Before any comparison, comparison criteria are needed. As discussed in chapter 2, both strategies have impacts on susceptible hosts. For the barrier precaution strategy, we chose the strong barrier situation as the representative to compare with the patching strategy. The strong barrier situation's impact on susceptible hosts is 0.375 ( ). In order to compare the two strategies, we make them have the same impact on susceptible hosts. In other words, in the patching strategy, the proportion of susceptible hosts that are patched is . By doing so, both of their impacts (average transmission rate) on susceptible hosts will be 0.375. The proportion of infected hosts that install the patch remains . In the first simulation, we assume that the patch is released and implemented on the first day of propagation.

Figure 4-6 Patching system vs. Strong barrier precaution system

The figure above illustrates the impacts of the patching strategy and the strong barrier precaution strategy on the original system. We can see that the first outbreak volume in the patching system is about 1/6 of the first outbreak volume in the strong barrier precaution system, and the second outbreak volume in the patching system is about 1/3 of the second outbreak volume in the strong barrier precaution system. In other words, the patching system decreased the volume of both the first and the second outbreak more than the strong barrier precaution system did. This figure also illustrates that the patching system delayed the first outbreak until about 1 month after the first outbreak occurred in the strong barrier precaution system. Also, the patching system delayed the second outbreak until about 1.5 months after the second outbreak occurred in the strong barrier precaution system. That is to say, compared with the strong barrier precaution system, the patching strategy delayed the first and the second outbreak for a longer period. Meanwhile, the patching system decreased the steady-state volume more than the strong barrier precaution system. In a nutshell, the patching strategy performs better in every aspect (volume and occurrence time of outbreaks and volume of steady state) than the strong barrier precaution system. Interpreting the simulation results, we infer that the patching strategy performs better than the strong barrier precaution strategy because the patching strategy can affect infected hosts, which the strong barrier precaution strategy cannot. Therefore, we suggest that defenders use the patching strategy rather than the strong barrier precaution strategy when defending against BotNet.

4.5. Different Implementation Day in Patching System

In previous sections, we assumed that the patch is developed and implemented on the first day of the propagation. However, in reality, patches are usually developed after the disasters have occurred. Therefore, we set different days on which to implement the patching strategy. These days are day 20, day 30, day 40 and day 50. They are, respectively, 15 days and 5 days before, and 5 days and 15 days after, the highest volume of the first outbreak (day 35) in the original system.

Figure 4-7 Patching system (implement at day 20 and day 30)

Figure 4-8 Patching system (implement at day 40 and day 50)


Figure 4-7 displays the simulation results when the strategy is implemented on different days before the highest volume of the first outbreak (day 35) in the original system. When the patching strategy is implemented at day 30, compared with the original system, it not only decreases the volumes of all outbreaks but also delays the second outbreak. Further, the figure shows that when the patching strategy is implemented at day 20, it decreases the volume of all outbreaks more and delays the second outbreak for a longer period than implementation at day 30. However, the steady-state volume when implemented at day 30 shows no significant difference compared with implementation at day 20. In a nutshell, figure 4-7 shows that the earlier the implementation day, 1) the better the performance of the patching strategy, 2) the earlier the number of infected hosts approaches the steady state.

Figure 4-8 shows the simulation results when the strategy is implemented on different days after the highest volume of the first outbreak (day 35) in the original system. When the patching strategy is implemented at day 40 and day 50, the highest volume of the first outbreak shows no difference compared with the original system. However, once the number of infected hosts has reached the highest volume, the strategy implemented at day 40 has a faster rate of decline than the strategy implemented at day 50. Meanwhile, despite their small impact on the first outbreak, both strategies still have impacts on the other outbreaks and on the steady-state volume during the propagation. As shown in the figure, compared with the original system, both strategies not only decreased the volume of the second outbreak but also delayed it. In a nutshell, figure 4-7 shows that the later the implementation day, 1) the worse the performance of the patching strategy, 2) the later the number of infected hosts approaches the steady state. Although implementations after the first outbreak still have impacts on the number of infected hosts, the overall impact is not as significant as implementation before day 35. Therefore, we suggest that defenders implement the patching strategy as soon as they can to get the maximum effectiveness from it.

4.6. Different Proportions of Patch Implementation in Susceptible and Infected Hosts

In the previous section, the simulation results showed that the patching strategy performs better than the barrier precaution strategy. However, in reality, due to limited resources, defenders may need to find an optimal way to implement patches. Therefore, in this section, we discuss which performs better: patching susceptible hosts or patching infected hosts. Simple analyses are conducted to investigate this question. Our analyses were conducted by changing one parameter value (an input of the model) at a time while the others remain the same, so as to see how this change of value affects the output of the model and, further, to identify the most influential parameter. In the first analysis, we reduce (proportion of patch susceptible hosts) and (proportion of patch infected hosts) respectively from 15% to 10% to see how this will impact the number of infected hosts. Then we reduce from 15% to 13% and 10% respectively and compare the results with reducing from 15% to 13% and 10% respectively.

Figure 4-9 Reduce proportions of patch installed in susceptible and infected hosts to 10%

Figure 4-10 Reduce proportion of patch installed in susceptible hosts to 13% and 10%

Figure 4-11 Reduce proportion of patch installed in infected hosts to 13% and 10%

In figure 4-9, we can see that when we reduce from 15% to 10%

highest volume of the first outbreak in the original system . And the highest volume of the second outbreak is about 1.5 times the one in the original system. Further, when we reduce from 15% to 10% the highest volume of the first outbreak is about 1.2 times the highest volume of the first outbreak in the original system. And the highest volume of the second outbreak is about 1.1 times the one in the original system. In other words, compared with the original system, we found that reducing the proportion in increases the outbreak volume more than reducing the same amount of proportion in . Meanwhile, compared with the original system, we also found that reducing the proportion in brings the occurrence time of the outbreaks much earlier than reducing the same amount of proportion in . Further, in figures 4-10 and 4-11, we can see that, when is reduced to 13% and 10% , the value differences between the first outbreaks are more significant than the differences when reducing to 13% and 10% . In general, the simulation results show that an impact on (infected hosts) is more effective than an impact on (susceptible hosts). Therefore, we suggest that, before implementing, defenders conduct research to find the most infectious departments or units under their jurisdiction. In that way, defenders can combat more BotNet with fewer resources.
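The parameter choices discussed in sections 4.3 to 4.6 can be explored with the following added example, which is not the thesis's own code and is not expected to reproduce its figures. It assumes a daily-step SIRS model in population fractions, treats the 0.01 value kept from the original system as the rate at which recovered hosts become susceptible again, and reads "average transmission rate" as the proportion-weighted mean; the function names and the initial infected fraction `i0` are constructed for illustration.

```python
# Added example (not the thesis's code). Parameter values are the page's;
# the SIRS structure and the daily update rule are assumptions.
BETA_U, BETA_P = 0.5, 0.01     # transmission rate: unpatched / patched susceptible hosts
GAMMA_U, GAMMA_P = 0.1, 0.99   # recovery rate: unpatched / patched infected hosts
XI = 0.01                      # assumed role: recovered -> susceptible (re-infection)


def blended(unpatched, patched, proportion):
    """Proportion-weighted average rate when `proportion` of hosts are patched."""
    return proportion * patched + (1.0 - proportion) * unpatched


def proportion_for_target(target, unpatched, patched):
    """Patch proportion whose blended rate equals `target` (inverse of blended)."""
    return (unpatched - target) / (unpatched - patched)


def simulate(p_s=0.0, p_i=0.0, patch_day=1, days=400, i0=1e-4):
    """Return the infected fraction per day; patching applies from `patch_day` on."""
    s, i, r = 1.0 - i0, i0, 0.0
    infected = []
    for day in range(1, days + 1):
        active = day >= patch_day
        beta = blended(BETA_U, BETA_P, p_s if active else 0.0)
        gamma = blended(GAMMA_U, GAMMA_P, p_i if active else 0.0)
        new_inf, new_rec, new_sus = beta * s * i, gamma * i, XI * r
        s += new_sus - new_inf
        i += new_inf - new_rec
        r += new_rec - new_sus
        infected.append(i)
    return infected


def highest_outbreak(series):
    """(day, value) of the highest infected fraction; days are 1-based."""
    value = max(series)
    return series.index(value) + 1, value


if __name__ == "__main__":
    scenarios = {
        "original": simulate(),
        "patch 15%/15% from day 1": simulate(0.15, 0.15),
        "patch from day 20": simulate(0.15, 0.15, patch_day=20),
        "patch from day 50": simulate(0.15, 0.15, patch_day=50),
        "susceptible share cut to 10%": simulate(0.10, 0.15),
        "infected share cut to 10%": simulate(0.15, 0.10),
    }
    for name, series in scenarios.items():
        day, value = highest_outbreak(series)
        print(f"{name:30s} peak day {day:3d}  infected {value:.3f}  final {series[-1]:.3f}")
    # Share of susceptible hosts to patch so the blended rate equals the 0.375 barrier impact
    print("share matching 0.375:", round(proportion_for_target(0.375, BETA_U, BETA_P), 4))
```

Because the model structure is assumed, the printed peaks show the direction of each effect (lower and later outbreaks with patching, less benefit from late patching, stronger sensitivity to the infected-host proportion) rather than the thesis's exact volumes or days.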


Chapter 5. Conclusion and Future Research

The rapid advance of Internet and host technology has brought society a more convenient and efficient way of coordinating online resources. However, it has also brought a more severe threat, the BotNet. Therefore, defenders need a more efficient and effective way to defend against BotNets. With this in mind, in this research, based on the SIR model and the analogies between defense strategies against biological diseases and against BotNet, we proposed two models that take defense strategies into account. We conducted numerical analysis to understand the strengths and the weaknesses of these strategies so as to help defenders choose and deploy them more efficiently and effectively.

With appropriate parameter inferences, we first simulated BotNet's propagation in the original system. In this system, no specific defense strategies are implemented. The simulation results show that 1) in the later period of the propagation, the number of recovered hosts is relatively larger than the number of susceptible hosts and infected hosts. This reflects the same phenomenon as other Internet threats: in the later period of the propagation, most users have recovered their hosts from infection. 2) In the later period of the propagation, there might be a period in which both the number of susceptible hosts and the number of infected hosts approach a steady state and are much smaller than the number of recovered hosts. 3) There is more than one outbreak during the propagation, since events such as re-infection are likely. The results also show that the first BotNet outbreak plays a key role in the propagation of BotNet since, compared with the others, the first one is the most severe. Although the results might have some biases since the parameters are estimated, the simulation results of the original system give reasonable explanations of BotNet propagation. Therefore, we think the model's forecast of the trends of BotNet propagation is worth referencing.

With this confidence, based on the simulation of the original system, we deduced the parameters for the simulation of the barrier precaution strategies. The simulation results show that among the three barrier precaution strategies (strong, good, weak), the strong barrier precaution strategy performs best in reducing the volume of outbreaks and the volume of the steady state. Therefore, we suggest that defenders consider using the strong barrier precaution strategy rather than the good or weak barrier precaution strategy when combating BotNet.


We then simulated the propagation of BotNet with the patching strategy implemented. The simulation results show that, compared with the original system, the patching strategy not only delays the occurrence time of outbreaks but also decreases their volumes. Moreover, when the number of infected hosts approaches the steady state, this strategy successfully decreases the volume. Therefore, in this simulation, we found that the patching strategy performs excellently in combating BotNet.

After obtaining the simulation results for both strategies (the patching strategy and the strong barrier precaution strategy), we discussed which strategy performs better than the other. Before any comparison, comparison criteria are needed. Hence, we controlled both strategies' impacts on susceptible hosts to be equal, since both strategies have impacts on susceptible hosts. The simulation results show that the patching system decreases the volume of the outbreaks more than the strong barrier precaution system. The simulation also demonstrates that the patching system has a later occurrence time of outbreaks than the strong barrier precaution system. Further, we also found that the patching system decreased the steady-state volume more than the strong barrier precaution system. Therefore, we suggest that defenders use the patching strategy rather than the strong barrier precaution strategy when defending against BotNet.


With the understanding that the patching strategy performs better than the strong barrier precaution strategy, we performed simulations to see how different implementation days affect the performance of the patching strategy. We chose two days before and two days after the highest volume of the first outbreak (day 35) in the original system on which to implement the patching strategy. The simulation results show that, for implementation before day 35, the earlier the implementation day, 1) the better the performance of the patching strategy, 2) the earlier the number of infected hosts approaches the steady state. The results also show that, for implementation after day 35, the number of infected hosts reflects the same behaviors as for implementations before day 35. Although implementation after day 35 can still impact the number of infected hosts, the impact is not as significant as implementation before day 35. Therefore, we suggest that defenders implement the patching strategy as soon as they can to get the maximum effectiveness from it.

In reality, due to limited resources, defenders may need to find an optimal way to implement patches. Thus, we discussed which performs better: patching susceptible hosts or patching infected hosts. Simple analyses were conducted to investigate this question. By reducing the proportion of patched susceptible hosts and of patched infected hosts by an equal amount respectively, the results show that patching infected hosts is more effective than patching susceptible hosts. Moreover, the results also show that the value differences between the first outbreaks when the proportion of patched infected hosts is reduced to 13% and 10% are more significant than the differences when reducing the proportion of patched susceptible hosts to 13% and 10%. Therefore, we suggest that, before implementing, defenders conduct research to find the most infectious departments or units under their jurisdiction so as to get the maximum effectiveness from this strategy.

We anticipate our research to be a starting point for more sophisticated modeling and analysis of the effectiveness of defense strategies against BotNet. In the following, we provide directions for future research in this area: 1) Hybrid defense strategies. In our research, we study only the impact of implementing a single strategy. However, in reality, multiple strategies could be implemented simultaneously. Therefore, a hybrid defense strategy is a possible direction for future research. 2) Cost considerations in strategy implementation. In our research, we study only the performance of defense strategies. However, the implementation cost of each defense strategy should be considered in the model. This can help defenders find optimal solutions from an economic perspective. 3) Real data collection. In our research, all parameters are estimated with reasonable consideration. However, we feel it is important to collect data on BotNet spread rates and incorporate them into our models. 4) As shown in the previous sections, the earlier the implementation day, the better the performance of the patching strategy. We also know that the larger the proportion of hosts patched, the better the performance of the patching strategy. However, which one is more important for effectively lowering the scale of BotNet? This is a question worthy of study.
