Is There a Role for Modeling and Simulation in this New

Battlespace?

Bernard P. ZeiglerProfessor of Electrical and Computer Engineering,

University of Arizona, Tucson

Director, Arizona Center for Integrative Modeling and Simulation

Consultant to NGIT and JITC

Information Security, Virus Propagation and Countermeasures:

Computer Viruses – how bad is the problem?

Fact: • The “I Love You” virus spread twice as fast

as Melissa in its first ten hours• affected 70% of US companies• cost between $100 million and $1billionConclusion: • computer viruses can do great harm to our

economic and military infrastructures• need countermeasures and conversely,

could be a way to attack an adversary

• A New Battlespace – information warfare

• Modeling and simulation has proven its worth in the conventional battlespace

• Is there a Role for Modeling and Simulation in the new battlespace?

• How do we start thinking about this issue?

Information Security, Virus Propagation and Countermeasures

M&S in the New Battlespace

Computer modeling and simulation has been used in the conventional battlespace for: – understanding combat in the battle field– weapons and systems design– test and evaluation – training– many other uses

How can we use M&S for modeling the new “battlefield” ?

– how do viruses spread?– how to detect them?– how to neutralize them?

Computer vs Natural Viruses

– Are computer viruses like bio viruses?– How far does this common analogy

stretch?– Does a computer get “sick” like a

person?– Did the “love” virus infect computers

and spread like Asian flu infects a population?

Recent Case In Point: MyDoom

Incident Report from ECE Network Administrator:

• There is a fast moving virus called MyDoom going around.

• Like many viruses this one will pick an e-mail address from the infected system and use it in the From: field of the virus infected message it sends out.

• If your e-mail address is found on an infected system you will likely get a message from the mail server that your mail wasn't delivered.

• This would indicate that someone you have an association with has the virus.

• Sophos now has the signature to catch this virus and we will be pushing out the updates tonight and tomorrow.

• There are likely to be a few infected systems in ECE and we will be conducting network scans tomorrow.

• The virus comes as an attachment; you will probably have a significant number of these messages by tomorrow.

• Just delete them and you are safe – needs to be opened to propagate

Mode of Viral Transmission

infectedcomputer

infectedcomputer

mailserver

addressbook

infectedcomputerinfected

computer

from a to xfrom b to x

from c to xuser opensattachment c

b a

Antiviral countermeasures: • spread word to recognize and not to open attachment• add signature to anti-viral software• scan LANs and disinfect• turn systems off and reboot

Spread of Infection Through Internet

Topology of spread – neigbors are addresses in client’s addressbook

Detecting Presence of Virus

Normal Email Behavior

-0.2

0

0.2

0.4

0.6

0.8

1

1.2

0 500 1000 1500 2000

Time (1.0s)

nu

mb

er

of

invo

cati

on

s

Abnormal Email Behavior

-2

0

2

4

6

8

10

12

14

16

0 500 1000 1500 2000

Time (1.0s)

Nu

mb

er o

f In

voca

tio

ns

Normal email behavior

Abnormal email behavior

Professor Salim Haririis developing capability to detect and neutralizeviruses using agent-basedsoftware technology over the Internet

-0.2

0

0.2

0.4

0.6

0.8

1

1.2

0 20 40 60 80 100 120 140 160

Node VI (Under Attack) Node VI (No Attackl)

“termp

erature”

Elevated Activity Level

control plane

data plane

Network Architectures of the Future, e.g. GigBEwill allow built-in virus detection and eradication

packet time marker wave

spreading virus

sentinel source (orange) and sink

(green)

slowing up of marker wave

trigger counter-measure

spreading anti-virus

restoration of infected cells

normal

infected

antiviral

packetwave behavior

infect

infectionspread

anti

revert

anti-viralpropagation

ping

infect

anti

ping

revert

infect

pingcell type/signal ping infect anti

normal normal infected anti-virus

infected no effect

no effect

anti-virus

anti-virus no effect

no effect

no effect

Viral and Antiviral Behavior

sentinel

periodicallygeneratepackets\ flood

source sink

detect travel timeexceeds threshold

pinganti

Sentinel Based Viral Detection

Virus Propagation Model

Demonstration

Virus Propagation and Countermeasures Design: A New Paradigm

• Develop models for information network protection applicable to new high speed infrastructure networks such as DoD’s GIG-BE. Currently, there are few theories and models of virus propagation in large scale networks and design of effective counter-measures – a notable exception: Prof. Hariri and DARPA

• A framework for virus and anti-virus propagation and interaction has been developed in the Discrete Event Systems Specification (DEVS) formalism and implemented in the DEVSJAVA modeling and simulation environment. A notional design for detecting virus propagation and launching countermeasures has been implemented.

• Continue with the development of the framework, research feasible mechanisms for implementation in network hardware and software and test and evaluate them through more refined simulation.

Summary

• Interesting analogies and dis-analogies between natural and artificial virus propagation

• Need formal simulation-based methodology to characterize viral behaviors and countermeasures

• Current popular network simulators are too unwieldy to support this research and development

• The new paradigm discussed here can!

More Information on M&S

www.acims.arizona.edu