Post on 19-Dec-2015
transcript
1November 2nd, 2007 WORM’07
Can You Infect Me Now?
Can You Infect Me Now?Malware Propagation in Mobile Phone Networks
Chris Fleizach1, Michael Liljenstam3, Per Johansson2, Geoffrey M. Voelker1 and András Méhes3
1 2 3
Introduction
2November 2nd, 2007 WORM’07
Can You Infect Me Now?
Motivation• Over 1.8 billion mobile subscriptions as of 2005• Phones are becoming general processing platforms.
• In Smartphones, the potential exists for malware developers to exploit the types of vulnerabilities that have long plagued Internet hosts– Mobile phone spam– Denial of service attacks– Mobile botnets (mobots)
• Ultimately, loss of service which leads to loss of revenue• Mobile phones will become a highly attractive target for
criminals.
Introduction
3November 2nd, 2007 WORM’07
Can You Infect Me Now?
How will it happen?
• Mobile phones have multiple communication vectors:– Bluetooth– SMS and MMS– Voice and VoIP– Internet
• However, these channels are constricted by network topologies, contact graphs and bandwidth limitations– We cannot blindly apply the lessons learned from Internet
worms.
Introduction
4November 2nd, 2007 WORM’07
Can You Infect Me Now?
Goals• Explore the range of malware propagation on
mobile phone networks– Characterize its speed and severity– Understand how network provisioning impacts
propagation– Understand how malware propagation impacts
the network– Highlight the implications of network-based
defenses against malware
Introduction
5November 2nd, 2007 WORM’07
Can You Infect Me Now?
Methodology• To accomplish these goals, we:–Created a realistic network topology generator
(RACoON)–Modeled address books of cell phone users–Created an event-driven simulator: • Model two attack vectors: Voice-over IP and MMS• Investigate ways to speed up the spread of
malware• Examine network-based defenses
Introduction
6November 2nd, 2007 WORM’07
Can You Infect Me Now?
Universal Mobile Telecommunications System
Modeling mobile phone networks
Network Elements• Node B• RNC• SGSN• GGSN • MMS server
We modeled a single carrier’s UMTS network
7November 2nd, 2007 WORM’07
Can You Infect Me Now?
Modeling mobile phone networks• Networks are planned and provisioned using:– Population data – Land use data– Previous cell phone deployments– Radio effects
• We used U.S. census data to create a square grid of population densities to inform our placement of UMTS elements– Used a 1x1 sq. mi. resolution– Averaged population for regions based on county land area
and total population
Modeling mobile phone networks
8November 2nd, 2007 WORM’07
Can You Infect Me Now?
Population Data
Areas of high population density are darker
Modeling mobile phone networks
9November 2nd, 2007 WORM’07
Can You Infect Me Now?
Generating the network topology
• The Radio Access and Core Operator Network topology Generator (RACoON)– Uses population data as input to capture regional
population differences– Divides the area into uniform grid cells– Uses a bottom-up placement strategy to place
radio cells and Node Bs.– Adds fixed network nodes that obey capacity
constraints
Modeling mobile phone networks
10November 2nd, 2007 WORM’07
Can You Infect Me Now?
A generated networkHighly populated regions correspond to regions that need more SGSNs
SGNSs connected with the Waxman model – distance based random topology
200x200 sq. mi grid of northwest US
Modeling mobile phone networks
11November 2nd, 2007 WORM’07
Can You Infect Me Now?
Topology Specifics
• The topology we used in our simulated was based on the Boston metropolitan area (northeast U.S.)– 100x100 sq. mi. grid– 7 million people (but scaled down based on 78%
cell phone penetration statistics)– 9,616 Radio Cells– 49 RNCs, 49 SGSNs– 1 MMS server
Modeling mobile phone networks
12November 2nd, 2007 WORM’07
Can You Infect Me Now?
Modeling social networks
• Existing viruses in cell phones (e.g. Commwarrior) use the entries in the address book to spread
• The implication is that there is an underlying social network topology– What is the degree distribution for address books?– How are nodes connected?
Modeling Social Topology Networks
13November 2nd, 2007 WORM’07
Can You Infect Me Now?
Degree distributions
• Many real-world phenomena are modeled by scale-free networks (Internet AS topology, links between movie actors, file sizes, … )
• Zou et al. said email lists were power-law1
• Newman et al. said email address books were scale-free2
• Liben-Nowell said connections in a social network community (LiveJournal.com) were log-normal3
1 Zou, Towsley, Gong. “Email worm modeling and defense”2 Newman, Forrest, Balthrop. “Email networks and the spread of computer viruses”3 Liben-Nowell. “An algorithmic approach to social networks”
Modeling Social Topology Networks
14November 2nd, 2007 WORM’07
Can You Infect Me Now?
Degree distributions• But these models imply
that most people have very few connections.
• Intuitively, this seems incorrect.
• We surveyed cell phone owners at UCSD CSE and Ericsson
• The distribution was more like a stretched Gaussian.
Modeling Social Topology Networks
15November 2nd, 2007 WORM’07
Can You Infect Me Now?
Erlang Distribution
• In fact we found that the data fit an Erlang distribution
• Erlang is a shifted Gaussian
Modeling Social Topology Networks
16November 2nd, 2007 WORM’07
Can You Infect Me Now?
How are the nodes connected?
• In power law distributions, some nodes act as “super-hubs”, while most have very few connections
• There is a preference for less popular nodes to attach to more popular nodes (creating more inbound connections)
• Intuitively, this seems unlikely in the cell phone domain
Modeling Social Topology Networks
17November 2nd, 2007 WORM’07
Can You Infect Me Now?
Node Attachment
• Attachment instead can be influenced by geography and population
• Liben-Nowell found the probability that one person was connected to another was inversely proportional to the number of people between them
),(
1),(
yxdyxp
P(x,y) = probability person x is a friend with person y
D(x,y) = number of people between person x and person y
Modeling Social Topology Networks
18November 2nd, 2007 WORM’07
Can You Infect Me Now?
Experiments
• We studied two scenarios with our modeling techniques:– Voice-over IP– MMS
• Measured the percentage of infected phones over a 12 hour period
• The malware contacts numbers from the address book until completed, and then randomly dials phone numbers
Experimental Results
19November 2nd, 2007 WORM’07
Can You Infect Me Now?
Voice-over IP Attack
• A Voice-over IP exploit would subvert one of the stacks handling packetized voice data.
• Infecting another phone implies that an end-to-end connection can be made.
• The bandwidth used to send the payload is the maximum available bandwidth for all the paths between the two phones
Voice over IP Results
20November 2nd, 2007 WORM’07
Can You Infect Me Now?
Voice over IPNot a standard S-curve infection
- Complete reaches 90% after 4 hours
- Erlang reaches 90% at 12 hours
But in log-scale, the “S” curve returns
Voice over IP Results
21November 2nd, 2007 WORM’07
Can You Infect Me Now?
Congestion in VoIP scenario
Major bottleneck is at the RNC -> SGSN link. - RNCs have to little outbound bandwidth
Congestion also decreases over time - Phones finish enumerating their contacts, start randomly dialing
Average congestion across all elements
Voice over IP Results
22November 2nd, 2007 WORM’07
Can You Infect Me Now?
MMS Scenario
• MMS-based malware infects a phone by being read by a victim
• The MMS server stores the message until the victim requests it
• The MMS server in our simulations had 100 message/s capacity for sending and receiving.
Wait time before a user retrieves the MMS message
Modeled as a mixture of Gaussians, centered at 20 seconds and 45 minutes
MMS Results
23November 2nd, 2007 WORM’07
Can You Infect Me Now?
MMS Scenario
Rate of infection significantly different from VoIP
Primary constraint is the 100mps limit of the MMS server
MMS Results
24November 2nd, 2007 WORM’07
Can You Infect Me Now?
Engineering malware for speed
• A clever attacker can use knowledge about the network to exacerbate the spread of malware
• We look at various ways that malware creators may try to speed up their worms:– Transferring contacts– Avoiding congestion– Using out of band channels
Speedy Malware
25November 2nd, 2007 WORM’07
Can You Infect Me Now?
Combining Strategies• Transferring
contacts and avoiding congestion can be very effective
• Infection reaches 90% rate 4x faster than the standard scenario
Speedy Malware
26November 2nd, 2007 WORM’07
Can You Infect Me Now?
Speeding up MMS
The infection rate using an Internet server reaches 48 infections/s (nearly optimal)
Standard malware only reaches 35 infections/s
Speedy Malware
Use an out-of-band channel (Internet) to coordinate. Malware can quickly build a global address book
27November 2nd, 2007 WORM’07
Can You Infect Me Now?
Defenses
• Network operators are in a better position than the Internet community
• Since the infrastructure is centrally managed and owned, defenses can be inserted at critical points to affect the spread
• However, the fact that the end nodes (phones) can be hard to disinfect introduces challenges
• We examined a few defensive scenarios:– Blacklisting– Rate limiting– Filtering
Defenses
Removing the infected reduces congestion!
Removing the infected reduces congestion!
Can be effective for MMS. Possible, but difficult, for VoIP
28November 2nd, 2007 WORM’07
Can You Infect Me Now?
Conclusion
• Communications based worms can severely disrupt service and spread quickly if engineered correctly.
• Defenses need to be applied early and with extreme prejudice to stop an outbreak
• Still much work to be done in the area.– Our model is very coarse. It could use other
sources of data to inform modeling.
Conclusion
29November 2nd, 2007 WORM’07
Can You Infect Me Now?
Questions and AnswersConclusion
30November 2nd, 2007 WORM’07
Can You Infect Me Now?
Voice over IP infections
Does the size of the address book affect when a phone is infected?
Voice over IP Results
31November 2nd, 2007 WORM’07
Can You Infect Me Now?
Transferring Contacts
• Advanced malware could divide address books between infected phones
• This strategy would approximate a “complete” address book, while dividing work
Speedy Malware
32November 2nd, 2007 WORM’07
Can You Infect Me Now?
Avoiding congestion
• The real bottleneck is bandwidth.
• If malware can recognize that their links are congested and back off, it will allow other phones to complete their connections
Speedy Malware
33November 2nd, 2007 WORM’07
Can You Infect Me Now?
MMS and Users • Almost all cell phone
malware to-date has relied on user intervention
• We model the spread when 25%, 50%, 75% and 100% of the population intervene to cause an infection to occur
MMS Results
34November 2nd, 2007 WORM’07
Can You Infect Me Now?
MMS and Capacity• As MMS usage increases,
operators will naturally increase capacity.
• We look at what happens when the MMS server can handle 2x and 5x the current capacity (with only one server)
• Bandwidth starts to affect spread more than capacity constraints
MMS Results
35November 2nd, 2007 WORM’07
Can You Infect Me Now?
BlacklistingBlacklisting would use some heuristic to identify infected phones and then block their connectivity.
Even aggressive blacklisting, done early, may still not be effective
Standard VoIP malware
Defenses
36November 2nd, 2007 WORM’07
Can You Infect Me Now?
Rate limiting
• A network operator could try to limit how many calls or messages could be sent within a time period
• This can have the adverse effect of reducing overall congestion
Standard malware is occluded by rate limiting scenario
Defenses