Evaluation Methods for Internet Security Technology (EMIST)
The objective of the NSF/DHS-sponsored EMIST (Evaluation Methods for Internet Security Technology) research initiative was to develop scientifically rigorous testing frameworks and methodologies for evaluating approaches to large-scale network defenses. Our goal was to expand the rigor with which we model the protection claims of malware defense algorithms, particularly as we design the metrics that will be used to evaluate and compare competing malware approaches. To this end, we considered how to more rigorously express defense specifications, formally validate or refute desired properties of these systems, and employ simulation and emulation experiments to fully stress algorithm performance.
- Dr. Linda Briesemeister
- Guofei Gu (Georgia Institute of Technology)
- Raman Sharykin (University of Illinois at Urbana-Champaign)
- Mohamed Abdelfattah (Georgia Institute of Technology)
- Vishwas Bhat (University of Texas at Austin)
In 2004, we began with a study of the strengths, weaknesses, and potential synergies of competing worm defense strategies, and proposed a hybrid strategy that combined two complementary worm defense algorithms into a stronger defense (see "A Hybrid Quarantine Defense"). Subsequently, we proposed a more refined and integrated combination defense strategy, and presented an extensive analysis of this approach using SSFnet-based microscopic simulation experiments that characterized various aspects of algorithm performance (see "Microscopic Simulation of a Group Defense Strategy").

In 2005, we introduced the use of formal analyses to precisely define the desirable properties of worm quarantine algorithms, and employed a model-checking approach to property validation and counterexample production (see "Model Checking of Worm Quarantine and Counter-Quarantine under a Group Defense"). In 2006, we demonstrated this concept by employing our model checker to generate counterexample worm infection sequences that violate formally stated quarantine properties of a modeled group-based worm defense, and showed how these counterexamples illustrate underlying attack strategies that could defeat the fielded defense algorithm (see "Automatically Deducing Propagation Sequences that Circumvent a Collaborative Worm Defense"). Subsequently, we suggested a formal approach to defining the design goals of worm defenses, in order to allow deeper reasoning about success metrics that go beyond measuring the impact on the global infection rate (see "Formally Specifying Design Goals of Worm Defense Strategies"). We then extended our work in formal analysis to apply a probabilistic model-checking approach that allows us to validate critical properties of a distributed stochastic worm defense algorithm (see "Applying Formal Evaluation to Worm Defense Design").

Finally, we introduced the use of white hole networks to dissuade, slow, and ultimately halt the propagation of an emerging virulent worm propagation strategy (see "The Use of Whiteholes to Mislead and Defeat Importance Scanning Worms").
- ACM WORM '04 Presentation, George Mason University, Fairfax, VA, October 2004 [pdf]
- Project Poster at PI Meeting, Marina Del Rey, CA, 2005 [pdf]
- ACM/IEEE/SCS PADS '05 Presentation, Monterey, June 2005 [pdf]
- PI Meeting, Newport Beach, CA, September 2005 [pdf]
- Final PI Meeting, Arlington, VA, June 2006 [pdf]
We gratefully acknowledge that this project was sponsored by a grant from the National Science Foundation and the Department of Homeland Security, Science and Technology Directorate, under Grant No. ANI-03335299, through a subcontract with the University of California at Davis, Contract No. 01RA0052.