The objective of the NSF/DHS-sponsored EMIST (Evaluation Methods for Internet Security Technology) research initiative was to develop scientifically rigorous testing frameworks and methodologies for evaluating approaches to large-scale network defenses. Our goal was to expand the rigor with which we model the protection claims of malware defense algorithms, particularly as we design the metrics that will be used to evaluate and compare competing malware approaches. To this end, we considered how to more rigorously express defense specifications, formally validate or refute desired properties of these systems, and employ simulation and emulation experiments to fully stress algorithm performance.

• Phillip Porras

• Dr. Linda Briesemeister
• Guofei Gu (Georgia Intitute of Technology)
• Raman Sharykin (University of Illinois at Urbana-Champaign)
• Mohamed Abdelfattah (Georgia Intitute of Technology)
• Vishwas Bhat (University of Texas at Austin)

• The Use of White Holes to Mislead and Defeat Importance Scanning Worm  (2007)
• Applying Formal Evaluation to Worm Defense Design  (2007)
• Formally Specifying Design Goals of Worm Defense Strategies  (2006)
• Automatically Deducing Propagation Sequences that Circumvent a Collaborative Worm Defense  (2006)
• Model Checking of Worm Quarantine and Counter-Quarantine under a Group Defense  (2005)
• Microscopic Simulation of a Group Defense Strategy  (2005)
• A Hybrid Quarantine Defense  (2004)

In 2004, we began with a study of the strengths, weaknesses, and potential synergies of competing worm defense strategies, and proposed a hybrid strategy that combined two complementary worm defense algorithms into a stronger defense (see "A Hybrid Quarantine Defense"). Subsequently, we proposed a more refined and integrated combination defense strategy, and presented an extensive analysis of this approach using SSFnet-based microscopic simulation experiments that characterized various aspects of algorithm performance (see "Microscopic Simulation of a Group Defense Strategy"). In 2005, we introduced the use of formal analyses to precisely define the desirable properties of worm quarantine algorithms, and employed a model-checking approach to property validation and counter example production (see "Model Checking of Worm Quarantine and Counter-Quarantine under a Group Defense"). In 2006, we demonstrated this concept by employing our model checker to generate counter example worm infection sequences that violate formally stated quarantine properties of a modeled group-based worm defense, and showed how these counter examples illustrate underlying attack strategies that could defeat the fielded defense algorithm (see "Automatically Deducing Propagation Sequences that Circumvent a Collaborative Worm Defense"). Subsequently, we suggested a formal approach to defining design goals of worm defenses in order to allow deeper reasoning about success metrics that go beyond measuring the impact on the global infection rate (see "Formally Specifying Design Goals of Worm Defense Strategies"). We then extended our work in formal analysis to apply a probabilistic model checking approach that allows us to validate critical properties in a distributed stochastic worm defense algorithm (see "Applying Formal Evaluation to Worm Defense Design"). Finally, we introduced the use of white hole networks to dissuade, slow, and ultimately halt the propagation of an emerging virulent worm propagation strategy (see "The Use of Whiteholes to Mislead and Defeat Importance Scanning Worms").

Selected Presentations:

• ACM WORM '04 Presentation, George Mason University, Fairfax, VA, October 2004 [pdf]
• Project Poster at PI Meeting, Marina Del Rey, CA, 2005 [pdf]
• ACM/IEEE/SCS PADS '05 Presentation, Monterey, June 2005 [pdf]
• PI Meeting, Newport Beach, CA, September 2005 [pdf]
• Final PI Meeting, Arlington, VA, June 2006 [pdf]

We gratefully acknowledge that this project was sponsored by a grant from the National Science Foundation and Department of Homeland Security, Science and Technology Directorate, under Grant No. ANI-03335299, through a subcontract with the University of California at Davis, Contract No. 01RA0052.