Malware Diffusion Models for Modern Complex Networks: Theory and Applications
Vasileios Karyotis
M.H.R. Khouzani
Morgan Kaufmann Publishers is an Imprint of Elsevier
AMSTERDAM • BOSTON • HEIDELBERG • LONDON • NEW YORK • OXFORD • PARIS • SAN DIEGO • SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO
Acquiring Editor: Brian Romer
Editorial Project Manager: Amy Invernizzi
Project Manager: Priya Kumaraguruparan
Designer: Mark Rogers
Morgan Kaufmann is an imprint of Elsevier
50 Hampshire Street, Cambridge, MA 02139, USA
Copyright © 2016 Elsevier Inc. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions
This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices, may become necessary.
Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
Library of Congress Cataloging-in-Publication Data
A catalog record for this book is available from the Library of Congress
British Library Cataloging-in-Publication Data
A catalogue record for this book is available from the British Library.
ISBN: 978-0-12-802714-1
For information on all Morgan Kaufmann publications visit our website at www.mkp.com
Contents
Preface
PART 1 MALWARE DIFFUSION MODELING FRAMEWORK
CHAPTER 1 Fundamentals of Complex Communications Networks
1.1 Introduction to Communications Networks and Malicious Software
1.2 A Brief History of Communications Networks and Malicious Software
  1.2.1 From Computer to Communications Networks
  1.2.2 The Emergence and Proliferation of Wireless Networks
  1.2.3 Malicious Software and the Internet
1.3 Complex Networks and Network Science
  1.3.1 Complex Networks
  1.3.2 Network Science
  1.3.3 Network Graphs Primer
CHAPTER 2 Malware Diffusion in Wired and Wireless Complex Networks
2.1 Diffusion Processes and Malware Diffusion
  2.1.1 General Diffusion Processes
  2.1.2 Diffusion of Malware in Communication Networks
2.2 Types of Malware Outbreaks in Complex Networks
2.3 Node Infection Models
CHAPTER 3 Early Malware Diffusion Modeling Methodologies
3.1 Introduction
3.2 Basic Epidemics Models
  3.2.1 Simple (Classical) Epidemic Model—SI Model
  3.2.2 General Epidemic Model: Kermack-McKendrick Model
  3.2.3 Two-factor Model
  3.2.4 Dynamic Quarantine
3.3 Other Epidemics Models
  3.3.1 Epidemics Model in Scale-free Networks
  3.3.2 Generalized Epidemics-Endemics Models
3.4 Miscellaneous Malware Modeling Models
3.5 Scope and Achievements of Epidemics
PART 2 STATE-OF-THE-ART MALWARE MODELING FRAMEWORKS
CHAPTER 4 Queuing-based Malware Diffusion Modeling
4.1 Introduction
4.2 Malware Diffusion Behavior and Modeling via Queuing Techniques
  4.2.1 Basic Assumptions
  4.2.2 Mapping of Malware Diffusion to a Queuing Problem
4.3 Malware Diffusion Modeling in Nondynamic Networks
  4.3.1 Evaluation Metrics
  4.3.2 Steady-state Behavior and Analysis
4.4 Malware Diffusion Modeling in Dynamic Networks with Churn
  4.4.1 Malware Diffusion Models and Network Churn
  4.4.2 Open Queuing Network Theory for Modeling Malware Spreading in Complex Networks with Churn
  4.4.3 Analysis of Malware Propagation in Networks with Churn
  4.4.4 Demonstration of Queuing Framework for Malware Spreading in Complex and Wireless Networks
CHAPTER 5 Malware-Propagative Markov Random Fields
5.1 Introduction
5.2 Markov Random Fields Background
  5.2.1 Markov Random Fields
  5.2.2 Gibbs Distribution and Relation to MRFs
  5.2.3 Gibbs Sampling and Simulated Annealing
5.3 Malware Diffusion Modeling Based on MRFs
5.4 Regular Networks
  5.4.1 Chain Networks
  5.4.2 Regular Lattices: Finite and Infinite Grids
5.5 Complex Networks with Stochastic Topologies
  5.5.1 Random Networks
  5.5.2 Small-world Networks
  5.5.3 Scale-free Networks
  5.5.4 Random Geometric Networks
  5.5.5 Comparison of Malware Diffusion in Complex Topologies
CHAPTER 6 Optimal Control Based Techniques
6.1 Introduction
6.2 Example—an Optimal Dynamic Attack: Seek and Destroy
  6.2.1 Dynamics of State Evolution
  6.2.2 Objective Functional
6.3 Worm’s Optimal Control
  6.3.1 Structure of the Maximum Damage Attack
  6.3.2 Proof of Theorem 6.1
  6.3.3 Proof of Theorem 6.1: Optimal Rate of Killing
Summary
CHAPTER 7 Game-Theoretic Techniques
7.1 Introduction
7.2 System Model
7.3 Network-Malware Dynamic Game
  7.3.1 Formulation
  7.3.2 A Framework for Computation of the Saddle-point Strategies
  7.3.3 Structural Properties of Saddle-point Defense Strategy
  7.3.4 Structure of the Saddle-point Attack Strategy
Summary
CHAPTER 8 Qualitative Comparison
8.1 Introduction
8.2 Computational Complexity Comparison
8.3 Implementation Efficiency Comparison
8.4 Sensitivity Comparison
8.5 Practical Value Comparison
8.6 Modeling Differences
8.7 Overall Comparison
PART 3 APPLICATIONS AND THE ROAD AHEAD
CHAPTER 9 Applications of State-of-the-art Malware Modeling Frameworks
9.1 Network Robustness
  9.1.1 Introduction and Objectives
  9.1.2 Queuing Model for the Aggregated Network Behavior under Attack
  9.1.3 Steady-state Behavior and Analysis
  9.1.4 Optimal Attack Strategies
  9.1.5 Robustness Analysis for Wireless Multihop Networks
  9.1.6 Conclusions
9.2 Dynamics of Information Dissemination
  9.2.1 Introduction to Information Dissemination
  9.2.2 Previous Works on Information Dissemination
  9.2.3 Epidemic-based Modeling Framework for IDD in Wireless Complex Communication Networks
  9.2.4 Wireless Complex Networks Analyzed and Assessment Metrics
  9.2.5 Useful-information Dissemination Epidemic Modeling
9.3 Malicious-information Propagation Modeling
  9.3.1 SIS Closed Queuing Network Model
CHAPTER 10 The Road Ahead
10.1 Introduction
10.2 Open Problems for Queuing-based Approaches
10.3 Open Problems for MRF-based Approaches
10.4 Optimal Control and Dynamic Game Frameworks
10.5 Open Problems for Applications of Malware Diffusion Modeling Frameworks
10.6 General Directions for Future Work
CHAPTER 11 Conclusions
11.1 Lessons Learned
11.2 Final Conclusions
PART 4 APPENDICES
APPENDIX A Systems of Ordinary Differential Equations
A.1 Initial Definitions
A.2 First-order Differential Equations
A.3 Existence and Uniqueness of a Solution
A.4 Linear Ordinary Differential Equations
A.5 Stability
APPENDIX B Elements of Queuing Theory and Queuing Networks
B.1 Introduction
B.2 Basic Queuing Systems, Notation, and Little’s Law
  B.2.1 Elements of a Queuing System
  B.2.2 Fundamental Notation and Quantities of Interest
  B.2.3 Relation Between Arrival-Departure Processes and Little’s Law
B.3 Markovian Systems in Equilibrium
  B.3.1 Discrete-time Markov Chains
  B.3.2 Continuous-time Markov Processes
  B.3.3 Birth-and-Death Processes
  B.3.4 The M/M/1 Queuing System
  B.3.5 The M/M/m System and Other Multiserver Queuing Systems
B.4 Reversibility
B.5 Queues in Tandem
B.6 Queuing Networks
  B.6.1 Analytical Solution of Two-queue Closed Queuing Network
APPENDIX C Optimal Control Theory and Hamiltonians
C.1 Basic Definitions, State Equation Representations, and Basic Types of Optimal Control Problems
C.2 Calculus of Variations
C.3 Finding Trajectories that Minimize Performance Measures
  C.3.1 Functionals of a Single Function
  C.3.2 Functionals of Several Independent Functions
  C.3.3 Piecewise-smooth Extremals
  C.3.4 Constrained Extrema
C.4 Variational Approach for Optimal Control Problems
  C.4.1 Necessary Conditions for Optimal Control
  C.4.2 Pontryagin’s Minimum Principle
  C.4.3 Minimum-time Problems
  C.4.4 Minimum Control-effort Problems
  C.4.5 Singular Intervals in Optimal Control Problems
C.5 Numerical Determination of Optimal Trajectories
  C.5.1 Steepest Descent
  C.5.2 Variation of Extremals
  C.5.3 Quasilinearization
  C.5.4 Gradient Projection
C.6 Relationship Between Dynamic Programming (DP) and Minimum Principle
Bibliography
Author Index
Subject Index
Preface
Malicious software (malware) has become a serious concern for all types of communications networks and their users, from the laymen to the more experienced administrators. The proliferation of sophisticated portable devices, especially smartphones and tablets, and their increased capabilities, have propelled the intensity of malware dissemination and increased its consequences in social life and the global economy. This book is concerned with the theoretical aspects of such malware dissemination, generically denoted as malware diffusion, and presents modeling approaches that describe the behavior and dynamics of malware diffusion in various types of complex communications networks and especially wireless ones.
The main objective of this book is to classify and present in adequate detail and analysis, families of state-of-the-art mathematical methodologies that can be used for modeling generically malware diffusion, especially in wireless complex networks. However, with minor and straightforward adaptations, these techniques can be further extended and applied in other types of complex networks as well.
In addition, the book covers holistically the mathematical modeling of malware diffusion, starting from the early emergence of such attempts, up to the latest, advanced and cross-discipline based frameworks that combine diverse analytic tools. Starting from the basic epidemics models that are based on systems of ordinary differential equations, the content proceeds to more exotic analytic tools founded on queuing systems theory, Markov Random Fields, optimal control and game theoretic formulations, respectively. Numerical and simulation results are provided, in order to validate each framework and demonstrate its potentials, along with system behavior studies. The book also provides a summary of the required mathematical background, which can be useful for the novice reader. Furthermore, it provides guidelines and directions for extending the corresponding approaches in other application domains, demonstrating such possibility by using application models in information dissemination scenarios.
Consequently, this book aspires to stimulate inter-disciplinary research and analysis in the broader area of modeling information diffusion in complex networking environments. It mainly focuses on the diffusion of malicious information (software) over wireless complex networks, however, as will become evident, most of the results can be easily extended and adapted for other types of networks and application domains.
Intended Audience
The content of this book is presented in a fashion aiming mainly at first year graduate audiences, postdoctoral researchers, professors and the more experienced/interested professional engineers that are involved in computer security research and development. Most of them are assumed already familiar with the practical topics included in the broader research area and the book provides for them a solid quantitative background on the available mathematical malware modeling approaches in a more systematic manner than the works available nowadays (essentially scattered journal/conference papers and surveys), i.e. with formal definitions, references to the mathematical methods and analysis of the advanced techniques. The text presents and analyzes the latest mathematical tools that can be of use in the research and development activities of the above audiences. However, despite its semi-advanced nature, students in their last undergraduate year can also benefit from such a specialized treatment and involved methodologies, by obtaining a solid background of the corresponding area.
The book focuses on the mathematical modeling of malware diffusion dynamics, and as such, some familiarity on basic mathematical techniques, such as probability theory, queuing theory, ordinary differential equations, optimal control and game theory is needed. The required quantitative level will be no higher than that of the first graduate year. Consequently, the book is ideal for graduate students at the beginning of their programs, both for coursework level (graduate textbook) and as a companion in their own research endeavors. Basic elements of the required mathematical tools are presented in the three appendices, providing quick background reference for those not familiar with the corresponding fields.
The main discipline for which this book was developed is computer science and system engineering. It has been specifically written for those involved in computer and system security. Academics from these fields can use the book in their research and graduate classrooms. The material provided offers a complete set of existing state-of-the-art methodologies accompanied by an extensive bibliography and application examples. It provides a coherent perspective of the area of malware diffusion and security, and guidelines for developing and broadening one’s knowledge and research skills in the corresponding areas.
Regarding the application content of the book, the main audience is expected to be scientists and engineers active in the field of communications/computer networks, namely the broader community of computer scientists and electrical engineers, and more specifically, those in computer and systems security. However, at the same time, a number of researchers and professionals working in other disciplines that study problems sharing several characteristics with the problems emerging in malware diffusion can also be accommodated by the contents of the book, at least partially. Network Science is the most prominent such area that has already brought together disciplines as diverse as sociology, biology, finance, computer science and electrical engineering, in order to jointly study problems and share methods and results. Malware diffusion may be considered in a more generic fashion as information diffusion, and professionals from all the aforementioned disciplines studying information dissemination problems are expected to have potential interest. The generic form of the presentation, and especially the applications of the presented techniques to practical and diverse problems such as information dissemination dynamics, is suitable for diverse professionals such as social scientists, epidemiologists and marketing professionals, as well.
Consequently, the level of the book accommodates practically all levels of expertise, with more emphasis on the intermediate to advanced. The applications are relevant mainly to engineers and scientists in the field of communications and computer science, but also relevant to inter-disciplinary scientists and professionals from the information-related disciplines and Network Science. The book has attempted to balance both depth (technical level) and breadth (application domains) of the included methodologies, originally presented for malware diffusion.
Scope and Outline of the Book
Scope
The topics addressed regarding malware diffusion, are treated in this book from an inter-disciplinary Network Science perspective, and are currently rapidly evolving at rates that other research areas have been enjoying for many years now. Within such framework, some fields of Network Science have already been well-shaped and advanced to a desired degree, e.g. social network analysis (SNA) [125, 164], while others still consist of fragmented contributions and scattered results.
Malware diffusion in computer networks in general, and wireless ones in particular, qualifies as one of the latter fields. Until recently, most of the proposed approaches for modeling the dynamics of malicious software dissemination followed more or less the same practices and they were essentially based on some restrictive assumptions. Most of them required the diffusion process to take place first, in order to later develop/fit accurate models based on the observed data afterwards, lacking predictive power for generic anticipated attacks. Thus, it was not possible to holistically capture the behavior of dynamics and predict the outcomes of attacks before they actually take place.
However, in the last decade, several advanced modeling methodologies were presented, which are capable of describing more accurately malicious software diffusion over diverse types of networks, and more intelligent attack strategies as well. Generic models have been presented, and when necessary they can be adapted to describe accurately the observed behaviors in other types of networks. Such approaches utilize different mathematical tools for their purposes and capture properly the most important aspects of malicious software diffusion dynamics.
Still, the literature is missing a systematic classification, presentation and analysis of all these advanced methodologies and obtained results, in a manner compatible to the broader scope of the discipline of Network Science and with reference to key legacy approaches as well. This book aspires to fill this gap, by methodically presenting the topic of malware diffusion in complex communications networks. More specifically, the book will focus on malware diffusion modeling techniques especially designed for wireless complex networks. However the presented methodologies are applicable for other types of complex communications and social networks and the wireless network paradigm will be employed mainly for demonstration purposes. The mathematical methodologies that will be presented, due to their generic analytical nature can be easily adapted and used in other types of complex networks, even non-technological ones. Thus, the book will not only present and analyze malicious software modeling methods for wireless complex networks, but also demonstrate how these methods can be extended and applied in other settings as well, e.g. generic information dissemination over complex networks of any type such as human, financial, etc.
In short, this book aspires to become a cornerstone for a systematic organization and mathematical modeling of malicious software and information diffusion modeling within the broader framework of Network Science and complex networks. Furthermore, it aspires to provide long-term reference to the required background for studying in-depth and extending the corresponding field of research.
Outline
This book is organized in three main parts and a set of auxiliary appendices with respect to the core mathematical areas required in order to understand the main contents of the book. The introductory Part 1 consists of Chapters 1–3, and constitutes a thorough introduction to the general malware diffusion modeling framework we consider in this book. Part 2, which includes Chapters 4–8, presents state-of-the-art malware diffusion modeling mathematical methodologies and corresponds to the main and unique contribution of this book in the literature. It presents, while also explaining in detail, malware diffusion modeling mathematical methodologies utilizing alternative, yet powerful analytical tools. Part 3 summarizes the key points of the presented methodologies and presents directions for potential future research. It also sets the presented theoretical knowledge into a broader application perspective, which can be exploited in other disciplines as well. Finally, the appendices contain brief, but complete reviews of the basic mathematical tools employed in this book, namely elements of ordinary differential equations, elements of queuing theory and elements of optimal control theory, which can be very helpful for the non-familiar reader, in order to quickly obtain a solid understanding of the mathematical tools required to understand the presented models and approaches.
In more detail, Chapter 1 serves as a concise introduction to the topics addressed in the book, introducing complex communication networks, malware diffusion, as well as some historical elements of the evolution of networks and malware.
Chapter 2 defines the malware diffusion problem, along with the node infection models that emerge in the literature. It also collects and presents characteristic examples of computer network attacks which are of interest in the study of malware diffusion in the framework of the book.
Chapter 3 provides a concise presentation and quick reference analysis of the malware modeling methods, with respect to the emerging incidents in the early days of modeling malicious software propagation dynamics and by focusing on the wireless scenarios. The content of this chapter will serve as background for some of the state-of-the-art approaches presented later in Part 2.
The following chapters in Part 2 present advanced malware modeling techniques, each dedicated to a family of approaches distinguished by the rest according to the employed mathematical tools. Thus, the first chapter of Part 2, namely Chapter 4,