Stealthy Epidemics: Modeling Worm Attacks against CPS
Aron Laszka

Citation
Aron Laszka. "Stealthy Epidemics: Modeling Worm Attacks against CPS". Talk or presentation, 28 May 2015.

Abstract
Highly sensitive systems, such as CPS for critical infrastructure, are traditionally meant to be secured by the "air gap," that is, by not connecting them to publicly accessible networks. However, even these systems can be penetrated by attacks based on computer worms, which can propagate over local networks and removable drives. For example, the Stuxnet worm compromised the control systems of a nuclear facility, while the Shamoon worm infiltrated the computer systems of natural-gas companies. The key to preventing such attacks from causing significant damage is the early detection of malware, since this allows us to patch vulnerabilities and create signature-based malware-filters before a critical system is infected. Consequently, to devise optimal defenses, we must model how the set of infected nodes evolves over time and when the worm is detected or reaches its target. Yet, previous work on modeling worms is mostly based on epidemic and diffusion models, which do not consider detection events or target nodes; instead, they usually study an equilibrium or steady state, which may not be reached before the worm is detected. In this work, we introduce diffusion models that incorporate detection events and target nodes, and study the problem of mitigating attacks through optimal early detection. We formulate the mitigation problem as a game between a defender, who is capable of monitoring a limited set of nodes for potential infections, and an attacker, who releases a computer worm at some initial nodes. We study the computational complexity of finding the optimal selection of monitoring nodes, propose efficient heuristics, and use simulations to evaluate these heuristics on generated and real-world networks.
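The abstract describes a diffusion model with detection events and a target node, and a game in which the defender picks a limited monitoring set while the attacker picks the initial nodes. The following is an added illustration, not code or the model from the talk: it assumes a simple discrete-time stochastic spread on a constructed sample topology, estimates by simulation how often the monitors fire before the target is reached, and places monitors with a greedy heuristic scored against a worst-case attacker.

```python
"""Added example (not the talk's code or model). Assumed spread model: discrete
time; each infected node infects each uninfected neighbour with probability p
per step; infected nodes stay infected. Names and topology are constructed."""
import random

# Constructed sample topology (adjacency lists); node names are illustrative.
NETWORK = {
    "hmi1": ["eng1", "hist"],
    "eng1": ["hmi1", "eng2", "usb_share"],
    "eng2": ["eng1", "plc_gw", "usb_share"],
    "usb_share": ["eng1", "eng2", "vendor_laptop"],
    "vendor_laptop": ["usb_share"],
    "hist": ["hmi1", "plc_gw"],
    "plc_gw": ["eng2", "hist"],
}

def run_once(network, seeds, monitors, target, p, rng, max_steps=50):
    """One outbreak: 'target', 'detected' or 'stalled' (step budget exhausted).
    Target is checked first, so a same-step tie counts as a defender loss."""
    infected = set(seeds)
    for _ in range(max_steps):
        if target in infected:
            return "target"
        if infected & monitors:
            return "detected"
        # Independent per-edge infection trials from every infected node.
        newly = {v for u in infected for v in network[u]
                 if v not in infected and rng.random() < p}
        infected |= newly
    return "stalled"

def detection_probability(network, seeds, monitors, target, p, trials=2000, seed=0):
    """Fraction of simulated outbreaks in which the monitors fire first."""
    rng = random.Random(seed)
    return sum(run_once(network, seeds, monitors, target, p, rng) == "detected"
               for _ in range(trials)) / trials

def worst_case_detection(network, monitors, target, p, **kw):
    """Game value of a monitor set: the attacker seeds the single unmonitored,
    non-target node that minimises the detection probability."""
    choices = [v for v in network if v not in monitors and v != target]
    return min((detection_probability(network, {v}, monitors, target, p, **kw)
                for v in choices), default=1.0)

def greedy_monitors(network, k, target, p, **kw):
    """Heuristic: k times, add the node that most improves the worst-case value."""
    monitors = set()
    for _ in range(k):
        candidates = [v for v in sorted(network) if v not in monitors and v != target]
        monitors.add(max(candidates, key=lambda v: worst_case_detection(
            network, monitors | {v}, target, p, **kw)))
    return monitors, worst_case_detection(network, monitors, target, p, **kw)
```

With p = 1.0 the spread is deterministic, which makes it easy to check by hand that a monitor on the only path to the target catches the worm while a monitor off that path never does.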

Electronic downloads


Internal. This publication has been marked by the author for FORCES-only distribution, so electronic downloads are not available without logging in.
Citation formats
  • HTML
    Aron Laszka. <a
    href="http://www.cps-forces.org/pubs/63.html"
    ><i>Stealthy Epidemics: Modeling Worm Attacks
    against CPS</i></a>, Talk or presentation, 28,
    May, 2015.
  • Plain text
    Aron Laszka. "Stealthy Epidemics: Modeling Worm Attacks
    against CPS". Talk or presentation, 28, May, 2015.
  • BibTeX
    @presentation{Laszka15_StealthyEpidemicsModelingWormAttacksAgainstCPS,
        author = {Aron Laszka},
        title = {Stealthy Epidemics: Modeling Worm Attacks against
                  CPS},
        day = {28},
        month = {May},
        year = {2015},
        abstract = {Highly sensitive systems, such as CPS for critical
                  infrastructure, are traditionally meant to be
                  secured by the "air gap," that is, by not
                  connecting them to publicly accessible networks.
                  However, even these systems can be penetrated by
                  attacks based on computer worms, which can
                  propagate over local networks and removable
                  drives. For example, the Stuxnet worm compromised
                  the control systems of a nuclear facility, while
                  the Shamoon worm infiltrated the computer systems
                  of natural-gas companies. The key to preventing
                  such attacks from causing significant damage is
                  the early detection of malware, since this allows
                  us to patch vulnerabilities and create
                  signature-based malware-filters before a critical
                  system is infected. Consequently, to devise
                  optimal defenses, we must model how the set of
                  infected nodes evolves over time and when the worm
                  is detected or reaches its target. Yet, previous
                  work on modeling worms is mostly based on epidemic
                  and diffusion models, which do not consider
                  detection events or target nodes; instead, they
                  usually study an equilibrium or steady state,
                  which may not be reached before the worm is
                  detected. In this work, we introduce diffusion
                  models that incorporate detection events and
                  target nodes, and study the problem of mitigating
                  attacks through optimal early detection. We
                  formulate the mitigation problem as a game between
                  a defender, who is capable of monitoring a limited
                  set of nodes for potential infections, and an
                  attacker, who releases a computer worm at some
                  initial nodes. We study the computational
                  complexity of finding the optimal selection of
                  monitoring nodes, propose efficient heuristics,
                  and use simulations to evaluate these heuristics
                  on generated and real-world networks.},
        URL = {http://cps-forces.org/pubs/63.html}
    }

Posted by Carolyn Winter on 10 Jun 2015.
Groups: forces
For additional information, see the Publications FAQ or contact webmaster at cps-forces org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.