Spatial Firewalls: Quarantining Malware Epidemics in Large Scale Massive Wireless Networks
Hesham ElSawy, Senior Member, IEEE, Mustafa A. Kishk, Member, IEEE, and Mohamed-Slim Alouini, Fellow, IEEE
Abstract
Billions of wireless devices are foreseen to participate in big data aggregation and smart automation in order to interface the cyber and physical worlds. Such large-scale ultra-dense wireless connectivity is vulnerable to malicious software (malware) epidemics. Malware worms can exploit multi-hop wireless connectivity to stealthily diffuse throughout the wireless network without being noticed by security servers at the core network. Compromised devices can then be used by adversaries to remotely launch cyber attacks that cause large-scale critical physical damage and threaten public safety. This article overviews the types, threats, and propagation models for malware epidemics in large-scale wireless networks (LSWN). Then, the article proposes a novel and cost efficient countermeasure against malware epidemics in LSWN, denoted as spatial firewalls. It is shown that equipping a strategically selected small portion (i.e., less than ) of the devices with state-of-the-art security mechanisms is sufficient to create spatially secured zones that quarantine malware epidemics. Quarantined infected devices are then cured by on-demand localized software patching. To this end, several firewall deployment strategies are discussed and compared.
Index Terms
Cybersecurity, Malware epidemics, Massive wireless networks, Percolation theory.
I. INTRODUCTION
H. ElSawy is with King Fahd University of Petroleum and Minerals (KFUPM), Dhahran, Eastern Province, Saudi Arabia. email: [email protected]. Kishk and M.-S. Alouini are with King Abdullah University of Science and Technology (KAUST), Thuwal, Makkah Province, Saudi Arabia, email: {mustafa.kishk, slim.alouini}@kaust.edu.sa.
This work is funded in part by the deanship of scientific research (DSR), at King Fahd University of Petroleum and Minerals (KFUPM), under research grant no. DF191052.
The imminent era of smart world relies on large-scale massive wireless connectivity that interfaces the physical and cyber worlds. The surging Internet of Things (IoT) and cyber physical systems (CPS) with massive numbers of heterogeneous wireless devices (e.g., sensors, actuators, smart phones, smart appliances, autonomous vehicles, etc.) are examples of such massive large-scale wireless networks (LSWNs). IoT/CPS are foreseen to provide flexible platforms for big data aggregation and/or smart automation to almost every aspect in our lives [1]. For instance, intelligent transportation systems with connected/autonomous vehicles exploit wireless connectivity to improve road safety and reduce traffic congestion. Smart power grids utilize wireless connectivity for data communications and smart control (e.g., smart meters and field devices) in order to enhance energy generation and distribution. Large scale massive connectivity is also a foundational building block for process automation in the next industrial revolution (i.e., industry 4.0). In addition to the aforementioned examples, large-scale massive wireless connectivity can bring unlimited potentials to many other verticals such as health care, public safety, agriculture, retail, etc.
On the downside, massive LSWNs bring a multitude of new and challenging security threats [1]. Particularly, many of the wireless devices in the IoT/CPS are installed and controlled by consumers with limited security background. Under high competition, IoT/CPS manufacturers overlook cybersecurity aspects to reduce costs and keep up with the rapid proliferation of IoT/CPS.
Many IoT/CPS devices are too constrained, in terms of computational power, energy, and storage, to implement and continuously execute sophisticated defense mechanisms [2], [3]. Such lack of security oriented network administration and per-device defense mechanisms opens several loopholes for adversaries to infiltrate malicious software, or shortly malware, to the network.
Conventionally, malware programs are designed for a variety of criminal and hostile activities such as spying (spyware), threatening for monetary benefit (ransomware), and/or controlling large population of devices (botnets). In IoT/CPS networks, malware hostile activities naturally extend to physical threats. In smart vehicles, adversaries can control the vehicle through the telematics unit, which introduces the risk of physical denial of service (DoS) (e.g., stop the engine and lock doors/windows) as well as deliberate collisions. In power grids, adversaries can compromise field devices (e.g., switch gears and circuit breakers) to sabotage equipment, disrupt power distribution, and cause major blackouts. In medical care systems, adversaries can inject false prescriptions and manipulate wearable drug infusion devices. In industrial environments, adversaries can halt/manipulate ongoing production lines, delete customized machine settings, or even damage products and injure workers. There could also be generic attacks for LSWN such as network jamming and colluded eavesdropping. Note that network-jamming attacks may disrupt the entire network connectivity via overwhelming interference and shorten the network lifetime by depleting compromised devices' batteries.
Using colluded eavesdropping, adversaries can reveal and misuse private data.
Exploiting the massive spatial density in LSWN and multi-hop wireless connectivity (e.g., machine-to-machine communications), the malware can stealthily propagate from one device to another and form an epidemic outbreak without being noticed by the security administration at the core network [2], [4]. Even worse, the emerging beyond 5G technologies (e.g., non-orthogonal multiple access (NOMA) and ultra-reliable low latency communications (URLLC)), that are meant to enhance information dissemination, will also accelerate epidemic outbreak throughout the network. An epidemic outbreak of a malware enables the adversaries to control a large population of devices and launch large-scale cyber-physical attacks, which may lead to catastrophic consequences in IoT/CPS. From the propagation point of view, malware can be classified into the following categories:
• Trojans: Malware hiding in legitimate programs but intended to infect a target system and open backdoors for future intrusion.
• Virus: Self-replicating malware designated to infect and corrupt the operation of a target system. Viruses propagate via host executable files.
• Worm: Self-replicating malware intended to spread and infect all the devices in a network. A worm is a stand-alone software that automatically propagates from one device to another.
Human interventions, such as manual attacks by adversaries or infected file exchange/execution by legitimate users, are required for Trojans and viruses to spread in a network. On the other hand, worm malware automatically identifies network vulnerabilities to diffuse and compromise new targets. Exploiting the dense network deployment, the broadcast nature of the wireless channel, the one-to-many communication schemes (e.g., NOMA), and high-reliability-low-latency communications (e.g., URLLC), worm malware can quickly and covertly spread in the wireless network and form an epidemic outbreak. This makes worm epidemics the hardest to decelerate and/or quarantine. Hence, worm malware is among the highest security threats for large-scale wireless networks [5].
II. SECURING LARGE-SCALE IoT/CPS
The aforementioned threatening physical consequences of malware intrusion in CPS/IoT call for robust security countermeasures and defense mechanisms. Securing the devices against manipulation and intrusion is the first line of defense for IoT/CPS networks. Such defense mechanisms could be embedded in hardware (e.g., trusted platforms), software (e.g., anti-malware programs), communication protocols (e.g., encryption & authentication), and/or device operation (scheduled attestation/patching). However, the strict cost, energy, and computational power constraints of devices in many IoT/CPS applications limit the implementation of sophisticated defense mechanisms to all devices. In this regard, [3] proposes a Poisson game to distributively decide on which devices to adopt an anti-malware such that an epidemic outbreak is prevented.
However, the proposed mechanism in [3] is based on a fully mixed epidemic model, which overlooks the spatial topology and limited wireless communication range in LSWN.
Footnote: Legitimate users can be incentivised to install free programs that contain malware.
Footnote: A fully mixed epidemic model assumes that an infection (e.g., malware) can be directly transmitted from any node in the network to any other node in the network.
Another effective, yet simple, defense mechanism is to perform scheduled (i.e., periodic) software attestation/patching for IoT/CPS devices to ensure configurations integrity and wipe out potential malicious software [6], [7]. However, to thwart epidemic diffusion, the treatment rate should be faster than the epidemic infection rate. Being oblivious to the device status, unnecessary disruption for the IoT/CPS operation may occur due to attesting/patching healthy devices [6]. Furthermore, a device that is compromised shortly after being patched/attested may have enough time to be exploited to launch versatile malicious attacks. Such problems are more acute when employing wireless technologies such as NOMA and URLLC due to the accelerated epidemic infection rate.
To efficiently balance the tradeoff between cybersecurity, anti-malware license cost, and devices hardware complexity, this paper proposes a novel ubiquitous security countermeasure, denoted as “spatial firewalls”, which is meant to detect, spatially quarantine, and report malware infections in LSWN. The proposed spatial firewalls countermeasure is detailed in Section III. Section IV highlights the mathematical propagation models for malware in LSWN, which are necessary to design and assess cybersecurity countermeasures. Section V showcases and assesses the spatial firewalls solution before the paper is concluded in Section VI.
III. THE SPATIAL FIREWALLS SOLUTION
To secure massive LSWN against malware epidemics, this paper proposes to implement “spatial firewalls”, which are defined as follows:
Definition 1.
Spatial Firewalls are wireless devices, with sufficient computational capabilities, energy resources, and memory, to store, execute, and frequently update anti-malware and intrusion detection programs (e.g., edge computing devices, access points, junction nodes). These devices are deployed at critical locations within a LSWN to enforce secured zones in order to quarantine any emerging malware epidemic and thwart its outbreak.
Fig. 1 illustrates an edge-computing enabled spatial firewall operation in massive LSWNs, where firewalls are implemented at base stations. Devices that are adjacent to a firewall inquire about codes (e.g., software updates, system configurations, or control commands) received from their wireless interface. For each validation inquiry, the firewall ensures that the code is malware free (e.g., using signature-based or anomaly-based detection) and verifies its integrity (e.g., using operator digital signature and certificates) [7]. Only validated codes are approved for execution and/or dissemination to other devices. If a threat is detected, the firewall disapproves the code execution/dissemination and reports the incident to the security administration. Hence, each firewall creates a secured zone, determined by its wireless range, for adjacent devices and thwarts their infection (i.e., analogous to herd immunity effect). Thus, firewalls enable an exclusive dissemination of legitimate codes through the network. In summary, spatial firewalls are meant to i) create spatially secured zones within the wireless network, ii) thwart the dissemination of malware (i.e., ensure that malware can only infiltrate to a limited number, by design, of devices regardless of the infection/treatment rates), and iii) initiate on-demand software attestation/patching for infected devices.
Fig. 1: Illustration of an edge-computing enabled spatial firewalls operation in massive LSWN to quarantine malware diffusion. The secured zones succeed to spatially quarantine the malware infection within a confined area with limited number of devices.
It is worth noting that extending the firewall code validation scheme for non-adjacent devices through multi-hop wireless inquiries may impose overwhelming signaling overhead and large control latency due to the massive and wide-scale deployment of devices. To balance the security, signaling overhead, and control latency of the network, the code-validation role of the firewall is limited to adjacent devices. As such, the design objective is to have sufficient numbers of efficiently located firewalls to satisfy the security requirements of the network, which may tolerate interim infection of some devices (i.e., until being detected and patched).
Footnote: Different from legacy IT systems, IoT/CPS networks have no clear boundary between secured and unsecured (i.e., public) domains. Hence, the proposed spatial firewalls enforce the concept of secured zones within the wireless network.
As compared to scheduled patching/software attestation [6], [7], spatial firewalls provide ubiquitous security countermeasure that reacts to attacks by i) thwarting malware diffusion, ii) localizing infected (i.e., quarantined) regions, and iii) initiating localized software attestation/patching campaigns. Due to the overwhelming overhead and time required for brute-force software attestation/patching of all devices, localizing infected regions is necessary in massive LSWN.
A. Practical Implementation Challenges
To conceptualize and materialize the spatial firewalls cybersecurity countermeasure, several practical challenges should be taken into consideration, which include:
• Firewall deployment: The main technical challenge is to determine the number of firewalls and their spatial locations that guarantee spatially quarantined malware.
• Techno-economic aspects: The firewall deployment should account for the trade-off between network security, involved capital-expenditure (CAPEX) to deploy firewalls, and operational-expenditure (OPEX) to maintain their up-to-date anti-malware programs and licenses. In case of multiple IoT/CPS operators/owners, an agreement for bearing such CAPEX and OPEX is required.
• Operator privacy: In case of multiple operators, code verification and software attestation schemes should keep the specific information and configurations of the operators hidden from each other.
• Devices heterogeneity: For universal utilization of spatial firewalls, unified/standardized signaling protocols for different IoT/CPS devices using different wireless interfaces are required. Such signaling protocols should define the method for firewall discovery, association, and templates for code validation inquiries/responses.
• Signaling overhead: Efficient signaling schemes are required for code verification to impose minimum disruption to the existing data traffic. For instance, encrypted digital signature for firewalls should be developed to eliminate redundant validation of the same code across different firewalls.
• Latency: The code validation and execution should occur within the tolerable latency defined by data communications and/or control applications. This may require developing security-aware traffic prioritization schemes that expedite firewalls related signaling.
• Devices Mobility: Malware may get through the secured zones by means of physical mobility of infected devices. Hence, the spatial firewalls should be able to detect and cure infected mobile devices passing through secured zones.
Footnote: The location of quarantined regions can be inferred from the reporting firewalls identities and known locations.
This paper focuses on the spatial firewall deployment that ensures spatially quarantined malware. Other challenges are left for future extensions. In particular, we aim to provide guidelines to design and assess the impact of implementing spatial firewalls. To minimize the associated CAPEX and OPEX, the objective is to find the minimum number of firewalls that enforce an epidemic free network operation. For this purpose, we first present the underlying mathematical models for malware propagation that are used to formulate and solve the spatial firewall design problem. Then, several spatial deployment strategies for firewalls are discussed and compared.
IV. PROPAGATION MODELS FOR MALWARE EPIDEMICS
Mathematical models that characterize propagation of infection in large populations are used to predict epidemic outcomes and design defense mechanisms. In IT systems, the population represents a network of connected devices. The network topology is mathematically described by a graph G = {V, E}, where V is the set of vertices (i.e., devices) and E is the set of edges connecting the vertices (see Fig. 2). In the context of wireless networks, an edge between two devices implies that they are within the communication range of each other. The communication range is usually defined by a minimum required signal-to-interference-plus-noise-ratio (SINR) [8]. Graphs that account for the random spatial locations of the devices and their wireless communications ranges are denoted as random geometric graphs (RGGs).
An epidemic is considered as a process on the graph, where each device (i.e., vertex) can transition between different states such as susceptible (S) (i.e., healthy but can be infected), infected (I) (i.e., compromised via a malware), and recovered (R) (i.e., malware is detected and removed). A malware worm can only infiltrate from an infected device to a susceptible device if the two devices are directly connected via an edge. Once a new device gets compromised by a malware, it becomes an infection threat to its directly connected neighbors and so on.
The dynamics of epidemic infection/treatment are fully characterized via time domain models. Due to several factors (e.g., medium access control protocols and per-link transmission rate), the time taken for a malware worm to infiltrate from an infected to a susceptible device is random. Meanwhile, depending on the malware detection and treatment technique, the time a device stays infected is also random. On average, propagation and recovery rates (or probability per unit time) can be characterized, which are then used to construct a system of differential equations that fully describes the temporal evolution of an epidemic. Resorting to the fact that the total number of devices in the network remains fixed (i.e., the total population), such a system of equations can be solved to determine the percentiles of devices in each of the S, I, and R states, as a function of time. However, in RGGs, such a system of differential equations is not tractable and approximations are always sought [9].
Instead of full temporal characterization, the final outcome of an epidemic infection can be directly characterized. Such late-time characterization alleviates the mathematical complications (e.g., non-linearity of differential equations) introduced by temporal models. In particular, late-time models characterize the overall epidemic infiltration through the network without any information about the infection/treatment rates. As mentioned earlier, the time taken for a malware worm to propagate from a device to each of its neighbors is random and the time each device remains infected is also random. Hence, even after a sufficiently long time, some devices will be cured before infecting some of their neighbors and the malware worm would only infiltrate through a subset of the network. For a given malware worm, the late-time model would show all devices that were infected at any point in time regardless of whether they got cured or not. Such a phenomenon of global and time oblivious worm diffusion, through a portion of the network, can be studied via percolation theory, which is defined as follows:
Definition 2.
Percolation Theory is a well-developed mathematical field that characterizes global connectivity in random graphs when vertices and their associated edges are removed. Connectivity is characterized by the presence/absence of a giant component, which is the largest connected sub-graph that spans the horizon.
Mapping to the aforementioned epidemic models, percolation theory can be used to characterize late-time epidemic outbreak as follows. Consider the complete network graph and remove all devices, with their associated edges, that are never infected (i.e., their neighbors are cured before malware infiltration). After such devices removal, the existence (absence) of a giant component implies an epidemic outbreak (quarantine). In the notation of percolation theory, we have the following definitions:
Definition 3.
Supercritical Regime defines the set of network parameters such that a giant connected component exists.
Definition 4.
Subcritical Regime defines the set of network parameters such that a giant connected component does not exist.
Percolation theory is best suited to develop robust security countermeasures that are independent of the epidemic infection/treatment rates. That is, no matter how fast (slow) the infection (treatment) rate is, a defense mechanism that operates the susceptible devices in the subcritical regime ensures quarantined epidemic. On the other hand, if the susceptible devices operate in the supercritical regime, then an epidemic outbreak may occur if the treatment rate is not sufficiently faster than the infection rate. In the latter case, the giant component size relative to the network size represents the percentile of infected devices.
Fig. 2 panels: (a) Malware epidemic outbreak for random selection of firewalls. (b) Malware epidemic outbreak for degree-aware selection of firewalls. (c) Malware epidemic outbreak for random selection with minimum DC. (d) Quarantined malware for degree-aware selection with minimum DC.
Fig. 2: Epidemic potential diffusion in the same network realization under different firewalls selection strategies for firewalls percentage of of the total network devices. The figure follows the same color code for firewalls, secured zone, susceptible, and compromised IoT/CPS devices. The links between devices denote potential routes for malware epidemic diffusion, which are obstructed by secured zones. Only figure (d) eliminates the giant connected component, which implies quarantined epidemic.
It is worth noting that percolation theory is a well developed field that has been extensively used in the literature to characterize ad hoc and cognitive network connectivity [8], [10], secure dissemination of information [11], network resilience/reliability [12], and Internet malware epidemics [13]. However, percolation models are barely used to characterize and develop defense mechanisms for epidemics in LSWN. Note that, in wireless networks, epidemic propagation is highly restricted by the network spatial topology, medium access control, and physical layer properties [14]. Hence, it is important to consider RGG to account for the intrinsic properties of wireless networks [6], [8], [11]. In this regard, stochastic geometry (see [15]–[19] for tutorials) can be utilized to model the spatial devices locations and construct SINR-aware edges that connect devices that can reliably communicate to each other. Then, exploiting the rich literature on percolation theory, epidemic propagation can be characterized, and defense mechanisms can be developed for a variety of IoT/CPS systems and use cases.
V. SPATIAL FIREWALLS DESIGN AND ASSESSMENT
A. Network Model and Proposed Approach
As discussed earlier, due to cost, energy, and computational power constraints, not all IoT/CPS devices can adopt sufficient security mechanisms. Furthermore, state oblivious scheduled software attestation/patching may deteriorate the IoT/CPS functionality due to unnecessary (delayed) patching of healthy (infected) devices. Hence, we propose to strategically select some devices, denoted as spatial firewalls, and equip them with state-of-the-art security mechanisms such as anti-malware and anomaly/intrusion detection programs. As shown in Fig. 1, each firewall enforces a security zone of radius R_f meters, where R_f is the communication/detection range of firewalls. Then, all IoT/CPS devices within a secured zone, denoted as protected devices, should validate codes (e.g., software, configuration, or control commands) with firewalls before executing or relaying them. Hence, neither the firewalls nor the protected devices participate in malware diffusion. Consequently, the secured zones enforced by the firewalls will split the network into protected (i.e., green) and susceptible (gray) IoT/CPS devices. The design objective for spatial firewalls is to enforce sufficient secured zones, denoted as critical percentage, that ensures quarantined epidemics. Regardless of the infection/treatment rates, the firewalls provide a ubiquitous defense mechanism to thwart wide-spread diffusion of malware and initiate informed (i.e., status-aware) software patching for infected devices.
Interpreting the firewall design objective to the notion of percolation theory, it is required to remove the minimum number of vertices from the IoT/CPS network graph such that the largest connected subgraph does not percolate. In other words, it is required to place a sufficient number of firewalls at effective locations such that the network formed by devices outside the secured zones operates in the subcritical regime. Otherwise, the epidemic spatial diffusion may get out of control and span the horizon.
It is worth noting that the wireless network topology is dynamic due to devices mobility. Furthermore, the security defense mechanism should be general in case there is no prior knowledge about the underlying devices locations. Hence, the spatial firewalls should be selected among the set of vertices V in a RGG G, which accounts for devices wireless communication range as well as the random spatial locations of devices.
A well established result in the literature for random graphs is that network percolation exhibits a phase transition phenomenon between the supercritical and subcritical regimes. This means that it is feasible to quarantine epidemics in LSWN if the correct percentage of devices are protected. Such critical percentage could be mathematically quantified via percolation models. However, different from conventional percolation problems, where individual vertices are randomly removed, in the spatial firewall problem a chunk of proximate vertices (i.e., all devices in the spatial secured zones including the firewalls, as well as all of their associated edges) are removed (c.f. Fig. 2). Hence, advanced percolation models, such as percolation on networks with holes [20], are required for the design, implementation, and assessment of spatial firewalls.
Inspired by results from percolation theory, the firewalls design objective is decomposed to 1) find the minimum percentage of spatial firewalls that guarantees quarantined malware, and 2) select the spatial locations of firewalls that minimize the average sizes of connected clusters of susceptible devices. This article examines four heuristic firewall selection schemes, namely, i) random, ii) degree-aware, iii) random with minimum distance constraint (DC), and iv) degree-aware with minimum DC. Degree awareness is crucial because devices with high degree would participate more in an epidemic diffusion. Intuitively, devices with higher degrees are expected to have a significant impact on epidemic diffusion if selected as firewalls due to the high number of protected neighbors within the secured zone. The minimum DC among the firewalls guarantees good spatial distribution of secured zones across the network to thwart emerging epidemics in different locations.
Footnote: Due to the involved CAPEX and OPEX of the spatial firewalls (e.g., hardware upgrade and software license), a cost efficient selection strategy should quarantine an epidemic with less critical intensity of firewalls.
A pictorial illustration of the firewalls is shown in Fig. 2 for different selection strategies. While the same number of firewalls is selected in all cases, Figs. 2a, 2b, and 2c show poor spatial distributions of secured zones that fail to eliminate the giant connected component. Thus, a wide spread of the malware epidemic is viable. However, the degree-aware with minimum DC firewalls in Fig. 2d ensure a good spatial distribution of the secured zones and succeed in splitting the network into disjoint clusters. Hence, regardless of the infection/treatment rates, a malware injected to any susceptible device within a cluster is prevented from diffusing to other clusters in the network. Upon the detection of the malware, firewalls inform the security administration to initiate localized software attestation/patching to all devices in the infected cluster.
[Fig. 3 plot: malware outbreak probability versus percentage of firewalls, for the random, random with DC, degree-aware, and degree-aware with DC schemes.]
Fig. 3: Probability of epidemic outbreak versus the percentage of firewalls.
B. Proof of Concept
While the proof-of-concept can be done analytically using tools from stochastic geometry and percolation theory, we resort to comprehensive Monte Carlo simulations to alleviate unnecessary mathematical details. Each simulation run realizes × km random network with wrap around boundaries. The devices are distributed in the simulation area according to a Poisson point process with intensity λ = 80 devices/km² (i.e., an average of 1280 devices per simulation run). Each device is assumed to have a communication range of 200 m, where a connection is realized between two devices that lie within the communication range of each other. The firewalls are chosen among the network devices according to the implemented selection scheme, where each firewall enforces a circular secured zone with a radius of 200 m. The devices that fall within the secured zone are excluded and the global network connectivity is realized. Percolation is declared if a giant component of susceptible devices that spans the simulation area vertically and horizontally exists. Percolation means that the selected spatial firewalls fail to quarantine the malware infection. This is because a malware infiltrated to any of the devices within the giant component can create an epidemic outbreak within that component of susceptible devices without being obstructed by the selected spatial firewalls. Furthermore, the number of disjoint clusters and the number of devices per cluster are recorded. A pictorial illustration of a single simulation run is depicted in Fig. 2, where percolation is declared for the scenarios in Figs. 2a, 2b, 2c.
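The Monte Carlo procedure described above can be sketched as follows; this is an added example, not the authors' simulation code. It assumes a 4 km square (chosen to match the stated mean of 1280 devices at 80 devices/km²), a 400 m minimum firewall spacing, and an edge-strip spanning test on the unwrapped square; those three choices are this example's own.

```python
import math
import random
from collections import deque

R_COMM = 200.0   # device communication range in metres (from the text)
R_FW = 200.0     # secured-zone radius in metres (from the text)
DENSITY = 80e-6  # 80 devices per km^2 (from the text), expressed per m^2


def torus_dist(a, b, side):
    """Distance between two points under wrap-around boundaries."""
    dx, dy = abs(a[0] - b[0]), abs(a[1] - b[1])
    return math.hypot(min(dx, side - dx), min(dy, side - dy))


def deploy(rng, side):
    """Poisson point process: Poisson device count, then uniform positions."""
    n, t = 0, rng.expovariate(1.0)
    while t < DENSITY * side * side:      # unit-rate arrivals within [0, mean]
        n, t = n + 1, t + rng.expovariate(1.0)
    return [(rng.uniform(0, side), rng.uniform(0, side)) for _ in range(n)]


def neighbours(pts, side):
    """Random geometric graph: link devices within communication range."""
    adj = [[] for _ in pts]
    for i in range(len(pts)):
        for j in range(i + 1, len(pts)):
            if torus_dist(pts[i], pts[j], side) <= R_COMM:
                adj[i].append(j)
                adj[j].append(i)
    return adj


def select_firewalls(pts, adj, k, scheme, side, rng, d_min):
    """scheme is 'random', 'degree', 'random_dc' or 'degree_dc'."""
    order = list(range(len(pts)))
    rng.shuffle(order)                    # random order, also breaks degree ties
    if scheme.startswith("degree"):
        order.sort(key=lambda i: -len(adj[i]))   # stable: ties stay shuffled
    chosen = []
    for i in order:
        if len(chosen) == k:
            break
        if scheme.endswith("_dc") and any(
                torus_dist(pts[i], pts[f], side) < d_min for f in chosen):
            continue                      # violates the minimum distance constraint
        chosen.append(i)
    return chosen                         # may hold fewer than k under a tight DC


def susceptible_clusters(pts, adj, firewalls, side):
    """Connected clusters of devices outside every secured zone.
    Assumption: links that wrap around the boundary are skipped here, so a
    spanning cluster really crosses the unwrapped square."""
    free = {i for i in range(len(pts))
            if all(torus_dist(pts[i], pts[f], side) > R_FW for f in firewalls)}
    clusters, seen = [], set()
    for s in free:
        if s in seen:
            continue
        seen.add(s)
        comp, queue = [], deque([s])
        while queue:
            u = queue.popleft()
            comp.append(u)
            for v in adj[u]:
                if (v in free and v not in seen
                        and math.dist(pts[u], pts[v]) <= R_COMM):
                    seen.add(v)
                    queue.append(v)
        clusters.append(comp)
    return clusters


def spans(comp, pts, side):
    """Assumed spanning test: the cluster reaches all four edge strips."""
    xs = [pts[i][0] for i in comp]
    ys = [pts[i][1] for i in comp]
    return (min(xs) < R_COMM and max(xs) > side - R_COMM and
            min(ys) < R_COMM and max(ys) > side - R_COMM)


def outbreak_probability(scheme, fraction, runs=20, side=4000.0,
                         d_min=400.0, seed=1):
    """Fraction of runs in which a susceptible cluster percolates."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(runs):
        pts = deploy(rng, side)
        adj = neighbours(pts, side)
        k = round(fraction * len(pts))
        fws = select_firewalls(pts, adj, k, scheme, side, rng, d_min)
        clusters = susceptible_clusters(pts, adj, fws, side)
        hits += any(spans(c, pts, side) for c in clusters)
    return hits / runs


if __name__ == "__main__":
    for scheme in ("random", "random_dc", "degree", "degree_dc"):
        probs = [outbreak_probability(scheme, f / 100, runs=3) for f in (2, 6, 10)]
        print(scheme, probs)
```

The pairwise neighbour search is quadratic in the number of devices, so a full sweep over firewall percentages takes a while in pure Python; `susceptible_clusters` also gives the cluster count and largest cluster size for each run.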
Fig. 4: Number of disjoint clusters and size of the maximum cluster versus the percentage of firewalls.
Fig. 3 shows the malware outbreak probability versus the percentage of devices that are selected as firewalls. Surprisingly, random firewall selection significantly outperforms the degree-aware selection scheme. Such counter-intuitive behavior is due to the spatially correlated degree of devices. Hence, stand-alone degree awareness fails to quarantine the epidemic due to the spatial concentration of firewalls within small geographical regions, which leads to overlapped secured zones (see Fig. 2b). The random selection of firewalls provides a better spatial coverage of secured zones, and hence, succeeds to quarantine epidemics when the firewalls are sufficiently dense (i.e., critical percentage ). Incorporating minimum DC improves the spatial distribution of firewalls and reduces the required density of firewalls. The superior performance of degree-awareness with minimum DC (critical percentage ) is due to the strategic selection of firewalls in terms of both spatial distribution of secured zones and number of devices covered by each secured zone.
Fig. 4 shows the number of susceptible clusters along with the number of devices in the largest cluster. As the intensity of firewalls increases, large network components break into smaller susceptible clusters with fewer devices in each cluster. Hence, the number of clusters increases and the number of devices within each cluster decreases. Fig. 4 confirms the insights of Fig. 3 regarding the firewalls selection schemes. Degree and location awareness ensure that malware can only infect fewer devices within smaller geographical regions when compared to other selection schemes. It is worth noting that the number of clusters decreases in Fig. 4 when secured zones start to span and cover the entire simulation area, which leaves small spatial gaps to form clusters.
VI. ACKNOWLEDGMENT
Fig. 1 was created by Heno Hwang, scientific illustrator at King Abdullah University of Science and Technology (KAUST).

VII. CONCLUSIONS
This article overviews the vulnerabilities and cybersecurity threats in large-scale wireless IoT and CPS. The article then proposes a novel technique, denoted as spatial firewalls, to quarantine and cure malware epidemics in such IoT and CPS. In particular, we show that strategically selecting less than 10% of devices and equipping them with up-to-date anti-malware programs is sufficient to thwart malware epidemics. To this end, guidelines to design and characterize the impact of spatial firewalls are presented. Proof-of-concept numerical results are presented and several firewall selection schemes are evaluated, namely, random and degree-aware with and without minimum distance constraints. Surprisingly, the random firewall selection outperforms degree-aware firewall selection, which is due to the spatially correlated degree of devices that leads to poor spatial distribution of firewalls. Adding a minimum distance constraint to the degree-aware selection scheme significantly enhances its impact in terms of the percentage of firewalls required to spatially quarantine malware epidemics and the size of infected clusters.

BIOGRAPHIES
Hesham ElSawy [S’10, M’14, SM’17] received the Ph.D. degree in electrical engineering from the University of Manitoba, Canada, in 2014. He was a Post-Doctoral Fellow at the King Abdullah University of Science and Technology (KAUST), Saudi Arabia, a Research Assistant at TRTech, Winnipeg, MB, Canada, and a Telecommunication Engineer at the National Telecommunication Institute, Egypt. He is currently an Assistant Professor with the King Fahd University of Petroleum and Minerals (KFUPM), Saudi Arabia. His research interests include statistical modeling of wireless networks, stochastic geometry, and queueing analysis for wireless communication networks. He received several academic awards at the University of Manitoba, including the NSERC Industrial Postgraduate Scholarship (2010–2013), and the TRTech Graduate Students Fellowship (2010–2014). He has coauthored four award-winning papers that are recognized by the IEEE COMSOC Best Tutorial Paper Award, IEEE COMSOC Best Survey Paper Award, the Best Scientific Contribution Award to the IEEE International Symposium on Wireless Systems 2017, and the Best Paper Award in Small Cell and 5G Networks (SmallNets) Workshop of the 2015 IEEE International Conference on Communications (ICC). He is a recipient of the IEEE ComSoc Outstanding Young Researcher Award for Europe, Middle East, & Africa Region in 2018. He is recognized as an exemplary reviewer by the IEEE Transactions on Communications (2014–2016), the IEEE Transactions on Wireless Communications in 2017 and 2018, and the IEEE Wireless Communications Letters in 2018.