Publication


Featured research published by Duc T. Ha.


Dependable Systems and Networks | 2009

On the effectiveness of structural detection and defense against P2P-based botnets

Duc T. Ha; Guanhua Yan; Stephan Eidenbenz; Hung Q. Ngo

Recently, peer-to-peer (P2P) networks have emerged as a covert communication platform for malicious programs known as bots. As popular distributed systems, they allow bots to communicate easily while protecting the botmaster from being discovered. Existing work on P2P-based botnets mainly focuses on measurement-based studies of botnet behaviors. In this work, through simulation, we study extensively the structure of P2P networks running Kademlia, one of a few widely used P2P protocols in practice. Our simulation testbed not only incorporates the actual code of a real Kademlia client software to achieve high realism, but also applies distributed event-driven simulation techniques to achieve high scalability. Using this testbed, we analyze the scaling, clustering, reachability, and various centrality properties of P2P-based botnets from a graph-theoretical perspective. We further demonstrate experimentally and theoretically that monitoring bot activities in a P2P network is difficult, suggesting that the P2P mechanism indeed helps botnets hide their communication effectively. Finally, we evaluate the effectiveness of some potential mitigation techniques, such as content poisoning, sybil-based and eclipse-based mitigation. Conclusions drawn from this work shed light on the structure of P2P botnets, how to monitor bot activities in P2P networks, and how to mitigate botnet operations effectively.


International Conference on Digital Forensics | 2007

Insider Threat Analysis Using Information-Centric Modeling

Duc T. Ha; Shambhu J. Upadhyaya; Hung Q. Ngo; Suranjan Pramanik; Ramkumar Chinchani; Sunu Mathew

Capability acquisition graphs (CAGs) provide a powerful framework for modeling insider threats, network attacks and system vulnerabilities. However, CAG-based security modeling systems have yet to be deployed in practice. This paper demonstrates the feasibility of applying CAGs to insider threat analysis. In particular, it describes the design and operation of an information-centric, graphics-oriented tool called ICMAP. ICMAP enables an analyst without any theoretical background to apply CAGs to answer security questions about vulnerabilities and likely attack scenarios, as well as to monitor network nodes. This functionality makes the tool very useful for attack attribution and forensics.


Archive | 2010

Insider Threat Assessment: Model, Analysis and Tool

Ramkumar Chinchani; Duc T. Ha; Anusha Iyer; Hung Q. Ngo; Shambhu J. Upadhyaya

Insider threat is typically attributed to legitimate users who maliciously leverage their system privileges, and familiarity and proximity to their computational environment to compromise valuable information or inflict damage. According to the annual CSI/FBI surveys conducted since 1996, internal attacks and insider abuse form a significant portion of reported incidents. The strongest indication yet that insider threat is very real is given by the recent study [2] jointly conducted by CERT and the US Secret Service; the first of its kind, which provides an in-depth insight into the problem in a real-world setting. However, there is no known body of work which addresses this problem effectively. There are several challenges, beginning with understanding the threat.


Journal in Computer Virology | 2009

On the trade-off between speed and resiliency of Flash worms and similar malcodes

Duc T. Ha; Hung Q. Ngo

We formulate and investigate the problem of finding a fast and resilient propagation topology and propagation schedule for Flash worms and similar malcodes. Resiliency means a very large proportion of infectable targets are still infected no matter which fraction of targets are not infectable. There is an intrinsic tradeoff between speed and resiliency, since resiliency requires transmission redundancy which slows down the malcode. To investigate this problem formally, we need an analytical model. We first show that, under a moderately general analytical model, the problem of optimizing propagation time is NP-hard. This fact justifies the need for a simpler model, which we present next. In this simplified model, we present an optimal propagation topology and schedule, which is then shown by simulation to be even faster than the Flash worm. Moreover, our worm is faster even when the source has much less bandwidth capacity. We also show that for every preemptive schedule there exists a non-preemptive schedule which is just as effective. This fact greatly simplifies the optimization problem. In terms of the aforementioned tradeoff, we give a propagation topology based on extractor graphs which can reduce the infection time linearly while keeping the expected number of infected nodes exponentially close to optimal.


Journal of Combinatorial Optimization | 2005

On The Hardness of Approximating the Min-Hack Problem

Ramkumar Chinchani; Duc T. Ha; Anusha Iyer; Hung Q. Ngo; Shambhu J. Upadhyaya

We show several hardness results for the Minimum Hacking problem, which roughly can be described as the problem of finding the best way to compromise a target node given a few initial compromised nodes in a network. We give several reductions to show that Minimum Hacking is not approximable to within $2^{(\log n)^{1-\delta}}$, where δ = 1−


Global Communications Conference | 2008

Crosstalk-Free Widesense Nonblocking Multicast Photonic Switching Networks

Hung Q. Ngo; Thanh-Nhan Nguyen; Duc T. Ha


IEEE Transactions on Vehicular Technology | 2009

MoPADS: A Mobility Profile Aided File Downloading Service in Vehicular Networks

Seokhoon Yoon; Duc T. Ha; Hung Q. Ngo; Chunming Qiao


International Conference on Information Fusion | 2008

Insider abuse comprehension through capability acquisition graphs

Sunu Mathew; Shambhu J. Upadhyaya; Duc T. Ha; Hung Q. Ngo


Discrete Mathematics, Algorithms and Applications | 2009

ANALYZING NONBLOCKING MULTILOG NETWORKS WITH THE KÖNIG–EGEVARÝ THEOREM

Hung Q. Ngo; Thanh-Nhan Nguyen; Duc T. Ha


Global Communications Conference | 2008

CRESTBOT: A New Family of Resilient Botnets

Duc T. Ha; Hung Q. Ngo; Madhusudhanan Chandrasekaran

Collaboration


Top Co-Authors

Guanhua Yan

Los Alamos National Laboratory

Stephan Eidenbenz

Los Alamos National Laboratory
