
Chapter 4 Approach

5.2 Stochastic Model for System Component Dynamics

We model system state as a discrete-time stochastic process in which the state transitions of system components – hosts and proxies – are stochastic events. As such, we can quantify how attacks, defenses, correlated host vulnerabilities, and proxy network topology affect the system. Our stochastic model has two parts: host state transitions and proxy state transitions; Table 5-1 shows the parameters of the model. We first describe the model and then interpret the model in practical settings.

Table 5-1 Parameters of the Stochastic Model

Notation   Meaning
λ0         Rate of host compromises based on new vulnerabilities
λv         Rate of host compromises based on known vulnerabilities
µs         Rate of proactive resets
µd         Speed of reactive recovery
µr         Rate of proxy migration

A) Host State Transitions

Attacks, resource recovery (both proactive and reactive), and correlated host vulnerabilities are the three main factors that affect the transitions of host states. We first describe the case where host vulnerabilities are uncorrelated; we then describe how our model captures correlated host vulnerabilities.

Figure 5-1 Host State Transitions (states: intact, intactv, compromised; transitions: host compromise λ0 and λv, reactive recovery µd, proactive reset µs)

The shaded area in Figure 5-1 shows the host state transitions when the host vulnerabilities are uncorrelated. Our model uses three parameters λ0, µd, and µs to describe the speed of attacks, reactive resource recovery, and proactive resets, respectively. Within a discrete time step, attackers have a probability λ0 of compromising an intact host by exploiting a vulnerability of the host. Meanwhile, reactive resource recovery has a probability µd of recovering a compromised host by detecting and removing the infection, while proactive resets have a probability µs of recovering a compromised host by proactively reloading the host with a clean system image.

Our model also captures correlated host vulnerabilities. We use “domains” to describe the correlated vulnerabilities among hosts (see Figure 5-2). Hosts are grouped into domains. Within a domain, hosts use similar software with similar configurations, thereby sharing similar vulnerabilities. Across domains, hosts differ in software, configurations, and other attributes, thereby providing a model for uncorrelated vulnerabilities. A system with uncorrelated host vulnerabilities (see Figure 5-2.A) is an extreme case where each host is in its own domain. Another extreme case is one where all hosts are in the same domain (see Figure 5-2.B). In general, hosts in a system are grouped into multiple domains (see Figure 5-2.C), and the number of domains is a measure of host diversity in the system.

Figure 5-2 Domain-Based Correlated Host Vulnerability Model (A: uncorrelated host vulnerabilities, ∞ domains; B: correlated host vulnerabilities, 1 domain; C: correlated host vulnerabilities, k domains)

To model the impact of correlated host vulnerabilities, we introduce an intermediate state “intactv” (an intact host with a known vulnerability) and one more parameter λv (see Figure 5-1). The revised model is as follows. Within a discrete time step, with probability λ0 attackers can compromise an intact host by exploiting a new vulnerability, changing the other intact hosts in the same domain to the “intactv” state. With probability λv attackers can compromise an “intactv” host by exploiting a known vulnerability. Meanwhile, with probability µs proactive resets can return a host from the “intactv” state to the intact state by removing the known vulnerabilities. With probability µd and µs, reactive recovery and proactive resets respectively can return a compromised host to the intact state.

B) Proxy State Transition

Figure 5-3 Proxy State Transition (states: intact, exposed, compromised; transitions: host compromise, resource recovery, proxy migration)

A proxy’s state depends on three factors: the state of the host where the proxy runs, the state of the neighboring proxies, and whether or not the proxy is an edge proxy. Based on the host state transition model described above, we can use the following rules to determine the state of a proxy under host compromise attacks.

• A proxy is compromised if and only if its host is.

• The neighbors of a compromised proxy are exposed, or compromised.

• All edge proxies are exposed or compromised.

Furthermore, proxy migration moves a proxy to a different host and changes the proxy’s state accordingly. We use a migration rate µr to describe the proxy migration process, where proxies choose migration targets randomly and the migration overhead is small compared to the interval between migrations. More precisely, a proxy has probability µr of moving to a different host within a discrete time step. After migration, the proxy’s state is determined by the rules above.

C) Discussion of the Model and Real World Data

Our model, while simple, captures all the key factors of the system, including speed of attack, speed of defense, proxy network structure, and correlated host vulnerabilities. These factors together determine how the system state changes over time, and allow us to study the system dynamics under penetration attacks. To interpret our model (see Table 5-1) in practical settings, we present numbers from real systems.
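The host transitions of Figure 5-1 and the three proxy rules above, as an added Python simulation that is not part of the original chapter. The ring-shaped proxy network, the round-robin domain assignment, and the parameter values are constructed for illustration, and competing transitions out of one state are assumed to be mutually exclusive within a time step.

```python
import random
from collections import Counter

INTACT, INTACTV, COMPROMISED, EXPOSED = "intact", "intactv", "compromised", "exposed"

def step_hosts(states, domain_of, l0, lv, mu_s, mu_d, rng):
    """One discrete time step of the host model (Figure 5-1). Competing transitions out
    of one state are treated as mutually exclusive within a step (example assumption)."""
    new, hit = list(states), set()
    for h, s in enumerate(states):
        r = rng.random()
        if s == INTACT and r < l0:                  # new vulnerability exploited
            new[h] = COMPROMISED
            hit.add(domain_of[h])                   # the exploit is now known in this domain
        elif s == INTACTV and r < lv:               # known vulnerability exploited
            new[h] = COMPROMISED
        elif s == INTACTV and r < lv + mu_s:        # proactive reset removes the known vuln
            new[h] = INTACT
        elif s == COMPROMISED and r < mu_d + mu_s:  # reactive recovery or proactive reset
            new[h] = INTACT
    # correlated vulnerabilities: hosts that stayed intact in a hit domain become intactv
    for h in range(len(states)):
        if states[h] == new[h] == INTACT and domain_of[h] in hit:
            new[h] = INTACTV
    return new

def proxy_states(host_of, host_states, neighbors, edge):
    """Apply the three proxy rules of the section to the current host states."""
    comp = {p for p, h in enumerate(host_of) if host_states[h] == COMPROMISED}
    return [COMPROMISED if p in comp
            else EXPOSED if edge[p] or any(n in comp for n in neighbors[p])
            else INTACT for p in range(len(host_of))]

def migrate(host_of, n_hosts, mu_r, rng):  # each proxy moves to a random other host w.p. mu_r
    return [rng.choice([h for h in range(n_hosts) if h != cur]) if rng.random() < mu_r
            else cur for cur in host_of]

def simulate(n_hosts=12, k_domains=3, n_proxies=4, steps=200, l0=0.02, lv=0.3,
             mu_s=0.1, mu_d=0.2, mu_r=0.05, seed=1):
    """Run the model on a constructed ring of proxies; returns proxy-state counts."""
    rng = random.Random(seed)
    domain_of = [h % k_domains for h in range(n_hosts)]        # round-robin domains
    hosts, host_of = [INTACT] * n_hosts, list(range(n_proxies))
    neighbors = {p: [(p - 1) % n_proxies, (p + 1) % n_proxies] for p in range(n_proxies)}
    edge = [p == 0 for p in range(n_proxies)]                  # proxy 0 is the edge proxy
    tally = Counter()
    for _ in range(steps):
        hosts = step_hosts(hosts, domain_of, l0, lv, mu_s, mu_d, rng)
        host_of = migrate(host_of, n_hosts, mu_r, rng)
        tally.update(proxy_states(host_of, hosts, neighbors, edge))
    return tally
```

Dividing the returned counts by steps * n_proxies gives the fraction of proxy-steps spent intact, exposed, and compromised, which is the quantity the parameters in Table 5-1 are meant to drive.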

Table 5-2 Windows Vulnerability Statistics

Year           2001  2002  2003  2004
WinXP Pro         5    20    19    18
Win2K Server     28    24    19    18

Parameter λ0 is the rate of discovery and exploit of new host vulnerabilities, an example of which is the exploitable vulnerabilities of the operating system software. The Microsoft security bulletin [110] catalogues critical and remotely exploitable vulnerabilities of Windows XP Professional and Windows 2K Server. Table 5-2 shows the number of new vulnerabilities discovered in each period. On average, about 20 new vulnerabilities are discovered each year, that is, one new vulnerability every two to three weeks. These numbers provide a realistic approximation of λ0 in practice.

Parameter λv is the rate of host compromises using known vulnerabilities. Studies on computer vulnerabilities and attack incidents [111, 112] show that discovery and exploitation of new vulnerabilities is time-consuming and requires a significant amount of expertise in the victim system. In contrast, compromising a host using a known bug is fairly easy, because techniques and tools used in previous attacks can be leveraged. Therefore, λv is typically significantly larger than λ0 (λ0 << λv). An example of correlated host compromises is worms [11-13, 113], which use the same bug to compromise hundreds of hosts in minutes, or even less.

Parameter µd is the speed of reactive recovery, which depends on intrusion detection. Previous research on Intrusion Detection Systems (IDS) [17, 18] indicates that modern IDS can achieve real-time detection. Therefore µd is primarily determined by how fast a detected intrusion can be removed.

Parameter µr is the proxy migration rate. Our prototype implementation of a proxy network has a sub-second migration overhead in a large network. This suggests that current technology can support daily, or even hourly, proxy migration rates, i.e. 10x~100x higher than λ0.

a snapshot of a proxy network’s state (the e 5-4, an attacker pene in, and penetrate one step furth