
ITR: Defending Against Virus Propagation on the Internet

$1,499,999 | FY2003 | CSE | NSF

Carnegie Mellon University, Pittsburgh PA

Investigators

Abstract

Since the Morris worm hit the Internet, the evolution of viruses and worms has kept anti-virus analysts busy developing new scanning and detection capabilities. New viruses continue to outsmart current technologies and wreak havoc. It is clear that existing strategies do not suffice but rather only contribute to the ongoing arms race between virus writers and the anti-virus industry. This proposal addresses the question: "What is the next big break, the next revolution in anti-virus technology?" The PIs propose a joint effort between CMU, Symantec and CERT to research global defense mechanisms and deployment strategies. Instead of approaching the problem from the perspective of individual nodes, this research will take on a network-wide point of view.

In addition to the immediate impact, the problem presents research challenges that are extremely appealing to theorists and practitioners alike. The preliminary study suggests an analogy between the principles of self-organized criticality and virus propagation: once the dynamic state of propagation crosses a critical level of distribution, the virus flourishes and attains eventual prevalence. This is in contrast to the traditional epidemic threshold, which is characterized using only the static birth and death rates of the virus. Understanding this critical level of distribution is an interesting problem, and it is likely to point to new methods to thwart the spread of computer viruses. Studying the analogy between mathematical models such as dynamic-state models and virus propagation is a central theme of this proposal.

The PIs propose three major thrusts in this work.

1) Determine the topology underlying modern viruses and worms. It has been suggested that virus propagation obeys a power-law structure much like the physical Internet topology. However, there is no reason to believe that viral propagations would mirror the physical topology of the network. Rather, evidence suggests that they follow some sort of a social network, or a random network in the case of some worms. Our work will be the first to develop a definitive model of virus propagation topology using real attack data and user data.

2) Develop a new model that captures propagation behavior on the virtual topology. Specifically, the PIs are interested in modeling a) topology-aware propagation behavior, b) the effect of environmental factors, and c) the dynamics between infections (dissipation) and defenses (feedback force).

3) Use the mathematical models to develop and reason about network-centric defense strategies.

The PI team is part of the Center for Computer and Communications Security (C3S) at CMU. One of the center's goals is to promote security education. We are in the process of engineering a new degree program, the Master in Information Security. We expect this collaborative research effort to stimulate student interest and foster further research in information security.

Symantec will be an industry partner throughout this effort. Specifically, they will supply us with their proprietary database containing an extensive dataset with respect to virus incidents. In addition, two of the PIs hold joint appointments with CERT (part of the Software Engineering Institute, an FFRDC operated by CMU) and have access to a large and growing body of data associated with real virus episodes.
