
    Novel Analytical Modelling-based Simulation of Worm Propagation in Unstructured Peer-to-Peer Networks

    Millions of users world-wide are sharing content using Peer-to-Peer (P2P) networks, such as Skype and BitTorrent. While such new innovations undoubtedly bring benefits, there are nevertheless some associated threats. One of the main hazards is that P2P worms can penetrate the network, even from a single node, and then spread rapidly. Understanding the propagation process of such worms has always been a challenge for researchers. Different techniques, such as simulations and analytical models, have been adopted in the literature. While simulations provide results for specific input parameter values, analytical models are rather more general and potentially cover the whole spectrum of given parameter values. Many attempts have been made to model the worm propagation process in P2P networks. However, the analytical models reported to date have failed to cover the whole spectrum of all relevant parameters and have therefore resulted in high false positives. This consequently affects the immunization and mitigation strategies that are adopted to cope with an outbreak of worms. The first key contribution of this thesis is the development of a Susceptible, Exposed, Infectious and Recovered (SEIR) analytical model for the worm propagation process in a P2P network, taking into account different factors such as the configuration diversity of nodes, user behaviour and the infection time lag. These factors have not been considered in an integrated form previously and have been either ignored or partially addressed in state-of-the-art analytical models. Our proposed SEIR analytical model holistically integrates, for the first time, these key factors in order to capture a more realistic representation of the whole worm propagation process.
The second key contribution is the extension of the proposed SEIR model to the mobile M-SEIR model by investigating and incorporating the role of node mobility, the size of the worm and the bandwidth of wireless links in the worm propagation process in mobile P2P networks. The model was designed to be flexible and applicable to both wired and wireless nodes. The third contribution is the exploitation of a promising modelling paradigm, Agent-based Modelling (ABM), in the P2P worm modelling context. Specifically, to exploit the synergies between ABM and P2P, an integrated ABM-based worm propagation model has been built and trialled in this research for the first time. The introduced model combines the implementation of common, complex P2P protocols, such as Gnutella and GIA, with the aforementioned analytical models. Moreover, a comparative evaluation between ABM and conventional modelling tools has been carried out, to demonstrate the key benefits of ease of real-time analysis and visualisation. As a fourth contribution, the research was further extended by utilizing the proposed SEIR model to examine and evaluate a real-world data set on one of the most recent worms, namely the Conficker worm. Verification of the model was achieved using ABM and conventional tools and by then comparing the results on the same data set with those derived from developed benchmark models. Finally, the research concludes that the worm propagation process is to a great extent affected by different factors such as configuration diversity, user behaviour, the infection time lag and the mobility of nodes. It was found that the infection propagation values derived from state-of-the-art mathematical models are hypothetical and do not actually reflect real-world values.
In summary, our comparative research study has shown that infection propagation can be reduced due to the natural immunity against worms that can be provided by a holistic exploitation of the range of factors proposed in this work.

    Epidemic models for research ideas spreading in the scientific community

    We apply the basic SIR model and some of its extended versions to the propagation of scientific ideas in the community of researchers, in order to investigate the spread of those ideas. To this end, we collected quantitative records of articles published in scientific conferences for some selected topics over a 5-year period. The values of the basic reproductive ratio are discussed to compile a classification based on the contagion level, and the descriptions given by the models are investigated.
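The two abstracts above both build on compartmental epidemic models: the worm thesis uses SEIR with an infection time lag and configuration diversity, and the research-ideas study uses SIR and classifies topics by the basic reproductive ratio. The following is an added example, not code from either work: a deterministic SEIR model (collapsing to SIR when no latent period is given) integrated with a fixed-step Euler scheme. Population size, rates per day, and the vulnerable fraction are assumed values chosen for illustration; "configuration diversity" is represented only as the share of nodes that are susceptible at all.

```python
# Added example (not the thesis's model): deterministic SEIR outbreak in a
# population of n nodes, integrated with a fixed-step Euler scheme.
# All parameter values are assumptions for illustration.
from dataclasses import dataclass


@dataclass
class Outcome:
    peak_infectious: float   # largest number of infectious nodes at any time
    peak_day: float          # day on which that peak occurred
    final_recovered: float   # total nodes that were ever infected (final size)


def basic_reproduction_number(beta, gamma, vulnerable_fraction=1.0):
    """R0 = beta / gamma, scaled by the share of nodes whose configuration
    is actually vulnerable: diversity of configurations lowers the effective R0."""
    return vulnerable_fraction * beta / gamma


def simulate(n, i0, beta, gamma, sigma=None, vulnerable_fraction=1.0,
             days=200, dt=0.01):
    """Integrate S -> E -> I -> R (or S -> I -> R when sigma is None).

    beta  : contacts per infectious node per day that would transmit the worm
    gamma : recovery (patch / clean-up) rate per day, mean infectious period 1/gamma
    sigma : rate of leaving the exposed state; the infection time lag is 1/sigma days
    """
    s = vulnerable_fraction * n - i0     # only vulnerable nodes are susceptible
    e, i, r = 0.0, float(i0), 0.0
    peak, peak_day = i, 0.0
    for step in range(int(days / dt)):
        new_exposed = beta * s * i / n * dt    # contacts still mix over all n nodes
        new_recovered = gamma * i * dt
        if sigma is None:
            new_infectious = new_exposed       # no latency: plain SIR
        else:
            new_infectious = sigma * e * dt    # latency of 1/sigma days on average
            e += new_exposed - new_infectious
        s -= new_exposed
        i += new_infectious - new_recovered
        r += new_recovered
        if i > peak:
            peak, peak_day = i, (step + 1) * dt
    return Outcome(peak, peak_day, r)


if __name__ == "__main__":
    # Assumed rates: 2-day latency, 4-day infectious period, R0 = 2.
    worm = simulate(n=10_000, i0=1, beta=0.5, gamma=0.25, sigma=0.5)
    print("SEIR R0 =", basic_reproduction_number(0.5, 0.25), worm)
    # 40 % of nodes vulnerable pushes the effective R0 below 1: no outbreak.
    print("diverse  R0 =", basic_reproduction_number(0.5, 0.25, 0.4),
          simulate(10_000, 1, 0.5, 0.25, sigma=0.5, vulnerable_fraction=0.4))
```

With R0 = 2 the classic final-size relation predicts that roughly 80 % of the vulnerable population is eventually infected, which the simulation reproduces; dropping the vulnerable fraction to 0.4 makes the effective R0 0.8 and the outbreak dies out after a handful of infections, which is the "natural immunity" effect of configuration diversity that the first abstract refers to.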

    From the edge to the core : towards informed vantage point selection for internet measurement studies

    Since the early days of the Internet, measurement scientists have been trying to keep up with its fast-paced development. As the Internet grew organically over time and without built-in measurability, this process requires many workarounds and due diligence. As a result, every measurement study is only as good as the data it relies on. Moreover, data quality is relative to the research question: a data set suitable to analyze one problem may be insufficient for another. This is entirely expected as the Internet is decentralized, i.e., there is no single observation point from which we can assess the complete state of the Internet. Because of that, every measurement study needs specifically selected vantage points which fit the research question. In this thesis, we present three different vantage points across the Internet topology, from the edge to the Internet core. We discuss their specific features, their suitability for different kinds of research questions, and how to work with the corresponding data. The data sets obtained at the presented vantage points allow us to conduct three different measurement studies and shed light on the following aspects: (a) the prevalence of IP source address spoofing at a large European Internet Exchange Point (IXP), (b) the propagation distance of BGP communities, an optional transitive BGP attribute used for traffic engineering, and (c) the impact of the global COVID-19 pandemic on Internet usage behavior at a large Internet Service Provider (ISP) and three IXPs.

    Trust management schemes for peer-to-peer networks

    Peer-to-peer (P2P) networking enables users with similar interests to exchange or obtain files. This network model has proven popular for exchanging music, pictures, or software applications. These files are saved, and most likely executed, at the downloading host. As a consequence of this mechanism, worms, viruses, and malware find an open front door to the downloading host, which gives them a convenient environment for successful proliferation throughout the network. Although virus detection software is currently available, this countermeasure works in a reactive fashion and, most of the time, in an isolated manner. A trust management scheme is considered to contain the proliferation of viruses in P2P networks. Specifically, a cooperative and distributed trust management scheme based on a two-layer approach to bound the proliferation of viruses is proposed. The new scheme is called the double-layer dynamic trust (DDT) management scheme. The results show that the proposed scheme bounds the proliferation of malware. With the proposed scheme, the number of infected hosts and the proliferation rate are limited to small values. In addition, it is shown that network activity is not discouraged by using the proposed scheme. Moreover, to improve the efficiency of the calculation of trust values in ratio-based normalization models, a model is proposed for trust value calculation using a three-dimensional normalization to represent peer activity with more accuracy than that of a conventional ratio-based normalization. Distributed network security is also considered, especially P2P network security. For many P2P systems, including ad hoc networks and online markets, reputation systems have been considered as a solution for mitigating the effects of malicious peers. However, in a Sybil attack, identities are forged to unfairly and arbitrarily influence the reputation of peers in a network or community.
To defend against Sybil attacks, each reported transaction, which is used to calculate trust values, is verified. In this thesis, it is shown that peer reputation alone cannot bound network subversion by a Sybil attack. Therefore, a new trust management framework, called Sybildefense, is introduced. This framework combines a trust management scheme with a cryptographic mechanism to verify the different transaction claims issued by peers, including the bogus claims of Sybil peers. To improve the efficiency of distinguishing honest peers from Sybil peers, a k-means clustering mechanism is adopted. Moreover, including a list of a peer's trustees in warning messages is proposed, to generate a local table for a peer that is used to identify possible clusters of Sybil peers. The defensive performance of these algorithms is compared under Sybil attacks. The performance results show that the proposed framework (Sybildefense) can thwart Sybil attacks efficiently.
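The abstract above says that Sybildefense separates honest peers from Sybil peers with k-means clustering over the transaction claims peers report. The thesis does not state which features it clusters on, so the following added example (not the thesis's code) uses two behavioural features of a constructed claim log that a Sybil ring typically exposes: low counterparty diversity (the forged identities keep rating each other) and high reciprocity (their praise is always returned). Peer names, the transaction log, the feature choice and the 2-means seeding are all assumptions made for this illustration; the cryptographic verification of individual claims that the thesis also describes is not reproduced here.

```python
# Added example (not the thesis's Sybildefense implementation): 2-means
# clustering of peers on two behavioural features of their reported
# transaction claims. Claim log and feature choice are constructed.
from collections import defaultdict
import math


def constructed_claims():
    """(rater, ratee) pairs. Honest peers trade with several partners and
    occasionally repeat one; four Sybil identities only ever rate each other."""
    claims = []
    honest = [f"h{i}" for i in range(8)]
    for idx, p in enumerate(honest):
        for k in range(1, 6):                       # 5 distinct counterparties
            claims.append((p, honest[(idx + k) % 8]))
        claims.append((p, honest[(idx + 1) % 8]))   # a repeat customer, twice
        claims.append((p, honest[(idx + 1) % 8]))
    sybils = [f"s{i}" for i in range(4)]
    for _round in range(5):                         # repeated mutual praise
        for a in sybils:
            for b in sybils:
                if a != b:
                    claims.append((a, b))
    return claims


def features(claims):
    """Per rater: (diversity, reciprocity).
    diversity   = distinct ratees / claims issued
    reciprocity = share of claims whose ratee has also rated this peer back."""
    issued = defaultdict(list)
    pairs = set(claims)
    for rater, ratee in claims:
        issued[rater].append(ratee)
    feats = {}
    for peer, targets in issued.items():
        diversity = len(set(targets)) / len(targets)
        reciprocity = sum(1 for t in targets if (t, peer) in pairs) / len(targets)
        feats[peer] = (diversity, reciprocity)
    return feats


def two_means(points, iters=20):
    """Lloyd's algorithm with k = 2, seeded with the two points farthest apart
    (deterministic, so the result does not depend on a random start)."""
    names = list(points)
    seed_a, seed_b = max(((a, b) for a in names for b in names),
                         key=lambda ab: math.dist(points[ab[0]], points[ab[1]]))
    centroids = [points[seed_a], points[seed_b]]
    assignment = {}
    for _ in range(iters):
        assignment = {p: min((0, 1), key=lambda c: math.dist(points[p], centroids[c]))
                      for p in names}
        for c in (0, 1):
            members = [points[p] for p in names if assignment[p] == c]
            if members:
                centroids[c] = tuple(sum(m[k] for m in members) / len(members)
                                     for k in (0, 1))
    return assignment, centroids


def suspected_sybils(claims):
    """Peers in the cluster that looks like a ring: low diversity, high reciprocity."""
    feats = features(claims)
    assignment, centroids = two_means(feats)
    ring = min((0, 1), key=lambda c: centroids[c][0] - centroids[c][1])
    return {p for p in feats if assignment[p] == ring}


if __name__ == "__main__":
    print(sorted(suspected_sybils(constructed_claims())))
```

The clustering only narrows the candidate set; a ring that mixes in a few genuine transactions with honest peers moves toward the honest centroid, which is why the thesis pairs the clustering with per-claim verification and trustee lists rather than relying on behaviour alone.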

    Securing Enterprise Networks with Statistical Node Behavior Profiling

    The substantial proliferation of the Internet has made it the most critical infrastructure in today's world. However, it is still vulnerable to various kinds of attacks and malware and poses a number of great security challenges. Furthermore, we have also witnessed in the past decade that there is always a fast self-evolution of attacks and malware (e.g. from worms to botnets) against every success in network security. Network security thereby remains a hot topic in both research and industry and requires continuous and great attention. In this research, we consider two fundamental areas in network security, malware detection and background traffic modeling, from the new viewpoint of node behavior profiling in enterprise network environments. Our main objectives are to extend and enhance the current research in these two areas. In particular, central to our research is the node behavior profiling approach that groups the behaviors of different nodes by jointly considering temporal and spatial correlations. We also present an extensive study on botnets, which are believed to be the largest threat to the Internet. To better understand botnets, we propose a botnet framework and predict a new P2P botnet that is much stronger and stealthier than the current ones. We then propose anomaly-based malware detection approaches built directly on the insights (statistical characteristics) from the node behavior study and apply them to P2P botnet detection. Further, by considering the worst-case attack model, where the botmaster knows all the parameter values used in detection, we propose a fast and optimized anomaly detection approach by formulating the detection problem as an optimization problem. In addition, we propose a novel traffic modeling structure using behavior profiles for NIDS evaluations. It is efficient and takes the node heterogeneity in traffic modeling into account.
It is also compatible with most current modeling schemes and helpful in generating more realistic background traffic. Last but not least, we evaluate the proposed approaches using real user traces from enterprise networks and achieve encouraging results. Our contributions in this research include: 1) a new node behavior profiling approach to study normal node behavior; 2) a framework for botnets; 3) a new P2P botnet and performance comparisons with other P2P botnets; 4) two anomaly detection approaches based on node behavior profiles; 5) a fast and optimized anomaly detection approach under the worst-case attack model; 6) a new traffic modeling structure; and 7) simulations and evaluations of the above approaches on real user data from enterprise networks. To the best of our knowledge, we are the first to propose the botnet framework, consider the worst-case attack model and propose a corresponding fast and optimized solution in botnet-related research. We are also the first to propose efficient solutions in traffic modeling without the assumption of node homogeneity.
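The abstract above describes profiling node behaviour by jointly considering temporal and spatial correlation and then flagging P2P bots whose statistics deviate from the profile. The following added example (not the dissertation's code) shows the simplest form of that idea on constructed flow records: for each host and hour, count the distinct destinations it contacts, compare the count against the other hosts in the same hour (the spatial dimension), and report a host only if it is anomalous in many hours (the temporal dimension). The host names, traffic pattern, z-score threshold and persistence requirement are assumptions for this illustration, and the example does not implement the worst-case-attacker optimisation the abstract refers to: a botmaster who knows the threshold can keep fan-out just below it, which is exactly the case the dissertation goes on to address.

```python
# Added example (not the dissertation's detector): leave-one-out z-scores of
# per-hour destination fan-out across hosts, flagging hosts that stay
# anomalous for many hours. Flow records are constructed.
from collections import defaultdict
from statistics import mean, pstdev


def constructed_flows():
    """(hour, src, dst) records for one day. Six workstations are busy only
    during office hours and contact 2-4 servers; one bot keeps a steady
    fan-out of 15 peers around the clock (a typical P2P C&C pattern)."""
    flows = []
    hosts = [f"ws-{i}" for i in range(6)]
    for hour in range(24):
        for idx, host in enumerate(hosts):
            if 8 <= hour < 18:
                n_dst = 2 + (hour + idx) % 3          # office hours: 2..4 servers
            else:
                n_dst = (hour + idx) % 2              # night: 0 or 1 (updates)
            for k in range(n_dst):
                flows.append((hour, host, f"srv-{(idx * 7 + k + hour) % 20}"))
        for k in range(15):
            flows.append((hour, "ws-bot", f"peer-{(hour * 15 + k) % 200}"))
    return flows


def fanout_profile(flows):
    """host -> list of 24 values: distinct destinations contacted in each hour."""
    dsts = defaultdict(set)
    hosts = set()
    for hour, src, dst in flows:
        dsts[(src, hour)].add(dst)
        hosts.add(src)
    return {h: [len(dsts.get((h, hr), ())) for hr in range(24)] for h in hosts}


def anomalous_hosts(profile, z_threshold=4.0, min_hours=6):
    """Spatial check: z-score of a host's hourly fan-out against the other
    hosts in that hour (the host itself is left out so it cannot inflate the
    baseline). Temporal check: report only hosts anomalous in >= min_hours."""
    flagged = {}
    for host, series in profile.items():
        hits = 0
        for hr, value in enumerate(series):
            others = [profile[o][hr] for o in profile if o != host]
            mu, sd = mean(others), pstdev(others)
            if (value - mu) / (sd + 1e-9) > z_threshold:
                hits += 1
        if hits >= min_hours:
            flagged[host] = hits
    return flagged


if __name__ == "__main__":
    print(anomalous_hosts(fanout_profile(constructed_flows())))
```

The leave-one-out baseline matters: a single bot with a fan-out of 15 would otherwise drag the per-hour standard deviation up enough to hide itself, and the honest hosts are never flagged because the bot's own value inflates the baseline they are compared against.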

    Malware Propagation in Online Social Networks: Modeling, Analysis and Real-world Implementations

    The popularity and widespread usage of online social networks (OSNs) have attracted hackers and cyber criminals to use OSNs as an attack platform to spread malware. Over the last few years, Facebook users have experienced hundreds of malware attacks. A successful attack can lead to tens of millions of OSN accounts being compromised and computers being infected. Cyber criminals can mount massive denial-of-service attacks against Internet infrastructures or systems using compromised accounts and computers. Malware infecting a user's computer has the ability to steal login credentials and other confidential information stored on the computer, install ransomware and infect other computers on the same network. Therefore, it is important to understand the propagation dynamics of malware in OSNs in order to detect, contain and remove it as early as possible. The objective of this dissertation is thus to model and study the propagation dynamics of various types of malware in social networks such as Facebook, LinkedIn and Orkut. In particular:
- We propose analytical models that characterize the propagation dynamics of cross-site scripting and Trojan malware, the two major types of malware propagating in OSNs. Our models assume the topological characteristics of real-world social networks, namely low average shortest distance, power-law distribution of node degrees and high clustering coefficient. The proposed models were validated using a real-world social network graph.
- We present the design and implementation of a cellular botnet named SoCellBot that uses the OSN platform as a means to recruit and control cellular bots on smartphones. SoCellBot utilizes OSN messaging systems as communication channels between bots. We then present a simulation-based analysis of the botnet's strategies to maximize the number of infected victims within a short amount of time and, at the same time, minimize the risk of being detected.
- We describe and analyze emerging malware threats in OSNs, namely clickjacking, extension-based and Magnet malware. We discuss their implementations and working mechanics, and analyze their propagation dynamics via simulations.
- We evaluate the performance of several selective monitoring schemes used for malware detection in OSNs. With selective monitoring, we select a set of important users in the network and monitor their and their friends' activities and posts for malware threats. These schemes differ in how the set of important users is selected. We evaluate and compare the effectiveness of several selective monitoring schemes in terms of malware detection in OSNs.
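The last contribution above compares selective monitoring schemes that differ only in how the set of important users is chosen. The following is an added example, not code from the dissertation: it builds a constructed preferential-attachment graph as a stand-in for an OSN friendship graph, compares random selection against highest-degree selection, and measures both the fraction of users covered (selected users plus their friends) and how many propagation steps a worm that spreads over friendship edges survives before it first reaches a monitored user. The graph generator, its parameters, the two selection rules and the synchronous spread model are all assumptions for this illustration; the dissertation's own schemes and OSN data are not reproduced.

```python
# Added example (not the dissertation's code): coverage and detection delay
# of two selective monitoring schemes on a constructed friendship graph.
import random
from collections import deque


def constructed_graph(n=300, m=2, seed=7):
    """Preferential-attachment graph: a constructed stand-in for an OSN crawl
    with the power-law degree distribution the abstract assumes."""
    rng = random.Random(seed)
    adj = {v: set() for v in range(n)}
    for a in range(m + 1):                       # seed clique of m+1 users
        for b in range(a + 1, m + 1):
            adj[a].add(b)
            adj[b].add(a)
    urn = [v for v in range(m + 1) for _ in range(m)]   # one entry per edge end
    for v in range(m + 1, n):
        chosen = set()
        while len(chosen) < m:                   # m distinct friends, degree-biased
            chosen.add(rng.choice(urn))
        for u in chosen:
            adj[v].add(u)
            adj[u].add(v)
            urn.extend((u, v))
    return adj


def select_random(adj, k, seed=1):
    return random.Random(seed).sample(sorted(adj), k)


def select_by_degree(adj, k):
    return sorted(adj, key=lambda v: len(adj[v]), reverse=True)[:k]


def coverage(adj, selected):
    """Monitoring a user covers that user and all of its friends."""
    covered = set(selected)
    for v in selected:
        covered |= adj[v]
    return covered


def detection_time(adj, covered, seed_node):
    """Steps until a worm started at seed_node, which infects every friend of an
    infected user each step, first reaches a covered user (BFS distance)."""
    dist = {seed_node: 0}
    queue = deque([seed_node])
    while queue:
        v = queue.popleft()
        if v in covered:
            return dist[v]
        for u in adj[v]:
            if u not in dist:
                dist[u] = dist[v] + 1
                queue.append(u)
    return None                                  # unreachable from the monitored set


def mean_detection_time(adj, covered):
    times = [detection_time(adj, covered, s) for s in adj]
    return sum(times) / len(times)


def compare(k=5):
    """scheme -> (fraction of users covered, mean detection delay over all seeds)."""
    adj = constructed_graph()
    results = {}
    for name, selected in (("random", select_random(adj, k)),
                           ("degree", select_by_degree(adj, k))):
        covered = coverage(adj, selected)
        results[name] = (len(covered) / len(adj), mean_detection_time(adj, covered))
    return results


if __name__ == "__main__":
    for scheme, (cov, delay) in compare().items():
        print(f"{scheme:7s} coverage={cov:.2f} mean detection delay={delay:.2f} steps")
```

With the same monitoring budget of five users, the degree-based scheme covers several times as many accounts and catches an outbreak a step or more earlier on average, because in a power-law graph almost every user is within one or two hops of a hub; the price, which the example does not model, is that an attacker who can also see the degree distribution knows which accounts to avoid.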

    Three Essays on Individuals’ Vulnerability to Security Attacks in Online Social Networks: Factors and Behaviors

    With increasing reliance on the Internet, the use of online social networks (OSNs) for communication has grown rapidly. OSN platforms are used to share information and communicate with friends and family. However, these platforms can pose serious security threats to users. In spite of the extent of such security threats and the resulting damage, little is known about the factors associated with individuals' vulnerability to online security attacks. We address this gap in the following three essays. Essay 1 draws on a synthesis of epidemic theory from infectious disease epidemiology with social capital theory to conceptualize the factors that contribute to an individual's role in security threat propagation in OSNs. To test the model, we collected data and created a network of hacked individuals over three months from Twitter. The final hacked network consists of over 8000 individual users. Using this data set, we derived individual factors measuring threat propagation efficacy and threat vulnerability. The dependent variables were defined based on the concepts of epidemic theory in disease propagation. The independent variables are measured based on social capital theory. We use regression for data analysis. The results of this study uncover factors that have a significant impact on threat propagation efficacy and threat vulnerability. We discuss the novel theoretical and managerial contributions of this work. Essay 2 explores the role of individuals' interests in their threat vulnerability in OSNs. In OSNs, individuals follow social pages and post content that can easily reveal their topics of interest. Prior studies show that high exposure of individuals to topics of interest can decrease their ability to evaluate the risks associated with those interests. This gives attackers a chance to target people based on what they are interested in. However, interest-based vulnerability is not just a risk factor for individuals themselves.
Research has reported that similar interests lead to friendship and that individuals share similar interests with their friends. This similarity can increase trust among friends and make individuals more vulnerable to security threats coming from their friends' behaviors. Despite the potential importance of interests in the propagation of online security attacks, the literature on this topic is scarce. To address this gap, we capture individuals' interests in OSNs and identify the association between individuals' interests and their vulnerability to online security threats. The theoretical foundation of this work is a synthesis of dual-system theory and the theory of homophily. Communities of interest in the OSN were detected using a known algorithm. We test our model using the data set and social network of hacked individuals from Essay 1. We used this network to collect additional data about individuals' interests in the OSN. The results identify communities of interest that were associated with individuals' online threat vulnerability. Moreover, our findings reveal that similarity of interests between individuals and their friends plays a role in individuals' threat vulnerability in OSNs. We discuss the novel theoretical and empirical contributions of this work. Essay 3 examines the role addiction to OSNs plays in individuals' security perceptions and behaviors. Despite the prevalence of problematic use of OSNs and the possibility of addiction to these platforms, little is known about the functioning of the brain systems of users who suffer from OSN addiction and about their online security perceptions and behaviors. In addressing these gaps, we have developed the Online Addiction & Security Behaviors (OASB) theory by synthesizing dual-system theory and extended protection motivation theory (PMT). We collected data through an online survey. The results indicate that OSN addiction is rooted in the individual's brain systems.
For the OSN-addicted, there is a strong cognitive-emotional preoccupation with using OSNs. Our findings also reveal a positive and significant impact of OSN addiction on perceived susceptibility to and severity of online security threats. Moreover, our results show a negative association between OSN addiction and perceived self-efficacy. We discuss the theoretical and practical implications of this work.

    On-demand security and QoS optimization in mobile ad hoc networks

    Scope and Method of Study: Security often comes with overhead that will impact link Quality of Service (QoS) performance. In this dissertation, we propose an on-demand security and QoS optimization architecture for mobile ad hoc networks that automatically adapts the network security level to changes in network topology, traffic conditions, and link QoS requirements, so as to keep security and QoS at optimum conditions. In order to achieve the overall objective, we introduce three basic frameworks: a policy-based plug-in security framework, a multi-layer QoS-guided routing algorithm, and a Proportional Integral Derivative (PID) feedback control based security and QoS optimization framework. The research has been evaluated with the network simulator ns-2. Finally, we propose an attack tree and state machine based security evaluation mechanism for ad hoc networks: a new security measurement metric.
Findings and Conclusions: Simulations have been done for small and large network sizes, low and high communication ratios, as well as low and high mobility scenarios. The simulations show that the proposed on-demand security and QoS optimization architecture can produce similar performance to a non-secure QoS routing protocol under various traffic loads. It provides more secure ad hoc networks without compromising QoS performance, especially under light and medium traffic conditions.

    Models, services and security in modern online social networks

    Modern online social networks have revolutionized the world the same way the radio and the plane did, crossing geographical and time boundaries. This has not been without problems; more can be learned, they can still change our world, and their true worth is still a question for the future.