Chapter 10

The road ahead

Abstract

Several different frameworks and methodologies for modeling malware diffusion in wireless and, in general, complex communications networks were presented in the previous chapters. However, even though some of them model malware diffusion holistically and generically, employing radical mathematical tools for their purposes, several open problems regarding already explored facets of malware diffusion, and many unexplored aspects of the corresponding research area, remain to be addressed. Especially in light of the emergence of the Network Science perspective presented in the first chapter, several of the traditional malware diffusion problems can be approached in alternative forms. At the same time, as technology evolves, new problems of their own merit emerge, in various types of networks and application domains. This chapter covers these aspects, providing a brief overview of the most notable open problems and explaining how the presented techniques can be employed toward solving them. Additional directions for future research on more general problem areas of malware diffusion modeling and network security are provided, linking them with the methodologies presented in this book and explaining the potential for fruitful results.

Open problems; Future work; Applications; Malware modeling

10.1. Introduction

The malware modeling approaches presented in this book, legacy and state-of-the-art, cover a very broad spectrum of mathematical tools and applications. The frameworks presented in Part 2 describe malware diffusion dynamics accurately and holistically, both for SIS and SIRD infection models. Furthermore, one can capitalize on their analytic power and study more sophisticated aspects of malware diffusion, such as analysis of attack strategies, network robustness, and design of smart countermeasures.
The most important contribution of all the approaches presented in the previous parts of the book is that, through the established results, they have paved the way for more advanced analysis of malware diffusion processes, stimulating multi- and cross-disciplinary research. This in turn has opened up new directions for research and practical considerations, as well as for reconsidering several traditional problems from new perspectives. All these new problems present significant interest for both the academic and industrial communities.
At the same time, various open problems, of greater or lesser importance, remain regarding aspects of malware diffusion that have already been examined. Even the presented state-of-the-art approaches cannot tackle the whole spectrum of emerging problems. Several mathematical limitations mean that state-of-the-art methodologies can offer only piecemeal solutions, making the choice of the most suitable approach for each network and application scenario an important one.
In this chapter, we focus on these aspects of malware diffusion research. We initially present some of the currently open minor or major problems for each state-of-the-art approach presented. Then we summarize some more general open problems of interest and suggestions on which approach would be more applicable or promising for tackling them in the future.

10.2. Open Problems for Queuing-based Approaches

The proposed framework presented in Chapter 4, exploiting concepts of queuing theory, was demonstrated for wireless multihop networks (RGGs). Additionally, results were provided for static and dynamic networks, where for the case of networks with churn, the results involved other types of complex networks as well. However, a significant number of minor and major problems remain open. In this section, we review the most noteworthy of these problems, accompanied by a brief outline of the steps one might initially take in order to tackle them, or at least to attempt a first approach.
Analytic solutions for nondynamic complex networks. For the case of fixed (nondynamic) networks, the framework was demonstrated analytically for malware-propagative and malware-spreading random geometric (multihop) topologies. Similar results can be obtained for other complex networks, e.g. regular and scale-free. Obtaining analytic solutions for these topologies depends on the availability of closed-form expressions for the degree distribution of each network. Within Network Science some of these expressions are available, e.g. for regular and scale-free networks, but for others, especially small-world, the characterization is based on rule-of-thumb definitions. Thus, for networks whose connectivity has an available analytic expression, the methodology of Chapter 4 can be employed. On a per-network-type basis, the involved algebra might be cumbersome, but it seems viable to obtain at least sufficient analytic approximations in closed form, depending on the special features of each topology.
Analytic solutions for complex networks with churn. Malware diffusion models for dynamic networks with churn were explained in Chapter 4, and the results provided were obtained via simulations. An interesting extension would be to obtain analytic solutions for those types of complex networks, similarly to the nondynamic networks. The methodology will be similar, although, due to the closed three-queue network model (Fig. 4.22a), an intermediate step is required to reduce the three-queue network to a two-queue Norton network before proceeding with its analysis as demonstrated in Chapter 4.
Malware-propagative networks with churn. An equally interesting, and seemingly fairly straightforward, direction to extend the model presented for networks with churn is the malware propagation case. In Chapter 4, only the case of malware spreading was considered. Following the same lines as for malware-propagative nondynamic networks, similar results for malware-propagative networks with churn can be obtained.
Taking into account energy constraints. In Chapter 4, the models presented for nondynamic networks do not take energy considerations into account. Incorporating such constraints directly into the model is a very challenging task. The main complication arises from nodes depleting their energy reserves and being removed from the network, which affects the ergodicity of the system. An alternative way to tackle this has been presented in the second half of Chapter 4, in Section 4.4. There, modifying the churn processes appropriately to describe the effect of energy depletion (node removal) and the addition of newly recharged nodes makes it possible to use the methodology of Section 4.4 to solve for the steady state of the system. It also makes it possible to obtain solutions for specific types of networks and their parameters, e.g. multihop or mobile, which has not been achieved so far.
Heterogeneous infection/recovery rates. In all of the models in Chapter 4, uniform infection/recovery rates were considered, i.e. $\lambda_m = \lambda$ and $\mu_k = \mu$ for all links $m$ and all nodes $k$. Considering heterogeneous values is a conceptually straightforward but technically complicated task, with considerable practical merit nevertheless, since in real scenarios such rates are expected to be heterogeneous. The resulting analytic expressions are expected to be much more complicated.
Impact of mobility. Currently, no mobility considerations have been taken into account, for the same reasons as with energy constraints. A possible way to tackle this is, as with energy, via the model developed for dynamic networks with churn, where a node may be considered as disappearing from its original position and reappearing at the final position predicted by the mobility model. However, this is a rather complicated approach. Searching for a seamless technique to address mobility within the queuing framework is currently an important open problem.
Comparison with traditional epidemics. Comparing the results of the approaches in Chapter 4 with traditional epidemics problems presented in Chapter 3 will be a valuable task, revealing the degree to which generic malware assessing techniques based on queuing systems can accommodate the more specific epidemics-based results.

10.3. Open Problems for MRF-based Approaches

The framework presented in Chapter 5 exploited elements of the theory of MRFs and was applied to various types of complex networks: random, random geometric, scale-free, and small-world. However, for random, scale-free, and small-world networks no explicit solutions with respect to topological parameters were provided. In this section, we review noteworthy open problems, accompanied by a brief outline of the steps one might take to tackle them.
Analytic solutions for complex networks. As already mentioned, the results presented in Chapter 5 for complex networks were not detailed explicitly for all networks. Taking Eq. (5.28) one step further, to express it in terms of the topological parameters of each type of complex network, is a very important and challenging extension of the framework that will enable many more results to be obtained.
The case of dynamic complex networks. Furthermore, all MRF-based models presented in Chapter 5 assumed a fixed topology. Considering the case of dynamic networks with churn is of critical importance for the practical realization of such a framework. With respect to churn type, edge churn seems to be straightforward, since only the definition of neighborhoods will change, and the results are not expected to be drastically modified. However, incorporating node churn is a very challenging task, since addition/deletion of nodes affects the convergence of the Gibbs sampler employed; the outcome would nevertheless be very important if successful.
Taking into account energy constraints and mobility. As in Chapter 4, incorporating energy constraints and mobility in the presented MRF-based model is a very challenging task with many practical applications and interest. It is also related to the churn consideration problem explained above, and considering these directions jointly seems a viable possibility.
Multiple infection model states. In Chapter 5, only two states were considered, modeling SIS malware dynamics. However, extension to multiple states, modeling other malware types, such as SIR and SIRD, is straightforward, by simply adding more values to the phase space.
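The heterogeneous-rate setting of Section 10.2 (a distinct $\lambda_m$ per link and $\mu_k$ per node) and the multi-state extension just described can both be seen in a single stochastic simulation. The following Python block is an added example, not code from the book or its authors: it builds a random geometric graph, draws constructed per-link and per-node rates, and runs a Gillespie simulation in which SIS, SIR and SIRD differ only in where a recovery or death event sends a node. All function names, parameter values and the jitter scheme used for the rates are assumptions made for this illustration.

```python
# Added illustration (not the book's code): continuous-time SIS / SIR / SIRD
# malware diffusion on a random geometric graph (RGG), with a distinct
# infection rate lambda_m per link m and a distinct recovery rate mu_k per
# node k, simulated with the Gillespie (stochastic simulation) algorithm.
# SIS, SIR and SIRD differ only in where a recovery/death event sends a node.
# All parameter values below are constructed for the example.
import math
import random


def random_geometric_graph(n, radius, rng):
    """Place n nodes uniformly in the unit square; link pairs within `radius`."""
    pos = [(rng.random(), rng.random()) for _ in range(n)]
    adj = {i: set() for i in range(n)}
    for i in range(n):
        for j in range(i + 1, n):
            if math.dist(pos[i], pos[j]) <= radius:
                adj[i].add(j)
                adj[j].add(i)
    return adj


def heterogeneous_rates(adj, base_lambda, base_mu, rng, spread=0.5):
    """Per-link lambda_m and per-node mu_k drawn around base values
    (assumed scheme: uniform multiplicative jitter of +/- spread)."""
    lam = {}
    for i in adj:
        for j in adj[i]:
            lam[frozenset((i, j))] = base_lambda * rng.uniform(1 - spread, 1 + spread)
    mu = {k: base_mu * rng.uniform(1 - spread, 1 + spread) for k in adj}
    return lam, mu


def counts(state):
    """Number of nodes in each of the four compartments."""
    return {s: sum(1 for v in state.values() if v == s) for s in "SIRD"}


def simulate(adj, model, lam, mu, seed_nodes, rng=None, delta=None, t_max=50.0):
    """Gillespie simulation. model in {"SIS", "SIR", "SIRD"}; delta maps node ->
    death rate (SIRD only). Returns (final state dict, [(t, counts), ...])."""
    assert model in ("SIS", "SIR", "SIRD")
    rng = rng or random.Random(0)
    state = {v: "S" for v in adj}
    for v in seed_nodes:
        state[v] = "I"
    t, trace = 0.0, [(0.0, counts(state))]
    while True:
        # Enumerate every event that can fire from the current configuration.
        events = []  # (rate, kind, node)
        for v in adj:
            if state[v] != "I":
                continue
            if mu[v] > 0:
                events.append((mu[v], "recover", v))
            if model == "SIRD" and delta[v] > 0:
                events.append((delta[v], "die", v))
            for u in adj[v]:
                rate = lam[frozenset((u, v))]
                if state[u] == "S" and rate > 0:
                    events.append((rate, "infect", u))
        total = sum(r for r, _, _ in events)
        if total == 0.0:
            break  # absorbing configuration: nothing can change any more
        t += rng.expovariate(total)
        if t > t_max:
            break
        # Pick one event with probability proportional to its rate.
        r = rng.random() * total
        acc = 0.0
        for rate, kind, v in events:
            acc += rate
            if r < acc:
                break
        if kind == "infect":
            state[v] = "I"
        elif kind == "recover":
            state[v] = "S" if model == "SIS" else "R"
        else:
            state[v] = "D"
        trace.append((t, counts(state)))
    return state, trace


if __name__ == "__main__":
    rng = random.Random(7)
    adj = random_geometric_graph(60, 0.2, rng)
    lam, mu = heterogeneous_rates(adj, base_lambda=0.8, base_mu=0.3, rng=rng)
    delta = {k: 0.05 for k in adj}  # constructed death rate for SIRD
    for model in ("SIS", "SIR", "SIRD"):
        final, trace = simulate(adj, model, lam, mu, [0], rng=rng, delta=delta)
        print(model, "events:", len(trace) - 1, "final:", counts(final))
```

Running the script prints, for each model, the number of events and the final S/I/R/D counts. Passing a very large `t_max` lets the process run to an absorbing configuration, which for SIS with zero recovery is full infection of the connected component containing the seed; extending the `state` alphabet and the event list is all that is needed for further compartments.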
Parallel/hybrid implementations of the Gibbs sampler. Chapter 5 presented results for the case of a sequential Gibbs sampler combined with simulated annealing. Developing parallel and hybrid samplers and studying their convergence behavior compared to the sequential one would be a valuable extension, with considerable interest for the practical adoption of the framework.
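To make the sequential/parallel distinction concrete, the following Python block is an added example rather than code from the book or its authors. It defines a two-state MRF over a network with an assumed toy energy, the corresponding Gibbs conditional, and an annealing loop that can update nodes one at a time (sequential) or all at once from the previous sweep (synchronous, the simplest parallel scheme). The potentials, the cooling schedule and all names are assumptions for the illustration.

```python
# Added illustration (not the book's code): a two-state (S = 0, I = 1) Markov
# random field over a network, minimised by Gibbs sampling with simulated
# annealing. The potentials are an assumed toy choice:
#   U(x) = sum_i h_i * x_i  -  J * sum_{(i,j) in E} x_i * x_j
# where h_i > 0 penalises node i being infected (recovery pressure) and J > 0
# rewards pairs of infected neighbours (infection pressure). The sampler runs
# sequentially (one node at a time, using freshly updated neighbours) or
# synchronously (all nodes updated from the previous sweep).
import math
import random


def energy(adj, x, h, J):
    """Total energy U(x) of configuration x under the assumed potentials."""
    u = sum(h[i] * x[i] for i in adj)
    for i in adj:
        for j in adj[i]:
            if i < j:  # count each undirected edge once
                u -= J * x[i] * x[j]
    return u


def p_infected(adj, x, i, h, J, T):
    """Gibbs conditional P(x_i = 1 | neighbours) at temperature T.
    Written in two branches so exp() never overflows at low T."""
    z = (J * sum(x[j] for j in adj[i]) - h[i]) / T
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    e = math.exp(z)
    return e / (1.0 + e)


def anneal(adj, h, J, sweeps=200, T0=2.0, alpha=0.97, parallel=False, rng=None):
    """Run `sweeps` Gibbs sweeps with geometric cooling T <- alpha * T.
    Returns (final configuration, list of energies after each sweep)."""
    rng = rng or random.Random(0)
    nodes = sorted(adj)
    x = {i: rng.randrange(2) for i in nodes}
    T = T0
    trace = [energy(adj, x, h, J)]
    for _ in range(sweeps):
        if parallel:
            # Synchronous: every conditional is evaluated on the old sweep.
            probs = {i: p_infected(adj, x, i, h, J, T) for i in nodes}
            x = {i: int(rng.random() < probs[i]) for i in nodes}
        else:
            # Sequential: each node sees the neighbours already updated.
            for i in nodes:
                x[i] = int(rng.random() < p_infected(adj, x, i, h, J, T))
        trace.append(energy(adj, x, h, J))
        T *= alpha
    return x, trace


def ring(n):
    """Ring topology (constructed test network): node i links to i-1 and i+1."""
    return {i: {(i - 1) % n, (i + 1) % n} for i in range(n)}


if __name__ == "__main__":
    adj = ring(20)
    h = {i: 1.0 for i in adj}  # constructed: uniform recovery pressure
    for parallel in (False, True):
        x, trace = anneal(adj, h, J=1.5, parallel=parallel)
        print("parallel" if parallel else "sequential",
              "final energy", trace[-1], "infected", sum(x.values()))
```

On a bipartite topology such as an even ring, synchronous updates at low temperature can alternate between two complementary configurations instead of settling, because each node's update only sees neighbours from the previous sweep; the energy trace returned by `anneal` makes such oscillation visible and is the kind of diagnostic a convergence comparison between samplers would start from.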
Attack strategy study. Chapter 5 was devoted to the introduction and analysis of the MRF framework for modeling malware diffusion. However, this could be extended to study more intelligent attack strategies, e.g. topology-control based, and the long-term robustness of the network. This will be possible especially if analytic expressions with respect to each network’s topology are obtained, as explained in the first item above. Thus, these two extension directions can be jointly attained.

10.4. Optimal Control and Dynamic Game Frameworks

Relaxing the technical assumptions. In the model presented in Chapters 6 and 7, we formally showed that optimal controls have a simple bang-bang structure with one or two jumps, which makes them convenient for computation and implementation purposes. However, we obtained these structures under some technical assumptions on the system dynamics and the cost functions. It will be interesting to investigate how far these assumptions can be relaxed. Moreover, even if these simple structures do not hold in general in the absence of these technical assumptions, it is useful to investigate the performance of such threshold-based strategies in those cases, to quantify the loss in optimality when they are adopted in practice.
Sensitivity to parameter estimation. One of the assumptions in the optimal control problem is that the system is “identified” sufficiently accurately. For instance, the worm has a good estimate of the patching rate of the network and of the contact rate of the nodes. Accurate measurement of these parameters is not easy in practice; hence, sensitivity analysis of the optimal controls and saddle-point strategies to erroneous parameter estimates is another area of interest for future research. Modern techniques such as $H_\infty$ control will be useful in this regard, to guarantee a level of performance in the face of such measurement uncertainties.
Stochastic and nonhomogeneous systems. Dynamic spreading models that take into account the underlying topological and spatial properties of the network have been developed, but it has largely not been investigated how either the defender or the attacker on a network can take advantage of this spatiotemporal information. Specifically, developing defense mechanisms that are both stochastically and strategically robust and make optimal use of local, albeit noisy, state information is an important subject of future research. Moving from the open-loop setting to other information structures in the differential game models of malware epidemics is another untouched area of research.
Exploiting cross-layer controls. Another interesting direction of research is incorporating more detailed characteristics of the underlying network. Specifically, knowledge of specific states and of the controls available at multiple layers of the network can be exploited by either the defender or the attacker to their advantage, especially in dense and/or high-traffic networks. Such knowledge can be at the physical/MAC layer, such as the channel state, modulation and scheduling, or at the network layer, such as routing and retransmission. For instance, a worm may avoid aggressive media access during its spreading period, in order not to “self-throttle” its propagation, only to then initiate a more effective jamming attack once a considerable number of nodes are compromised.
Mixture of attacks. Considering dynamic defense and attack scenarios where different kinds of malware seek to infect the nodes simultaneously, and where patching against one kind of malware does not provide immunity against the others, constitutes another interesting problem.
Selfish defense. Another promising line of research is designing optimal control and dynamic game strategies in the presence of the selfish response of the individual nodes. Specifically, nodes may not be oblivious to the state of their neighbors, and for instance, they may obtain potentially inaccurate estimates of the aggregate infection and recovery levels in their neighborhood by monitoring the media scanning activities, or through a globally announced message. The nodes then may selfishly choose their reaction potentially with bounded rationality. Both defender and attacker may be able to strategically affect and direct these reactions.
IoT and cloud computing. The models developed for communication networks can be generalized to capture emerging applications such as the Internet of Things and Cloud Computing, where, for instance in the latter, a large computational task is to be disseminated across many virtual machines and/or CPUs.

10.5. Open Problems for Applications of Malware Diffusion Modeling Frameworks

In Chapter 9, some applications of the presented malware modeling methodologies were presented, most notably for network robustness analysis and IDD. Directions for further extensions are summarized in the following nonexhaustive list.
Information spreading control and exploitation. The proposed methodology for modeling IDD can be further exploited to define more complex and application-oriented problems that arise in information diffusion processes in arbitrary complex networks. For instance, it could be used to optimize the spreading of useful information and to design more robust networks capable of sustaining large-scale attacks of malicious spreading information. Depending on the context of each application, more effective dissemination campaigns can be designed and more robust infrastructures can be developed.
MRFs for IDD. The MRF-based framework is also suitable for modeling IDD. Thus, applying this framework in place of the queuing-based one also allows for more general considerations of IDD. The corresponding extension requires identifying suitable potential functions and studying/showing the convergence of the corresponding MRF. Also, extending the MRF phase space can aid in studying more complex types of IDD.
Optimal control of spreading models for networks with churn. Obtaining optimal controls for malware nonpropagative and propagative networks both from the attackers’ and network’s perspectives can be a challenging but fruitful exercise, with considerable practical merit. If different objective functions are employed, different settings and network operations can be modeled and studied.
Channel effects on IDD. In all IDD study models contained in this book, no channel effects [214] have been considered. However, in practical scenarios, this could have an impact on the outcome of malware. Incorporating such considerations in the presented models is a challenging task, where prior experience from communications can be exploited.
New types of information models. As technology evolves, new types of information and information dissemination means emerge. Modeling these new instances of information dissemination with the existing models, even state-of-the-art, can be a challenging task with considerable research interest.

10.6. General Directions for Future Work

In this section, we focus on problems of broader interest. We briefly outline some of these more general considerations for possible future research directions in the broader field of malware diffusion modeling, as well as the role that the approaches presented in this book might have in addressing them.
Inhomogeneous mixing of populations. In all the presented models, an explicit assumption was that the involved populations mix homogeneously. This is especially the case for epidemics-based models, but also for the others. Exploring the case of inhomogeneous mixing is a very important research topic, as it will allow a direct comparison with previous results and reveal how realistic the homogeneous mixing assumption actually is. Such an attempt requires radical, and potentially out-of-the-box, thinking.
How mobility affects malware diffusion. As already explained, mobility has not been considered explicitly in the presented models and only implicit ways to deal with it have been identified. However, developing solid methodologies addressing its impact on malware diffusion and for various types of wireless complex networks is a very important aspect with significant practical merit.
Generalized infection models. Section 3.4 explained a more general epidemics model with generic states. Extending this model to an arbitrary number of states would allow capturing even more generic and complex malware in the future. This seems fairly viable for the queuing and MRF-based frameworks, especially the second, where extension of the phase space is straightforward.
Co-evolving malware. The queuing and MRF-based approaches assume SIS malware, where potentially multiple attacks diffuse, paying attention only to whether an infection happened and not to its type. Extending these models, in addition to the other two, to take into account multiple co-evolving attacks is a challenging effort with great research and industrial interest. Among other things, this means studying hybrid propagative-spreading networks, where some nodes propagate malware while others do not.
Bulk infections. An integral assumption of all approaches was that a single event takes place at a time, namely, that in an infinitesimal interval no concurrent infections occur. A more pragmatic consideration would allow bulk infections and recoveries, and this again requires radical thinking in terms of the mathematical tools employed.
Adaptive epidemics. Until now, few works have addressed the possibility of feedback in malware dynamics. The optimal control and game-theoretic frameworks, as well as the optimal attack strategies application, have done so. However, more complex epidemics are needed, where, e.g., network links are adapted reactively or proactively based on malware strategies. Research in this direction is still immature, but the outcomes are expected to be rather fascinating.
Cloud and IoT systems security. Cloud systems have proliferated vastly over the past five years, and more users trust them for their daily operations, e.g. storage, computing, and web services. However, they are essentially complex cyber-physical systems [153,157], namely, multitier topologies where each layer has a different type of topology, and as such they can also suffer from various types of malware attacks. Until now, not many works have addressed the corresponding topics from a theoretical perspective. Thus, developing mathematical frameworks for studying malware diffusion in cyber-physical systems in general and cloud systems in particular seems a fruitful path, and similarly for IoT systems, which also exhibit various degrees of topological complexity and whose market penetration and anticipated proliferation call for more research. The presented frameworks can have many applications in various problems emerging in the cloud and IoT worlds and can potentially simplify the solutions obtained. The cloud-IoT world is expected to be one of the prominent fields of application of the state-of-the-art methodologies presented in this book.
Centrality considerations. In Network Science, the notion of centrality has been identified as very important for discovering key nodes that control various operations. For this reason, multiple and diverse definitions of centrality exist. This feature can be exploited in the presented frameworks for identifying important nodes that govern malware diffusion dynamics. Centrality features can be used in the analysis of malware diffusion from both attack and defense perspectives: they can be used to correlate nodes with propagation dynamics, and the results can then be exploited to improve attacks or countermeasures in any of the frameworks presented.
Malware-dependent recovery. The above point motivates the need for studying malware-dependent recoveries. In many cases of malware, the recovery depends on the specific type of malware, in the sense that a more sophisticated and harmful malware is expected to take more time to dispose of on average. Under this regime, the overall system of recoveries loses the memoryless property assumed in Chapter 4, and more general queues eventually have to be analyzed in order to obtain the results already provided. This could be very tough and involve rather advanced elements from the theory of queues and stochastic processes, but it would yield useful results nevertheless.
Big data and malware. The field of big data analytics has exploded in the last decade, with numerous and diverse applications. Analytics is about identifying correct patterns within vast amounts of data. Security concerns have been raised since the conception of this field, and various types of malware are expected to emerge in the future. The proposed approaches can be applied to various aspects of big data analytics where information diffusion is involved, and can aid in the more efficient and accurate operation of the corresponding systems. Looking for applications of the malware modeling frameworks in the big data world is expected to be a fruitful endeavor.