Optimising Networks against Malware

Prof. José M. Fernandez (École Polytechnique de Montréal)


ABSTRACT

Two years ago we presented here at Carleton University some seminal work on "Optimising Malware" whose objective was to provoke discussion and suggest a more comprehensive framework for reasoning about, and describing results on, malware performance and counter-measure performance. In particular, we postulated that statements about performance in this context need to be much more precise in specifying the particular performance criteria selected (amongst the many possible), the design and deployment characteristics of the malware and of the counter-measures, and finally the environmental conditions under which both will operate. Only when all of these variables are thus specified is it possible to formulate sound questions about relative performance ("better") and even optimisation ("best") of malware or counter-measures. In the ensuing discussion during that talk, one illustrious attendee suggested that since the "good guys" (mostly) control the operating environment, what could or should be optimised for worst malware performance are the operating parameters of the network itself (topology, protocols, configuration, etc.), rather than the counter-measures.

In this presentation, we will present follow-up research exploring precisely this idea. In particular, we study how changes in network connectivity affect the propagation-speed criterion of malware performance. The obvious intuition is that a less interconnected network provides fewer opportunities for malware propagation and so reduces the rate of infection. On the one hand, we will present theoretical results obtained using Markov chain models. On the other, we will present the experimental work we did by running a malware emulation experiment on a virtual network. Not surprisingly, both the modelling and the emulation results confirm the above-stated intuition for the (limited) network types and parameters explored. While the practical applicability of these results is probably quite limited, we will discuss the lessons learned on how the modelling techniques and experimental methodology used could be applied (or not) to more complex, real-world security performance questions.

(This is joint work with Pierre-Marc Bureau, now at ESET LLC, a San Diego-based anti-virus company.)
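The abstract's central claim, that lower connectivity slows propagation, can be made concrete with a small model. The following is an added illustration, not the Markov chain model or the emulation set-up from the talk: it treats the number of infected hosts as the state of a mean-field continuous-time Markov chain with average degree d and per-link infection rate beta (both constructed parameters), derives the expected time to saturation from the chain's holding times, and checks the ordering the chain predicts against a discrete-time susceptible-infected simulation on an explicit Erdős–Rényi random graph. The graph sizes, edge probabilities and infection rates are all constructed values chosen only to make the comparison visible.

```python
"""Constructed toy model: malware propagation speed versus network connectivity.

Added illustration, not the talk's model. Two views of the same question:

1. A mean-field continuous-time Markov chain whose state is the number of
   infected hosts k. From k the chain moves to k+1 at rate
   k * d * beta * (N - k) / (N - 1), where d is the average degree and beta
   the per-link infection rate. The expected time to reach state N is the sum
   of the expected holding times 1 / rate_k.
2. A discrete-time susceptible-infected (SI) simulation on an explicit
   Erdos-Renyi random graph, so the mean-field ordering can be checked against
   a topology with real edges.
"""
import math
import random
from typing import Dict, Optional, Set


def expected_time_to_saturation(n_hosts: int, avg_degree: float, beta: float) -> float:
    """Mean-field CTMC: expected time from one infected host to all N infected.

    Every holding time is proportional to 1 / avg_degree, so halving the
    connectivity doubles the expected time to saturation.
    """
    total = 0.0
    for k in range(1, n_hosts):
        rate = k * avg_degree * beta * (n_hosts - k) / (n_hosts - 1)
        total += 1.0 / rate
    return total


def random_graph(n_hosts: int, edge_prob: float, rng: random.Random) -> Dict[int, Set[int]]:
    """Erdos-Renyi G(n, p): each host pair is linked independently with probability p."""
    adj: Dict[int, Set[int]] = {h: set() for h in range(n_hosts)}
    for i in range(n_hosts):
        for j in range(i + 1, n_hosts):
            if rng.random() < edge_prob:
                adj[i].add(j)
                adj[j].add(i)
    return adj


def simulate_spread(adj: Dict[int, Set[int]], beta: float, target_fraction: float,
                    rng: Optional[random.Random] = None, max_steps: int = 10_000) -> Optional[int]:
    """Discrete-time SI process: each infected host tries every susceptible
    neighbour once per step, succeeding with probability beta.

    Returns the number of steps until target_fraction of hosts is infected, or
    None if the infection is confined to a component too small to reach it.
    """
    rng = rng or random.Random(0)
    target = math.ceil(target_fraction * len(adj))
    # Seed at the best-connected host (constructed choice, so sparse runs are
    # not dominated by an isolated patient zero).
    start = max(adj, key=lambda h: len(adj[h]))
    infected = {start}
    for step in range(max_steps):
        if len(infected) >= target:
            return step
        new = {nb for h in infected for nb in adj[h]
               if nb not in infected and rng.random() < beta}
        if not new and not any(nb not in infected for h in infected for nb in adj[h]):
            return None  # no susceptible neighbour is reachable any more
        infected |= new
    return max_steps if len(infected) >= target else None


def compare_connectivity(n_hosts: int = 60, sparse_p: float = 0.1, dense_p: float = 0.4,
                         beta: float = 0.2, target_fraction: float = 0.5,
                         trials: int = 30, seed: int = 7) -> Dict[str, float]:
    """Mean simulated steps to infect target_fraction of hosts on sparse versus
    dense graphs, plus the mean-field time to full saturation for each average
    degree (a different quantity, so compare the ordering, not the values)."""
    rng = random.Random(seed)
    out: Dict[str, float] = {}
    for label, p in (("sparse", sparse_p), ("dense", dense_p)):
        times = [t for t in (simulate_spread(random_graph(n_hosts, p, rng), beta, target_fraction, rng)
                             for _ in range(trials)) if t is not None]
        out[label] = sum(times) / len(times)
        out[label + "_meanfield"] = expected_time_to_saturation(n_hosts, p * (n_hosts - 1), beta)
    return out


if __name__ == "__main__":
    for name, value in compare_connectivity().items():
        print(f"{name:18s} {value:8.2f}")
```

The mean-field sum makes the abstract's intuition quantitative within this toy: the expected time to saturation scales as 1/d, so cutting average connectivity in half doubles it. The simulation on explicit graphs preserves the same ordering, and also exposes the caveat the closed form hides, that a very sparse topology can leave the infection stranded in a small component, which the simulation reports as None rather than as a finite time.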

BIOGRAPHY

Dr. Fernandez has been an assistant professor in the Department of Computer Engineering at the École Polytechnique de Montréal since 2004. His main areas of research are computer network security and Web application security. He teaches the introductory 4th-year computer-security class, which is now mandatory for all students in the computer and software engineering programmes at Polytechnique. He has several years of professional experience as an information security practitioner in both industry and government. He is a member of the board of the Association de la sécurité de l'information du Montréal Métropolitain (ASIMM), a not-for-profit organisation of more than 250 IS security professionals in the Montreal region, where he is responsible for conferences and professional development events. He is also an engineer and member of the Ordre des ingénieurs du Québec. He holds two Bachelor's degrees, in Mathematics and in Computer Engineering, from MIT, a Master's in Cryptology from the University of Toronto and a Ph.D. in Quantum Computing from the Université de Montréal.