ABSTRACT
Two years ago we presented here at Carleton University some seminal work on
"Optimising Malware" whose objective was to provoke discussion and suggest a
more comprehensive framework for reasoning about and describing results on malware
performance and counter-measure performance. In particular, we postulated that
statements about performance in this context need to be much more precise in
specifying the performance criteria selected (among the many
possible), the design and deployment characteristics of malware and
counter-measures, and finally the environmental conditions under which they
will both operate. Only when all of these variables are specified is it
possible to formulate sound questions about relative performance ("better") and
even optimisation ("best") of malware or counter-measures. In the ensuing
discussion during that talk, it was suggested by one illustrious attendee that
since the "good guys" (mostly) control the operating environment, what could or
should be optimised for worst malware performance are the operating parameters
of the network itself (topology, protocols, configuration, etc.), rather than
the counter-measures.
In this presentation, we will present follow-up research exploring precisely
this idea. In particular, we study how changes in network connectivity
affect the propagation speed criterion of malware performance. The obvious
intuition is that a less interconnected network provides fewer
opportunities for malware propagation and therefore reduces the rate of infection. On the
one hand, we will present theoretical results obtained using Markov
chain models. On the other, we will present the experimental work we did by
running a malware emulation experiment on a virtual network. Not surprisingly,
both the modelling and the emulation results confirm the above-stated intuition for
the (limited) network types and parameters explored. While the practical
applicability of these results is probably quite limited, we will discuss the
lessons learned on how the modelling techniques and experimental methodology
used could be applied (or not) to more complex and real-world security
performance questions.
(This is joint work with Pierre-Marc Bureau, now at ESET LLC, a San
Diego-based anti-virus company.)
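The connectivity intuition above can be made concrete with a small exact Markov chain. The following is an added illustration, not the model from the talk: it assumes a discrete-time susceptible-infected (SI) chain on an 8-host network in which each infected host infects each susceptible neighbour independently with probability `beta` per step, and compares the expected number of infected hosts on a ring (two neighbours per host) against a complete graph (seven neighbours per host).

```python
from itertools import product
from typing import Dict, List

Graph = Dict[int, List[int]]  # node -> list of neighbours (undirected)

def ring(n: int) -> Graph:
    """Sparse topology: every node has exactly two neighbours."""
    return {i: [(i - 1) % n, (i + 1) % n] for i in range(n)}

def complete(n: int) -> Graph:
    """Dense topology: every node is connected to every other node."""
    return {i: [j for j in range(n) if j != i] for i in range(n)}

def step(dist: Dict[int, float], graph: Graph, beta: float) -> Dict[int, float]:
    """One transition of the SI Markov chain (assumed model, not the talk's).
    States are bitmasks of infected nodes; a susceptible node with k infected
    neighbours becomes infected with probability 1 - (1 - beta)**k."""
    n = len(graph)
    new: Dict[int, float] = {}
    for state, p in dist.items():
        susceptible = [j for j in range(n) if not state >> j & 1]
        probs = [1 - (1 - beta) ** sum(1 for nb in graph[j] if state >> nb & 1)
                 for j in susceptible]
        # enumerate every subset of susceptible nodes that could turn infected
        for outcome in product((0, 1), repeat=len(susceptible)):
            q, nxt = p, state
            for j, pj, bit in zip(susceptible, probs, outcome):
                q *= pj if bit else 1 - pj
                if bit:
                    nxt |= 1 << j
            if q > 0:
                new[nxt] = new.get(nxt, 0.0) + q
    return new

def expected_infected(graph: Graph, beta: float, steps: int, seed: int = 0) -> List[float]:
    """Expected number of infected hosts after each step, from a single seed host."""
    dist = {1 << seed: 1.0}
    out: List[float] = []
    for _ in range(steps):
        dist = step(dist, graph, beta)
        out.append(sum(p * bin(s).count("1") for s, p in dist.items()))
    return out

if __name__ == "__main__":
    for name, g in (("ring", ring(8)), ("complete", complete(8))):
        print(name, [round(x, 3) for x in expected_infected(g, 0.3, 5)])
```

The state space is 2^n, so this exact computation only scales to toy networks; larger topologies need the kind of emulation described in the abstract.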
BIOGRAPHY
Dr. Fernandez has been an assistant professor in the Department of Computer
Engineering at the École Polytechnique de Montréal since 2004.
His main areas of research are computer network security and Web application
security. He teaches the introductory 4th-year computer-security class, which
is now mandatory for all students in the computer and software engineering
programmes at Polytechnique. He has several years of professional experience
as a practitioner of Information Security in both industry and government. He
is a member of the board of the Association de la sécurité de
l'information du Montréal Métropolitain (ASIMM), a not-for-profit
organisation of more than 250 IS security professionals in the Montreal region,
where he is responsible for conferences and professional development events.
He is also an Engineer and member of the Ordre des ingénieurs du
Québec. He holds two Bachelor's degrees, in Mathematics and Computer
Engineering, from MIT, a Master's in Cryptology from the University of Toronto
and a Ph.D. in Quantum Computing from the Université de Montréal.