Optimising Networks Against Malware

P. Bureau, José M. Fernandez
2007 IEEE International Performance, Computing, and Communications Conference
Publication date: 2007-04-11
DOI: https://doi.org/10.1109/PCCC.2007.358935
Citations: 3

Abstract

Rapidly-spreading malicious software is an important threat on today's computer networks. Most solutions that have been proposed to counter this threat are based on our ability to quickly detect the malware-generated traffic or the malware instances themselves, something that in many cases can be beyond our ability. Nonetheless, it seems intuitive that certain defensive postures adopted in configuring networks or machines can have a positive impact on countering malware, regardless of our ability to detect it. It is thus important to quantitatively understand how changes in design and deployment strategies can affect malware performance; only then does it become possible to make optimal decisions. To that purpose, we study in this paper the impact of network interconnection topologies on the propagation of malware. We first use a theoretical model based on Markov processes to try to predict the progression of an infection under varying interconnection scenarios. We then compare these predictions with experimental results obtained by launching a malware emulation agent on three differently configured networks. Both theoretical and experimental results provide quantitative confirmation of the intuition that networks with higher degrees of interconnection allow faster spread of malware. In addition to this, we believe that the models, experimental methodology and tools described here can be safely and fruitfully used to study other aspects of malware performance, and hence of the relative effectiveness of defensive counter-measures.