Principal Investigator: Pothamsetty, V.
Project Description: Analysis and modeling of the collateral damage on network devices caused by malware attacks
Project Details: Over the past few years, we have consistently observed worms affecting the normal behavior of network devices and protocols. We have also observed network product makers consistently being caught off-guard; the routine has been to play catch-up, issuing advisories for the corresponding patches and/or mitigation techniques.
The impact of the worms has been unpredictable, because the cascading effect on other protocols (and on the whole system) is unknown. The countermeasures have been after-the-fact, because the behavior of the next worm is also unknown. The workarounds have not been elegant, and past workarounds such as disabling the application or running the application on a nonstandard port often broke the actual application. The above points apply to all types of attacks; the worm example and the corresponding scenarios simply make the problem more visible. Why does it take a real attack to identify a flaw in our protocol design? Why does it take a worm to expose the vulnerabilities arising from interprotocol relationships and their consequences? We own the software running on the device and we know the architecture of the device; therefore, logically, we should not even need to run the actual attack to answer a question such as 'what will be the complete consequences of a hundred packets per second having a multicast address as the destination address?'
Questions such as the above are the motivation for this research project. The following are the questions that the research hopes to answer:
- Is there an underlying framework in worm network behavior that is responsible for the impact? If there is one, can we use the framework to develop a comprehensive worm/attack behavior causal model?
- Is there an underlying framework in the protocol implementation and interprotocol relationships that can be attributed to the impact? If there is one, can we use the framework to develop a comprehensive simulation-response model for protocols?
- Is there an underlying framework in the network device's architecture that escalates the impact? If there is one, can we use the framework to develop a comprehensive device impact model?
- Can we use the three different models described above to analyze, predict and possibly develop proactive countermeasures for the impact of future worms on network devices and protocols?
Project Deliverables: Research Papers, Tools.
Status: In Progress