An Information-Theoretical View of Network-Aware Malware Attacks

TL;DR

This paper uses information theory to analyze how non-uniform vulnerable-host distributions influence malware spread and explores the challenges in defending against network-aware malware exploiting these vulnerabilities.

Contribution

It introduces a non-uniformity factor based on Renyi entropy to quantify vulnerability distribution and links it to malware propagation speed and defense challenges.

Findings

Non-uniform vulnerable-host distributions are consistently observed.

The non-uniformity factor correlates with malware spreading speed.

Defending against network-aware malware is significantly more challenging.

Abstract

This work investigates three aspects: (a) a network vulnerability as the non-uniform vulnerable-host distribution, (b) threats, i.e., intelligent malwares that exploit such a vulnerability, and (c) defense, i.e., challenges for fighting the threats. We first study five large data sets and observe consistent clustered vulnerable-host distributions. We then present a new metric, referred to as the non-uniformity factor, which quantifies the unevenness of a vulnerable-host distribution. This metric is essentially the Renyi information entropy and better characterizes the non-uniformity of a distribution than the Shannon entropy. Next, we analyze the propagation speed of network-aware malwares in view of information theory. In particular, we draw a relationship between Renyi entropies and randomized epidemic malware-scanning algorithms. We find that the infection rates of malware-scanning methods are characterized by the Renyi entropies that relate to the information bits in a non-unform vulnerable-host distribution extracted by a randomized scanning algorithm. Meanwhile, we show that a representative network-aware malware can increase the spreading speed by exactly or nearly a non-uniformity factor when compared to a random-scanning malware at an early stage of malware propagation. This quantifies that how much more rapidly the Internet can be infected at the early stage when a malware exploits an uneven vulnerable-host distribution as a network-wide vulnerability. Furthermore, we analyze the effectiveness of defense strategies on the spread of network-aware malwares. Our results demonstrate that counteracting network-aware malwares is a significant challenge for the strategies that include host-based defense and IPv6.