Modeling and automated containment of worms

Self-propagating codes, called worms, such as Code Red, Nimda, and Slammer, have drawn significant attention due to their enormous adverse impact on the Internet. There is a great interest in the research community in modeling the spread of worms and in providing adequate defense mechanisms against them. In this paper, we present a (stochastic) branching process model for characterizing the propagation of Internet worms. This model leads to the development of an automatic worm containment strategy that prevents the spread of worms beyond its early stages. Specifically, using the branching process model, we are able to (1) provide a precise condition that determines whether the worm will eventually die out and (2) provide the probability that the total number of hosts that the worm infects will be below a certain level. We use these insights to develop a simple automatic worm containment scheme, which is demonstrated, through simulations and real trace data, to be both effective and non-intrusive.

[1]  A. W. Kemp,et al.  Generalized Poisson Distributions: Properties and Applications. , 1992 .

[2]  J. Kingman A FIRST COURSE IN STOCHASTIC PROCESSES , 1967 .

[3]  Min Yinghua Dependable Systems and Networks , 2001 .

[4]  Robert K. Cunningham,et al.  A taxonomy of computer worms , 2003, WORM '03.

[5]  Laurent Massoulié,et al.  Efficient Quarantining of Scanning Worms: Optimal Detection and Coordination , 2006, Proceedings IEEE INFOCOM 2006. 25TH IEEE International Conference on Computer Communications.

[6]  Edward Skoudis Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses , 2001 .

[7]  Stefan Savage,et al.  Inside the Slammer Worm , 2003, IEEE Secur. Priv..

[8]  Sheldon M. Ross,et al.  Stochastic Processes , 2018, Gauge Integral Structures for Stochastic Calculus and Quantum Electrodynamics.

[9]  David Moore,et al.  Code-Red: a case study on the spread and victims of an internet worm , 2002, IMW '02.

[10]  Jeffrey O. Kephart,et al.  Measuring and modeling computer virus prevalence , 1993, Proceedings 1993 IEEE Computer Society Symposium on Research in Security and Privacy.

[11]  Donald F. Towsley,et al.  Monitoring and early warning for internet worms , 2003, CCS '03.

[12]  Andreas Terzis,et al.  On the impact of dynamic addressing on malware propagation , 2006, WORM '06.

[13]  Kevin A. Kwiat,et al.  Modeling the spread of active worms , 2003, IEEE INFOCOM 2003. Twenty-second Annual Joint Conference of the IEEE Computer and Communications Societies (IEEE Cat. No.03CH37428).

[14]  Vern Paxson,et al.  Bro: a system for detecting network intruders in real-time , 1998, Comput. Networks.

[15]  Steve R. White,et al.  Computers and epidemiology , 1993, IEEE Spectrum.

[16]  H. Andersson,et al.  Stochastic Epidemic Models and Their Statistical Analysis , 2000 .

[17]  Jim Freeman,et al.  Stochastic Processes (Second Edition) , 1996 .

[18]  Robert S. Gray,et al.  Using sensor networks and data fusion for early detection of active worms , 2003, SPIE Defense + Commercial Sensing.

[19]  Matthew M. Williamson,et al.  Throttling viruses: restricting propagation to defeat malicious mobile code , 2002, 18th Annual Computer Security Applications Conference, 2002. Proceedings..

[20]  Daryl J. Daley,et al.  Epidemic Modelling: An Introduction , 1999 .

[21]  David Moore,et al.  Internet quarantine: requirements for containing self-propagating code , 2003, IEEE INFOCOM 2003. Twenty-second Annual Joint Conference of the IEEE Computer and Communications Societies (IEEE Cat. No.03CH37428).

[22]  Donald F. Towsley,et al.  Code red worm propagation modeling and analysis , 2002, CCS '02.

[23]  Samuel Karlin,et al.  A First Course on Stochastic Processes , 1968 .

[24]  Stuart E. Schechter,et al.  Fast Detection of Scanning Worm Infections , 2004, RAID.

[25]  Tamer Basar,et al.  The detection of RCS worm epidemics , 2005, WORM '05.

[26]  Andreas Terzis,et al.  On the Effectiveness of Distributed Worm Monitoring , 2005, USENIX Security Symposium.

[27]  Donald F. Towsley,et al.  The effect of network topology on the spread of epidemics , 2005, Proceedings IEEE 24th Annual Joint Conference of the IEEE Computer and Communications Societies..

[28]  Guofei Gu,et al.  HoneyStat: Local Worm Detection Using Honeypots , 2004, RAID.

[29]  Jeffrey O. Kephart,et al.  Directed-graph epidemiological models of computer viruses , 1991, Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy.

[30]  Hari Balakrishnan,et al.  Fast portscan detection using sequential hypothesis testing , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[31]  Vern Paxson,et al.  How to Own the Internet in Your Spare Time , 2002, USENIX Security Symposium.

[32]  Dawn Xiaodong Song,et al.  Dynamic quarantine of Internet worms , 2004, International Conference on Dependable Systems and Networks, 2004.

[33]  Vern Paxson,et al.  Proceedings of the 13th USENIX Security Symposium , 2022 .

[34]  David M. Nicol,et al.  Simulating realistic network worm traffic for worm warning system design and testing , 2003, WORM '03.

[35]  Tamer Basar,et al.  Stochastic behavior of random constant scanning worms , 2005, Proceedings. 14th International Conference on Computer Communications and Networks, 2005. ICCCN 2005..

[36]  Herbert W. Hethcote,et al.  The Mathematics of Infectious Diseases , 2000, SIAM Rev..

[37]  Donald F. Towsley,et al.  Worm propagation modeling and analysis under dynamic quarantine defense , 2003, WORM '03.