On the trade-off between speed and resiliency of flashworms and similar malcodes

Inspired by the Flash worm paper [1], we formulate and investigate the problem of finding a fast and resilient propagation topology and propagation schedule for Flash worms and similar malcodes. Resiliency means that a very large proportion of infectable targets are still infected no matter which fraction of targets are not infectable. There is an intrinsic trade-off between speed and resiliency, since resiliency requires transmission redundancy, which slows down the malcode. To investigate this problem formally, we need an analytical model. We first show that, under a moderately general analytical model, the problem of optimizing propagation time is NP-hard. This fact justifies the need for a simpler model, which we present next. In this simplified model, we present an optimal propagation topology and schedule, which is then shown by simulation to be even faster than the Flash worm. Moreover, our worm is faster even when the source has much less bandwidth capability. We also show that for every preemptive schedule there exists a non-preemptive schedule which is just as effective. This fact greatly simplifies the optimization problem. In terms of the aforementioned trade-off, we give a propagation topology based on extractor graphs which can reduce the infection time linearly while keeping the expected number of infected nodes exponentially close to optimal.
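The speed/resiliency trade-off described in the abstract can be made concrete with a small model. The Python script below is an added illustration, not the paper's model or code. It assumes a layered propagation topology in which every node in layer i+1 takes a fixed number of parents (the `redundancy` parameter) from layer i by a plain cyclic shift (not the extractor-graph construction the paper uses), a non-preemptive schedule in which an infected node sends one copy per time unit to its children in index order, and an independent probability that any non-source node is not infectable (patched or quarantined, which is exactly the quantity a containment defence controls). With no redundancy the topology is a `fanout`-ary tree, and a single non-infectable node cuts off its whole subtree; with redundancy the expected reach stays high but the finish time grows, since each parent now has `fanout * redundancy` copies to send.

```python
"""Toy model of the speed/resiliency trade-off in a layered propagation topology.

Assumptions (added illustration, not the paper's model):
  * nodes are arranged in layers; the source is node 0 in layer 0
  * every node in layer i+1 is assigned `redundancy` distinct parents in layer i
  * an infected node sends one copy per time unit, to its children in index
    order (a non-preemptive schedule)
  * a node is infected at the earliest time an infected parent reaches it,
    provided it is infectable at all
"""
import random


def build_topology(n_nodes, fanout, redundancy):
    """Return (layers, parents).  `layers` is a list of node-id lists whose sizes
    grow by `fanout`; `parents` maps a node id to its sorted list of parent ids.
    Each child in layer i+1 takes `redundancy` parents from layer i (fewer if the
    layer is smaller than that)."""
    layers = [[0]]
    parents = {0: []}
    next_id = 1
    while next_id < n_nodes:
        prev = layers[-1]
        size = min(len(prev) * fanout, n_nodes - next_id)
        layer = list(range(next_id, next_id + size))
        r = min(redundancy, len(prev))
        for k, node in enumerate(layer):
            # child k hangs under parent k // fanout; its extra parents are the
            # following ones (cyclically), so every parent gets fanout * r children
            parents[node] = sorted({prev[(k // fanout + j) % len(prev)] for j in range(r)})
        layers.append(layer)
        next_id += size
    return layers, parents


def simulate(layers, parents, infectable):
    """Run one propagation over the topology given the set of infectable node ids.
    Returns (infection_time, reach, finish_time): infection_time maps infected
    node -> time, reach is the fraction of infectable non-source nodes that were
    actually infected, finish_time is the time the last infection happened."""
    # each parent's send schedule is its children list, in node-index order
    children = {node: [] for layer in layers for node in layer}
    for layer in layers[1:]:
        for node in layer:
            for p in parents[node]:
                children[p].append(node)
    time = {0: 0}
    for layer in layers[1:]:
        for node in layer:
            if node not in infectable:
                continue  # patched / quarantined: never infected, sends nothing
            offers = [time[p] + children[p].index(node) + 1
                      for p in parents[node] if p in time]
            if offers:
                time[node] = min(offers)
    targets = [n for n in infectable if n != 0]
    hit = [n for n in targets if n in time]
    reach = len(hit) / len(targets) if targets else 1.0
    return time, reach, max(time.values())


def expected_reach_and_time(n_nodes, fanout, redundancy, not_infectable_frac,
                            trials=200, seed=1):
    """Average reach and finish time over random infectable sets, where every
    non-source node is independently not infectable with the given probability."""
    rng = random.Random(seed)
    layers, parents = build_topology(n_nodes, fanout, redundancy)
    reach_sum = time_sum = 0.0
    for _ in range(trials):
        infectable = {0} | {n for layer in layers[1:] for n in layer
                            if rng.random() >= not_infectable_frac}
        _, reach, finish = simulate(layers, parents, infectable)
        reach_sum += reach
        time_sum += finish
    return reach_sum / trials, time_sum / trials


if __name__ == "__main__":
    # constructed population: 4095 nodes, fanout 4, 20% of nodes not infectable
    for r in (1, 2, 3):
        reach, t = expected_reach_and_time(4095, 4, r, 0.2)
        print(f"redundancy={r}: expected reach {reach:.3f}, finish time {t:.1f}")
```

Sweeping `not_infectable_frac` upward for a fixed redundancy shows how much of a population a patching or quarantine effort has to cover before the expected reach collapses, which is the defender's side of the same trade-off; the finish-time column shows the price the redundancy costs in propagation speed.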

[1] Ayalvadi J. Ganesh et al. On the effectiveness of automatic patching, 2005, WORM '05.

[2] David Moore et al. The Spread of the Witty Worm, 2004, IEEE Security & Privacy.

[3] David M. Nicol et al. Simulating realistic network worm traffic for worm warning system design and testing, 2003, WORM '03.

[4] Iván Arce et al. An Analysis of the Slapper Worm, 2003, IEEE Security & Privacy.

[5] B. Karp et al. Autograph: Toward Automated, Distributed Worm Signature Detection, 2004, USENIX Security Symposium.

[6] Don Towsley et al. Routing worm: a fast, selective attack worm based on IP address information, 2005, Workshop on Principles of Advanced and Distributed Simulation (PADS '05).

[7] Stefan Savage et al. Inside the Slammer Worm, 2003, IEEE Security & Privacy.

[8] Avi Wigderson et al. Extractors: optimal up to constant factors, 2003, STOC '03.

[9] Andrew Odlyzko. Data Networks are Lightly Utilized, and Will Stay That Way, 1999.

[10] Karl N. Levitt et al. Cooperative response strategies for large scale attack mitigation, 2003, Proceedings of the DARPA Information Survivability Conference and Exposition.

[11] Mark Handley et al. A scalable content-addressable network, 2001, SIGCOMM '01.

[12] Donald F. Towsley et al. Worm propagation modeling and analysis under dynamic quarantine defense, 2003, WORM '03.

[13] Donald F. Towsley et al. The monitoring and early detection of Internet worms, 2005, IEEE/ACM Transactions on Networking.

[14] Vern Paxson et al. The top speed of flash worms, 2004, WORM '04.

[15] Vern Paxson et al. How to Own the Internet in Your Spare Time, 2002, USENIX Security Symposium.

[16] Matthew M. Williamson et al. Throttling viruses: restricting propagation to defeat malicious mobile code, 2002, Proceedings of the 18th Annual Computer Security Applications Conference (ACSAC 2002).

[17] Donald F. Towsley et al. Code Red worm propagation modeling and analysis, 2002, CCS '02.

[18] Hari Balakrishnan et al. Fast portscan detection using sequential hypothesis testing, 2004, IEEE Symposium on Security and Privacy 2004.

[19] David Moore et al. Internet quarantine: requirements for containing self-propagating code, 2003, IEEE INFOCOM 2003.

[20] Eric Filiol et al. Combinatorial Optimisation of Worm Propagation on an Unknown Network, 2007.

[21] Jia Wang et al. Towards an accurate AS-level traceroute tool, 2003, SIGCOMM '03.

[22] David Moore et al. Code-Red: a case study on the spread and victims of an Internet worm, 2002, IMW '02.

[23] Bobby Bhattacharjee et al. Scalable application layer multicast, 2002, SIGCOMM '02.

[24] Kevin A. Kwiat et al. Modeling the spread of active worms, 2003, IEEE INFOCOM 2003.

[25] Stefan Savage et al. The Spread of the Sapphire/Slammer Worm, 2003.

[26] Ratul Mahajan et al. Measuring ISP topologies with Rocketfuel, 2002, IEEE/ACM Transactions on Networking.

[27] N. Linial et al. Expander Graphs and their Applications, 2006.

[28] Bill McCarty et al. Botnets: Big and Bigger, 2003, IEEE Security & Privacy.