Empirical Analysis of Rate Limiting + Leap Ahead (RL+LA) Countermeasure against Witty Worm

Wormable system vulnerabilities continue to be identified, so fast-spreading network worms continue to pose a threat to the Internet infrastructure, with each successive Internet-wide outbreak showing increased virulence, speed and sophistication. The cost of a single worm outbreak has been estimated to be as high as US $2.6 billion. In this paper, we report an empirical analysis of the distributed worm detection and prevention countermeasure Rate Limiting + Leap Ahead (RL+LA), using a Pseudo-Witty worm that reproduces the real outbreak characteristics of the Witty worm. RL+LA is a distributed, automated worm detection and containment scheme based on the correlation of Domain Name System (DNS) queries with the destination IP addresses of outgoing TCP SYN and UDP datagrams leaving the network boundary; it also uses cooperation between communicating scheme members through a custom protocol, which we term Friends. The results show a significant increase in the time to infection for the Witty worm when the countermeasure scheme is invoked, although the scheme cannot completely stop the propagation of the worm.
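The following is an added illustration, not the paper's RL+LA implementation, of the detection idea the abstract describes: outgoing TCP SYN and UDP traffic is checked against the destination addresses a host previously learned through DNS, and a host that keeps contacting addresses it never resolved (the signature of a random-scanning worm such as Witty) exhausts a small per-host budget and is first delayed, then quarantined. The budget, window length, quarantine multiplier, the event format and the constructed trace are all assumptions of this example; the Leap Ahead step and the Friends protocol are not modelled.

```python
"""Simplified DNS-correlation rate limiter (added example, not from the paper)."""
from collections import defaultdict, deque
import random

ALLOW, DELAY, QUARANTINE = "allow", "delay", "quarantine"


class DnsCorrelationLimiter:
    """Per-host limiter keyed on whether an outbound destination was learned via DNS.

    Assumed parameters: `budget` unresolved contacts per `window` seconds are
    passed through; beyond that they are delayed; beyond
    budget * quarantine_factor in one window the host is quarantined.
    """

    def __init__(self, budget=3, window=1.0, quarantine_factor=3):
        self.budget = budget                  # assumed value
        self.window = window                  # seconds, assumed value
        self.quarantine_at = budget * quarantine_factor
        self.resolved = defaultdict(set)      # host -> IPs seen in DNS answers to that host
        self.events = defaultdict(deque)      # host -> timestamps of unresolved contacts
        self.quarantined = set()

    def observe_dns_answer(self, host, ip):
        """Record that `host` received `ip` in a DNS answer (the whitelist source)."""
        self.resolved[host].add(ip)

    def check_outbound(self, host, dst_ip, proto, ts):
        """Verdict for one outbound TCP SYN or UDP datagram from `host` at time `ts`."""
        if host in self.quarantined:
            return QUARANTINE
        if proto not in ("tcp-syn", "udp"):
            return ALLOW                      # only connection-initiating traffic is rate limited
        if dst_ip in self.resolved[host]:
            return ALLOW                      # destination was resolved through DNS: normal behaviour
        q = self.events[host]
        while q and ts - q[0] > self.window:  # drop contacts outside the sliding window
            q.popleft()
        q.append(ts)
        if len(q) > self.quarantine_at:
            self.quarantined.add(host)
            return QUARANTINE
        if len(q) > self.budget:
            return DELAY
        return ALLOW


def run_trace(events, limiter=None):
    """Feed a list of ("dns", host, ip, ts) / ("out", host, dst, proto, ts) events.

    Returns (per-host verdict counts, set of quarantined hosts).
    """
    lim = limiter or DnsCorrelationLimiter()
    counts = defaultdict(lambda: {ALLOW: 0, DELAY: 0, QUARANTINE: 0})
    for ev in events:
        if ev[0] == "dns":
            _, host, ip, _ts = ev
            lim.observe_dns_answer(host, ip)
        else:
            _, host, dst, proto, ts = ev
            counts[host][lim.check_outbound(host, dst, proto, ts)] += 1
    return {h: dict(c) for h, c in counts.items()}, lim.quarantined


def sample_trace():
    """Constructed trace: one client that resolves names before connecting and one
    host that sprays UDP datagrams at random addresses without any DNS lookups."""
    trace = []
    for i in range(6):                        # 10.0.0.5: DNS answer, then TCP SYN to that IP
        ts, ip = i * 0.1, f"198.51.100.{i + 1}"
        trace.append(("dns", "10.0.0.5", ip, ts))
        trace.append(("out", "10.0.0.5", ip, "tcp-syn", ts + 0.01))
    rng = random.Random(1)                    # 10.0.0.9: 40 unresolved UDP contacts in 0.4 s
    for i in range(40):
        dst = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        trace.append(("out", "10.0.0.9", dst, "udp", i * 0.01))
    return trace


if __name__ == "__main__":
    counts, quarantined = run_trace(sample_trace())
    for host, c in counts.items():
        print(host, c)
    print("quarantined:", sorted(quarantined))
```

Run as a script it processes the constructed trace: the DNS-using client is never delayed, while the spraying host is allowed three unresolved contacts, delayed on the next six and quarantined from the tenth onward. The window is a sliding one, so a host whose unresolved contacts are spread out over time keeps its budget; the delay tier is what buys the "increase in time to infection" the abstract reports, and the quarantine tier is what would feed the Friends notification in a full deployment.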
