Importance-scanning worm using vulnerable-host distribution

Most Internet worms use random scanning. The distribution of vulnerable hosts on the Internet, however, is highly non-uniform over the IP-address space. This implies that random scanning wastes many scans on invulnerable addresses, and that more virulent scanning schemes may take advantage of the non-uniformity of the vulnerable-host distribution. Questions then arise as to how attackers may make use of such information, and how virulent the resulting worm may be. These issues provide "worst-case scenarios" for defenders and "best-case scenarios" for attackers if the vulnerable-host distribution is available. This work develops such a scenario, called importance scanning. Importance scanning derives from importance sampling in statistics: it scans the IP-address space according to an empirical distribution of vulnerable hosts. An analytical model is developed to relate the infection rate of worms to the importance-scanning strategies. Experimental results based on parameters chosen from the Code Red and Slammer worms show that an importance-scanning worm can spread much faster than both a random-scanning worm and a routing worm. Furthermore, a game-theory approach suggests that the best strategy for defenders is to scatter applications uniformly over the entire IP-address space.
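
The closing claim, that uniform placement is the defender's best strategy, can be checked numerically from the defender's side. The following is an added example, not the paper's own model or code: it assumes equal-sized address blocks and a deterministic discrete-time epidemic, and the function names and host counts are constructed for illustration.

```python
# Added illustration; the block model below is an assumption, not the paper's equations.

def amplification(placement):
    """Per-scan hit probability when scans follow the host distribution,
    relative to uniform random scanning: m * sum(p_i^2), always >= 1."""
    total = sum(placement)
    shares = [n / total for n in placement]
    return len(shares) * sum(p * p for p in shares)

def ticks_to_fraction(placement, block_size, scans_per_tick, target=0.9,
                      matched=True, max_ticks=100_000):
    """Ticks until `target` of all hosts are infected (deterministic model).
    matched=True splits scans over blocks in proportion to `placement`;
    matched=False splits them evenly, i.e. uniform random scanning."""
    m, total = len(placement), sum(placement)
    weights = [n / total if matched else 1 / m for n in placement]
    infected = [n / total for n in placement]  # one seed host, spread pro rata
    for tick in range(1, max_ticks + 1):
        scans = scans_per_tick * sum(infected)
        for i, n in enumerate(placement):
            # probability that one given address in block i is probed this tick
            hit = 1 - (1 - 1 / block_size) ** (scans * weights[i])
            infected[i] += (n - infected[i]) * hit
        if sum(infected) >= target * total:
            return tick
    return None

# Constructed sample: 1600 hosts in 16 blocks of 65536 addresses each.
UNIFORM = [100] * 16
SKEWED = [1000, 400, 100, 100] + [0] * 12

if __name__ == "__main__":
    for name, placement in (("uniform", UNIFORM), ("skewed", SKEWED)):
        print(name, amplification(placement),
              ticks_to_fraction(placement, 65536, 100, matched=False),
              ticks_to_fraction(placement, 65536, 100, matched=True))
```

In this model the factor `m * sum(p_i^2)` equals 1 only for uniform placement, so any concentration of a service in a few blocks shortens the time to saturation when scans follow the host distribution, while leaving it unchanged under uniform random scanning.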
