Measuring Network-Aware Worm Spreading Ability

This work investigates three aspects: (a) a network vulnerability, namely the non-uniform distribution of vulnerable hosts; (b) threats, i.e., intelligent worms that exploit such a vulnerability; and (c) defense, i.e., the challenges of fighting those threats. We first study five data sets and observe consistently clustered vulnerable-host distributions. We then present a new metric, referred to as the non-uniformity factor, which quantifies the unevenness of a vulnerable-host distribution. This metric is essentially the Rényi information entropy and characterizes the non-uniformity of a distribution better than the Shannon entropy does. We then analytically and empirically measure the infection rate and the propagation speed of network-aware worms. We show that, at the early stage of worm propagation, a representative network-aware worm can increase its spreading speed over that of a random-scanning worm by a factor exactly or nearly equal to the non-uniformity factor. This implies that when a worm exploits an uneven vulnerable-host distribution as a network-wide vulnerability, the Internet can be infected much more rapidly. Furthermore, we analyze the effectiveness of defense strategies against the spread of network-aware worms. Our results demonstrate that counteracting network-aware worms is a significant challenge for strategies that include host-based defense and IPv6.
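The non-uniformity factor described above can be computed from a host inventory, shown here as an added example that is not code from the paper. It assumes the order-two Rényi form β = 2^l · Σ pᵢ² over /l subnets, which the abstract does not spell out; the function names and address lists are constructed for illustration.

```python
import ipaddress
import math
from collections import Counter


def group_distribution(addresses, prefix_len):
    """Share of the listed hosts that falls in each /prefix_len subnet."""
    shift = 32 - prefix_len
    counts = Counter(int(ipaddress.IPv4Address(a)) >> shift for a in addresses)
    total = sum(counts.values())
    return [c / total for c in counts.values()]


def shannon_entropy(probs):
    """Shannon entropy in bits."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def renyi2_entropy(probs):
    """Order-two Renyi entropy in bits: -log2(sum of p^2)."""
    return -math.log2(sum(p * p for p in probs))


def non_uniformity_factor(addresses, prefix_len):
    """Assumed form: beta = 2^l * sum(p_i^2) = 2^(l - H2).

    beta is 1 when hosts are spread evenly over all 2^l subnets and 2^l when
    every host sits in one subnet. With n hosts it cannot fall below 2^l / n,
    so only compare inventories of similar size.
    """
    probs = group_distribution(addresses, prefix_len)
    return 2 ** prefix_len * sum(p * p for p in probs)


# Constructed inventories (private address space), not measured data.
CLUSTERED = ["10.1.0.5", "10.1.0.9", "10.1.2.7", "10.1.3.3",
             "10.2.0.1", "10.9.9.9", "172.16.0.4", "192.168.1.1"]
SPREAD = ["10.0.0.1", "20.0.0.1", "30.0.0.1", "40.0.0.1",
          "50.0.0.1", "60.0.0.1", "70.0.0.1", "80.0.0.1"]

if __name__ == "__main__":
    for name, inv in (("clustered", CLUSTERED), ("spread", SPREAD)):
        p = group_distribution(inv, 8)
        print(f"{name}: beta(/8)={non_uniformity_factor(inv, 8):.1f} "
              f"H2={renyi2_entropy(p):.3f} Shannon={shannon_entropy(p):.3f}")
```

Both inventories hold eight hosts, so the gap between their /8 factors reflects clustering alone rather than sample size.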
