Modeling and analysis of a self-learning worm based on good point set scanning

Internet worms can self-propagate over the Internet and have caused significant damage to the Internet infrastructure. To speed up propagation, worms need to scan many Internet Protocol (IP) addresses to find vulnerable hosts. However, the distribution of IP addresses is highly non-uniform, so many scans are wasted on invulnerable addresses. Inspired by the theory of good point sets, this paper proposes a new scanning strategy for worms, referred to as good point set scanning (GPSS). Experimental results show that GPSS generates more distinct IP addresses and fewer unused IP addresses than permutation scanning. Combined with group distribution, a static optimal GPSS is derived. Since this information cannot be easily collected before a worm is released, a self-learning worm with GPSS is designed. Such a worm can accurately estimate the underlying vulnerable-host distribution once a sufficient number of IP addresses of infected hosts have been collected. We use a modified Analytical Active Worm Propagation (AAWP) model to simulate data from Code Red and the performance of different scanning strategies. Experimental results show that once the distribution of vulnerable hosts is accurately estimated, a self-learning worm can propagate much faster than other worms. Finally, some possible countermeasures are given. Copyright © 2008 John Wiley & Sons, Ltd.
