Investigating the Impact of Real-World Factors on Internet Worm Propagation

This paper reports the results of our experiments modeling worm behavior on a large-scale, fully adaptable network simulator. Our experiments focused on worm scanning methods, IP address structure, and wireless links, areas that, to the best of our knowledge, have been mostly neglected or abstracted away in prior worm simulations. First, we study, by direct observation of our simulations, the effects of various IP scanning techniques on the effectiveness of worm spread. Second, we examine the effects that a larger IP address space (specifically a sparsely populated address space like that provided by Internet Protocol Version 6) would have on the effectiveness of several worms. Third, we study how wireless media may affect the propagation of worms. To perform these simulations we used the Georgia Institute of Technology's network simulator, GTNetS, extending the worm classes packaged with the simulator.
