Defending against the propagation of active worms

Active worms propagate across networks by employing various target discovery techniques. The significance of target discovery techniques in shaping a worm’s propagation characteristics is derived from the life cycle of a worm. The various target discovery techniques that could be employed by active worms are discussed. It is anticipated that future active worms would employ multiple target discovery techniques simultaneously to greatly accelerate their propagation. To accelerate a worm’s propagation, the slow start phase of the propagation must be shortened by letting the worm infect a certain initial percentage of susceptible hosts as soon as possible. Strategies that future active worms might employ to shorten the slow start phase of their propagation are studied, and their respective cost-effectiveness is assessed. A novel active defense mechanism is proposed, which could be an emerging solution to the active worm problem. Our major contributions in this article are: first, we found the combination of target discovery techniques that can best accelerate the propagation of active worms; second, we proposed several strategies to shorten the slow start phase of a worm’s propagation and found the cost-effective hit-list size and average size of internally generated target lists; third, we proposed a novel active defense mechanism and evaluated its effectiveness; and fourth, we proposed three novel discrete time deterministic propagation models of active worms.
