Anting: An Adaptive Scanning Method for Computer Worms

Computer worms can self-propagate over a network and are becoming a critical risk to network-based applications. To propagate over the network, worms need to scan many IP addresses to find vulnerable hosts. This paper addresses worm scanning strategies that use subsidiary information. Inspired by natural ants, we propose an adaptive scanning method for worms, named Anting. To perform focused scanning on the parts of the address space where vulnerable systems are most clustered, each worm records some scanning results to help decide its next scanning direction. Newborn worms can also inherit those results from their parent worms. Each worm decides its scanning direction based on its local estimate of the densities of reachable addresses or vulnerable hosts in different subspaces. The simple individual behaviors of the worms aggregate into a global collective behavior that performs efficient scanning. We argue that this scanning method is more efficient when the vulnerable hosts are not uniformly distributed. We also conduct some simulated experiments to validate this method.
