Propagation of active worms: A survey

This paper serves worm defenders’ objective of improving their immunity to future active worms by giving them deep insight into the propagation characteristics of active worms from a worm author’s perspective. Active worms self-propagate across networks by employing scanning, pre-generated target lists, or internally generated target lists as their target discovery technique. We find that the target acquisition and network reconnaissance actions during the network propagation phase of a worm’s life cycle essentially embody its target discovery technique. From the life cycles of worms, we derive the significance of target discovery techniques in shaping a worm’s propagation characteristics. A variety of target discovery techniques employed by active worms are discussed and compared. We find that hitting probability (the probability of hitting a vulnerable or infected host) is the factor most frequently improved by attackers to increase a worm’s propagation speed. We anticipate that future active worms would employ a combination of target discovery techniques to greatly accelerate their propagation. Various deterministic and stochastic models of active worms are presented and compared, and their accuracy and applicability in modelling the propagation of active worms under different conditions are discussed. The survey also presents a discussion of opportunities, challenges and solutions from a worm defender’s perspective. We also propose a new defence system called Distributed Active Defence System (DADS) to effectively defend against worms. This new system follows an active surveillance-trace-control cycle, which could be the emerging solution to the active worm problem.
