Simulating non-scanning worms on peer-to-peer networks

Millions of Internet users are using large-scale peer-to-peer (P2P) networks to share content files today. Many other mission-critical applications, such as Internet telephony and Domain Name System (DNS), have also found P2P networks appealing due to their scalability and reliability properties. These P2P networks, however, could be leveraged by automatic-propagating Internet worms to quickly infect a large vulnerable population and inflict tremendous damages to information infrastructure and end systems.While much work has been done to study random-scanning worms, such as CodeRed and Slammer, we have less understanding of non-scanning worms that are potentially stealthy. In this paper, we identify three strategies a non-scanning worm could use to propagate through P2P systems. To understand their behaviors, we provide a workload-driven simulation framework to characterize these worms and identify the parameters influencing their propagations. The non-scanning nature allows P2P worms to evade many of today's detection methods aimed at random-scanning worms. We propose and evaluate an online detection algorithm against these P2P worms using statistical detection of change-points in streaming sensor data.

[1]  Robert K. Cunningham,et al.  A taxonomy of computer worms , 2003, WORM '03.

[2]  Steve Chien,et al.  A First Look at Peer-to-Peer Worms: Threats and Defenses , 2005, IPTPS.

[3]  Wei Yu,et al.  Analyzing Impacts of Peer-to-Peer Systems on Propagation of Active Worm Attacks , 2004 .

[4]  Alessandro Vespignani,et al.  Epidemic spreading in scale-free networks. , 2000, Physical review letters.

[5]  George Varghese,et al.  Automated Worm Fingerprinting , 2004, OSDI.

[6]  Dawn Xiaodong Song,et al.  Dynamic quarantine of Internet worms , 2004, International Conference on Dependable Systems and Networks, 2004.

[7]  Krishna P. Gummadi,et al.  Measurement, modeling, and analysis of a peer-to-peer file-sharing workload , 2003, SOSP '03.

[8]  Jia Wang,et al.  Analyzing peer-to-peer traffic across large networks , 2004, IEEE/ACM Trans. Netw..

[9]  Qi He,et al.  Mapping peer behavior to packet-level details: a framework for packet-level simulation of peer-to-peer systems , 2003, 11th IEEE/ACM International Symposium on Modeling, Analysis and Simulation of Computer Telecommunications Systems, 2003. MASCOTS 2003..

[10]  David M. Nicol,et al.  Simulating realistic network worm traffic for worm warning system design and testing , 2003, WORM '03.

[11]  Paul C. van Oorschot,et al.  On instant messaging worms, analysis and countermeasures , 2005, WORM '05.

[12]  Stefan Savage,et al.  Inside the Slammer Worm , 2003, IEEE Secur. Priv..

[13]  Somesh Jha,et al.  Global Intrusion Detection in the DOMINO Overlay System , 2004, NDSS.

[14]  Eugene H. Spafford,et al.  The design and implementation of tripwire: a file system integrity checker , 1994, CCS '94.

[15]  A. Barabasi,et al.  Halting viruses in scale-free networks. , 2001, Physical review. E, Statistical, nonlinear, and soft matter physics.

[16]  B. Karp,et al.  Autograph: Toward Automated, Distributed Worm Signature Detection , 2004, USENIX Security Symposium.

[17]  Vincent H. Berk,et al.  Rapid detection of worms using ICMP-T3 analysis , 2004, SPIE Defense + Commercial Sensing.

[18]  Karl N. Levitt,et al.  GrIDS A Graph-Based Intrusion Detection System for Large Networks , 1996 .

[19]  Jon A. Rochlis,et al.  With microscope and tweezers: an analysis of the Internet virus of November 1988 , 1989, Proceedings. 1989 IEEE Symposium on Security and Privacy.

[20]  Lada A. Adamic Zipf, Power-laws, and Pareto-a ranking tutorial , 2000 .

[21]  Matthew M. Williamson,et al.  Throttling viruses: restricting propagation to defeat malicious mobile code , 2002, 18th Annual Computer Security Applications Conference, 2002. Proceedings..

[22]  Krishna P. Gummadi,et al.  Measuring and analyzing the characteristics of Napster and Gnutella hosts , 2003, Multimedia Systems.

[23]  Herbert W. Hethcote,et al.  The Mathematics of Infectious Diseases , 2000, SIAM Rev..

[24]  Eugene H. Spafford,et al.  Crisis and aftermath , 1989, Commun. ACM.

[25]  Robert Tappan Morris,et al.  Serving DNS Using a Peer-to-Peer Lookup Service , 2002, IPTPS.

[26]  Eugene H. Spafford,et al.  The internet worm: crisis and aftermath , 1989 .

[27]  Patrick Lincoln,et al.  Epidemic profiles and defense of scale-free networks , 2003, WORM '03.

[28]  Niels Provos,et al.  A Virtual Honeypot Framework , 2004, USENIX Security Symposium.

[29]  Jaideep Srivastava,et al.  Event detection from time series data , 1999, KDD '99.

[30]  George Kesidis,et al.  Preliminary results using scale-down to explore worm dynamics , 2004, WORM '04.

[31]  Evangelos Kranakis,et al.  DNS-based Detection of Scanning Worms in an Enterprise Network , 2005, NDSS.

[32]  Vern Paxson,et al.  How to Own the Internet in Your Spare Time , 2002, USENIX Security Symposium.

[33]  Stefan Savage,et al.  Network Telescopes: Technical Report , 2004 .

[34]  Matei Ripeanu,et al.  Peer-to-peer architecture case study: Gnutella network , 2001, Proceedings First International Conference on Peer-to-Peer Computing.

[35]  Donald F. Towsley,et al.  Email worm modeling and defense , 2004, Proceedings. 13th International Conference on Computer Communications and Networks (IEEE Cat. No.04EX969).

[36]  Hari Balakrishnan,et al.  Fast portscan detection using sequential hypothesis testing , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[37]  Stuart E. Schechter,et al.  Inoculating SSH Against Address Harvesting , 2006, NDSS.

[38]  Farnam Jahanian,et al.  The Internet Motion Sensor - A Distributed Blackhole Monitoring System , 2005, NDSS.

[39]  David R. Karger,et al.  Chord: A scalable peer-to-peer lookup service for internet applications , 2001, SIGCOMM '01.

[40]  Xuxian Jiang,et al.  Collapsar: A VM-Based Architecture for Network Attack Detention Center , 2004, USENIX Security Symposium.

[41]  Dawn Xiaodong Song,et al.  New Streaming Algorithms for Fast Detection of Superspreaders , 2005, NDSS.

[42]  David Moore,et al.  Internet quarantine: requirements for containing self-propagating code , 2003, IEEE INFOCOM 2003. Twenty-second Annual Joint Conference of the IEEE Computer and Communications Societies (IEEE Cat. No.03CH37428).

[43]  Hari Balakrishnan,et al.  Resilient overlay networks , 2001, SOSP.

[44]  Daniel Stutzbach,et al.  Characterizing unstructured overlay topologies in modern P2P file-sharing systems , 2008, TNET.

[45]  Stuart E. Schechter,et al.  Inoculating SSH Against Address-Harvesting Worms , 2005 .

[46]  Donald F. Towsley,et al.  Monitoring and early warning for internet worms , 2003, CCS '03.

[47]  Márk Jelasity,et al.  Robust aggregation protocols for large-scale overlay networks , 2004, International Conference on Dependable Systems and Networks, 2004.

[48]  Daniel R. Ellis,et al.  A behavioral approach to worm detection , 2004, WORM '04.

[49]  Srikanth Sundaragopalan,et al.  High-fidelity modeling of computer network worms , 2004, 20th Annual Computer Security Applications Conference.

[50]  Guofei Gu,et al.  Worm detection, early warning and response based on local victim information , 2004, 20th Annual Computer Security Applications Conference.

[51]  Know Your Enemy : Honeynets What a Honeynet , 2002 .

[52]  David Moore,et al.  Code-Red: a case study on the spread and victims of an internet worm , 2002, IMW '02.

[53]  Miguel Castro,et al.  Can we contain Internet worms , 2004 .

[54]  Antony I. T. Rowstron,et al.  Pastry: Scalable, Decentralized Object Location, and Routing for Large-Scale Peer-to-Peer Systems , 2001, Middleware.

[55]  Henning Schulzrinne,et al.  An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol , 2004, Proceedings IEEE INFOCOM 2006. 25TH IEEE International Conference on Computer Communications.