Distributed Detection and Optimal Traffic-blocking of Network Worms

Despite the recent surge of research on controlling worm propagation, there is currently no effective defense system against such cyber attacks. We first design a distributed detection architecture called Detection via Distributed Blackholes (DDBH). Our novel detection mechanism could be implemented via virtual honeypots or honeynets. Simulation results show that a worm can be detected with virtual honeypots on only 3% of the nodes. Moreover, the worm is detected when less than 1.5% of the nodes are infected. We then develop two control strategies: (1) optimal dynamic traffic-blocking, for which we determine the condition that guarantees the minimum number of removed nodes when the worm is contained, and (2) predictive dynamic traffic-blocking, a realistic deployment of the optimal strategy on scale-free graphs. The predictive dynamic traffic-blocking, coupled with the DDBH, ensures that more than 40% of the network is unaffected by the propagation at the time when the worm is contained.
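As an added illustration (not the paper's own simulator or code), the following Python toy model places virtual honeypots (blackholes) on a fraction of addresses, lets a random-scanning worm spread, records how far the infection has progressed when a blackhole first sees a scan, and then races a per-round traffic-blocking budget against the worm. The network size, the round-based scanning model and the blocking budget are assumptions made for this example.

```python
import random

def run_worm(n_nodes=10000, honeypot_fraction=0.03, block_per_round=500, seed=1):
    """Toy model constructed for this example (not the paper's simulator):
    a random-scanning worm on n_nodes addresses, a fraction of which are virtual
    honeypots (blackholes).  Detection fires on the first scan that lands on a
    honeypot; from the next round on the defender blocks the traffic of up to
    block_per_round infected hosts per round."""
    rng = random.Random(seed)
    honeypots = set(rng.sample(range(n_nodes), int(honeypot_fraction * n_nodes)))
    hosts = [v for v in range(n_nodes) if v not in honeypots]  # infectable addresses
    infected = {rng.choice(hosts)}            # patient zero is a real host
    blocked, scans, detection, contained = set(), 0, None, False
    while True:
        active = sorted(infected - blocked)   # infected hosts still able to scan
        if not active:
            contained = True                  # every infected host is blocked
            break
        if detection is not None:             # response phase: block some traffic
            blocked.update(active[:block_per_round])
            active = active[block_per_round:]
        for _ in active:                      # each active host emits one scan
            target = rng.randrange(n_nodes)
            scans += 1
            if target in honeypots:           # the blackhole absorbs the scan
                if detection is None:
                    detection = (scans, len(infected) / n_nodes)
                continue
            infected.add(target)              # re-hitting an infected host is a no-op
        if len(infected) == len(hosts):
            break                             # worm saturated the network
    return {
        "scans_to_detection": None if detection is None else detection[0],
        "infected_at_detection": None if detection is None else detection[1],
        "contained": contained,
        "unaffected_when_contained": 1 - len(infected) / len(hosts) if contained else 0.0,
    }

def mean_scans_to_detection(seeds=range(50), **kwargs):
    """Average the simulated detection delay over several seeds.  Each uniform
    scan hits a blackhole with probability h, so the analytic expectation is 1/h
    (about 33 scans for h = 0.03)."""
    runs = [run_worm(seed=s, **kwargs)["scans_to_detection"] for s in seeds]
    return sum(runs) / len(runs)
```

Setting block_per_round to 0 shows the other side of the race: the worm is still detected early, but without a blocking response it saturates every non-honeypot host.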
