Wei Yu, Nan Zhang, Xinwen Fu, Wei Zhao, "Self-Disciplinary Worms and Countermeasures: Modeling and Analysis," IEEE Transactions on Parallel and Distributed Systems, vol. 21, no. 10, pp. 1501-1514, October 2010.

BibTeX:

@article{ 10.1109/TPDS.2009.161,
  author = {Wei Yu and Nan Zhang and Xinwen Fu and Wei Zhao},
  title = {Self-Disciplinary Worms and Countermeasures: Modeling and Analysis},
  journal = {IEEE Transactions on Parallel and Distributed Systems},
  volume = {21},
  number = {10},
  issn = {1045-9219},
  year = {2010},
  pages = {1501-1514},
  doi = {http://doi.ieeecomputersociety.org/10.1109/TPDS.2009.161},
  publisher = {IEEE Computer Society},
  address = {Los Alamitos, CA, USA},
}

RefWorks Procite/RefMan/Endnote:

TY - JOUR
JO - IEEE Transactions on Parallel and Distributed Systems
TI - Self-Disciplinary Worms and Countermeasures: Modeling and Analysis
IS - 10
SN - 1045-9219
SP - 1501
EP - 1514
EPD - 1501-1514
A1 - Wei Yu
A1 - Nan Zhang
A1 - Xinwen Fu
A1 - Wei Zhao
PY - 2010
KW - Worm
KW - game theory
KW - anomaly detection
VL - 21
JA - IEEE Transactions on Parallel and Distributed Systems
ER -

Bibliographic References:

[1] D. Moore, C. Shannon, and J. Brown, "Code Red: A Case Study on the Spread and Victims of an Internet Worm," Proc. Second Internet Measurement Workshop (IMW), Nov. 2002.
[2] D. Moore, V. Paxson, and S. Savage, "Inside the Slammer Worm," IEEE Magazine of Security and Privacy, vol. 4, no. 1, pp. 33-39, July 2003.
[3] M. Casado, T. Garfinkel, W. Cui, V. Paxson, and S. Savage, "Opportunistic Measurement: Extracting Insight from Spurious Traffic," Proc. Fourth ACM SIGCOMM HotNets Workshop (HotNets), Nov. 2005.
[4] J. Mirkovic, G. Prier, and P. Reiher, "Attacking DDoS at Source," Proc. 10th IEEE Int'l Conf. Network Protocols (ICNP), Nov. 2002.
[5] Y. Pan and X. Ding, "Anomaly Based Web Phishing Page Detection," Proc. 22nd Ann. Computer Security Applications Conf. (ACSAC), Nov. 2006.
[6] B. Leiba and N. Borenstein, "A Multifaceted Approach to Spam Reduction," Proc. First Conf. Email and Anti-Spam, July 2004.
[7] J. Binkley and S. Singh, "An Algorithm for Anomaly-Based Botnet Detection," Proc. Second Workshop Steps to Reducing Unwanted Traffic on the Internet (SRUTI), July 2006.
[8] E. Cooke and F. Jahanian, "The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets," Proc. First Workshop Steps to Reducing Unwanted Traffic on the Internet (SRUTI), July 2005.
[9] F.C. Freiling, T. Holz, and G. Wicherski, "Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks," Proc. 10th European Symp. Research in Computer Security (ESORICS), Sept. 2005.
[10] R. Vogt, J. Aycock, and M. Jacobson, "Quorum Sensing and Self-Stopping Worms," Proc. Fifth ACM Workshop Recurring Malcode (WORM), Oct. 2007.
[11] ZDNet, Smart Worm Lies Low to Evade Detection, http://news.zdnet.co.uk/internet/security/0,39020375,39160285,00.htm, 2005.
[12] G.M. Voelker, J. Ma, and S. Savage, "Self-Stopping Worms," Proc. ACM Workshop Rapid Malcode (WORM), Nov. 2005.
[13] J. Wu, S. Vangala, and L.X. Gao, "An Effective Architecture and Algorithm for Detecting Worms with Various Scan Techniques," Proc. 11th IEEE Network and Distributed System Security Symp. (NDSS), Feb. 2004.
[14] S. Venkataraman, D. Song, P. Gibbons, and A. Blum, "New Streaming Algorithms for Superspreader Detection," Proc. 12th IEEE Network and Distributed Systems Security Symp. (NDSS), Feb. 2005.
[15] Y. Xie, V. Sekar, D.A. Maltz, M.K. Reiter, and H. Zhang, "Worm Origin Identification Using Random Moonwalks," Proc. IEEE Symp. Security and Privacy (S&P), May 2005.
[16] A. Ahmad and A.B. Ruighaver, "Design of a Network-Access Audit Log for Security Monitoring and Forensic Investigation," Proc. First Australian Computer Network, Information and Forensics Conf., Nov. 2003.
[17] Z.S. Chen, L.X. Gao, and K. Kwiat, "Modeling the Spread of Active Worms," Proc. IEEE INFOCOM, Mar. 2003.
[18] X.F. Wang, Z. Li, J. Xu, M. Reiter, C. Kil, and J. Choi, "Packet Vaccine: Black-Box Exploit Detection and Signature Generation," Proc. 13th ACM Conf. Computer and Comm. Security (CCS), Oct./Nov. 2006.
[19] D. Gao, M. Reiter, and D. Song, "Behavioral Distance for Intrusion Detection," Proc. Symp. Recent Advance in Intrusion Detection (RAID), Sept. 1999.
[20] H.H. Feng, J.T. Giffin, Y. Huang, S. Jha, W. Lee, and B.P. Miller, "Formalizing Sensitivity in Static Analysis for Intrusion Detection," Proc. IEEE Symp. Security and Privacy (S&P), May 2004.
[21] M.G. Schultz, E. Eskin, E. Zadok, and S.J. Stolfo, "Data Mining Methods for Detection of New Malicious Executables," Proc. IEEE Symp. Security and Privacy (S&P), May 2001.
[22] M. Christodorescu, S. Jha, S.A. Seshia, D. Song, and R.E. Bryant, "Semantics-Aware Malware Detection," Proc. IEEE Symp. Security and Privacy (S&P), May 2005.
[23] SANS, Internet Storm Center, http://isc.sans.org/, 2004.
[24] V. Yegneswaran, P. Barford, and D. Plonka, "On the Design and Utility of Internet Sinks for Network Abuse Monitoring," Proc. Symp. Recent Advances in Intrusion Detection (RAID), Sept. 2003.
[25] D. Moore, "Network Telescopes: Observing Small or Distant Security Events," Proc. Invited Presentation at the 11th USENIX Security Symp. (SEC), Aug. 2002.
[26] X. Wang and D.S. Reeves, "Robust Correlation of Encrypted Attack Traffic through Stepping Stones by Manipulation of Inter-Packet Delays," Proc. ACM Conf. Computer and Comm. Security (CCS), Nov. 2003.
[27] W. Yu, X. Fu, S. Graham, D. Xuan, and W. Zhao, "DSSS-Based Flow Marking Technique for Invisible Traceback," Proc. IEEE Symp. Security and Privacy (S&P), May 2007.
[28] D.J. Daley and J. Gani, Epidemic Modeling: An Introduction. Cambridge Univ. Press, 1999.
[29] C.C. Zou, W. Gong, and D. Towsley, "Code Red Worm Propagation Modeling and Analysis," Proc. Ninth ACM Conf. Computer and Comm. Security (CCS), Nov. 2002.
[30] M.J. Osborne and A. Rubinstein, A Course in Game Theory. MIT Press, 1994.
[31] V. Sekar, Y. Xie, D. Maltz, M. Reiter, and H. Zhang, "Toward a Framework for Internet Forensic Analysis," Proc. Third Workshop Hot Topics in Networks (HotNets), Nov. 2004.
[32] R.L. Allen and D.W. Mills, Signal Analysis: Time, Frequency, Scale, and Structure. Wiley and Sons, 2004.
[33] M.S. Kim, T. Kim, Y.J. Shin, S.S. Lam, and E.J. Powers, "A Wavelet-Based Approach to Detect Shared Congestion," ACM SIGCOMM Computer Comm. Rev., vol. 34, no. 4, pp. 293-306, 2004.
[34] Y. Zhao, Y. Chen, and D. Bindel, "Towards Unbiased End-to-End Network Diagnosis," Proc. ACM SIGCOMM, Sept. 2006.
[35] H. Balakrishnan, S. Seshan, and H. Rahul, "An Integrated Congestion Management Architecture for Internet Hosts," Proc. ACM SIGCOMM, Sept. 1999.
[36] R.E. Yantorno, K.R. Krishnamachari, J.M. Lovekin, D.S. Benincasa, and S.J. Wenndt, "The Spectral Autocorrelation Peak Valley Ratio (Sapvr)—a Usable Speech Measure Employed as a Co-Channel Detection System," Proc. IEEE Int'l Workshop Intelligent Signal Processing (WISP), May 2001.
[37] DShield.org, Distributed Intrusion Detection System, http://www.dshield.org/, 2004.
[38] R. Perdisci, O. Kolesnikov, P. Fogla, M. Sharif, and W. Lee, "Polymorphic Blending Attacks," Proc. 15th USENIX Security Symp. (SECURITY), Aug. 2006.
[39] D. Bruschi, L. Martignoni, and M. Monga, "Detecting Self-Mutating Malware Using Control Flow Graph Matching," Proc. Conf. Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), July 2006.
[40] MetaPHOR, http://securityresponse.symantec.com/avcenter/venc/data/w32.simile.html, 2010.
[41] P. Ferrie and P.S. Zmist, "Zmist Opportunities," Virus Bulletin, http://www.virusbtn.com, 2010.
[42] J. Bethencourt, D. Song, and B. Waters, "Analysis-Resistant Malware," Proc. 15th IEEE Network and Distributed System Security Symp. (NDSS), Feb. 2008.
[43] M. Sharif, J. Giffin, W. Lee, and A. Lanzi, "Impeding Malware Analysis Using Conditional Code Obfuscation," Proc. 15th IEEE Network and Distributed System Security Symp. (NDSS), Feb. 2008.
[44] I.V. Popov, S.K. Debray, and G.R. Andrews, "Binary Obfuscation Using Signals," Proc. 17th USENIX Security Symp. (SECURITY), July 2008.
[45] M.G. Kang, J. Caballero, and D. Song, "Distributed Evasive Scan Techniques and Countermeasures," Proc. Int'l Conf. Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), July 2007.
[46] C. Wright, S. Coull, and F. Monrose, "Traffic Morphing: An Efficient Defense against Statistical Traffic Analysis," Proc. 15th IEEE Network and Distributed System Security Symp. (NDSS), Feb. 2008.
[47] S. Staniford, V. Paxson, and N. Weaver, "How to Own the Internet in Your Spare Time," Proc. 11th USENIX Security Symp. (SECURITY), Aug. 2002.
[48] Y. Li, Z. Chen, and C. Chen, "Understanding Divide-Conquer-Scanning Worms," Proc. Int'l Performance Computing and Comm. Conf. (IPCCC), Dec. 2008.
[49] D. Ha and H. Ngo, "On the Trade-Off between Speed and Resiliency of Flash Worms and Similar Malcodes," Proc. Fifth ACM Workshop Recurring Malcode (WORM), Oct. 2007.
[50] Y. Yang, S. Zhu, and G. Cao, "Improving Sensor Network Immunity under Worm Attacks: A Software Diversity Approach," Proc. ACM MobiHoc, May 2008.
[51] J. Jung, V. Paxson, A.W. Berger, and H. Balakrishnan, "Fast Portscan Detection Using Sequential Hypothesis Testing," Proc. IEEE Symp. Security and Privacy (S&P), May 2004.
[52] C. Zou, W.B. Gong, D. Towsley, and L.X. Gao, "Monitoring and Early Detection for Internet Worms," Proc. 10th ACM Conf. Computer and Comm. Security (CCS), Oct. 2003.
[53] M. Crovella, A. Lakhina, and C. Diot, "Mining Anomalies Using Traffic Feature Distribution," Proc. ACM SIGCOMM, Aug. 2005.
[54] G.F. Gu, D. Dagon, M.I. Sharif, X.Z. Qin, W. Lee, and G.F. Riley, "Worm Detection, Early Warning, and Response Based on Local Victim Information," Proc. 20th Ann. Computer Security Applications Conf. (ACSAC), Dec. 2004.
[55] C. Zou, W. Gong, and D. Towsley, "Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense," Proc. First ACM CCS Workshop Rapid Malcode (WORM), Oct. 2003.
[56] B. Carrier and C. Shields, "The Session Token Protocol for Forensics and Traceback," ACM Trans. Information and System Security (TISSEC), vol. 7, no. 3, pp. 332-362, 2004.
[57] P. Liu and W.Y.M. Yu, "Incentive-Based Modeling and Inference of Attacker Intent, Objectives, and Strategies," ACM Trans. Information System and Security, vol. 8, no. 1, pp. 78-118, 2005.
[58] W. Yu and K.J.R. Liu, "Game Theoretic Analysis of Cooperation Stimulation and Security in Autonomous Mobile Ad Hoc Networks," IEEE Trans. Mobile Computing, vol. 6, no. 5, pp. 507-521, May 2007.
[59] Y. Liu, C. Comaniciu, and H. Man, "A Bayesian Game Approach for Intrusion Detection in Wireless Ad Hoc Networks," Proc. Workshop Game Theory for Comm. and Networks, 2006.
[60] T. Moscibroda, S. Schmid, and R. Wattenhofer, "When Selfish Meets Evil: Byzantine Players in a Virus Inoculation Game," Proc. 25th Ann. ACM SIGACT-SIGOPS Symp. Principles of Distributed Computing (PODC), July 2006.
[61] J. Farlow, J.E. Hall, J.M. McDill, and B.H. West, Differential Equations and Linear Algebra. Prentice-Hall, Inc., 2002.

