Issue No. 2, April-June 2008 (vol. 5), pp. 71-86
Self-propagating code, known as worms, such as Code Red, Nimda, and Slammer, has drawn significant attention due to its enormously adverse impact on the Internet. There is therefore great interest in the research community in modeling the spread of worms and in providing adequate defense mechanisms against them. In this paper, we present a (stochastic) branching process model for characterizing the propagation of Internet worms. The model is developed for uniform scanning worms and then extended to preference scanning worms. This model leads to the development of an automatic worm containment strategy that prevents the spread of a worm beyond its early stage. Specifically, for uniform scanning worms, we are able to (1) provide a precise condition that determines whether the worm spread will eventually stop and (2) obtain the distribution of the total number of hosts that the worm infects. We then extend our results to contain preference scanning worms. Our strategy is based on limiting the number of scans to dark-address space, with the limiting value determined by our analysis. Our automatic worm containment scheme effectively contains both uniform scanning worms and local preference scanning worms, and it is validated through simulations and real trace data to be non-intrusive. We also show how to incrementally deploy our worm containment strategy.
Index terms: viruses, worms, Trojan horses; Internet scanning worms; stochastic worm modeling; branching process model; preference scanning worms; automatic worm containment.
Ness B. Shroff, Saurabh Bagchi, "Modeling and Automated Containment of Worms", IEEE Transactions on Dependable and Secure Computing, vol.5, no. 2, pp. 71-86, April-June 2008, doi:10.1109/TDSC.2007.70230
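The abstract's two uniform-scanning results (a condition under which the spread dies out, and the distribution of the total number of infected hosts) can be illustrated with a Galton-Watson branching process. The following Python is an added example, not code from the paper; it assumes that every infected host may send a fixed scan budget of uniformly random scans before it is stopped, approximates the number of vulnerable hosts those scans hit by a Poisson draw (valid when vulnerable density is small), and uses constructed parameters (a 32-bit address space with 2**20 vulnerable hosts) that are not from the paper.

```python
import math
import random

# Constructed parameters (not from the paper): 32-bit address space with
# 2**20 vulnerable hosts, i.e. a vulnerable density of 1/4096.
ADDRESS_SPACE = 2 ** 32
VULNERABLE = 2 ** 20
CAP = 2000  # a run reaching this many infections counts as a runaway epidemic


def mean_offspring(scan_budget: int, vulnerable: int, address_space: int) -> float:
    """Expected new infections from one host allowed scan_budget random scans."""
    return scan_budget * vulnerable / address_space


def max_scan_budget(vulnerable: int, address_space: int) -> int:
    """Largest per-host scan budget keeping mean offspring strictly below 1,
    the subcritical regime in which the outbreak dies out with probability one."""
    return math.ceil(address_space / vulnerable) - 1


def expected_total_infected(mean: float) -> float:
    """Mean total progeny of a Galton-Watson process started by one infected
    host; finite only when the process is subcritical (mean < 1)."""
    return math.inf if mean >= 1.0 else 1.0 / (1.0 - mean)


def _poisson(lam: float, rng: random.Random) -> int:
    """Knuth's Poisson sampler (assumed approximation to the binomial hit count)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_outbreak(mean: float, rng: random.Random, cap: int = CAP) -> int:
    """One run of the branching process; returns total hosts infected, capped."""
    total = frontier = 1
    while frontier and total < cap:
        frontier = sum(_poisson(mean, rng) for _ in range(frontier))
        total += frontier
    return min(total, cap)


def outbreak_statistics(mean: float, runs: int = 200, seed: int = 1) -> tuple:
    """Monte Carlo estimate of (fraction of outbreaks that die out,
    average total infected over the outbreaks that died out)."""
    rng = random.Random(seed)
    sizes = [simulate_outbreak(mean, rng) for _ in range(runs)]
    contained = [s for s in sizes if s < CAP]
    return len(contained) / runs, sum(contained) / max(len(contained), 1)
```

With the constructed density, any per-host scan budget of at most 4095 scans keeps the process subcritical, and the simulated extinction fraction drops well below one once the mean offspring exceeds 1.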