
A Self-Learning Worm Using Importance Scanning

Another "smart worm" design paper. I don't think I see many of these sorts of things in the wild, but they're always fun to dream up and try and defend against.
The use of side information by an attacker can help a worm speed up the propagation. This philosophy has been the basis for advanced worm scanning mechanisms such as hitlist scanning, routable scanning, and importance scanning. Some of these scanning methods use information on vulnerable hosts. Such information, however, may not be easy to collect before a worm is released. Questions then arise whether and how a worm can self-learn and use such information while propagating, and how virulent the resulting worm may be. In this paper, we design a self-learning worm using importance scanning. An optimal yet practical importance-scanning strategy is derived based on a new metric. A self-learning worm is demonstrated to have the ability to accurately estimate the underlying vulnerable-host distribution if a sufficient number of infected hosts are observed. Experimental results based on parameters chosen from Code Red show that after accurately estimating the distribution of vulnerable hosts, a self-learning worm can spread much faster than a random-scanning worm, a permutation-scanning worm, and a Class A routing worm. Some guidelines for detecting and defending against such self-learning worms are also discussed.
Source: A Self-Learning Worm Using Importance Scanning, Zesheng Chen, Chuanyi Ji.

February 15, 2006 in defense, papers
