A spread model of flash worms

I can't let another week go by and not post a paper on worm modeling. This one looks at a more rigorous model of how a "Flash Worm" would work. Some decent math; it's worth the effort to make sure you understand the equations.

In this work we introduce a mathematical model for epidemics of worms using the hit-list spreading technique. Flash worms use this technique to infect the whole vulnerable population. The estimated infection time shows that even a heavy network worm can potentially infect a large-scale vulnerable population within a few seconds. Primarily the work is based on results of the work Top Speed of Flash Worms by S. Staniford et al. We also generalize the infection doubling technique used to increase the resilience of flash worm epidemics. It took the whole day for Code Red I v2 to spread among over 350,000 Internet hosts. Slammer worm infected more than 90 percent of up to 100,000 vulnerable hosts within 10 minutes (Inside the Slammer Worm by D. Moore et al.), Witty worm infected almost all of its 12,000 victims in 45 minutes (The Spread of the Witty Worm by C. Shannon and D. Moore).

Source: A spread model of flash worms, Yury Bulygin.

November 7, 2006 in modeling, papers

An epidemiological model of virus spread and cleanup

Quite a good, focused paper on the outbreak of malware.

Signature based anti-virus technologies are widely used to fight computer viruses. It is difficult to evaluate such systems because they work in the wild and few companies would be willing to turn them off to be part of a control group! This paper presents a new model of these technologies that can be used to predict and evaluate their effectiveness. The paper will demonstrate how the model can be used to understand the overall system dynamics, calculate expected costs of outbreaks, give insight into the relative importance of parts of the system and suggest ways to improve the technology. It is also used to evaluate new approaches to fighting viruses.

Source: An epidemiological model of virus spread and cleanup, Williamson, Matthew M.; Léveillé, Jasmin.

October 14, 2006 in modeling, papers
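The abstract above says the model is used to calculate expected outbreak costs and to rank which parts of a signature-based system matter most. As an added illustration (my own code, not the paper's model), the block below integrates a small susceptible/infected/cleaned compartment model in which cleanup only begins once a signature ships after a delay, then compares outbreak cost for several signature delays. The rate constants and population are constructed values; `simulate_outbreak`, `compare_signature_delays` and the cost proxy (infected host-hours) are assumptions of this example.

```python
"""Added example (not from the Williamson/Léveillé paper): a three-compartment
virus spread and cleanup model with a signature release delay.  Constructed to
show how outbreak cost depends on how quickly a signature is shipped."""

from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass
class OutbreakResult:
    peak_infected: float      # largest number of simultaneously infected hosts
    total_cost: float         # infected host-hours, used here as a cost proxy
    final_susceptible: float
    final_infected: float
    final_cleaned: float


def simulate_outbreak(population: int, beta: float, signature_delay_h: float,
                      cleanup_rate: float, horizon_h: float = 72.0,
                      dt: float = 0.01, initial_infected: int = 1) -> OutbreakResult:
    """Euler-integrate an assumed compartment model (hours as the time unit):
         dS/dt = -beta * S * I / N
         dI/dt =  beta * S * I / N - gamma(t) * I
         dC/dt =  gamma(t) * I
    gamma(t) is 0 until the signature ships at signature_delay_h, then equals
    cleanup_rate: hosts are only cleaned once a signature exists."""
    n = float(population)
    s, i, c = n - initial_infected, float(initial_infected), 0.0
    peak, cost, t = i, 0.0, 0.0
    while t < horizon_h:
        gamma = cleanup_rate if t >= signature_delay_h else 0.0
        new_infections = beta * s * i / n * dt
        cleaned = gamma * i * dt
        s -= new_infections
        i += new_infections - cleaned
        c += cleaned
        cost += i * dt            # accumulate infected host-hours
        peak = max(peak, i)
        t += dt
    return OutbreakResult(peak, cost, s, i, c)


def compare_signature_delays(delays_h: Iterable[float], population: int = 100_000,
                             beta: float = 0.8, cleanup_rate: float = 0.5) -> Dict[float, OutbreakResult]:
    """Run the same outbreak with different signature delays (constructed
    parameters) so the sensitivity to response time can be read off directly."""
    return {d: simulate_outbreak(population, beta, d, cleanup_rate) for d in delays_h}


if __name__ == "__main__":
    for delay, r in compare_signature_delays([0.0, 6.0, 12.0, 24.0]).items():
        print(f"signature delay {delay:5.1f} h: peak infected {r.peak_infected:9.0f}, "
              f"cost {r.total_cost:11.0f} host-hours, cleaned {r.final_cleaned:9.0f}")
```

Because the contact rate here exceeds the cleanup rate, the outbreak spreads even with an instant signature; what the delay changes is the peak and the accumulated cost, which is the kind of sensitivity the abstract says the model is meant to expose.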

Experiences With Internet Traffic Measurement and Analysis

Most of this worm data isn't new to regular readers of Wormblog. If you've seen much of Vern Paxson's work, or that of his colleagues at CAIDA, then you're familiar with much of the data. However, this slide deck puts together the worm data with Internet-scale measurement data of the normal Internet, not something you see often. A neat set of slides. From: Experiences With Internet Traffic Measurement and Analysis [PPT], a slide deck by Vern Paxson.

September 27, 2006 in modeling, slides

Simulation and Analysis on the Resiliency and Efficiency of Malnets

More work by the team from yesterday's paper, again on difficult-to-remove malware.

Future network intruders will probably use an organized army of malicious nodes (here called "malnodes", or collectively a "malnet") to deliver many different attacks, rather than recruiting a disorganized set of compromised nodes per attack. However, partly due to the lack of understanding of the resiliency and efficiency a malnet can have, countering malnets has been ineffective.

This paper begins to address this deficiency. Through calculation and simulation for three representative malnets (random, small-world, and Gnutella-like) we show that extremely resilient malnets can be formed to deliver attack code quickly. In particular, we show that disconnecting malnets is possible, but extremely naive approaches such as randomly disinfecting malnodes will not suffice, and effective defenses must either happen very quickly during a second-wave attack, or take effect prior to it.

Source: Simulation and analysis on the resiliency and efficiency of malnets, Jun Li, Toby Ehrenkranz, Geoff Kuenning, and Peter Reiher, in Proceedings of the 19th Workshop on Principles of Advanced and Distributed Simulation PADS '05.

September 20, 2006 in defense, modeling, papers

Midgard Worms: Sudden Nasty Surprises from a Large Resilient Zombie Army

Almost another "worst-case worm scenario", but unlike most people who propose self-defending worms, these folks actually do some design and analysis of how it may work.

Future network intruders will probably use a zombie army to deliver many different attacks, rather than recruiting a new army per attack. We describe a Midgard Worm, which can build an extremely resilient and scalable overlay network to deliver attack code quickly. The worm's master could disseminate a 1-megabyte exploit or upgrade to a million zombies from any zombie in less than six minutes. Even if 80% of the zombies were disinfected, 70% of the remainder would remain connected and ready to receive new exploits. We discuss the basic design principles behind such a worm and methods of combating this kind of attack.

Source: Midgard Worms: Sudden Nasty Surprises from a Large Resilient Zombie Army, by Peter Reiher, Jun Li, and Geoff Kuenning.

September 19, 2006 in defense, modeling, papers

A Distributed Host-based Worm Detection System

Not a new idea, but this paper does a pretty good job of explaining the algorithms in use.

We present a method for detecting large-scale worm attacks using only end-host detectors. These detectors propagate and aggregate alerts to cooperating partners to detect large-scale distributed attacks in progress. The properties of the host-based detectors may in fact be relatively poor in isolation but when taken collectively result in a high-quality distributed worm detector. We implement a cooperative alert sharing protocol coupled with distributed sequential hypothesis testing to generate global alarms about distributed attacks. We evaluate the system's response in the presence of a variety of false alarm conditions and in the presence of an Internet worm attack. Our evaluation is conducted with agents on the Emulab and DETER emulated testbeds using real operating systems and computing platforms.

Source: A Distributed Host-based Worm Detection System, Senthilkumar G. Cheetancheri, John Mark Agosta, Denver H. Dash, Karl N. Levitt, Jeff Rowe, Eve M. Schooler.

September 16, 2006 in detection, modeling, papers

A Distributed Host-Based Worm Detection System

I've posted papers describing the approach of using collaborative host-based detection tools for worm outbreaks previously. This is some more research from Cheetancheri on the subject.

We present a method for detecting large-scale worm attacks using only end-host detectors. These detectors propagate and aggregate alerts to cooperating partners to detect large-scale distributed attacks in progress. The properties of the host-based detectors may in fact be relatively poor in isolation but when taken collectively result in a high-quality distributed worm detector. We implement a cooperative alert sharing protocol coupled with distributed sequential hypothesis testing to generate global alarms about distributed attacks. We evaluate the system's response in the presence of a variety of false alarm conditions and in the presence of an Internet worm attack. Our evaluation is conducted with agents on the Emulab and DETER emulated testbeds using real operating systems and computing platforms.

Source: A Distributed Host-Based Worm Detection System. Senthilkumar G. Cheetancheri, John Mark Agosta, Denver H. Dash, Karl N. Levitt, Jeff Rowe, Eve M. Schooler, Proceedings of the ACM SIGCOMM Workshop on Large Scale Attack Defense (LSAD06).

September 8, 2006 in detection, modeling, papers
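Both of the Cheetancheri posts above (September 16 and September 8) describe aggregating alerts from individually weak host detectors with sequential hypothesis testing. To make that concrete, here is an added example of my own, not code from the paper: a sequential probability ratio test (SPRT) that walks shared (host, alerted) observations in arrival order and stops as soon as the accumulated evidence supports "worm" or "benign". The per-detector alert probabilities, the target error rates, the host names and the two sample alert streams are all constructed for this example.

```python
"""Added example (not the paper's implementation): Wald's sequential
probability ratio test (SPRT) over alerts shared by cooperating hosts.
Each host detector is assumed to be weak on its own; the global decision
comes from the accumulated log-likelihood ratio across hosts."""

import math
from typing import Iterable, List, Tuple

# Assumed per-detector quality (constructed values for this example).
P_ALERT_WORM = 0.6     # P(a host raises an alert | worm activity present)
P_ALERT_BENIGN = 0.2   # P(a host raises an alert | no worm), i.e. its false alarm rate


def sprt_thresholds(alpha: float, beta: float) -> Tuple[float, float]:
    """Wald's approximate stopping bounds on the log-likelihood ratio for a
    target global false-alarm rate alpha and miss rate beta."""
    upper = math.log((1.0 - beta) / alpha)   # cross this: decide "worm"
    lower = math.log(beta / (1.0 - alpha))   # cross this: decide "benign"
    return lower, upper


def aggregate_alerts(observations: Iterable[Tuple[str, bool]],
                     alpha: float = 0.01, beta: float = 0.01,
                     p1: float = P_ALERT_WORM, p0: float = P_ALERT_BENIGN
                     ) -> Tuple[str, int, float]:
    """Consume (host, alerted) pairs in arrival order and return
    (decision, observations_used, final_llr).  Decision is "worm", "benign",
    or "undecided" if the stream ends before a bound is crossed."""
    lower, upper = sprt_thresholds(alpha, beta)
    llr, used = 0.0, 0
    for host, alerted in observations:
        used += 1
        # Each shared observation shifts the evidence by its likelihood ratio.
        llr += math.log(p1 / p0) if alerted else math.log((1.0 - p1) / (1.0 - p0))
        if llr >= upper:
            return "worm", used, llr
        if llr <= lower:
            return "benign", used, llr
    return "undecided", used, llr


# Constructed sample streams: what a coordinator might receive from partners.
WORM_STREAM: List[Tuple[str, bool]] = [
    ("host-01", True), ("host-07", True), ("host-03", False), ("host-12", True),
    ("host-05", True), ("host-09", True), ("host-02", True),
]
BENIGN_STREAM: List[Tuple[str, bool]] = [
    ("host-01", False), ("host-04", False), ("host-07", True), ("host-02", False),
    ("host-11", False), ("host-06", False), ("host-03", False), ("host-08", False),
    ("host-10", False), ("host-05", False), ("host-09", False),
]


if __name__ == "__main__":
    for name, stream in (("worm-like", WORM_STREAM), ("benign", BENIGN_STREAM)):
        decision, used, llr = aggregate_alerts(stream)
        print(f"{name:10s}: {decision} after {used} shared alerts (llr={llr:.2f})")
```

With alpha = beta = 0.01 the bounds are about ±4.6 nats; an alert adds ln 3 and a non-alert adds ln 0.5, so a handful of consistent observations from different hosts is enough to decide, even though no single detector is trustworthy. The lone false alarm in the benign stream only delays the "benign" decision rather than triggering a global alarm.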

Towards a framework for Worm Defense Evaluation

Part of Senthilkumar Cheetancheri's Ph.D. research, this is a brief paper describing the framework they built for setting up experiments in the EMIST/DETER testbed.

Computer worms are a serious problem. Much research has been done to detect and contain worms. One major deficiency in most research is that the claims are supported by theoretic models or simulations only and not by realistic tests. Network testbeds such as emulab and deter can be used to conduct worm experiments on networks of a few hundred nodes. However, setting up such an experiment is not trivial. In this paper, we describe a wrapper around emulab to deploy such experiments quickly. We also demonstrate its use by evaluating an example worm containment strategy.

Source: Towards a framework for Worm Defense Evaluation, Senthilkumar G Cheetancheri, Denys Ma, Todd Heberlein, Karl Levitt. Proceedings of the IEEE IPCCC Workshop on Swarm Intelligence (MALWARE'06), Apr '06.

September 7, 2006 in modeling, papers

Automatically deducing propagation sequences that circumvent a collaborative worm defense

A very short paper (only 6 pages), but this one is worm defense flipped on its ear: the worm defends its propagation strategy. Kind of neat.

We present an approach to the question of evaluating worm defenses against future, yet unseen, and possibly defense-aware worm behavior. Our scheme employs model checking to produce worm propagation sequences that defeat a worm defense of interest. We demonstrate this approach using an exemplar collaborative worm defense, in which LANs share alerts about encountered infections. Through model checking experiments, we then generate propagation sequences that are able to infect the whole population in the modeled network. We discuss these experimental results and also identify open problems in applying formal methods more generally in the context of worm quarantine research.

Source: Automatically deducing propagation sequences that circumvent a collaborative worm defense. Linda Briesemeister and Phillip A. Porras. In Proceedings of the 25th International Performance Computing and Communications Conference (Workshop on Malware), pages 587-592, April 2006.

September 6, 2006 in defense, modeling, papers

Formally Specifying Design Goals of Worm Defense Strategies

A formal paper, but this is one of a small set of interesting works I'll post this week. While this is a short work (it's an extended abstract), it provides a nice framework to think about worm defense measures.
There are many key challenges to developing the apparatus and methodologies necessary to evaluate the emerging suite of approaches to large-scale worm defense. Within the DETER/EMIST initiative, challenges that have arisen during the development of our experimental framework include the need to support experiment repeatability, greater scalability in network topology, and greater realism in traffic dynamics. Among these key challenges, we also seek to expand the rigor with which we model the protection claims of the worm defense algorithm, particularly as we design tests that we hope can fully stress and evaluate the protection claims of the algorithm of interest.

To date, most of the work in understanding the behavior of malicious code propagation and defense has centered exclusively on understanding the effects of a proposed malware countermeasure on the global infection growth rate given a specific modeled network and malicious code scenario. In this study we consider how to more rigorously express design goals regarding the local impact of a defensive algorithm from the perspective of those who participate in the defense. We contrast this perspective of local benefit from what we view as the current tradition of evaluating worm defense performance based on assessing growth rate impact on an abstracted topology of global population.

Source: Formally specifying design goals of worm defense strategies. Linda Briesemeister and Phillip A. Porras. Proceedings of DETER Community Workshop on Cyber Security Experimentation and Test, June 2006.

September 5, 2006 in defense, modeling, papers