Exact Modeling of Propagation for Permutation-Scanning Worms
Parbati Kumar Manna, Shigang Chen, Sanjay Ranka
INFOCOM’08
2008/11/19 Speaker: Li-Ming Chen 2
Virus/Worm: A Brief History
1969 ARPANET (forerunner of the Internet)
1979 Engineers at Xerox Research Center discover the computer worm
1983 Fred Cohen – Computer Virus
1988 Robert Morris unleashes a worm that invades ARPANET computers
1995 Microsoft releases Windows 95 (and the macro virus appears)
1992 Toolkits, mutation engine
1999 Melissa virus
2000 “I Love You” virus, DoS, DDoS
2001 CodeRed I, II, Nimda
2003 Slammer (fastest-spreading), Blaster
2004 Sasser
History of Worm Propagation Modeling
1999 “Directed-graph epidemiological models of computer virus”
2001 CodeRed I, II, Nimda
2002 Simple epidemic model (considering scanning rate); modeling CodeRed propagation (how about network congestion / human countermeasures?)
2003 Modeling propagation with the ideas of “hitlist”, “death rate”, “patching rate”, …
2004 Study of the top speed of flash worms
2005 Self-stopping worm
2006 Worus (Worm + Virus)
2008 Permutation-scanning worms
Why Model Worm Propagation?
Simulation: pros? cons? limitations?
Modeling: pros? cons? limitations?
Outline
Permutation-scanning worms (basis)
A 0-jump worm model
(Extension) The k-jump worm model
Usage of the analytical model
Conclusion and comments
Permutation-scanning Worms
Traditional: random-scanning worms
Permutation-scanning:
Divide-and-conquer
Jumping
Avoid being detected: virtual permutation address space
Fast vs. stealthy: the big name vs. nearly no network footprint?
Scanzone
(Def:) A scanzone is the contiguous range of addresses that is currently being scanned by an active infected host since the last time it jumped.
Jump:
Old/new infection:
k-jump worm:
A special case: the 0-jump worm
Example: 0-jump Worm
Example: 0-jump Worm (cont’d)
Classification of Scanning Hosts
By judging the effectiveness of an active host's scanning (its ability to generate new infections):
Effective (x):
Ineffective (y):
Nascent (α):
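As an added worked example (not the paper's model and not code from the talk), the following Python simulator puts the concepts on these slides together: a virtual permutation address space, scanning in permutation order with a per-host scanzone, up to k jumps when a scanner hits an old infection (k=0 gives the 0-jump worm, which simply stops), and a per-tick count of effective (x), ineffective (y) and nascent (α) hosts. The tick model, the rule that a scanner is effective when a vulnerable uninfected address lies ahead of its cursor before the next infected one, and all class, method and parameter names are this example's own assumptions.

```python
# Added example (not from the paper or the talk): a discrete-time simulator of a
# k-jump permutation-scanning worm in a virtual permutation address space. The
# tick model and the effective/ineffective/nascent rule are this example's
# assumptions, chosen to match the definitions on the slides.
import random
from dataclasses import dataclass


@dataclass
class Scanner:
    host: int         # address of the infected host that is scanning
    start: int        # slot where the current scanzone began (last jump/activation)
    cursor: int       # next slot to scan; scanzone = slots [start, cursor)
    jumps_left: int   # jumps remaining before a hit on an old infection stops it
    active: bool = True


class PermutationWorm:
    def __init__(self, n_addr, vulnerable, k, perm=None, rng=None, starts=None):
        self.n, self.k = n_addr, k
        self.rng = rng if rng is not None else random.Random(0)
        self.vulnerable = set(vulnerable)
        # perm[addr] = slot in the virtual permutation; scanning walks slots in order
        self.perm = perm if perm is not None else self.rng.sample(range(n_addr), n_addr)
        self.slot_to_addr = [0] * n_addr
        for addr, slot in enumerate(self.perm):
            self.slot_to_addr[slot] = addr
        self.starts = starts or {}   # fixed start slot per host (reproducible tests only)
        self.infected, self.scanners, self.nascent = set(), [], []
        self.tick = self.total_scans = 0
        self.history = []            # (tick, infected, x, y, alpha) after each tick

    def _pick_start(self, host):
        return self.starts[host] if host in self.starts else self.rng.randrange(self.n)

    def seed(self, host):
        """Infect the initial host; it starts scanning on the next tick."""
        self.infected.add(host)
        self.nascent.append(host)

    def _scan_one(self, sc):
        addr = self.slot_to_addr[sc.cursor]
        self.total_scans += 1
        if addr in self.infected:            # old infection: jump if allowed, else stop
            if sc.jumps_left > 0:
                sc.jumps_left -= 1
                sc.start = sc.cursor = self._pick_start(sc.host)   # new scanzone
            else:
                sc.active = False
            return
        if addr in self.vulnerable:          # new infection: victim becomes nascent
            self.infected.add(addr)
            self.nascent.append(addr)
        sc.cursor = (sc.cursor + 1) % self.n

    def _is_effective(self, sc):
        # Walk from the cursor to the next infected address (where a 0-jump scanner
        # stops); effective if a vulnerable uninfected host lies before that point.
        slot = sc.cursor
        for _ in range(self.n):
            addr = self.slot_to_addr[slot]
            if addr in self.infected:
                return False
            if addr in self.vulnerable:
                return True
            slot = (slot + 1) % self.n
        return False

    def classify(self):
        """Return (x, y, alpha): effective, ineffective and nascent host counts."""
        active = [sc for sc in self.scanners if sc.active]
        x = sum(1 for sc in active if self._is_effective(sc))
        return x, len(active) - x, len(self.nascent)

    def step(self):
        """One tick: nascent hosts start scanning, each active scanner probes one slot."""
        self.tick += 1
        for host in self.nascent:
            s = self._pick_start(host)
            self.scanners.append(Scanner(host, s, s, self.k))
        self.nascent = []
        for sc in self.scanners:
            if sc.active:
                self._scan_one(sc)
        x, y, a = self.classify()
        self.history.append((self.tick, len(self.infected), x, y, a))
        return bool(self.nascent) or any(sc.active for sc in self.scanners)

    def run(self, max_ticks=100_000):
        """Run until all scanners stop (each one eventually meets its own address)."""
        while self.step() and self.tick < max_ticks:
            pass
        return self.history

    def scanzones(self):
        """Scanzone (start slot, cursor slot) of every still-active scanner."""
        return {sc.host: (sc.start, sc.cursor) for sc in self.scanners if sc.active}


if __name__ == "__main__":
    # Constructed scenario: 4096 virtual addresses, every 16th address vulnerable.
    for k in (0, 2):
        worm = PermutationWorm(4096, range(0, 4096, 16), k=k, rng=random.Random(1))
        worm.seed(0)
        hist = worm.run()
        peak = max(hist, key=lambda h: h[2])   # tick with the most effective scanners
        print(f"k={k}: infected {len(worm.infected)}/{len(worm.vulnerable)} in "
              f"{worm.tick} ticks, {worm.total_scans} scans, peak x={peak[2]} at tick {peak[0]}")
```

Running the script with k=0 and k=2 on the same seeded address space gives the per-tick x/y/α series that the analytical model on the later slides describes; the scanzones() helper exposes each active host's current scanzone exactly as defined above, and passing a fixed permutation and fixed start slots makes a small scenario reproducible by hand.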
Classification of Scanning Hosts (cont’d)
Modeling a 0-jump Worm
Questions:
Q1:
Q2:
Q3:
Modeling a 0-jump Worm (cont’d)
Ans1: hit ratio
Ans2: old/new infection
Ans3: the effectiveness
Verification of 0-jump Worm Model
Extend to k-jump Worm (see results first :p)
Extend to k-jump Worm
Difference from 0-jump worm: a
Example: State Diagram of a 2-jump Worm
k-jump Worm Model
(Recall) Usage of the Analytical Model
Simulation vs. analytical model
Finding the truly independent variables in the model
Effects of parameters on propagation: N, V, φ, r, k