Figure 2 - uploaded by Tom Vogt
Initial, random dataset with random propagation algorithm

Source publication
Article
This paper describes a series of simulations run to estimate various worm growth patterns and their corresponding propagation algorithms. It also tests and verifies the impact of various improvements, starting from a trivial simulation of worm propagation and the underlying network infrastructure to more refined models, it attempts to determine the...

Contexts in source publication

Context 1
... a simulation, shifting the distribution of hosts accomplishes this effect, by declaring nonvulnerable hosts, or hosts with a different service (to take into account worms with multiple infection vectors), as vulnerable. Figure 10 shows the resulting graph from the simulation with four times as many vulnerable hosts as the model used elsewhere in this paper, twice the resolution (one tick being 300 seconds) and otherwise the same parameters as in figure 2 on page 8. ...
Context 2
... worm in figure 16 has one shortcoming that has already been found to be a slowdown factor: It is single-threaded. The speed gain from the initial worm (figure 2 on page 8) to the multithreading worm (figure 5 on page 11) was more than a factor of five, for ten threads. If a similar gain can be made with a more advanced worm, the result should be able to beat the Flash Worms. ...
Context 3
... worm would reach the aforementioned 98% destruction rate within the first minute, as shown in figure 20. A worm of this kind would easily destroy the affected corporate infrastructure in well below the reaction time of even the best IT department. ...

Similar publications

Article
As the long term evolution (LTE) standard comes to an end, 3rd Generation Partnership Project is discussing further evolution of the LTE to meet the international mobile telecommunications advanced requirements, which is referred to as LTE-Advanced (LTE release 10 and beyond). This article first presents the network infrastructure of the LTE-Advanc...
Article
Internet of Things and Blockchain are considered two major technologies. Lower latency and a higher linked system number provide greater flexibility for remote execution of Internet of Things (IoT) applications. It is no secret that IoT devices often have insufficient computing capacity (both in terms of processing power and storage requirements) t...
Article
The advent of advanced mobile communication systems like 5G and beyond holds promise for vertical sectors, particularly in transport & logistics (T&L), by enhancing network performance and ensuring high levels of quality of service (QoS), crucial for automating and optimizing T&L processes. However, assessing the impact of 5G requires investments i...
Chapter
Telecommunications is an essential enabler of modern societies and a global vertical industry, providing communication and information services, with its annual revenue of over trillion euros. In this book, a company providing these services is referred to as a telecom operator or communications service provider (CSP). CSPs create value by offering...

Citations

... Finally, the user program gets the final result from all reduce workers. ... shorter than the Code Red worm (about 13 hours, using the random scan strategy [12]). ...
Article
Cloud computing technology not only provides us with powerful computing, on-demand service and rapid elasticity, but also possibly great destruction by Internet criminals. This prompts us to consider the cloud-based worm propagation problem. We set up the analytical model through a highly abstract network environment and achieve the overall characteristics of the worm research purposes. In this paper, we firstly analyze the factors that affect worm scanning and propagation in the cloud and put forward a novel cloud-based worm model: the MapReduce Divide-and-Conquer model (MRDC). Secondly, we analyze the architecture and performance of the MRDC worm in contrast to Code Red, the hit-list worm, the flash worm, etc. The simulation shows that the MRDC worm significantly improves worm propagation. And finally, we discuss some threat trends of cloud-based worm propagation and some possible solutions. Our simulation shows that the MRDC worm propagates much faster than the other worms: the MRDC worm can scan and infect the entire IPv4 space in no more than 10 minutes, and the perfect MRDC worm can infect 360,000 vulnerable machines in no more than 1 second and all vulnerable machines in the entire IPv4 space in no more than 10 seconds.
... An attacking host would preferentially scan local network addresses. Vogt [63] shows that worms using localized scanning can spread faster in the initial stages, but that once a large fraction of vulnerable hosts are infected, the infection process slows down. One of the attacker's advantages of scanning in this manner is that once a host behind a firewall is infected, it can directly infect other hosts without passing through the firewall, depending on network topology. ...
... This hit-list can then be split up and distributed to newly infected hosts. A variant on this idea is to distribute an anti-hit list along with the worm which contains a list of networks to avoid scanning [63], [51]. These networks could simply be empty and thus be a waste of time to attempt to probe, or could be known to harbour network telescopes attempting to automatically generate worm signatures. ...
Article
This paper surveys the Internet worms-related literature and how stealthy worm behaviour can be discovered. Discussion is provided on the anatomy of worms, specifically covering the mechanisms by which worms spread, how they are detected, and how they may attempt to hide. The paper presents common detection mechanisms that we divide based on worm architecture properties. Namely, we summarize how worms can be detected at each of the following stages: target discovery, while they are being distributed, while being activated at the hosts, and when they run their payloads (where applicable). We also discuss some attack patterns for famous recent worms. The paper concludes with a discussion on current solutions (academic research, commercial products, and open-source tools) to detect worms and a comparative summary of these solutions/tools' capabilities.
... Various methods could be used to improve the propagation of worms, thereby speeding up their infection and/or more narrowly focusing their effects on specific target populations. [29] So while it is true that the disruptive attack described above could also be performed using a worm - especially if the worm did significant damage to filesystem contents, increasing both the cleanup costs and down time - it is still likely that random propagation worms like those we have seen to date would not be the single CNA weapon of choice for two main reasons: ...
Research
Hardly a day goes by without a story in the IT press about the compromise of business records, employee (or employee-access) hacking attacks on corporate networks, and intrusions into the networks of military sites, government contractors, and U.S. federal agencies and departments. Several major countries have publicly announced the development of Computer Network Defense (CND) and/or Computer Network Attack (CNA) capabilities for use in cyberspace. At the same time, there is little clarity in how international conventions apply to these capabilities or how existing international laws of war would interpret the use of force, or what constitutes a proportional defensive response with respect to cyber activities in either physical or cyber space. Policy makers are faced with the issues of how to establish deterrence and rules of engagement in the event of detecting a hostile computer network attack, and a starting point on the road to addressing these questions is to understand what could reasonably be anticipated from an adversary. To that end, this paper endeavors to answer the question, If a technologically sophisticated nation-state with substantial intellectual and financial resources were to try to develop capabilities for using CNA or 'close-access' attacks (in the logical as opposed to physical sense) on adversary computers, what capabilities could it develop and how would it develop those capabilities? Work performed for the Committee on Offensive Information Warfare, National Research Council, under agreement D-235-DEPS-2007-001, February 2008.
... Through active traffic response, "Honeynet" [11] and "Honeyd" [22] can gather more detailed information on Internet malicious traffic. A close work to ours is the simulation studies of various worm scanning strategies conducted by Vogt [27]. However, his work is entirely based on simulation experiments without mathematical analysis and modeling. ...
Article
In recent years, fast spreading worms, such as Code Red, Slammer, Blaster and Sasser, have become one of the major threats to the security of the Internet. In order to defend against future worms, it is important to first understand how worms propagate and how different scanning strategies affect worm propagation dynamics. In this paper, we systematically model and analyze worm propagation under various scanning strategies, such as uniform scan, routing scan, hit-list scan, cooperative scan, local preference scan, sequential scan, divide-and-conquer scan, target scan, etc. We also provide an analytical model to accurately model Witty worm’s destructive behavior. By using the same modeling framework, we reveal the underlying similarity and relationship between different worm scanning strategies. In addition, based on our simulation and analysis of Blaster worm propagation and monitoring, we provide a guideline for building a better worm monitoring infrastructure.
... Therefore they can prevent the wide spread of a worm on the Internet level by analyzing the quarantine on the Internet. [13], [14] present a discrete-time worm model that considers the patching and cleaning effect during worm propagation. As shown previously, most damage propagation models focus on viruses and worms. ...
Conference Paper
With rapid development in the Internet technology, business management in an organization becomes dependent on network dependency and cohesiveness in a critical information and communications infrastructure. However, the occurrence of cyber attacks has increased, targeted against vulnerable resources in information systems. Hence, in order to protect private information and computer resources, risk analysis and damage propagation need to be studied. However, the existing models present mechanisms for risk management, and these models can only be applied to specified threats such as a virus or a worm. Therefore, a probabilistic model for damage propagation based on Markov process is proposed, which can be applied to diverse threats in information systems. The proposed model enables us to predict the occurrence probability and occurrence frequency of each threat in the information systems.
... Once a host is infected, it is assumed that it stays in that state. This model is used in a number of research areas, usually slightly modified to simulate different phenomena [33, 32, 28]. In the General Epidemic Model [35], a host is in the infected, susceptible or removed state. ...
... CR-Iv2 runs 100 threads, 99 of them performing random IP scanning using TCP with a timeout value of 21 seconds. Assuming that only 25% of the IP address space is online (a similar percentage is used in [32]), we calculated the average scanning rate of a host to be around 6 scans per second. This complies with reports that approximate this value to be between 5 and 11. ...
Conference Paper
Self-propagating computer worms have been terrorizing the Internet for the last several years. With the increasing density, inter-connectivity and bandwidth of the Internet combined with security measures that inadequately scale, worms will continue to plague the Internet community. Existing anti-virus and intrusion detection systems are clearly inadequate to defend against many recent fast-spreading worms. In this paper we explore an active counter-attack method - anti-worms. We propose a method that transforms a malicious worm into an anti-worm which disinfects its original. The method is evaluated using the CodeRed, Blaster and Slammer worms. We show through simulation the effectiveness of an anti-worm with several propagation schemes and its impact on the overall network. We also discuss important limitations of the proposed method.
... There have been a number of publications on epidemic spreading of viruses for biological diseases but also for computer worms. In the latter case, the authors either use simulations [53] or mathematical models of epidemic spreading [54]. Yan et. ...
... The spread of anonymous malware can be halted by the author anonymously controlling the propagation, eventually sending a stop propagation message once the anonymity network is large enough. Alternately, the malware can model its own spread, ceasing further propagation activity when it estimates that enough machines have been compromised [23]. ...
Article
Zombie networks have been used for spamming and DDoS attacks. Worms have been designed to receive commands from their creator and update themselves automatically. But the combination of malware and powerful anonymous communication techniques has not been seen - yet. There is a growing body of research work on anonymous communication schemes, which are developed legitimately to allow people to communicate without fear of identification or retribution. For example, such communication could be used by people living under oppressive regimes. Malware using anonymous communication would be as capable as current malware 'applications', but in a form that is extremely difficult to trace. There are other possibilities, too. An anonymous communication network established using malware could be used for exchanging illegal or copyrighted information, as well as illicit communication for organized crime or terrorist organizations. This paper discusses anonymous communication methods and shows how they can be modified for use with malware. To counter this threat, we present new methods to identify the existence of malware using anonymous communication schemes, and counterattack techniques that can be used to identify additional nodes within the anonymity network. The awareness of these threats and their countermeasures can be used to build defences before such threats are seen in the wild.
... The regular improvement of development processes [3] (traces of IDEs have been found in some viruses) and the constant progress of the various fields of computer security give new viruses capabilities of: polymorphism, to complicate the creation of virus signatures; camouflage, through increasingly elaborate techniques, up to virtualization [4]; "cleaning", to disable the local firewalls, antivirus and antispyware that could discover them; armouring, to delay their analysis by antivirus authors by means of cryptography, dead code, random branching and anti-debugging; updating: to change the signature, to obtain new propagation modes, new attack modes or new functionality; generation of P2P networks for command and update channels. ...
Article
Abstract In a changing context, where attacks keep no schedule, static perimeter defence is no longer sufficient, and neither is the juxtaposition of security tools. One possible adaptation consists in federating the organization's entire IT infrastructure, its processes and its hardware in order to: – detect deviant behaviour, generally linked to attacks (automated or not); – automatically launch quarantine processes to isolate the threat, while clearly and precisely warning the various parties involved in the incident; – allow the removal of the attack process, ending with the "release" of the machine or machines concerned. These principles are found in the so-called defence-in-depth approach [1]. The results of applying this approach at a university are then presented.