Article

A Novel Cloud-based Worm Propagation Model


Abstract

Cloud computing not only provides powerful computing, on-demand service and rapid elasticity, but also hands Internet criminals a correspondingly great capacity for destruction. This prompts us to consider the problem of cloud-based worm propagation. We set up an analytical model over a highly abstract network environment and capture the overall characteristics that worm research aims at. In this paper, we first analyze the factors that affect worm scanning and propagation in the cloud and put forward a novel cloud-based worm model, the MapReduce Divide-and-Conquer (MRDC) model. Second, we analyze the architecture and performance of the MRDC worm in contrast to Code Red, the hit-list worm, the flash worm and others; the simulation shows that the MRDC worm significantly speeds up worm propagation. Finally, we discuss some threat trends of cloud-based worm propagation and some possible solutions. Our simulation shows that the MRDC worm propagates much faster than the other worms: an MRDC worm can scan and infect the entire IPv4 space in no more than 10 minutes, and a perfect MRDC worm can infect 360,000 vulnerable machines in no more than 1 second and all vulnerable machines in the entire IPv4 space in no more than 10 seconds.


Article
Because they proactively defend against worm propagation and patch susceptible hosts, benign worms are attracting wide attention in the field of worm research. In this paper, we point out errors in the worm-anti-worm (WAW) model and present a revised model, Re-WAW, based on the law of worm propagation and the two-factor model. After discussing worm propagation factors such as time delay and the initial number of benign worms, we put forward a novel cloud-based Re-WAW model that achieves effective worm containment through rapid delivery of the initial population of benign worms. Simulation results show that the cloud-based Re-WAW model significantly improves worm containment relative to the Re-WAW model and the two-factor model: cloud computing enables the rapid delivery of a massive initial population of benign worms and thereby gains a valuable time delay of close to 20 hours.
Article
The negative selection algorithm (NSA) is an important algorithm for generating artificial immune detectors, but its main problems are its high time cost and the large number of detectors it produces. In this paper, we propose an improved NSA called DS_RNSA, based on detector suppression. In DS_RNSA, candidate detectors are generated randomly; a detector is not only matched against self cells for self tolerance but is also matched against other detectors, and a detector recognized by another detector is suppressed. Eliminating the suppressed detectors significantly reduces detector redundancy in the non-self space. DS_RNSA terminates when the expected non-self coverage is reached. Theoretical analysis shows that DS_RNSA effectively reduces the number of detectors and improves the efficiency of detector generation. Experimental results show that the proposed algorithm outperforms classic algorithms such as RNSA and V-Detector: on the BCW data set at the same expected coverage, the detection rate of DS_RNSA is higher than that of RNSA and V-Detector by 21.07% and 1.20% respectively, the false alarm rate is lower by 78.15% and 70.95% respectively, and the time cost is lower by 99.78% and 91.47% respectively.
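The generate-tolerate-suppress loop described in this abstract, as an added example that is not the DS_RNSA authors' code: a real-valued negative selection run in the unit square, with a constructed self set, assumed fixed radii for self samples and detectors, an assumed suppression rule (a candidate whose centre already lies inside an existing detector is redundant), and a Monte Carlo estimate of non-self coverage as the termination test. The constants, the disc-shaped self region and the coverage target are all assumptions for illustration.

```python
"""Real-valued negative selection with detector suppression (constructed 2-D example)."""
import math
import random

R_SELF = 0.05            # assumed radius of each self sample
R_DET = 0.12             # assumed (fixed) detector radius
TARGET_COVERAGE = 0.90   # assumed expected non-self coverage that ends generation
MAX_CANDIDATES = 10_000  # give up after this many random candidates
COVERAGE_SAMPLES = 1_000 # random non-self points per coverage estimate


def dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def make_self_set(rng, n=100):
    """Constructed self region: n points inside a disc of radius 0.2 centred at (0.3, 0.3)."""
    pts = []
    while len(pts) < n:
        p = (rng.uniform(0.1, 0.5), rng.uniform(0.1, 0.5))
        if dist(p, (0.3, 0.3)) <= 0.2:
            pts.append(p)
    return pts


def is_self_tolerant(center, self_set):
    """Self tolerance: the detector ball must not intersect any self ball."""
    return all(dist(center, s) >= R_SELF + R_DET for s in self_set)


def is_suppressed(center, detectors):
    """Suppression: a candidate recognised (covered) by an existing detector is dropped."""
    return any(dist(center, d) < R_DET for d in detectors)


def is_nonself(point, self_set):
    return all(dist(point, s) > R_SELF for s in self_set)


def classify(point, detectors):
    """A point is flagged non-self when any detector covers it."""
    return "nonself" if any(dist(point, d) <= R_DET for d in detectors) else "self"


def estimate_coverage(detectors, self_set, rng, samples=COVERAGE_SAMPLES):
    """Fraction of random non-self points caught by the detector set."""
    hits = total = 0
    while total < samples:
        p = (rng.random(), rng.random())
        if not is_nonself(p, self_set):
            continue                      # only non-self points count
        total += 1
        hits += classify(p, detectors) == "nonself"
    return hits / total


def generate_detectors(self_set, rng, suppress=True):
    """Return (detectors, coverage estimate, candidates tried)."""
    detectors, tried, coverage = [], 0, 0.0
    while tried < MAX_CANDIDATES and coverage < TARGET_COVERAGE:
        tried += 1
        c = (rng.random(), rng.random())
        if not is_self_tolerant(c, self_set):
            continue
        if suppress and is_suppressed(c, detectors):
            continue
        detectors.append(c)
        if len(detectors) % 5 == 0:       # re-check the termination condition periodically
            coverage = estimate_coverage(detectors, self_set, rng)
    if coverage < TARGET_COVERAGE:        # exhausted candidates: refresh the stale estimate
        coverage = estimate_coverage(detectors, self_set, rng)
    return detectors, coverage, tried


if __name__ == "__main__":
    rng = random.Random(3)
    self_set = make_self_set(rng)
    for suppress in (False, True):
        dets, cov, tried = generate_detectors(self_set, random.Random(5), suppress=suppress)
        print(f"suppression={suppress!s:5}: {len(dets):3d} detectors, "
              f"coverage={cov:.2f}, candidates tried={tried}")
```

Without suppression the loop keeps every self-tolerant candidate, so the detector set grows with heavily overlapping balls; with suppression each accepted detector blocks further centres inside its own radius, which is where the redundancy reduction the abstract reports comes from. The cost of the fixed radius is visible at the self boundary: points just outside the self balls can only be covered by detectors sitting precisely R_SELF + R_DET away, so the estimate can stall below the target and the run then ends on the candidate budget instead.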
Article
Existing artificial-immune incremental data clustering algorithms have shortcomings such as a lack of scalability and slow adaptation to new patterns. This paper puts forward a manifold-distance-based artificial immune incremental data clustering algorithm, denoted md-aiNet. The algorithm introduces the manifold distance as the global similarity measure, adopts the Euclidean distance as the local similarity measure, and proposes an incremental clustering method based on the immune response model, simulating the primary and secondary responses of the immune system. In simulation experiments on artificial data sets and UCI data sets, md-aiNet outperforms MSMAIS and ISFaiNet, two influential immune-based incremental clustering algorithms. The algorithm can effectively handle real-world clustering problems with complex distributions and higher dimensions and can extract the intrinsic structure of the data; for data sets with non-spherical distributions in particular, its clustering accuracy is 40% higher than that of MSMAIS and ISFaiNet.
Article
The deficiency of the traditional immune-based intrusion detection model is that a detector does not change once it has been defined; such static detection profiles cannot adapt well to a real, complex network environment, which results in a lower detection rate and a higher false alarm rate. This paper proposes a dynamic real-time intrusion detection algorithm with an immune network (DIDAIN). We establish a quantitative description of the model and adopt the stimulation-suppression mechanism of the immune network to update the mature detector set dynamically in real time, so that the dynamically defined detectors adapt to the real network environment. The stimulation level of a mature detector in the immune network decides its probability of cloning and mutation: the higher the stimulation level, the greater the probability of cloning and mutation, which keeps excellent detectors retained. On the KDD Cup 99 data set, compared with traditional immune-based intrusion models, DIDAIN obtains the highest detection rate and the lowest false alarm rate.
Article
In an open network environment, trust and reputation mechanisms are increasingly becoming an important prerequisite and foundation for information security. In e-commerce, trust between merchants and customers is an important factor in successful online business, and a merchant's reputation is a vital factor that customers take into account when they select trading partners. Traditional trust evaluation methods cannot prevent fake recommendations or collusive recommendations by malicious customers, so the objectivity and credibility of the evaluation results suffer. To solve these problems, this paper proposes a novel reputation reporting mechanism based on the cloud model and grey system theory. In this mechanism, the evaluation data provided by customers is first collected using the cloud model, then processed using grey system theory, and the trust degree of the evaluated entity is obtained. An application example shows that the mechanism yields credible evaluations, is easy to operate, and has practical value; it is a useful method for evaluating an entity's trust degree in a network trading environment.
Article
Benign worms have been attracting wide attention in the field of worm research because they proactively defend against worm propagation and patch susceptible hosts. In this paper, two revised Worm-Anti-Worm (WAW) models are proposed as cloud-based benign-worm countermeasures. These Re-WAW models are based on the law of worm propagation and the two-factor model. One is the cloud-based benign Re-WAW model, which achieves effective worm containment. The other is the two-stage Re-WAW propagation model, which switches between proactive and passive defence strategies based on the ratio of benign worms to malicious worms; this model is intended to avoid the network congestion and other potential risks caused by the proactive scanning of benign worms. Simulation results show that the cloud-based Re-WAW model significantly improves the worm containment effect: cloud computing enables rapid delivery of a massive initial population of benign worms, and the two-stage Re-WAW model gradually clears out the benign worms once the malicious worms are contained.
Article
This paper describes a series of simulations run to estimate various worm growth patterns and their corresponding propagation algorithms. It also tests and verifies the impact of various improvements: starting from a trivial simulation of worm propagation and the underlying network infrastructure and moving to more refined models, it attempts to determine the theoretical maximum propagation speed of worms and how it can be achieved. It also estimates the impact a malicious worm could have on the overall infrastructure.
Article
This paper serves worm defenders' objective to improve their immunity to future active worms by giving them a deep insight into propagation characteristics of active worms from a worm authors' perspective. Active worms self-propagate across networks by employing scanning, pre-generated target list, or internally generated target lists as their target discovery technique. We find target acquisition and network reconnaissance actions during the network propagation phase in a worm's life cycle basically embody its target discovery technique. We derive the significance of target discovery techniques in shaping a worm's propagation characteristics from the life cycles of worms. A variety of target discovery techniques employed by active worms are discussed and compared. We find hitting probability (the probability of hitting a vulnerable or infected host) is the most frequently improved factor by attackers to increase a worm's propagation speed. We anticipate future active worms would employ a combination of target discovery techniques to greatly accelerate their propagation. Various deterministic and stochastic models of active worms are presented and compared. Their accuracy of and applicability to modelling the propagation of active worms under different conditions are discussed. A discussion of opportunities, challenges and solutions from a worm defenders' perspective is presented in this survey paper. We also propose a new defence system called Distributed Active Defence System (DADS) to effectively defend against worms. This new system follows an active surveillance-trace-control cycle, which could be the emerging solution to the active worm problem.
Article
You may have heard a new term that has started making the rounds very recently: "cloud-based security". In this paper we describe past and contemporary security technologies based on knowledge provided by servers in the Internet "cloud". We discuss how cloud-based malware scanners can coexist symbiotically with traditional scanning technologies, and what the advantages and limitations of the new approach are. We also touch on the privacy aspects and on the challenges of testing (especially comparative testing) cloud security solutions.
Article
been plagued by a number of worms. One popular mechanism that worms use to detect vulnerable targets is random IP address-space probing. This is feasible in the current Internet due to the use of 32-bit addresses, which allow fast-operating worms to scan the entire address space in a matter of a few hours. The question has arisen whether or not their spread will be affected by the deployment of IPv6. In particular, it has been suggested that the 128-bit IPv6 address space (relative to the current 32-bit IPv4 address space) will make life harder for the worm writers: assuming that the total number of hosts on the Internet does not suddenly increase by a similar factor, the work factor for finding a target in an IPv6 Internet will increase by approximately 2^96, rendering random scanning seemingly prohibitively expensive.
Article
Since the days of the Morris worm, the spread of malicious code has been the most imminent menace to the Internet. Worms use various scanning methods to spread rapidly. Worms that select scan destinations carefully can cause more damage than worms employing random scan. This paper analyzes various scan techniques. We then propose a generic worm detection architecture that monitors malicious activities. We propose and evaluate an algorithm to detect the spread of worms using real time traces and simulations. We find that our solution can detect worm activities when only 4% of the vulnerable machines are infected. Our results bring insight on the future battle against worm attacks.
Article
In recent years, fast spreading worms, such as Code Red, Slammer, Blaster and Sasser, have become one of the major threats to the security of the Internet. In order to defend against future worms, it is important to first understand how worms propagate and how different scanning strategies affect worm propagation dynamics. In this paper, we systematically model and analyze worm propagation under various scanning strategies, such as uniform scan, routing scan, hit-list scan, cooperative scan, local preference scan, sequential scan, divide-and-conquer scan, target scan, etc. We also provide an analytical model to accurately model Witty worm’s destructive behavior. By using the same modeling framework, we reveal the underlying similarity and relationship between different worm scanning strategies. In addition, based on our simulation and analysis of Blaster worm propagation and monitoring, we provide a guideline for building a better worm monitoring infrastructure.
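Three of the target-discovery strategies listed in this abstract (uniform scan, hit-list scan and divide-and-conquer scan, the last being the family the MRDC abstract at the top of the page builds on), as an added, constructed simulation. It is not code from any of the papers listed here and does not reproduce the MRDC worm's MapReduce partitioning: it runs each strategy over an assumed 2^16-address space with assumed constants for the vulnerable population, the per-host probe rate and the hit-list length, and it also carries the random-scan work-factor arithmetic that the IPv6 abstract below relies on.

```python
"""Abstract address-space simulator for three worm target-discovery strategies.

'uniform' probes random addresses; 'hitlist' starts from a pre-generated list of
vulnerable hosts that infector and victim split between them, then falls back to
uniform scanning; 'dc' (divide-and-conquer) sweeps a private sub-range that is
halved on every new infection, so no address is ever probed twice.
All sizes below are assumptions for illustration, not values from the papers.
"""
import random
from dataclasses import dataclass, field

A_SPACE = 1 << 16   # assumed address-space size (IPv4 would be 1 << 32)
N_VULN = 1024       # assumed number of vulnerable hosts
PROBES = 16         # assumed probes per infected host per tick
HITLIST = 256       # assumed hit-list length carried by patient zero


@dataclass
class SimResult:
    strategy: str
    ticks: int                  # ticks until every vulnerable host is infected
    probes: int                 # total probes sent by all infected hosts
    history: list = field(default_factory=list)   # infected count after each tick


def scan_work_factor(address_bits: int, hosts: int) -> float:
    """Expected probes per hit under random scanning: address space / targets."""
    return (1 << address_bits) / hosts


def simulate(strategy: str, seed: int = 7, max_ticks: int = 100_000) -> SimResult:
    rng = random.Random(seed)
    vuln = rng.sample(range(A_SPACE), N_VULN)
    vulnerable = set(vuln)
    patient_zero = vuln[0]
    infected = {patient_zero}
    state = {}                                       # per-host scanning state
    if strategy == "dc":
        state[patient_zero] = [0, A_SPACE]           # [next address, end of range)
    elif strategy == "hitlist":
        state[patient_zero] = rng.sample(vuln[1:], HITLIST)
    probes = 0
    history = [1]

    for _ in range(max_ticks):
        for host in list(infected):                  # hosts infected this tick act next tick
            if strategy == "dc":
                rg = state[host]
                for _ in range(PROBES):
                    if rg[0] >= rg[1]:
                        break                        # own range swept: host goes idle
                    target, rg[0] = rg[0], rg[0] + 1
                    probes += 1
                    if target in vulnerable and target not in infected:
                        infected.add(target)
                        mid = (rg[0] + rg[1]) // 2
                        state[target] = [mid, rg[1]] # victim takes the upper half
                        rg[1] = mid
            elif strategy == "hitlist" and state.get(host):
                lst = state[host]
                target = None
                while lst:                           # consume entries until a fresh victim
                    target = lst.pop(0)
                    probes += 1
                    if target not in infected:
                        break
                    target = None
                if target is not None:
                    infected.add(target)
                    half = len(lst) // 2
                    state[target] = lst[half:]       # victim inherits the upper half
                    del lst[half:]
            else:                                    # uniform random scanning
                for _ in range(PROBES):
                    target = rng.randrange(A_SPACE)
                    probes += 1
                    if target in vulnerable and target not in infected:
                        infected.add(target)
        history.append(len(infected))
        if len(infected) == N_VULN:
            break
    return SimResult(strategy, len(history) - 1, probes, history)


if __name__ == "__main__":
    for name in ("uniform", "hitlist", "dc"):
        r = simulate(name)
        print(f"{name:8s} ticks={r.ticks:5d} probes={r.probes:8d} "
              f"probes per address={r.probes / A_SPACE:.2f}")
    print("IPv6 vs IPv4 random-scan work factor:",
          scan_work_factor(128, 1 << 32) / scan_work_factor(32, 1 << 32))
```

The numbers to look at are the probes per address: the divide-and-conquer sweep stays at or below 1.0 because the ranges partition the space, whereas uniform scanning pays a coupon-collector tail (the last few hosts cost on the order of the whole address space each), and the hit list removes the slow initial phase by doubling the infected population every tick until the list is spent. The work-factor ratio printed last is the 2^96 figure from the IPv6 abstract, for an unchanged host count.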
Article
With the explosive growth and increasing complexity of network applications, the threats of Internet worms against network security are more and more serious. This paper presents the concepts and research situations of Internet worms, their function component, and their execution mechanism. It also addresses the scanning strategies, propagation models, and the critical techniques of Internet worm prevention. Finally, the remaining problems and emerging trends in this area are also outlined.
Conference Paper
The Code Red worm incident of July 2001 has stimulated activities to model and analyze Internet worm propagation. In this paper we provide a careful analysis of Code Red propagation by accounting for two factors: one is the dynamic countermeasures taken by ISPs and users; the other is the slowed down worm infection rate because Code Red rampant propagation caused congestion and troubles to some routers. Based on the classical epidemic Kermack-Mckendrick model, we derive a general Internet worm model called the two-factor worm model. Simulations and numerical solutions of the two-factor worm model match the observed data of Code Red worm better than previous models do. This model leads to a better understanding and prediction of the scale and speed of Internet worm spreading.
Conference Paper
The ability of attackers to rapidly gain control of vast numbers of Internet hosts poses an immense risk to the overall security of the Internet. Once subverted, these hosts can not only be used to launch massive denial of service floods, but also to steal or corrupt great quantities of sensitive information, and confuse and disrupt use of the network in more subtle ways.
Conference Paper
Antivirus software is one of the most widely used tools for detecting and stopping malicious and unwanted files. However, the long term effectiveness of traditional host-based antivirus is questionable. Antivirus software fails to detect many modern threats and its increasing complexity has resulted in vulnerabilities that are being exploited by malware. This paper advocates a new model for malware detection on end hosts based on providing antivirus as an in-cloud network service. This model enables identification of malicious and unwanted software by multiple, heterogeneous detection engines in parallel, a technique we term 'N-version protection'. This approach provides several important benefits including better detection of malicious software, enhanced forensics capabilities, retrospective detection, and improved deployability and management. To explore this idea we construct and deploy a production quality in-cloud antivirus system called CloudAV. CloudAV includes a lightweight, cross-platform host agent and a network service with ten antivirus engines and two behavioral detection engines. We evaluate the performance, scalability, and efficacy of the system using data from a real-world deployment lasting more than six months and a database of 7220 malware samples covering a one year period. Using this dataset we find that CloudAV provides 35% better detection coverage against recent threats compared to a single antivirus engine and a 98% detection rate across the full dataset. We show that the average length of time to detect new threats by an antivirus engine is 48 days and that retrospective detection can greatly minimize the impact of this delay. Finally, we relate two case studies demonstrating how the forensics capabilities of CloudAV were used by operators during the deployment.
Conference Paper
On July 19, 2001, more than 359,000 computers connected to the Internet were infected with the Code-Red (CRv2) worm in less than 14 hours. The cost of this epidemic, including subsequent strains of Code-Red, is estimated to be in excess of $2.6 billion. Despite the global damage caused by this attack, there have been few serious attempts to characterize the spread of the worm, partly due to the challenge of collecting global information about worms. Using a technique that enables global detection of worm spread, we collected and analyzed data over a period of 45 days beginning July 2nd, 2001 to determine the characteristics of the spread of Code-Red throughout the Internet. In this paper, we describe the methodology we use to trace the spread of Code-Red, and then describe the results of our trace analyses. We first detail the spread of the Code-Red and CodeRedII worms in terms of infection and deactivation rates. Even without being optimized for spread of infection, Code-Red infection rates peaked at over 2,000 hosts per minute. We then examine the properties of the infected host population, including geographic location, weekly and diurnal time effects, top-level domains, and ISPs. We demonstrate that the worm was an international event, infection activity exhibited time-of-day effects, and found that, although most attention focused on large corporations, the Code-Red worm primarily preyed upon home and small business users. We also qualified the effects of DHCP on measurements of infected hosts and determined that IP addresses are not an accurate measure of the spread of a worm on timescales longer than 24 hours. Finally, the experience of the Code-Red worm demonstrates that wide-spread vulnerabilities in Internet hosts can be exploited quickly and dramatically, and that techniques other than host patching are required to mitigate Internet worms.
Article
The dynamics of deterministic and stochastic discrete-time epidemic models are analyzed and compared. The discrete-time stochastic models are Markov chains, approximations to the continuous-time models. Models of SIS and SIR type with constant population size and general force of infection are analyzed, then a more general SIS model with variable population size is analyzed. In the deterministic models, the value of the basic reproductive number R0 determines persistence or extinction of the disease. If R0 < 1, the disease is eliminated, whereas if R0 > 1, the disease persists in the population. Since all stochastic models considered in this paper have finite state spaces with at least one absorbing state, ultimate disease extinction is certain regardless of the value of R0. However, in some cases, the time until disease extinction may be very long. In these cases, if the probability distribution is conditioned on non-extinction, then when R0 > 1, there exists a quasi-stationary probability distribution whose mean agrees with the deterministic endemic equilibrium. The expected duration of the epidemic is investigated numerically.
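The deterministic-versus-stochastic contrast in this abstract, worked through for the SIS case as an added example (not code from the paper): a closed population of n hosts, infection rate beta, removal rate gamma (a patched host is immediately susceptible again, so the model is SIS) and step dt, with R0 = beta/gamma. The deterministic map settles at 0 when R0 < 1 and at the endemic equilibrium n(1 - 1/R0) when R0 > 1; the discrete-time Markov chain has 0 as an absorbing state, so it always dies out, and the expected time to do so is computed exactly from the chain rather than estimated. The one-event-per-step chain and all parameter values are assumptions for illustration.

```python
"""Deterministic vs stochastic discrete-time SIS model of a worm epidemic (added example)."""
from __future__ import annotations
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SIS:
    n: int          # constant population size
    beta: float     # infection (contact) rate
    gamma: float    # removal rate; removed hosts are susceptible again (SIS)
    dt: float       # time step

    @property
    def r0(self) -> float:
        return self.beta / self.gamma

    def endemic_equilibrium(self) -> float:
        """Deterministic fixed point: 0 when R0 <= 1, n*(1 - 1/R0) otherwise."""
        return 0.0 if self.r0 <= 1 else self.n * (1.0 - 1.0 / self.r0)

    def deterministic(self, i0: float, steps: int) -> float:
        """Euler iteration of dI/dt = beta*I*(n - I)/n - gamma*I; returns I after `steps`."""
        i = float(i0)
        for _ in range(steps):
            i += self.dt * (self.beta * i * (self.n - i) / self.n - self.gamma * i)
        return i

    def _jump_probs(self, i: int) -> tuple[float, float]:
        """Per-step probabilities of one new infection / one removal from state i."""
        up = self.beta * i * (self.n - i) / self.n * self.dt
        down = self.gamma * i * self.dt
        if up + down > 1.0:
            raise ValueError("dt too large for a one-event-per-step chain")
        return up, down

    def stochastic(self, i0: int, steps: int, rng: random.Random) -> list[int]:
        """One sample path of the Markov chain; state 0 is absorbing (the worm is gone)."""
        path, i = [i0], i0
        for _ in range(steps):
            if i == 0:
                break
            up, down = self._jump_probs(i)
            u = rng.random()
            if u < up:
                i += 1
            elif u < up + down:
                i -= 1
            path.append(i)
        return path

    def mean_extinction_times(self) -> list[float]:
        """tau[i-1] = expected time until absorption at 0 when starting with i infected, i = 1..n.

        The chain only moves by +-1, so a trip from i to 0 must pass through i-1.
        With h_i = E[steps from i to i-1], first-step analysis gives
        h_n = 1/down_n and h_i = (1 + up_i*h_{i+1})/down_i, and tau(i) = sum_{j<=i} h_j.
        """
        h = [0.0] * (self.n + 2)
        for i in range(self.n, 0, -1):
            up, down = self._jump_probs(i)
            h[i] = (1.0 + up * h[i + 1]) / down
        tau, acc = [], 0.0
        for i in range(1, self.n + 1):
            acc += h[i]
            tau.append(acc * self.dt)      # convert steps to model time
        return tau


if __name__ == "__main__":
    for beta in (0.1, 0.4):                # R0 = 0.5 and R0 = 2 with gamma = 0.2
        m = SIS(n=20, beta=beta, gamma=0.2, dt=0.02)
        print(f"R0={m.r0:.1f}: deterministic I(t=600)={m.deterministic(1, 30000):.4f}, "
              f"equilibrium={m.endemic_equilibrium():.1f}, "
              f"E[extinction time | I0=1]={m.mean_extinction_times()[0]:.1f}")
        path = m.stochastic(1, 5000, random.Random(1))
        print(f"   sample path: {len(path) - 1} steps, final I={path[-1]}")
```

The expected extinction time is exact for the chain and grows steeply with R0 and n, which is the "very long" regime the abstract refers to; the deterministic model never sees that regime at all, because at R0 > 1 it converges to the endemic level and stays there. The stochastic sample path, by contrast, either fizzles out early from a single seed (the worm dies before it takes off) or hovers around the endemic level for the whole run.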
A. Williams, "The Largest Cloud in the World is Owned By A Criminal," Apr. 2010, http://www.readwriteweb.com/cloud/2010/04/the-largest-cloud-in-the-world.php.
Fyodor, "The Art of Port Scanning," Phrack Magazine, vol. 7, no. 51, pp. 11-17, Sep. 1997.