Most internet worms use random scanning. The distribution of vulnerable hosts on the internet, however, is highly non-uniform over the IP-address space. This implies that random scanning wastes many scans on invulnerable addresses, and that more virulent scanning schemes may take advantage of the non-uniformity of the vulnerable-host distribution. Questions then arise as to how attackers may exploit such information and how virulent the resulting worm may be. These issues provide 'worst-case scenarios' for defenders and 'best-case scenarios' for attackers when the vulnerable-host distribution is available. This work develops such a scenario, called importance scanning, which results from importance sampling in statistics. Importance scanning scans the IP-address space according to an empirical distribution of vulnerable hosts. An analytical model is developed to relate the infection rate of worms to the Importance-Scanning (IS) strategies. Based on parameters chosen from the Witty and Code Red worms, the experimental results show that an IS worm can spread much faster than either a random-scanning worm or a routing worm. In addition, a game-theoretical approach suggests that the best strategy for defenders is to scatter applications uniformly over the entire IP-address space.