Code-Red: a case study on the spread and victims of an internet worm
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
How to Own the Internet in Your Spare Time
Proceedings of the 11th USENIX Security Symposium
IEEE Security and Privacy
Proceedings of the 2004 ACM workshop on Rapid malcode
Routing Worm: A Fast, Selective Attack Worm Based on IP Address Information
Proceedings of the 19th Workshop on Principles of Advanced and Distributed Simulation
The monitoring and early detection of internet worms
IEEE/ACM Transactions on Networking (TON)
A self-learning worm using importance scanning
Proceedings of the 2005 ACM workshop on Rapid malcode
An algorithm for anomaly-based botnet detection
SRUTI'06 Proceedings of the 2nd conference on Steps to Reducing Unwanted Traffic on the Internet - Volume 2
Using uncleanliness to predict future botnet addresses
Proceedings of the 7th ACM SIGCOMM conference on Internet measurement
Peer-to-peer botnets: overview and case study
HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
Wide-scale botnet detection and characterization
HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
A case study of the rustock rootkit and spam bot
HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
Optimal worm-scanning method using vulnerable-host distributions
International Journal of Security and Networks
BotHunter: detecting malware infection through IDS-driven dialog correlation
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Measurements and mitigation of peer-to-peer-based botnets: a case study on storm worm
LEET'08 Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats
SS'08 Proceedings of the 17th conference on Security symposium
Fast and evasive attacks: highlighting the challenges ahead
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
Hi-index | 0.24 |
Importance scanning worm exploits a non-uniform distribution of vulnerable hosts on the Internet. To realize an importance scanning worm, the attacker needs to obtain or estimate the distribution of vulnerable hosts. Zesheng Chen and Chuanyi Ji claimed that a worm can infer the distribution of vulnerable hosts on the Internet by either using public information (e.g., empirical distribution of web servers) or using the distribution of worm-infected hosts during worm propagation. However, the first method may often fail and the second method may not be fast as expected. In this paper, we answer the question, ''How do we determine which part on the Internet is more vulnerable, while maintaining a simple worm propagation mechanism?''. To learn the distribution of vulnerable hosts on the Internet, the proposed estimation method applies statistical sampling and estimation theory while using a Botnet, which is a distributed network of Bots. From analytical models and their validation results, we show the proposed estimation method can get sufficiently accurate estimations; in many cases, the good-enough sampling ratio is as small as 0.6%. Also, it is shown that the estimated distribution is unbiased toward the actual distribution of vulnerable hosts on the Internet. Thus, we believe that the estimated distribution table of vulnerable hosts on the Internet will help the worm identify target systems more effectively.