Code-Red: a case study on the spread and victims of an internet worm
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
How to Own the Internet in Your Spare Time
Proceedings of the 11th USENIX Security Symposium
Polygraph: Automatically Generating Signatures for Polymorphic Worms
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Routing Worm: A Fast, Selective Attack Worm Based on IP Address Information
Proceedings of the 19th Workshop on Principles of Advanced and Distributed Simulation
OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
Autograph: toward automated, distributed worm signature detection
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Polymorphic worm detection using structural information of executables
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Anagram: a content anomaly detector resistant to mimicry attack
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
| Hi-index | 0.00 |
This paper examines the general behaviour of stealthy worms. In particular, we focus on worms that are designed based on network awareness. We study the case where a worm, instead of aiming to spread as fast as possible and penetrate Intrustion Detection Systems (IDS), aims to avoid IDS and spread with the minimum number of detections. We compare different scanning strategies for this worm, including different combinations of hitlist and random scanning, and how they affect the number of infections and the rate of detected infection attempts. We compare the network-aware worm's behavior to that of the Code Red II worm. Simulations show that scanning worms can generate many fewer detections using localized scanning while maintaining its capability to infect.