Characterizing and defending against divide-conquer-scanning worms

Authors:
Chao Chen;Zesheng Chen;Yubin Li
Affiliations:
Department of Engineering, Indiana University - Purdue University Fort Wayne, Fort Wayne, IN 46805, United States;Department of Engineering, Indiana University - Purdue University Fort Wayne, Fort Wayne, IN 46805, United States;Department of Software and Information System, University of North Carolina at Charlotte, Charlotte, NC 28223, United States
Venue:
Computer Networks: The International Journal of Computer and Telecommunications Networking
Year:
2010

Citing 16
Cited 1

Introduction to Algorithms

Introduction to Algorithms
Code-Red: a case study on the spread and victims of an internet worm

Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
How to Own the Internet in Your Spare Time

Proceedings of the 11th USENIX Security Symposium
Inside the Slammer Worm

IEEE Security and Privacy
The Spread of the Witty Worm

IEEE Security and Privacy
Mining anomalies using traffic feature distributions

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
The limits of global scanning worm detectors in the presence of background noise

Proceedings of the 2005 ACM workshop on Rapid malcode
Advanced Routing Worm and Its Security Challenges

Simulation
On the performance of internet worm scanning strategies

Performance Evaluation
On Detecting Camouflaging Worm

ACSAC '06 Proceedings of the 22nd Annual Computer Security Applications Conference
Effective worm detection for various scan techniques

Journal of Computer Security
Automated worm fingerprinting

OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
Implementing and testing a virus throttle

SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
On the effectiveness of distributed worm monitoring

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Optimal worm-scanning method using vulnerable-host distributions

International Journal of Security and Networks
An information-theoretic view of network-aware malware attacks

IEEE Transactions on Information Forensics and Security

Resilience strategies for networked malware detection and remediation

NSS'12 Proceedings of the 6th international conference on Network and System Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Internet worms are a significant security threat. Divide-conquer scanning is a simple yet effective technique that can potentially be exploited for future Internet epidemics. Therefore, it is imperative that defenders understand the characteristics of divide-conquer-scanning worms and study the effective countermeasures. In this work, we first examine the divide-conquer-scanning worm and its potential to spread faster and stealthier than a traditional random-scanning worm. We then characterize the relationship between the propagation speed of divide-conquer-scanning worms and the distribution of vulnerable hosts through mathematical analysis and simulations. Specifically, we find that if vulnerable hosts follow a non-uniform distribution such as the Witty-worm victim distribution, divide-conquer scanning can spread a worm much faster than random scanning. We also empirically study the effect of important parameters on the spread of divide-conquer-scanning worms and a worm variant that can potentially enhance the infection ability at the late stage of worm propagation. Furthermore, to counteract such attacks, we discuss the weaknesses of divide-conquer scanning and study two defense mechanisms: infected-host removal and active honeynets. We find that although the infected-host removal strategy can greatly reduce the number of final infected hosts, active honeynets (especially uniformly distributed active honeynets) are more practical and effective to defend against divide-conquer-scanning worms.