Self-propagating malware like worms and bots can dramatically impact the availability and reliability of the Internet. Techniques for the detection and mitigation of Internet threats using content prevalence and scan detectors are based on assumptions of how threats propagate. Some of these assumptions have recently been called into question by observations of huge discrepancies in the quantity of specific threats detected at different points around the Internet. We call these deviations from uniform propagation "hotspots". This paper quantifies and explains these influences on malware propagation. We then propose that hotspots can be explained by two fundamental influences on propagation: algorithmic factors and environmental factors. We use measurement data from sensors deployed at 11 locations around the Internet to demonstrate the impact of these factors on worm and bot propagation. With this understanding, we simulate the outbreak of new threats with hotspots and show how algorithmic and environmental factors reduce the visibility of distributed detectors, resulting in the inability to identify new threats.