Abstract
Active worms propagate across networks by employing various target discovery techniques. The significance of these techniques in shaping a worm’s propagation characteristics is derived from the life cycle of a worm. The various target discovery techniques that active worms could employ are discussed. It is anticipated that future active worms would employ multiple target discovery techniques simultaneously to greatly accelerate their propagation. To accelerate a worm’s propagation, the slow start phase must be shortened by letting the worm infect the first certain percentage of susceptible hosts as soon as possible. Strategies that future active worms might employ to shorten the slow start phase are studied, and their respective cost-effectiveness is assessed. A novel active defense mechanism is proposed, which could be an emerging solution to the active worm problem. Our major contributions in this article are as follows: first, we found the combination of target discovery techniques that can best accelerate the propagation of active worms; second, we proposed several strategies to shorten a worm’s slow start phase and found the cost-effective hit-list size and average size of internally generated target lists; third, we proposed a novel active defense mechanism and evaluated its effectiveness; and fourth, we proposed three novel discrete time deterministic propagation models of active worms.
Cite this article
Fan, X., Xiang, Y. Defending against the propagation of active worms. J Supercomput 51, 167–200 (2010). https://doi.org/10.1007/s11227-009-0283-8
DOI: https://doi.org/10.1007/s11227-009-0283-8