Authors: Eric Filiol, Edouard Franc, Alessandro Gubbioli, Benoit Moquet, Guillaume Roblot

Abstract:

Worm propagation profiles have significantly changed since 2003-2004: sudden world outbreaks like Blaster or Slammer have progressively disappeared and slower but stealthier worms appeared since, most of them for botnets dissemination. Decreased worm virulence results in more difficult detection. In this paper, we describe a stealth worm propagation model which has been extensively simulated and analysed on a huge virtual network. The main features of this model is its ability to infect any Internet-like network in a few seconds, whatever may be its size while greatly limiting the reinfection attempt overhead of already infected hosts. The main simulation results shows that the combinatorial topology of routing may have a huge impact on the worm propagation and thus some servers play a more essential and significant role than others. The real-time capability to identify them may be essential to greatly hinder worm propagation.

Keywords: Combinatorial worm, worm spreading, worm virulence, stealth worm, spreading simulation, vertex cover, networktopology, WAST simulator, SuWAST simulator.

Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1335272

Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 2132

References:

[1] Chambet P. (2005), FakeNetBIOS, French Honeynet Projet Homepage, http://honeynet.rstack.org/tools.php
[2] Cormen T., Leiserson C. and Rivest R. (1990), Introduction to Algorithms, MIT Press.
[3] Dharwadker A. (2006), The Vertex Cover Algorithm, http://www. geocities.com/dharwadker/vertex_cover
[4] Gubiolli A. (2007), Un simulatore della diffusione di worm in un sistema informatico, Master-s Thesis, Politecnico di Milano. A technical report in English will be available soon.
[5] Filiol E., Franc E., Moquet B. and Roblot G. (2007), SUWAST: a large-scale simulation environment for worm network attacks. Technical Report ESAT 2007 11.
[6] Filiol E., Franc E., Gubbioli A., Moquet B. and Roblot G. (2007), Combinatorial Optimisation of Worm Propagation on an Unknown Network. The extended version of the present paper. To appear.
[7] Li J., Leong B. and Sollins K. (2005), Implementing Aggregation/ Broadcast over Distributed Hash Tables, ACM Computer Communication Review, 35 (1), http://krs.lcs.mit.edu/regions/ docs/broadcast.pdf
[8] Maymounkov and Nazi`eres (2002), Kademlia: A Peer-to-Peer Information System Based on the XOR Metrics. Proceedings of IPTPS02, http: //www.cs.rice.edu/Conferences/IPTPS02/109.pdf
[9] Provos, N. (2003), A Virtual Honeypot Framework, http://niels. xtdnet.nl/papers/honeyd.pdf.
[10] Provos, N., McNamee D., Mavrommatis P., Wang K. and Modadugu (2007), The Ghost in the Browser - Analysis of Web-malware. In HotBots-07 Confererence, http://www.usenix.org/events/ hotbots07/tech/full_papers/provos/provos.pdf
[11] Staniford S., Paxson V. and Weaver N. (2002), How to 0wn the Internet in Your Spare Time, Proceedings of the 11th USENIX Security Symposium, San Francisco, CA.
[12] Weaver N. (2002), Potential Strategies for High Speed Active Worms: A Worst Case Analysis, http://www.cgisecurity.com/lib/ worms.pdf
[13] Wiley B. (2002), Curious Yellow: The first Coordinated Worm Design, http://blanu.net/curious_yellow.html