Distributed Detection and Optimal Traffic-blocking of Network Worms

Authors: Zoran Nikoloski, Narsingh Deo, Ludek Kucera

Abstract:

Despite the recent surge of research in controlling worm propagation, there is currently no effective defense system against such cyber attacks. We first design a distributed detection architecture called Detection via Distributed Blackholes (DDBH). Our novel detection mechanism can be implemented via virtual honeypots or honeynets. Simulation results show that a worm can be detected with virtual honeypots on only 3% of the nodes. Moreover, the worm is detected when less than 1.5% of the nodes are infected. We then develop two control strategies: (1) optimal dynamic traffic-blocking, for which we determine the condition that guarantees the minimum number of removed nodes when the worm is contained, and (2) predictive dynamic traffic-blocking, a realistic deployment of the optimal strategy on scale-free graphs. Predictive dynamic traffic-blocking, coupled with DDBH, ensures that more than 40% of the network is unaffected by the propagation at the time the worm is contained.

Keywords: Network worms, distributed detection, optimal traffic-blocking, individual-based simulation.

Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1333072
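Added illustration, not the authors' simulator: a minimal individual-based simulation of a random-scanning worm in an address space where a small fraction of addresses are distributed blackholes (virtual honeypots). It shows why the alarm tends to fire while only a handful of hosts are infected. Address-space size, scan rate, honeypot fractions and seeds are assumed values chosen here, not the paper's parameters.

```python
import random


def simulate_ddbh(n_nodes, honeypot_frac, scans_per_step, seed, max_steps=10_000):
    """Individual-based simulation of a random-scanning worm (constructed here).

    The address space holds n_nodes hosts; a fraction honeypot_frac of them are
    distributed blackholes (virtual honeypots).  Honeypots are never infected,
    but the first probe that lands on one raises the DDBH alarm.  Every
    infected host sends scans_per_step probes per time step to uniformly random
    addresses.  Returns (detected, step, fraction_of_vulnerable_hosts_infected).
    """
    rng = random.Random(seed)
    hosts = list(range(n_nodes))
    honeypots = set(rng.sample(hosts, round(honeypot_frac * n_nodes)))
    vulnerable = [h for h in hosts if h not in honeypots]
    infected = {rng.choice(vulnerable)}  # patient zero
    for step in range(1, max_steps + 1):
        newly_hit = set()
        for _ in range(len(infected) * scans_per_step):
            target = rng.randrange(n_nodes)
            if target in honeypots:  # blackhole touched: alarm
                return True, step, len(infected) / len(vulnerable)
            newly_hit.add(target)  # a real host: it becomes infected
        infected |= newly_hit
        if len(infected) == len(vulnerable):  # saturated without detection
            return False, step, 1.0
    return False, max_steps, len(infected) / len(vulnerable)


def mean_infected_at_detection(n_nodes, honeypot_frac, trials, scans_per_step=1):
    """Average infected fraction at alarm time over `trials` seeded runs;
    runs that never trigger the alarm count as fully infected (1.0)."""
    fracs = [simulate_ddbh(n_nodes, honeypot_frac, scans_per_step, seed)[2]
             for seed in range(trials)]
    return sum(fracs) / len(fracs)


if __name__ == "__main__":
    # Sweep the honeypot coverage; assumed parameters, not the paper's setup.
    for frac in (0.0, 0.01, 0.03, 0.05):
        print(f"honeypots {frac:4.0%}: infected at detection "
              f"{mean_infected_at_detection(10_000, frac, trials=20):.2%}")
```

With no honeypots the worm saturates the address space undetected; with a few percent of addresses acting as blackholes, the alarm fires while the infected fraction is still small.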

