Heterogeneity in Vulnerable Hosts Slows Down Worm Propagation

Similar documents
X- Chart Using ANOM Approach

Parallelism for Nested Loops with Non-uniform and Flow Dependences

Analysis of Collaborative Distributed Admission Control in x Networks

Some Advanced SPC Tools 1. Cumulative Sum Control (Cusum) Chart For the data shown in Table 9-1, the x chart can be generated.

User Authentication Based On Behavioral Mouse Dynamics Biometrics

Simulation Based Analysis of FAST TCP using OMNET++

Network Coding as a Dynamical System

A Closed-Form Expression for Static Worm-Scanning Strategies

y and the total sum of

Quantifying Responsiveness of TCP Aggregates by Using Direct Sequence Spread Spectrum CDMA and Its Application in Congestion Control

S1 Note. Basis functions.

A MOVING MESH APPROACH FOR SIMULATION BUDGET ALLOCATION ON CONTINUOUS DOMAINS

A Binarization Algorithm specialized on Document Images and Photos

Cluster Analysis of Electrical Behavior

Private Information Retrieval (PIR)

Improvement of Spatial Resolution Using BlockMatching Based Motion Estimation and Frame. Integration

The Research of Support Vector Machine in Agricultural Data Classification

The Shortest Path of Touring Lines given in the Plane

Reducing Frame Rate for Object Tracking

Explicit Formulas and Efficient Algorithm for Moment Computation of Coupled RC Trees with Lumped and Distributed Elements

Sum of Linear and Fractional Multiobjective Programming Problem under Fuzzy Rules Constraints

CS 534: Computer Vision Model Fitting

Determining the Optimal Bandwidth Based on Multi-criterion Fusion

Neural Network Control for TCP Network Congestion

Wishing you all a Total Quality New Year!

Fusion Performance Model for Distributed Tracking and Classification

Mathematics 256 a course in differential equations for engineering students

For instance, ; the five basic number-sets are increasingly more n A B & B A A = B (1)

Query Clustering Using a Hybrid Query Similarity Measure

The Codesign Challenge

An Entropy-Based Approach to Integrated Information Needs Assessment

Content Based Image Retrieval Using 2-D Discrete Wavelet with Texture Feature with Different Classifiers

VISUAL SELECTION OF SURFACE FEATURES DURING THEIR GEOMETRIC SIMULATION WITH THE HELP OF COMPUTER TECHNOLOGIES

AADL : about scheduling analysis

Lecture 5: Probability Distributions. Random Variables

Computer Communications

Delay Variation Optimized Traffic Allocation Based on Network Calculus for Multi-path Routing in Wireless Mesh Networks

Constructing Minimum Connected Dominating Set: Algorithmic approach

Video Proxy System for a Large-scale VOD System (DINA)

Zhiyong Huang* and Xiaoping Zeng

Gateway Algorithm for Fair Bandwidth Sharing

An Iterative Solution Approach to Process Plant Layout using Mixed Integer Optimisation

Learning the Kernel Parameters in Kernel Minimum Distance Classifier

Proper Choice of Data Used for the Estimation of Datum Transformation Parameters

Future Generation Computer Systems

Comparisons of Packet Scheduling Algorithms for Fair Service among Connections on the Internet

Modeling Local Uncertainty accounting for Uncertainty in the Data

6.854 Advanced Algorithms Petar Maymounkov Problem Set 11 (November 23, 2005) With: Benjamin Rossman, Oren Weimann, and Pouya Kheradpour

Simulation: Solving Dynamic Models ABE 5646 Week 11 Chapter 2, Spring 2010

An Optimal Algorithm for Prufer Codes *

SLAM Summer School 2006 Practical 2: SLAM using Monocular Vision

Helsinki University Of Technology, Systems Analysis Laboratory Mat Independent research projects in applied mathematics (3 cr)

A New Approach For the Ranking of Fuzzy Sets With Different Heights

Comparison of Heuristics for Scheduling Independent Tasks on Heterogeneous Distributed Environments

Base Station Location Protection in Wireless Sensor Networks: Attacks and Defense

Resource and Virtual Function Status Monitoring in Network Function Virtualization Environment

An Improved Image Segmentation Algorithm Based on the Otsu Method

A Topology-aware Random Walk

NUMERICAL SOLVING OPTIMAL CONTROL PROBLEMS BY THE METHOD OF VARIATIONS

USING GRAPHING SKILLS

C2 Training: June 8 9, Combining effect sizes across studies. Create a set of independent effect sizes. Introduction to meta-analysis

DESIGNING TRANSMISSION SCHEDULES FOR WIRELESS AD HOC NETWORKS TO MAXIMIZE NETWORK THROUGHPUT

A Fast Content-Based Multimedia Retrieval Technique Using Compressed Data

Load Balancing for Hex-Cell Interconnection Network

A CLASS OF TRANSFORMED EFFICIENT RATIO ESTIMATORS OF FINITE POPULATION MEAN. Department of Statistics, Islamia College, Peshawar, Pakistan 2

Classifier Selection Based on Data Complexity Measures *

Analysis of Continuous Beams in General

FEATURE EXTRACTION. Dr. K.Vijayarekha. Associate Dean School of Electrical and Electronics Engineering SASTRA University, Thanjavur

Quantifying Performance Models

Scheduling Remote Access to Scientific Instruments in Cyberinfrastructure for Education and Research

Routing in Degree-constrained FSO Mesh Networks

Term Weighting Classification System Using the Chi-square Statistic for the Classification Subtask at NTCIR-6 Patent Retrieval Task

Compiler Design. Spring Register Allocation. Sample Exercises and Solutions. Prof. Pedro C. Diniz

Analytic Evaluation of Quality of Service for On-Demand Data Delivery

Overview. Basic Setup [9] Motivation and Tasks. Modularization 2008/2/20 IMPROVED COVERAGE CONTROL USING ONLY LOCAL INFORMATION

Yubin Li Florida International University. Zesheng Chen Florida International University. Chao Chen Indiana University Purdue University Fort Wayne

BANDWIDTH OPTIMIZATION OF INDIVIDUAL HOP FOR ROBUST DATA STREAMING ON EMERGENCY MEDICAL APPLICATION

FAHP and Modified GRA Based Network Selection in Heterogeneous Wireless Networks

Effectiveness of Information Retraction

A Fast Visual Tracking Algorithm Based on Circle Pixels Matching

Module Management Tool in Software Development Organizations

New Exploration of Packet-Pair Probing for Available Bandwidth Estimation and Traffic Characterization

Learning-Based Top-N Selection Query Evaluation over Relational Databases

An Application of the Dulmage-Mendelsohn Decomposition to Sparse Null Space Bases of Full Row Rank Matrices

APPLICATION OF MULTIVARIATE LOSS FUNCTION FOR ASSESSMENT OF THE QUALITY OF TECHNOLOGICAL PROCESS MANAGEMENT

Derivation of Three Queue Nodes Discrete-Time Analytical Model Based on DRED Algorithm

Distributed Middlebox Placement Based on Potential Game

Evaluation of an Enhanced Scheme for High-level Nested Network Mobility

APPLICATION OF PREDICTION-BASED PARTICLE FILTERS FOR TELEOPERATIONS OVER THE INTERNET

A Statistical Model Selection Strategy Applied to Neural Networks

Steps for Computing the Dissimilarity, Entropy, Herfindahl-Hirschman and. Accessibility (Gravity with Competition) Indices

A mathematical programming approach to the analysis, design and scheduling of offshore oilfields

APPLICATION OF PREDICTION-BASED PARTICLE FILTERS FOR TELEOPERATIONS OVER THE INTERNET

A NOTE ON FUZZY CLOSURE OF A FUZZY SET

Adaptive Energy and Location Aware Routing in Wireless Sensor Network

with `ook-ahead for Broadcast WDM Networks TR May 14, 1996 Abstract

Evaluation of Parallel Processing Systems through Queuing Model

Avoiding congestion through dynamic load control

IP Camera Configuration Software Instruction Manual

Cordial and 3-Equitable Labeling for Some Star Related Graphs

Transcription:

Heterogenety n Vulnerable Hosts Slows Down Worm Propagaton Zesheng Chen and Chao Chen Department of Engneerng Indana Unversty - Purdue Unversty Fort Wayne, Indana 4685 Emal: {zchen, chen}@engr.pfw.edu Abstract Worm attacks contnue to be a sgnfcant threat to the Internet and have been a man tool used by botnets to recrut bots. Worm propagaton models are mportant for understandng worm dynamcs and desgnng effectve and effcent detecton and defense systems. The exstng models, however, gnore the heterogenety n vulnerable hosts and assume that the wormscannng rate s the same for all nfected hosts. In ths work, we analytcally and emprcally study the mpact of heterogenety of vulnerable hosts on worm propagaton. Specfcally, we frst apply the Jensen s nequalty to show that the heterogenety n vulnerable hosts ndeed hnders the speed of worm propagaton. We then conjecture, through the approxmaton analyss, that f the degree of the heterogenety n vulnerable hosts s hgher, the worm spreads slower. Next, we propose a novel model to predct and characterze worm dynamcs among heterogeneous vulnerable hosts. Fnally, applyng the scale-down smulatons and smulatng the propagaton of a Wtty-lke worm n the Internet, we verfy our analytcal results and demonstrate that our proposed model can accurately predct the spread of worms among heterogeneous vulnerable hosts. I. INTRODUCTION Worms nfect vulnerable hosts and use them to compromse other vulnerable hosts. Such a self-propagaton attack has been a sgnfcant threat to network securty snce. Internet worms, such as Code Red, Nmda, Slammer, Wtty, and Storm, nfected a large number of hosts and caused huge damages. In recent years, worms have also been a man tool used by botnets to recrut a certan number of compromsed machnes and collect the nformaton of nfected hosts. Therefore, t s mportant and mperatve to accurately model the spread of worms n the Internet. Worm propagaton models can help better understand worm dynamc characterstcs. More mportantly, such models are fundamental for detectng and defendng aganst Internet worms. Mathematcal models of worm spreadng have been wdely studed. For example, dfferental equatons have been used to descrbe random-scannng worms [], [9] and to desgn a worm detecton system [8]. A dscrete-tme model has been proposed wth the consderaton of host recovery and patch, and has been exploted to montor, detect, and defend aganst worms []. A stochastc model has been studed to reflect the varaton of worm propagaton and ts mpact to worm detecton []. All exstng models, however, assume that vulnerable hosts are homogeneous and as a result, that all nfected hosts use the same scannng rate to search for targets. Two related works [7], [6] consder that the scannng rate of nfected hosts can vary wth tme. But these two works also make the assumpton that the worm-scannng rate s the same for all nfected hosts. Therefore, the mpact of heterogenety n vulnerable hosts on worm propagaton has not been studed yet. Vulnerable hosts n the Internet have been shown to be sgnfcantly heterogeneous. The network condtons and the computer performance of end-hosts are very dfferent. Specfcally, t has been shown that 7% of the end-hosts n a popular BtTorrent system have an upload capacty between 5 Kbps and Mbps, whereas % of them have an upload capacty of Mbps or more [5]. Moreover, 64% of the avalable resources are contrbuted by only 5% of hosts that have the bandwdth between 55 Mbps and Mbps. A measurement study of the Wtty worm also ndcates strong heterogenety n vulnerable hosts []. For nstance, the bt rates of nfected hosts span from less than 56 Kbps to more than Mbps. Hence, when studyng worm propagaton models, we cannot gnore the effect of the heterogenety n vulnerable hosts. The goal of ths work s to study the mpact of heterogenety n vulnerable hosts on worm propagaton. Specfcally, we attempt to answer the followng questons: Does heterogenety n vulnerable hosts slow down worm propagaton? If vulnerable hosts have a hgher degree of heterogenety, would ths have a greater mpact on worm spreadng? How can we effectvely predct and model worm propagaton among heterogeneous vulnerable hosts? To answer these questons, we analytcally and emprcally study the worm propagaton among both homogeneous and heterogeneous vulnerable hosts. Our analyss s based on the probablstc model, and the nequalty and approxmaton technques; whereas the smulaton uses the scale-down method and mmcs the spread of the Wtty-lke worm n the Internet. Specfcally, we summarze our dscoveres and contrbutons n the followng: Through both analyss and smulaton, we fnd that statstcally the worm has a smaller spreadng speed among heterogeneous vulnerable hosts wth dstnct scannng rates than among homogeneous vulnerable hosts wth the same scannng rate. For nstance, we demonstrate that a Wtty-lke worm can be slowed down three tmes on average n the heterogeneous case than n the homoge-

neous case. Therefore, heterogenety n vulnerable hosts can potentally slow down worm spreadng sgnfcantly. We show analytcally and conjecture that f the degree of heterogenety n vulnerable hosts s hgher, the worm propagates slower. Our smulaton results verfy the conjecture. Ths ndcates that the current hgh degree of heterogenety among vulnerable hosts n the Internet ndeed helps defenders to gan some tme to respond to worm attacks. We then desgn a novel model to predct the spread of worms among heterogeneous vulnerable hosts. Such a model characterzes the worm propagaton delay,.e., the tme dfference between the homogeneous case and the heterogeneous case. Smulaton results show that our model can accurately predct the dynamcs of worm propagaton among heterogeneous vulnerable hosts. The remander of ths paper s structured as follows. Secton II dscusses the heterogenety n vulnerable hosts. Secton III gves our analyss on worm propagaton among heterogeneous vulnerable hosts, whereas Secton IV uses smulatons to verfy our analytcal results. Fnally, Secton V concludes ths paper. II. HETEROGENEITY IN VULNERABLE HOSTS Vulnerable hosts n the Internet are heterogeneous. Ths les n the fact that end-hosts n the Internet have dstnct bandwdth and computer performance. A host may connect to the Internet through a dal-up connecton (e.g., 56 Kbps), a dgtal subscrber lne (DSL) (e.g., 4 Kbps 5 Kbps), a local area network (LAN) (e.g., Mbps, Mbps, or Gbps), or a wreless LAN (e.g., 54 Mbps) [7]. Moreover, many worms such as Slammer and Wtty are bandwdth lmted and send packets as fast as the nfected hosts Internet connecton allows [8], []. A measurement study on the Wtty worm has shown that the nfected hosts are heterogeneous []. Specfcally, whle the average transmsson speed of an nfected host s Mbps, 6% of nfected hosts transmt wth bt rates between 96 Kbps and 5 Kbps. For an ndvdual nfected host, the bandwdth manly determnes how many scans per unt tme a bandwdth-lmted worm can send to fnd targets,.e., the worm-scannng rate. If an nfected host has a hgher bandwdth, the worm-scannng rate s always hgher. In ths work, therefore, we use the varaton of worm-scannng rates to reflect the heterogenety n vulnerable hosts. III. THEORETICAL ANALYSIS Snce vulnerable hosts have dstnct bandwdth and computer performance, worm-scannng rates from nfected hosts can be very dfferent. In ths paper, we specfcally focus on the mpact of the varaton of scannng rates on worm propagaton and make several smplfed assumptons. Frst, we assume that once a host s nfected, t remans n the nfecton state. Such a susceptble nfected (SI) model has been wdely used n studyng worm spreadng [], [9], [], [4], []. Second, we focus on random-scannng worms. Random scannng selects target IPv4 addresses unformly and has been exploted by many worms such as Code Red [9], Slammer [8], and Wtty []. The observatons found n ths paper, however, can be well extended to other scannng methods such as localzed scannng [] and mportance scannng []. Fnally, whle the scannng rates of nfected hosts can be dfferent from each other, we assume that the scannng rate of an ndvdual host does not vary wth tme. Ths s a reasonable assumpton for two reasons: () As ndcated by our analyss, the tme perod of worm propagaton that we are nterested n s at the early stage,.e., before the worm has nfected many hosts and congested networks. () It has been observed that an nfected host always scans for vulnerable hosts at the maxmum speed allowed by ts network condtons and computng resources [6]. In ths secton, we frst show theoretcally that compared wth worm propagaton among homogeneous vulnerable hosts, worm spreadng s slowed down among heterogeneous vulnerable hosts. We then demonstrate and conjecture that f the degree of heterogenety n vulnerable hosts s hgher, worms spread slower. Fnally, we provde a novel worm model that characterzes the spread of worms among heterogeneous vulnerable hosts. A. Comparng Worm Propagaton wth Homogeneous Vulnerable Hosts and wth Heterogeneous Vulnerable Hosts We use a dscrete-tme system to analyze the effect of the varaton of scannng rates on worm propagaton. Specfcally, t s assumed that there are totally N vulnerable hosts and currently I nfected hosts. Infected host ( =,,,I) uses a scannng rate of s,.e., sends s scans per unt tme. Then, the total number of scans at the next tme step s = s. Therefore, the probablty that an unnfected vulnerable host s ht by a worm scan at the next tme step s p h = N I I s, () = where s the scannng space. Thus, the tme to recrut a new vctm, T, follows the geometrc dstrbuton,.e., Pr(T = k) = p h ( p h ) k, k =,,, () whch leads to E[T s,s,,s I ] = = p h (N I) = s. () It can be seen that f E[T] s smaller, the worm spreads faster. If all nfected hosts are homogeneous, s = s,,.e., the scannng rate for all nfected hosts s a constant. Thus, the expected tme to recrut a new vctm s E[T] = si(n I). (4) On the other hand, f nfected hosts are heterogeneous, the scannng rate can be very dfferent for dstnct nfected hosts. Because of the nature of random scannng, each nstant of worm propagaton can nfect vulnerable hosts n totally dfferent orders. Hence, we assume that s s are ndependent

and dentcally-dstrbuted (..d.) random varables wth mean s and varance σ (σ ). Note that f σ =, vulnerable hosts are homogeneous; otherwse, they are heterogeneous. Therefore, from the law of total expectaton, we have E[T] = E[E[T s,s,,s I ]] = N I E [ = s ]. (5) Accordng to the Jensen s nequalty [], [4], f X s a random varable, f s a strctly convex functon (.e., f (x) > ), and E[X] and E[f(X)] exst, then E[f(X)] f(e[x]), (6) where the equalty holds f an only f X s a constant. Here, we apply the Jensen s nequalty by settng f(x) = x. Snce f (x) = x and f (x) = x > when x >, x s a strctly convex functon. We then fnd from Equaton (5) that E[T] N I E[ = s ] = si(n I), (7) where the equalty holds f and only f σ =. Comparng Equaton (4) and Inequalty (7), we have the followng theorem. Theorem : If worm-scannng rates s s are..d. random varables wth mean s and varance σ, then the worm spreads slower when σ > than when σ =. That s, statstcally the worm has a smaller spreadng speed among heterogeneous vulnerable hosts wth dstnct scannng rates than among homogeneous vulnerable hosts wth the same scannng rate. Theorem ndcates that the exstng worm propagaton models gnore the varaton of scannng rates and thus overestmate the worm propagaton speed. Moreover, Theorem reflects that the heterogenety n vulnerable hosts ndeed hnders worm propagaton and can help defenders gan some tme to respond to worm attacks. B. Conjecturng the Impact of the Degree of Heterogenety n Vulnerable Hosts Snce the heterogenety n vulnerable hosts slows down worm propagaton, a queston arses: Would the worm spread slower f the degree of the heterogenety of vulnerable hosts s hgher? That s, when σ ncreases, would E[T] be larger? To answer ths queston, we apply Taylor expanson and approxmaton technques. Specfcally, we study the Taylor expanson of functon f(x) = x,.e., f(x) = a + f (a)(x a) + f (a)(x a) + H (8) a x a (x a) a + a. (9) In the above equaton, H contans the hgher-order terms and can be gnored. Note that E[ = s ] = si. Then, settng x = = s and a = si n the above equaton, we have = s si s I + ( = s si) s I. () = s si Takng the expectaton on both sdes of the above equaton, we obtan [ ] E = s si + E[( = s si) ] s I () = si + Var[ = s ] s I () = si + σ s I. () Therefore, from Equatons (5) and (), the expected tme to recrut a new vctm s E[T] si(n I) + σ s I (N I). (4) In the above equaton, the frst term (.e., si(n I) ) s dentcal to E[T] for the homogeneous case, and the second term s proportonal to σ. Based on ths approxmaton result, t s obvous that when σ ncreases, E[T] also ncreases. Hence, we have the followng conjecture. Conjecture : When σ s larger, the worm spreads slower. That s, the worm propagates slower among the vulnerable hosts wth a hgher degree of heterogenety. C. Modelng Worm Propagaton among Heterogeneous Vulnerable Hosts We apply a novel approach to characterze the spread of random-scannng worms among heterogeneous vulnerable hosts. Instead of obtanng the propagaton speed of worms, we attempt to study how much worm propagaton delay, compared wth the homogeneous case, s caused by the varaton of worm-scannng rates. In ths way, once we smulate or model the worm spreadng among homogeneous vulnerable hosts, we can predct or model the worm propagaton among heterogeneous vulnerable hosts. We frst use two worm-scannng rates as an example to demonstrate our modelng procedure. We assume that among N vulnerable hosts, p N hosts have a scannng rate of r, and ( p) N hosts have a scannng rate of r, where p and r r. That s, a randomly selected nfected host has a scannng rate of r wth probablty p and a scannng rate of r wth probablty p. Thus, the average scannng rate s s = pr + ( p)r. That s, p = r s r r. Note that p can be derved, gven arbtrary values of r, r, and s. Moreover, among the I nfected hosts, the number of hosts havng the scannng rate of r follows the bnomal dstrbuton B(I, p). If k nfected hosts have a scannng rate of r, then = s = kr + (I k)r. From Equaton (5), we then obtan [ ] E = s = I k= ( ) I p k ( p) I k. k kr + (I k)r (5) Therefore, based on the above equaton and Equaton (4), we can calculate the tme dfference to recrut a new vctm between the heterogeneous case and the homogeneous case,

4.e., E[T I ] = I k= ( ) I p k ( p) I k k [kr + (I k)r ](N I) si(n I). (6) Accordng to the feature of the bnomal dstrbuton, when I s large, kr +(I k)r approaches si wth a hgh probablty, and thus E[T I ] s very small and can be gnored. Therefore, we only need to calculate the tme dfference when I s not large (e.g., I % of the total number of vulnerable hosts). In other words, the worm propagaton dfference between the heterogeneous case and the homogeneous case only occurs at the early stage of worm spreadng when the number of nfected hosts s small. Statstcally, once a worm has recruted a suffcent number of nfected hosts, the heterogenety n vulnerable hosts has lttle mpact on the worm propagaton. On the other hand, when a worm has just started spreadng from one or a small number of nfected hosts, the mpact of the heterogenety n vulnerable hosts on worm dynamcs can be sgnfcant, whch wll be shown n the next secton. Specfcally, f we assume that a worm starts spreadng from one nfected host and set I as the upper bound for calculatng E[T I ] n Equaton (6), then D H = I = E[T ] (7) represents how much delay s caused by the varaton of scannng rates at the early stage of worm propagaton. That s, once we obtan the propagaton curve for worms among homogeneous vulnerable hosts, we can then shft the curve wth the delay D H to predct the worm spreadng among heterogeneous vulnerable hosts wth the same average scannng rate. Note that such a modelng procedure can be easly extended to the case of multple worm-scannng rates or the case when worm-scannng rates follow an arbtrary dstrbuton. For example, when a worm has multple scannng rates (.e., r, r,, r m ), an nfected host has a scannng rate of r wth probablty p, where m s the number of scannng rates and m = p =. Let n (n ) denote the number of nfected hosts among I nfected hosts that have the scannng rate of r, where m = n = I. Then, n s have a multnomal dstrbuton wth parameters I and p s, and = s = m = n r. Therefore, Equaton (5) becomes E [ = s ] = n=i (I!)( m = pn ) ( m = n!)( m = n r ). (8) Moreover, f s s are..d. random varables wth probablty dstrbuton f S (s). Then, [ ] I = E = s = f S(s ) = s ds ds I. (9) In a smlar way, we can obtan E [T I ] and D H for the worm wth multple scannng rates or an arbtrary dstrbuton of scannng rates, and use them to predct the worm propagaton among heterogeneous vulnerable hosts. IV. SIMULATION VERIFICATION We verfy the analytcal results n the prevous secton by smulatng the spread of a worm among vulnerable hosts wth both homogeneous and heterogeneous scannng rates. As an ntal attempt, we only study random-scannng worms wth two scannng rates. That s, we assume that some nfected hosts have a scannng rate of scan, whereas others have a scannng rate of scan. If scan = scan, t s the homogeneous case; otherwse, t s the heterogeneous case. Both homogeneous and heterogeneous cases have the same average worm-scannng rate. Moreover, the target of each worm scan s created by a random number generator over the scannng space, so that each host s ht by the worm scan wth an equal probablty. Once an unnfected vulnerable host s ht by a worm scan, we record the nfecton tme,.e., when ths vulnerable host s compromsed. Based on ths nfecton tme, we can count the number of nfected hosts at each tme step and thus obtan the worm propagaton curve. In our smulatons, the worm starts spreadng from one nfected host (.e., htlst = ), whch s randomly selected from the vulnerable hosts. To obtan the analytcal results for worm propagaton n the heterogeneous case, we frst obtan the smulaton results for worm spreadng n the homogeneous case, and use Equatons (6) and (7) to calculate the delay (.e., D H ) caused by the varaton of scannng rates. We then shft the worm propagaton curve from the homogeneous case wth the delay D H to predct worm spreadng n the heterogeneous case. Specfcally, n ths secton we frst apply scale-down smulatons to obtan the observatons of worm propagaton n a /6 network. We then smulate the spread of Wtty worms n the IPv4 address space. A. Scale-Down Smulatons A scale-down smulaton studes worm propagaton n a much smaller scannng space, nstead of the IPv4 address space that contans IP addresses [5]. In such a way, the patterns of worm spreadng can be obtaned n a much shorter tme through smulatons. We apply the technque of scale-down smulatons and smulate the spread of randomscannng worms n a /6 subnet. Specfcally, we assume that the scannng space s 6 (.e., = 6556), the number of vulnerable hosts s 5 (.e., N = 5), and the average scannng rate s /second (.e., s = /second). Fgure shows the smulaton results of worm propagaton wth four cases of two scannng rates: () scan = scan = ; () scan = 5 and scan = 5; () scan = and scan = 9; (4) scan = and scan = 9. The curves n the fgure are averages over runs. It can be seen that compared wth the worm n the homogeneous case (.e., case ()), worms spread slower n the heterogeneous cases (.e., cases ()-(4)), whch verfes

5 Number of nfected hosts 5 4 scan = scan = scan = 5, scan = 5 scan =, scan = 9 scan =, scan = 9 4 5 Tme (second) Fg.. Impact of scannng-rate varaton on worm propagaton n scale-down smulatons ( = 6556, N = 5, s = /second, and htlst = ). Number of nfected hosts 5 4 scan = 5, scan = 5 (smulaton) scan = 5, scan = 5 (model) scan =, scan = 9 (smulaton) scan =, scan = 9 (model) scan =, scan = 9 (smulaton) scan =, scan = 9 (model) 4 6 8 Tme (second) Fg.. Comparsons of worm propagaton from scale-down smulatons and from the model ( = 6556, N = 5, s = /second, htlst =, and I = 5). Theorem. Moreover, f the degree of the heterogenety n vulnerable hosts s hgher, the worm spreads slower, whch confrms Conjecture. Specfcally, the worm takes on average 8. seconds to nfect all vulnerable hosts n case (), whereas the worm uses 8.8, 6., and 55. seconds n cases (), (), and (4), respectvely. Moreover, t can be seen from the fgure that after the worm has nfected a certan number of hosts (e.g., % of vulnerable hosts), the propagaton curves for all four cases are dentcal, whch verfes our observatons from Equaton (6). Fgure compares the smulaton results to our analytcal results for the heterogeneous cases. In Equaton (7), we set 5 as the upper bound (.e., I = 5) to calculate the delay (.e., D H ). Specfcally, we fnd that D H =.7, 8., and 6.8 seconds for cases ()-(4). From the fgure, t can be seen that the curves of analytcal results and smulaton results overlap, ndcatng that our predcton s accurate. B. Wtty-Worm Propagaton Smulatons Next, we smulate the spread of a worm n the IPv4 address space, usng the parameters from the Wtty worm. Specfcally, the Wtty worm scans the entre IPv4 address space (.e., = ), targets 5599 vulnerable hosts (.e., N = 5599), and uses an average scannng rate of /seconds (.e., s = /seconds) []. We consder three cases of two worm-scannng rates: () scan = scan = ; () scan = and scan = ; () scan = and scan =. For case (), two scannng rates dffer tmes, whch s motvated from the observaton that the bandwdth capacty of end-hosts can have tmes dfference [5]. For each scenaro, we smulate runs wth dfferent seeds. Snce the major dfference among three cases occurs n the tme perod before the worm nfect a sgnfcant porton of vulnerable hosts, our smulator stops runnng when the worm has compromsed hosts. Fgure shows the spread of the Wtty worm wth three dfferent combnatons of two scannng rates. In each subfgure, the 5% curve ndcates that a worm spreads no faster than ths curve n 5 out of smulaton runs. The smlar defnton s appled to the 5%, 5%, 75%, and 95% curves. Moreover, the mean curve s the average over runs. It can be seen that the worm propagates faster n the homogeneous case than n the heterogeneous cases. Furthermore, when the degree of heterogenety n vulnerable hosts ncreases, the worm spreads slower, and the varaton of worm propagaton s larger. These observatons are smlar to those n the scale-down smulatons and verfy our analyss. Specfcally, comparng cases () and (), we fnd that the worm uses on average 756. seconds to nfect hosts n the homogeneous case, whereas the worm needs.9 seconds to compromse the same number of hosts n the heterogeneous case. Ths means that the worm s slowed down about tmes due to the varaton of scannng rates and ndcates that the heterogenety n vulnerable hosts can potentally mpact worm spreadng sgnfcantly. We then further evaluate the performance of our predcton to worm propagaton among heterogeneous vulnerable hosts n Fgure 4. In our predcaton, we use only as the upper bound n Equaton (7),.e., I =. In ths fgure, the curves of smulatons are the averages over runs, whereas the curves of the model are based on Equatons (6) and (7). It can also be seen that the curves of smulaton and analytcal results are very close, ndcatng that our model well characterzes the dynamcs of worm propagaton among heterogeneous vulnerable hosts. V. CONCLUSIONS In ths work, we have shown that heterogenety n vulnerable hosts slows down worm propagaton through both analyss and smulaton. Moreover, a hgher degree of heterogenety n vulnerable hosts leads to slower propagaton of worms. We have also desgned a new model to characterze worm spreadng among heterogeneous vulnerable hosts. Our model focuses on the worm propagaton tme dfference between the heterogeneous case and the homogeneous case, and s shown emprcally to have a good performance to predct worm dynamcs. To the best of our knowledge, ths s the

6 Number of nfected hosts.5 x 4.5.5 5% 5% 5% 75% 95% Mean Number of nfected hosts.5 x 4.5.5 5% 5% 5% 75% 95% Mean Number of nfected hosts.5 x 4.5.5 5% 5% 5% 75% 95% Mean.5.5.5 4 6 8 Tme (second) (a) Case : scan = scan = 5 5 Tme (second) (b) Case : scan = and scan = 4 Tme (second) (c) Case : scan = and scan = Fg.. Impact of scannng-rate varaton on wtty-worm propagaton ( =, N = 5599, s = /second, and htlst = ). Number of nfected hosts 5 x 4 4 scan =, scan = (smulaton) scan =, scan = (model) scan =, scan = (smulaton) scan =, scan = (model) 5 5 5 Tme (second) Fg. 4. Comparsons of wtty-worm propagaton from smulatons and from the model ( =, N = 5599, s = /second, htlst =, and I = ). frst attempt n understandng the mpact of the heterogenety of vulnerable hosts on worm propagaton quanttatvely. As our on-gong work, we plan to extend the study to other scannng methods such as mportance scannng. REFERENCES [] Z. Chen, L. Gao, and K. Kwat, Modelng the spread of actve worms, n Proc. of INFOCOM, vol., San Francsco, CA, Apr., pp. 89-9. [] Z. Chen and C. J, Optmal worm-scannng method usng vulnerablehost dstrbutons, Internatonal Journal of Securty and Networks: Specal Issue on Computer and Network Securty, vol., no. /, 7. [] Z. Chen and C. J, An nformaton-theoretc vew of network-aware malware attacks, IEEE Transactons on Informaton Forenscs and Securty, vol. 4, no., Sept. 9, pp. 5-54. [4] T. M. Cover and J. A. Thomas, Elements of Informaton Theory. New York: Wley, 99. [5] T. Isdal, M. Patek, A. Krshnamurthy, and T. Anderson, Leveragng BtTorrent for end host measurements, n Proc. of the 8th Passve and Actve Measurement Conference (PAM 7), Louvan-la-neuve, Belgum, Apr. 7. [6] E. Krman and C. S. Hood, Analyss of a scannng model of worm propagaton, Journal n Computer Vrology, vol. 6, no.,, pp. -4. [7] J. F. Kurose and K. W. Ross, Computer Networkng: A Top-Down Approach, 4th Edton, Pearson Educaton, Inc., 8. [8] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Stanford, and N. Weaver, Insde the Slammer worm, IEEE Securty and Prvacy, vol., no. 4, July, pp. -9. [9] D. Moore, C. Shannon, and J. Brown, Code-red: a case study on the spread and vctms of an Internet worm, n ACM SIGCOMM/USENIX Internet Measurement Workshop, Marselle, France, Nov.. [] D. M. Ncol, The mpact of stochastc varance on worm propagaton and detecton, n Proc. ACM/CCS Workshop on Rapd Malcode (WORM 6), Farfax, VA, Nov. 6. [] S. M. Ross, Stochastc Processes, Second Edton. John Wley & Sons, Inc., 996. [] C. Shannon and D. Moore, The spread of the Wtty worm, IEEE Securty and Prvacy, vol., no 4, Jul-Aug 4, pp. 46-5. [] S. Stanford, V. Paxson, and N. Weaver, How to wn the Internet n your spare tme, n Proc. of the th USENIX Securty Symposum (Securty ), San Francsco, CA, Aug., pp. 49-67. [4] M. Vojnovc, V. Gupta, T. Karaganns, and C. Gkantsds, Samplng strateges for epdemc-style nformaton dssemnaton, IEEE/ACM Transactons on Networkng, vol. 8, no. 4, Aug., pp. -5. [5] N. Weaver, I. Hamadeh, G. Kesds, and V. Paxson, Prelmnary results usng scale-down to explore worm dynamcs, n Proc. of the nd ACM Workshop on Rapd Malcode (WORM 4), Farfax, VA, Oct. 4. [6] S. We and J. Mrkovc, Correctng congeston-based error n network telescopes observatons of worm dynamcs, n Proc. of the 8th Internet Measurement Conference (IMC 8), Voulagmen, Greece, Oct. 8. [7] C. C. Zou, W. Gong, and D. Towsley, Code red worm propagaton modelng and analyss, n Proc. of the 9th ACM Conference on Computer and Communcaton Securty (CCS ), Washngton DC, Nov., pp. 8-47. [8] C. C. Zou, W. Gong, D. Towsley, and L. Gao, The montorng and early detecton of Internet worms, IEEE/ACM Transactons on Networkng, vol., no. 5, Oct. 5, pp. 96-974. [9] C. C. Zou, D. Towsley, and W. Gong, On the performance of Internet worm scannng strateges, Elsever Journal of Performance Evaluaton, vol. 6. no. 7, July 6, pp. 7-7.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback