Combinatorial Optimisation of Worm Propagationon an Unknown Network

Worm propagation profiles have significantly changed since 2003-2004: sudden world outbreaks like Blaster or Slammer have progressively disappeared and slower but stealthier worms appeared since, most of them for botnets dissemination. Decreased worm virulence results in more difficult detection. In this paper, we describe a stealth worm propagation model which has been extensively simulated and analysed on a huge virtual network. The main features of this model is its ability to infect any Internet-like network in a few seconds, whatever may be its size while greatly limiting the reinfection attempt overhead of already infected hosts. The main simulation results shows that the combinatorial topology of routing may have a huge impact on the worm propagation and thus some servers play a more essential and significant role than others. The real-time capability to identify them may be essential to greatly hinder worm propagation.

Authors:

• Eric Filiol
• Edouard Franc
• Alessandro Gubbioli
• Benoit Moquet
• Guillaume Roblot

Keywords:

• Combinatorial worm
• worm spreading
• worm virulence
• stealth worm
• spreading simulation
• vertex cover
• networktopology
• WAST simulator
• SuWAST simulator.

References:

[1] Chambet P. (2005), FakeNetBIOS, French Honeynet Projet Homepage,
http://honeynet.rstack.org/tools.php
[2] Cormen T., Leiserson C. and Rivest R. (1990), Introduction to Algorithms,
MIT Press.
[3] Dharwadker A. (2006), The Vertex Cover Algorithm, http://www.
geocities.com/dharwadker/vertex_cover
[4] Gubiolli A. (2007), Un simulatore della diffusione di worm in un sistema
informatico, Master-s Thesis, Politecnico di Milano. A technical report
in English will be available soon.
[5] Filiol E., Franc E., Moquet B. and Roblot G. (2007), SUWAST: a
large-scale simulation environment for worm network attacks. Technical
Report ESAT 2007 11.
[6] Filiol E., Franc E., Gubbioli A., Moquet B. and Roblot G. (2007),
Combinatorial Optimisation of Worm Propagation on an Unknown
Network. The extended version of the present paper. To appear.
[7] Li J., Leong B. and Sollins K. (2005), Implementing Aggregation/
Broadcast over Distributed Hash Tables, ACM Computer Communication
Review, 35 (1), http://krs.lcs.mit.edu/regions/
docs/broadcast.pdf
[8] Maymounkov and Nazi`eres (2002), Kademlia: A Peer-to-Peer Information
System Based on the XOR Metrics. Proceedings of IPTPS02, http:
//www.cs.rice.edu/Conferences/IPTPS02/109.pdf
[9] Provos, N. (2003), A Virtual Honeypot Framework, http://niels.
xtdnet.nl/papers/honeyd.pdf.
[10] Provos, N., McNamee D., Mavrommatis P., Wang K. and Modadugu
(2007), The Ghost in the Browser - Analysis of Web-malware. In
HotBots-07 Confererence, http://www.usenix.org/events/
hotbots07/tech/full_papers/provos/provos.pdf
[11] Staniford S., Paxson V. and Weaver N. (2002), How to 0wn the
Internet in Your Spare Time, Proceedings of the 11th USENIX Security
Symposium, San Francisco, CA.
[12] Weaver N. (2002), Potential Strategies for High Speed Active Worms:
A Worst Case Analysis, http://www.cgisecurity.com/lib/
worms.pdf
[13] Wiley B. (2002), Curious Yellow: The first Coordinated Worm Design,
http://blanu.net/curious_yellow.html