Combinatorial Optimisation of Worm Propagationon an Unknown Network
Worm propagation profiles have significantly changed
since 2003-2004: sudden world outbreaks like Blaster or Slammer
have progressively disappeared and slower but stealthier worms
appeared since, most of them for botnets dissemination. Decreased
worm virulence results in more difficult detection.
In this paper, we describe a stealth worm propagation model
which has been extensively simulated and analysed on a huge virtual
network. The main features of this model is its ability to infect any
Internet-like network in a few seconds, whatever may be its size while
greatly limiting the reinfection attempt overhead of already infected
hosts. The main simulation results shows that the combinatorial
topology of routing may have a huge impact on the worm propagation
and thus some servers play a more essential and significant role than
others. The real-time capability to identify them may be essential to
greatly hinder worm propagation.
[1] Chambet P. (2005), FakeNetBIOS, French Honeynet Projet Homepage,
http://honeynet.rstack.org/tools.php
[2] Cormen T., Leiserson C. and Rivest R. (1990), Introduction to Algorithms,
MIT Press.
[3] Dharwadker A. (2006), The Vertex Cover Algorithm, http://www.
geocities.com/dharwadker/vertex_cover
[4] Gubiolli A. (2007), Un simulatore della diffusione di worm in un sistema
informatico, Master-s Thesis, Politecnico di Milano. A technical report
in English will be available soon.
[5] Filiol E., Franc E., Moquet B. and Roblot G. (2007), SUWAST: a
large-scale simulation environment for worm network attacks. Technical
Report ESAT 2007 11.
[6] Filiol E., Franc E., Gubbioli A., Moquet B. and Roblot G. (2007),
Combinatorial Optimisation of Worm Propagation on an Unknown
Network. The extended version of the present paper. To appear.
[7] Li J., Leong B. and Sollins K. (2005), Implementing Aggregation/
Broadcast over Distributed Hash Tables, ACM Computer Communication
Review, 35 (1), http://krs.lcs.mit.edu/regions/
docs/broadcast.pdf
[8] Maymounkov and Nazi`eres (2002), Kademlia: A Peer-to-Peer Information
System Based on the XOR Metrics. Proceedings of IPTPS02, http:
//www.cs.rice.edu/Conferences/IPTPS02/109.pdf
[9] Provos, N. (2003), A Virtual Honeypot Framework, http://niels.
xtdnet.nl/papers/honeyd.pdf.
[10] Provos, N., McNamee D., Mavrommatis P., Wang K. and Modadugu
(2007), The Ghost in the Browser - Analysis of Web-malware. In
HotBots-07 Confererence, http://www.usenix.org/events/
hotbots07/tech/full_papers/provos/provos.pdf
[11] Staniford S., Paxson V. and Weaver N. (2002), How to 0wn the
Internet in Your Spare Time, Proceedings of the 11th USENIX Security
Symposium, San Francisco, CA.
[12] Weaver N. (2002), Potential Strategies for High Speed Active Worms:
A Worst Case Analysis, http://www.cgisecurity.com/lib/
worms.pdf
[13] Wiley B. (2002), Curious Yellow: The first Coordinated Worm Design,
http://blanu.net/curious_yellow.html
[1] Chambet P. (2005), FakeNetBIOS, French Honeynet Projet Homepage,
http://honeynet.rstack.org/tools.php
[2] Cormen T., Leiserson C. and Rivest R. (1990), Introduction to Algorithms,
MIT Press.
[3] Dharwadker A. (2006), The Vertex Cover Algorithm, http://www.
geocities.com/dharwadker/vertex_cover
[4] Gubiolli A. (2007), Un simulatore della diffusione di worm in un sistema
informatico, Master-s Thesis, Politecnico di Milano. A technical report
in English will be available soon.
[5] Filiol E., Franc E., Moquet B. and Roblot G. (2007), SUWAST: a
large-scale simulation environment for worm network attacks. Technical
Report ESAT 2007 11.
[6] Filiol E., Franc E., Gubbioli A., Moquet B. and Roblot G. (2007),
Combinatorial Optimisation of Worm Propagation on an Unknown
Network. The extended version of the present paper. To appear.
[7] Li J., Leong B. and Sollins K. (2005), Implementing Aggregation/
Broadcast over Distributed Hash Tables, ACM Computer Communication
Review, 35 (1), http://krs.lcs.mit.edu/regions/
docs/broadcast.pdf
[8] Maymounkov and Nazi`eres (2002), Kademlia: A Peer-to-Peer Information
System Based on the XOR Metrics. Proceedings of IPTPS02, http:
//www.cs.rice.edu/Conferences/IPTPS02/109.pdf
[9] Provos, N. (2003), A Virtual Honeypot Framework, http://niels.
xtdnet.nl/papers/honeyd.pdf.
[10] Provos, N., McNamee D., Mavrommatis P., Wang K. and Modadugu
(2007), The Ghost in the Browser - Analysis of Web-malware. In
HotBots-07 Confererence, http://www.usenix.org/events/
hotbots07/tech/full_papers/provos/provos.pdf
[11] Staniford S., Paxson V. and Weaver N. (2002), How to 0wn the
Internet in Your Spare Time, Proceedings of the 11th USENIX Security
Symposium, San Francisco, CA.
[12] Weaver N. (2002), Potential Strategies for High Speed Active Worms:
A Worst Case Analysis, http://www.cgisecurity.com/lib/
worms.pdf
[13] Wiley B. (2002), Curious Yellow: The first Coordinated Worm Design,
http://blanu.net/curious_yellow.html
@article{"International Journal of Information, Control and Computer Sciences:64088", author = "Eric Filiol and Edouard Franc and Alessandro Gubbioli and Benoit Moquet and Guillaume Roblot", title = "Combinatorial Optimisation of Worm Propagationon an Unknown Network", abstract = "Worm propagation profiles have significantly changed
since 2003-2004: sudden world outbreaks like Blaster or Slammer
have progressively disappeared and slower but stealthier worms
appeared since, most of them for botnets dissemination. Decreased
worm virulence results in more difficult detection.
In this paper, we describe a stealth worm propagation model
which has been extensively simulated and analysed on a huge virtual
network. The main features of this model is its ability to infect any
Internet-like network in a few seconds, whatever may be its size while
greatly limiting the reinfection attempt overhead of already infected
hosts. The main simulation results shows that the combinatorial
topology of routing may have a huge impact on the worm propagation
and thus some servers play a more essential and significant role than
others. The real-time capability to identify them may be essential to
greatly hinder worm propagation.", keywords = "Combinatorial worm, worm spreading, worm virulence,stealth worm, spreading simulation, vertex cover, networktopology, WAST simulator, SuWAST simulator.", volume = "1", number = "10", pages = "3321-7", }