Distributed Detection and Optimal Traffic-blocking of Network Worms

Despite the recent surge of research in control of worm propagation, there is currently no effective defense system against such cyber attacks. We first design a distributed detection architecture called Detection via Distributed Blackholes (DDBH). Our novel detection mechanism can be implemented via virtual honeypots or honeynets. Simulation results show that a worm can be detected with virtual honeypots on only 3% of the nodes. Moreover, the worm is detected when less than 1.5% of the nodes are infected. We then develop two control strategies: (1) optimal dynamic traffic-blocking, for which we determine the condition that guarantees the minimum number of removed nodes when the worm is contained, and (2) predictive dynamic traffic-blocking, a realistic deployment of the optimal strategy on scale-free graphs. The predictive dynamic traffic-blocking, coupled with the DDBH, ensures that more than 40% of the network is unaffected by the propagation at the time when the worm is contained.
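As an added illustration of the detection idea (this is example code, not the paper's simulator), the following toy simulation places a fraction of a flat address space into blackhole honeypots and reports the infected fraction at the moment a random-scanning worm first touches one. The flat address space, the uniform scan model and the parameter values are assumptions of this example, not results from the paper.

```python
"""Toy model of Detection via Distributed Blackholes (DDBH).

Assumptions (this example's, not the paper's): N hosts in a flat address
space, a fraction `honeypot_frac` of which are virtual honeypots; every
infected host scans `scans_per_round` uniformly random addresses per round;
the first scan that lands on a honeypot counts as detection.
"""
import random


def simulate_ddbh(n_hosts=10000, honeypot_frac=0.03, scans_per_round=1,
                  seed=1, max_rounds=10000):
    """Run one epidemic; return whether/when it was detected and the
    fraction of hosts infected at that moment (1.0 if never detected)."""
    rng = random.Random(seed)
    hosts = range(n_hosts)
    honeypots = set(rng.sample(hosts, int(n_hosts * honeypot_frac)))
    real = [h for h in hosts if h not in honeypots]   # vulnerable hosts
    infected = {rng.choice(real)}                      # patient zero
    rnd = 0
    for rnd in range(1, max_rounds + 1):
        newly = set()
        for _ in list(infected):
            for _ in range(scans_per_round):
                target = rng.randrange(n_hosts)
                if target in honeypots:
                    # a blackhole sees unsolicited traffic: detection event
                    frac = len(infected | newly) / n_hosts
                    return {"detected": True, "round": rnd,
                            "infected_frac": frac}
                newly.add(target)
        infected |= newly
        if len(infected) == len(real):   # no honeypots hit, worm saturated
            break
    return {"detected": False, "round": rnd,
            "infected_frac": len(infected) / n_hosts}


def mean_infected_at_detection(runs=100, **kw):
    """Average infected fraction at detection over several random seeds,
    which is the quantity a deployment of DDBH would want to keep small."""
    fracs = [simulate_ddbh(seed=s, **kw)["infected_frac"] for s in range(runs)]
    return sum(fracs) / len(fracs)


if __name__ == "__main__":
    for frac in (0.0, 0.01, 0.03):
        m = mean_infected_at_detection(runs=50, n_hosts=5000, honeypot_frac=frac)
        print(f"honeypot fraction {frac:.2f}: mean infected at detection {m:.4f}")
```

Varying `honeypot_frac` shows the trade-off the abstract quantifies: a small honeypot share is enough to catch a uniformly scanning worm while only a small fraction of hosts is infected, whereas with no honeypots the worm saturates undetected.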



