
On The Performance of Internet Worm Scanning Strategies

This paper analyzes the effectiveness of Worm scanning strategies on propagation rate and develops a model to simulate the Worm's propagation across the network. It validates the model using observed data.


Presentation Transcript


  1. On The Performance of Internet Worm Scanning Strategies • Authors: Cliff C. Zou, Don Towsley, Weibo Gong • Publisher: Journal of Performance Evaluation • Presenter: James Campbell

  2. Outline • Objectives/Contributions • Modeling Basis • Worm Types • Propositions/Results • Case Study (Witty) • Conclusions • Strengths/Weaknesses/Further Research

  3. Objective • Analyze the effectiveness of Worm scanning strategies on propagation rate given various target profiles • Develop a model to provide accurate simulations of the Worm’s propagation across the network • Validate the model using observed data

  4. Major Contributions • The primary focus of the paper is the Worm propagation model, which estimates the prevalence of the Worm across the network • An ancillary focus is evaluating and comparing the effectiveness of the Worm propagation strategies using the model

  5. Modeling Basis • Uniform Scan Model • Principles • Vulnerable hosts are homogenous • Ideal network environment • Discount human intervention and network congestion • Equation

  6. Types of Worms • Flash • Sequential Scan • Selective • Combinations • Uniform Scan • Hit-List • Routing • Divide-and-Conquer

  7. Propositions • 1. Public indexes of vulnerable hosts provide a list of targets for Worm authors and should be minimized whenever possible. Selective strategies are substantially more efficient (right); public indexes of infection targets reduce the work for Worm authors and the required complexity of Worm behavior.

  8. Propositions (cont’d) • 2. Divide-and-Conquer strategy offers no advantage over Uniform Scan if vulnerable hosts are evenly distributed

  9. Propositions (cont’d) • 3. Optimal cooperation maintains exponential growth but does not significantly increase propagation. During early infection, redundant infection attempts are rare due to the size of the network; at later periods the number of infected hosts is sufficiently large as to maintain a high infection rate despite the number of collisions.

  10. Propositions (cont’d) • 4. Flash strategy is optimal if combined with cooperative behavior. Normally, Flash strategy offers a high infection rate due to the efficiency of its infection attempts; cooperative behavior is more feasible here than under other strategies, and offers a performance improvement similar to that in the general case (Prop. 3).

  11. Propositions (cont’d) • 5. Local preference increases propagation if vulnerable hosts are not evenly distributed; optimal local preference is proportional to network size

  12. Propositions (cont’d) Local preference trades the increased likelihood of local hosts being vulnerable against redundant scans caused by multiple infected hosts showing preference for the same restricted set of hosts; larger local networks minimize this penalty in proportion to their size.

  13. Propositions (cont’d) • 6. Local preference decreases propagation for Sequential Scan strategy • 7. Uniform and Sequential Scan strategies are equivalent if vulnerable hosts are evenly distributed

  14. Propositions (cont’d) Local selection increases the likelihood of redundant scans. For (7), in the general case one host is as likely to be vulnerable as any other, so all host selection strategies which do not affect redundancy rates are equivalent under these conditions.

  15. Propositions (cont’d) • 8. Selective Attack strategy is more efficient if scans are concentrated in the target domain when the concentration of vulnerable hosts in that domain is above average. (Figure panels: Concentrated, Unconcentrated)

  16. Case Study: Witty • 9. Mean crash time for a Witty-infected computer is proportional to disk space and inversely proportional to network bandwidth

  17. Propositions (cont’d) • 10. Monitored addresses should be as distributed as possible to increase detection chances for sequential and nonuniform strategies

  18. Propositions (cont’d) Sequential infection rates have a mean time to reach a particular address equal to half the network size; concentrated network sensors are roughly equivalent to single addresses for large networks. Similarly, nonuniform strategies focus on local networks which are unlikely to be monitored and exhibit detection profiles similar to sequential at the macro level.

  19. Conclusions • Model is accurate • Useful for predictions, tracking, damage assessment • Acceptable for simulation • Can indicate properties of a Worm by comparing observed rates to the model • Model framework is suitable for additional research and simulation

  20. Strengths • Model is reasonably accurate and likely to provide reliable predictions and inferences from observed real Worm behavior • Abstraction of various strategies into one or two variables simplifies classification and simulation • Strong, clear justification for model and permutations

  21. Weaknesses • Several of the propositions are trivial • Little evidence provided from observed data, though what is there strongly supports the model • Model can’t handle unusual propagation strategies, network issues, or error very well as-is

  22. Improvements • Further development of the model • Utility for prediction? • Error/congestion/unusual propagation strategies

  23. Questions?
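Proposition 10 (slides 17 and 18) can be checked numerically from the sensor operator's side. The following is an added example, not code from the paper or the presentation: it computes the exact mean number of probes before a sequential scanner first touches a monitored address, for a single sensor, a contiguous block of sensors, and the same number of sensors spread evenly. Assumptions: the scanner starts at a uniformly random address and walks upward one address at a time with wrap-around; the 2**16 address space and the 256 sensors are constructed values.

```python
from fractions import Fraction

def mean_probes_to_detection(monitors, space):
    """Exact mean probe count until a sequential scanner hits a monitor.

    Assumed model: start address uniform over [0, space), scanner probes
    start, start+1, ... modulo space. The probe that lands on a monitored
    address is counted.
    """
    pts = sorted({a % space for a in monitors})
    if not pts:
        raise ValueError("at least one monitored address is required")
    total = 0
    prev = pts[-1] - space          # wrap-around predecessor of first monitor
    for p in pts:
        d = p - prev                # arc of d start addresses ending at p
        total += d * (d + 1) // 2   # those starts need 1, 2, ..., d probes
        prev = p
    return Fraction(total, space)

def placement_report(space, m):
    """Compare three sensor layouts that a monitoring team could deploy."""
    if space % m:
        raise ValueError("m must divide space for the evenly spread layout")
    return {
        "single": mean_probes_to_detection([0], space),
        "block": mean_probes_to_detection(range(m), space),
        "spread": mean_probes_to_detection(range(0, space, space // m), space),
    }

if __name__ == "__main__":
    # Constructed sizes: a /16-sized space watched by 256 addresses.
    for name, value in placement_report(2**16, 256).items():
        print(f"{name:>6}: {float(value):10.1f} probes on average")
```

The contiguous block detects a sequential scanner barely faster than one address does (about half the address space), while the evenly spread layout cuts the mean by roughly the number of sensors.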
