Optimization of Blaster Worms by Stochastic Modeling. Performance Evaluation Laboratory. Supervised by Prof. Hiroshi Toyoizumi. s1080060 Tatehiro Kaiwa.
Purpose • By modeling a Blaster worm, we investigate its influence on a local network. • By optimizing a Blaster worm, we observe and investigate the threat. • We compare the existing Blaster worms with the optimized ones in a local network.
Target Virus • Name: W32.Blaster.Worm (Symantec), WORM_MSBLAST.A (Trend Micro), W32/Lovsan.worm.a (McAfee) • Type: Worm • Systems affected: Windows 2000, XP • Causes system instability. The Blaster worm exploits a vulnerability in the DCOM RPC service to penetrate a system.
Spread Algorithm (1) • Select an IP address: completely random (probability 0.6) or local (probability 0.4). • Create malicious packets: for Windows XP (probability 0.8) or for Windows 2000 (probability 0.2). • Start to send many malicious packets. These methods are selected only once, when the Blaster worm is executed.
Spread Algorithm (2) When the worm uses its own IP address, A.B.C.D, it changes D to 0. It then increases the target address monotonically. The probability that the first worm and the other worms attack the same IP address is very high. So the infection rate of every worm in the local network except the first one becomes smaller.
The Experimental Network This figure shows the local experimental network used to collect Blaster worm packet data, in order to confirm and obtain some information about the Blaster worm.
Worm Data Collection • Systems attacked and infected by the Blaster worm may become unstable and sometimes shut down. • We cannot capture some packets if the sniffer is installed on an infected PC and on all the target PCs. • Prepare a PC that is not infected, connect it as in the figure, then capture all packets. (Figure labels: HUB, Sniffer, Target, Blaster.)
The Infection Model This figure is the worm infection model. ν: infection rate of a Blaster worm outside the local network. λ: infection rate of Blaster worms inside the local network. (Figure: infection model with arrows labelled ν and λ.)
The Model Solution (1) • The process with infection rate ν is a Poisson process, and the process with infection rate λ is a Yule process. • The infection activities are independent of each other. • We obtain the new model by mixing a Poisson process and a Yule process. (Figure: state transition diagrams. Yule process with rates λ, 2λ, …, (n-1)λ, nλ; mixed model with rates ν, ν+λ, ν+2λ, …, ν+(n-1)λ, ν+nλ for states 0, 1, 2, …, n.)
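The mixed model (transition rate ν + nλ when n hosts are infected) can be simulated directly and checked against its closed-form mean. This is an added example, not code from the slides; the function names are hypothetical and the rate values are constructed, not measured.

```python
import math
import random

def simulate_infected(nu, lam, t_end, rng):
    """One sample path: number of infected hosts at time t_end, starting from 0.

    In state n the waiting time to the next infection is exponential with
    rate nu + n*lam: one outside source (Poisson) plus n independent inside
    sources (Yule).
    """
    n, t = 0, 0.0
    while True:
        rate = nu + n * lam
        if rate == 0:            # nu = 0 and no infected host: nothing can start
            return n
        t += rng.expovariate(rate)
        if t > t_end:
            return n
        n += 1

def expected_infected(nu, lam, t):
    """Closed-form mean m(t) solving dm/dt = nu + lam*m with m(0) = 0."""
    return (nu / lam) * math.expm1(lam * t)

def monte_carlo_mean(nu, lam, t_end, runs, seed=1):
    """Average of `runs` independent sample paths (seeded for repeatability)."""
    rng = random.Random(seed)
    total = sum(simulate_infected(nu, lam, t_end, rng) for _ in range(runs))
    return total / runs

if __name__ == "__main__":
    NU, LAM = 0.5, 0.2           # constructed rates (infections per hour)
    for t in (1, 5, 10):
        sim = monte_carlo_mean(NU, LAM, t, 20000)
        print(f"t={t:>2}h  simulated={sim:6.2f}  exact={expected_infected(NU, LAM, t):6.2f}")
```

With ν = 0 the count stays at zero, which shows why the model needs the outside source to seed the local network.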
The Model Solution (2) The ratio of each system (Windows XP, Windows 2000) having the vulnerability in a local network.
The Model Solution (3) Each infection rate. (Equation labels: average number of packets; rate of successful infection.)
Graphs of changing the ratio of each system in the network (curves: XP:2000 = 1:8, all WinXP, all Win2000). The performance of the Blaster worms can be improved if the ratio of Windows XP machines in the local network is high.
The difference between optimized and existing (curves: existing Blaster, optimized Blaster; XP:2000 = 1:8). The optimized Blaster worms prove to be a great threat. Thus, the existing Blaster worm also has the same potential threat.
Conclusion • The performance of the Blaster worm is greatly influenced by the ratio of each OS in the target network. • Optimized Blaster worms are a great threat. Thus, each of us needs to be careful.
Future Works • As the stochastic model may differ from the existing Blaster worms, we need to bring it closer to an accurate model of the existing Blaster worms in the future.