VII. ALCANCES Y LIMITACIONES
6.4 DISEÑO FRONT-END
In Chapter 6, three aspects are investigated jointly: (a) a network vulnerability as the non-uniform vulnerable-host distribution, (b) threats, i.e., intelligent worms that exploit such a vulnerability, and (c) defense, i.e., challenges for fighting the threats. First, five data sets are studied, and consistent clustered vulnerable-host distribu- tions are observed. Then, a new metric, referred to as the non-uniformity factor, is presented. The non-uniformity factor quantifies the unevenness of a vulnerable-host distribution. This metric is essentially the Renyi information entropy and better char- acterizes the non-uniformity of a distribution than the Shannon entropy. Next, the infection rate and the propagation speed of network-aware worms are measured ana- lytically and empirically. A representative network-aware worm is shown to increase the spreading speed by exactly or nearly a non-uniformity factor when compared to a random-scanning worm at the early stage of worm propagation. This implies that when a worm exploits an uneven vulnerable-host distribution as a network-wide vulnerability, the Internet can be infected much more rapidly. Furthermore, the ef- fectiveness of defense strategies on the spread of network-aware worms is analyzed.
Experimental results demonstrate that counteracting network-aware worms is a sig- nificant challenge for the strategies that include host-based defense and IPv6.
8.1.4 Modeling the Spread of Topological-Scanning Worms
Topology information is a fundamental element that enables topological-scanning worms, such as the Morris worm. The spread of topological-scanning worms, how- ever, is especially hard to model. The difficulty lies in characterizing the impact of topologies and the interactions among nodes in both space and time.
In Chapter 7, the spread of topological worms is modeled. Our model is moti- vated by probabilistic graphs, which have been widely investigated in machine learn- ing. First, a graphical representation is used to abstract the propagation of worms that employ different scanning methods. Then, a spatial-temporal random process is presented to describe the statistical dependence of worm propagation in arbitrary topologies. As the spatial dependence is particularly difficult to characterize, the problem becomes how to use simple (i.e., biased) models to approximate the spatially dependent process. In particular, the independent model and the Markov model are proposed as simple approximations. Both theoretical analysis and extensive simula- tions on large networks using both real measurements and synthesized topologies are conducted to test the performance of the proposed models. Our results show that the independent model can capture the temporal dependence and the detailed topology information and thus outperforms the previous models, whereas the Markov model incorporates a certain spatial dependence and thus achieves a greater accuracy in characterizing both the transient and equilibrium behaviors of worm propagation.
8.2
Future Research Directions
• Worm Defense System Design and Analysis: An effective yet practical worm defense system is important and urgent. Since some areas of the Internet are responsible for a disproportionate number of vulnerable hosts, the problem is
how to adequately secure these areas. A collaboration system among firewalls will be developed, exploiting the vulnerable-host distribution. The following important questions will be answered: How can firewalls cooperate with each other to block worm traffic effectively? How do firewalls treat traffic differently based on where the traffic is generated? How can the system defeat the malicious firewall(s)?
• Worm Tomography: Internet security and resilience require methods to de- tect and estimate worm behaviors. Most worms use random scanning to re- cruit new bots, which can be observed byDarknet that is defined as a globally routable address space in which no active services or servers reside. The term,
worm tomography, is used to describe the process of inferring the characteris-
tics of worms from Darknet observations. The primary difficulty in using this approach lies in the growth trend of background noise [51].
• Malicious Sources Analysis: It is important that defenders identify Internet areas that are responsible for a significant portion of attacks. We have obtained 402-day traces from DShield [84]. We attempt to discover how the malicious sources distribute across the Internet and how they change with time.
• Game Theory Between Attackers and Defenders: The evolution of the Internet has created a real arms race between attackers and defenders. Defend- ers attempt to understand the skills that attackers use and develop systems against them. On the other hand, attackers endeavor to learn the weakness of the systems that defenders build and design new methods to overcome or evade these systems. Both attackers and defenders can eventually learn about the op- ponent’s strategies and design the optimal tactics. Therefore, this interaction naturally leads to a game theory framework between attackers and defenders. A simple game theory approach has been applied to the optimal worm-scanning
attack and defense described in this thesis. The more complex interaction in the game, however, should be considered in the future research.
REFERENCES
[1] H. Andersson and T. Britton, “Stochastic epidemic models and their statistical analysis,” in Lecture Notes in Statistics. New York: Springer-Verlag, 2000, vol. 151.
[2] A. Barab´asi and R. Albert, “Emergence of scaling in random networks,” Science 286, 1999, pp. 509-512.
[3] P. Barford, R. Nowak, R. Willett, and V. Yegneswaran, “Toward a model for sources of Internet background radiation,” in Proc. of the Passive and Active
Measurement Conference (PAM’06), Mar. 2006.
[4] S. M. Bellovin, B. Cheswick, and A. Keromytis, “Worm propagation strategies in an IPv6 Internet,” ;login:, vol. 31, no. 1, Feb. 2006, pp. 70-76.
[5] P. J. Bickel and K. A. Doksum,Mathematical Statistics: Basic Ideas and Selected
Topics, Vol I (2nd Edition). New Jersey: Prentice-Hall, 2001.
[6] M. Bogu˜n´a, R. Pastor-Satorras, and A. Vespignani, “Epidemic spreading in com- plex networks with degree correlations,” in Statistical Mechanics of Complex
Networks, R. Pastor-Satorras et al., Eds., 2003, pp. 127-147.
[7] D. Brumley, L. Liu, P. Poosankam, and D. Song, “Design space and analysis of worm defense strategies,” in ACM Symposium on InformAtion, Computer and
Communications Security (ASIACCS), Mar. 2006.
[8] Z. Chen, L. Gao, and K. Kwiat, “Modeling the spread of active worms,” inProc.
of INFOCOM’03, vol. 3, San Francisco, CA, Apr. 2003, pp. 1890-1900.
[9] Z. Chen, L. Gao, and C. Ji, “On effectiveness of defense systems against active worms,” Tech. Rep., 2003.
[10] Z. Chen and C. Ji, “Optimal worm-scanning method using vulnerable-host dis- tributions,” to appear in the International Journal of Security and Networks:
Special Issue on Computer and Network Security, 2007.
[11] Z. Chen and C. Ji, “Measuring network-aware worm spreading ability,” in Proc.
of INFOCOM’07, Anchorage, AK, May 2007.
[12] Z. Chen, C. Chen, and C. Ji, “Understanding localized-scanning worms,” inProc.
of IPCCC’07, New Orleans, LA, April 2007.
[13] Z. Chen and C. Ji, “Intelligent worms: searching for preys,”Mathematics Aware-
[14] Z. Chen, “Worm propagation models,” Mathematics Awareness Month: Mathe-
matics and Internet Security Theme Essays, 2006.
[15] Z. Chen and C. Ji, “Spatial-temporal modeling of malware propagation in net- works,” IEEE Transactions on Neural Networks: Special Issue on Adaptive
Learning Systems in Communication Networks, vol. 16, no. 5, Sept. 2005, pp.
1291-1303.
[16] Z. Chen and C. Ji, “A self-learning worm using importance scanning,” in Proc.
ACM/CCS Workshop on Rapid Malcode (WORM’05), Fairfax, VA, Nov. 2005,
pp. 22-29.
[17] Z. Chen and C. Ji, “Importance-scanning worm using vulnerable-host dis- tribution,” in Proc. 48th Ann. IEEE Global Telecommunications Conference
(GLOBECOM’05), St. Louis, MO, Nov. 2005.
[18] E. Cooke, F. Jahanian, and D. McPherson, “The zombie roundup: understand- ing, detecting, and disrupting botnets,” in Proc. of Steps to Reducing Unwanted
Traffic on the Internet Workshop (SRUTI’05), Boston, MA, 2005.
[19] T. M. Cover and P. E. Hart, “Nearest neighbor pattern classification,” IEEE
Transactions on Information Theory, vol. IT-13, no. 1, Jan. 1967, pp. 21-27.
[20] T. M. Cover and J. A. Thomas, Elements of Information Theory. New York: Wiley, 1991.
[21] A. Doucet, N. de Freitas, and N. Gordon, Sequential Monte Carlo Methods in
Practice. New York: Springer-Verlag, 2001.
[22] H. Ebel, L. Mielsch, and S. Bornholdt, “Scale-free topology of e-mail networks,”
in Phys. Rev. E 66, 2002, 035103(R).
[23] P. Erd¨os and A. R´enyi, “On the evolution of random graphs,” in Publ. Math.
Inst. Hung. Acad. Sci., Vol. 5, 1960, pp. 17-61.
[24] J. D. Esary, F. Proschan, and D. W. Walkup, “Association of random variables, with applications,” in Ann. Math. Statist., vol. 38, no. 5, Oct. 1967, pp. 1466- 1474.
[25] M. Faloutsos, P. Faloutsos, and C. Faloutsos, “On power-law relationships of the Internet topology,” in Proc. of ACM SIGCOMM’99, 1999, pp. 251-262.
[26] H. Feng, A. Kamra, V. Misra, and A. D. Keromytis, “The effect of DNS delays on worm propagation in an IPv6 Internet,” in Proc. of INFOCOM’05, vol. 4, Miami, FL, Mar. 2005, pp. 2405-2414.
[27] A. Ganesh, L. Massoulie, and D. Towsley, “The effect of network topology on the spread of epidemics,” in Proc. of INFOCOM’05, vol. 2, Miami, FL, Mar. 2005, pp. 1455-1466.
[28] M. Garetto, W. Gong, and D. Towsley, “Modeling malware spreading dynamics,”
in Proc. of INFOCOM’03, vol. 3, San Francisco, CA, Apr. 2003, pp.1869-1879.
[29] G. Gu, Z. Chen, P. Porras, and W. Lee, “Misleading and defeating importance- scanning malware propagation,” submitted for publication, 2007.
[30] G. Gu, M. Sharif, X. Qin, D. Dagon, W. Lee, and G. Riley, “Worm detec- tion, early warning and response based on local victim information,” in Proc.
20th Ann. Computer Security Applications Conf. (ACSAC’04), Tucson, AZ, Dec.
2004.
[31] P. Heidelberger, “Fast simulation of rare events in queueing and reliability mod- els,”ACM Transactions on Modeling and Computer Simulation, vol.5, no.1, Jan. 1995, pp. 43-85.
[32] J. O. Kephart and S. R. White, “Directed-graph epidemiological models of com- puter viruses,” in Proc. of the 1991 IEEE Computer Society Symposium on Re-
search in Security and Privacy, 1991, pp. 343-359.
[33] M. Kodialam and T. V. Lakshman, “Detecting network intrusions via sampling: a game theoretic approach,” inProc. of IEEE INFOCOM’03, San Francisco, CA, Apr., 2003, pp. 1880-1889.
[34] E. Kohler, J. Li, V. Paxson, and S. Shenker, “Observed structure of addresses in IP traffic,” in ACM SIGCOMM Internet Measurement Workshop, Marseille, France, Nov. 2002.
[35] S. L. Lauritzen,Graphical Models. London, U.K.: Oxford Univ. Press, 1996. [36] T. M. Liggett, Interacting Particle Systems. New York: Springer-Verlag, 1985. [37] M. Locasto, J. Parekh, S. Stolfo, A. Keromytis, T. Malkin, and V. Misra, “Col-
laborative distributed intrusion detection,” Dept. Computer Science, Columbia Univ., Tech. Rep. CUCS-012-04, 2004.
[38] A. Medina, A. Lakhina, I. Matta, and J. Byers, “BRITE: universal topology generation from a user’s perspective,” Tech. Rep. (User Manual) BU-CS-TR- 2001-003, Apr. 2001.
[39] D. Moore, C. Shannon, and J. Brown, “Code-Red: a case study on the spread and victims of an Internet worm,” in ACM SIGCOMM/USENIX Internet Mea-
surement Workshop, Marseille, France, Nov. 2002.
[40] D. Moore, C. Shannon, G. Voelker, and S. Savage, “Internet quarantine: require- ments for containing self-propagating code,” in Proc. of INFOCOM’03, vol. 3, San Francisco, CA, Apr., 2003, pp. 1901-1910.
[41] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver, “Inside the Slammer worm,” IEEE Security and Privacy, vol. 1 no. 4, July 2003, pp. 33-39.
[42] R. Narasimha, Z. Chen, and C. Ji, “Modeling malware propagation on networks: spatial dependence and its significance,” submitted to IEEE Transactions on
Secure and Dependable Computing, 2006.
[43] M. Opper and D. Saad, Eds., Advanced Mean Field Methods, Theory and Prac- tice. Cambridge, MA: MIT Press, Feb. 2001.
[44] H. Orman, “The Morris worm: a fifteen-year perspective,” IEEE Security and
Privacy Magazine, vol. 1, Sept./Oct., 2003, pp. 35- 43.
[45] G. Owen, Game Theory. New York: Academic Press, 2001.
[46] Y. Pryadkin, R. Lindell, J. Bannister, and R. Govindan, “An empirical evaluation of IP address space occupancy,” Tech. Rep. ISI-TR-2004-598, USC/Information Sciences Institute, Nov. 2004.
[47] R. Puri, “Bots & botnet: an overview,” in SANS Institute’03, 2003.
[48] M. A. Rajab, F. Monrose, and A. Terzis, “Fast and evasive attacks: highlighting the challenges ahead,” in Proc. of the 9th International Symposium on Recent
Advances in Intrusion Detection (RAID’06), Hamburg, Germany, Sept. 2006.
[49] M. A. Rajab, F. Monrose, and A. Terzis, “On the effectiveness of distributed worm monitoring,” in Proc. of the 14th USENIX Security Symposium (Secu-
rity’05), Baltimore, MD, Aug. 2005, pp. 225-237.
[50] A. Renyi, Probability Theory. North-Holland, Amsterdam, 1970.
[51] D. W. Richardson, S. D. Gribble, and E. D. Lazowska, “The limits of global scan- ning worm detectors in the presence of background noise,” in Proc. ACM/CCS
Workshop on Rapid Malcode (WORM’05), Fairfax, VA, Nov. 2005, pp. 60-70.
[52] S. Ross, Simulation (3rd edition). Elsevier, 2002.
[53] S. Ross, Introduction to Probability Models (7th edition). New York: Academic Press, 2000.
[54] S. Saroiu, P. K. Gummadi, and S. D. Gribble, “A measurement study of peer- to-peer file sharing systems,” inProc. of Multimedia Computing and Networking
(MMCN’02), San Jose, CA, Jan. 2002.
[55] S. E. Schechter, J. Jung, W. Stockwell, and C. McLain, “Inoculating SSH against address harvesting,” inProc. 13th Ann. Network and Distributed System Security
Symposium (NDSS’06), San Diego, CA, Feb. 2006.
[56] C. Shannon and D. Moore, “The spread of the Witty worm,”IEEE Security and
[57] P.J. Smith, M. Shafi, and H. Gao, “Quick simulation: a review of importance sampling techniques in communications systems,” IEEE Jour. Selected Areas
Commun., vol.15, May 1997, pp.597-613.
[58] D. Song, R. Malan, and R. Stone, “A snapshot
of global Internet worm activity,” Tech. Rep., 2001, http://www.arbor.net/downloads/research39/snapshot worm activity.pdf (March/2007 accessed).
[59] S. Staniford, V. Paxson, and N. Weaver, “How to 0wn the Internet in your spare time,” in Proc. of the 11th USENIX Security Symposium (Security’02), San Francisco, CA, Aug. 2002.
[60] S. Staniford, D. Moore, V. Paxson, and N. Weaver, “The top speed of flash worms,” in Proc. ACM/CCS Workshop on Rapid Malcode (WORM’04), Wash- ington DC, Oct. 2004, pp. 33-42.
[61] P. Szor, The Art of Computer Virus Research and Defense. Symantec Press, 2005.
[62] R. Thomas,The Team Cymru Bogon List v3.0 30 JUN 2005, [Online]. Available: http://www.cymru.com/Documents/bogon-list.html (March/2007 accessed). [63] J. Twycross and M. M. Williamson, “Implementing and testing a virus throttle,”
in Proc. of the 12th USENIX Security Symposium (Security’03), Washington,
DC, Aug. 2003, pp. 285-294.
[64] A. V´azquez, R. Pastor-Satorras, and A. Vespignani, “Large-scale topological and dynamical properties of the Internet,” Phys. Rev. E 65, 2002, 066130.
[65] M. J. Wainwright and M. I. Jordan, “Graphical models, exponential families, and variational inference,” Dept. Statist., Univ. California, Berkeley, Tech. Rep. 649, 2003.
[66] C. Wang, J.C. Knight, and M. Elder, “On viral propagation and the effect of immunization,” in Proc. 16th ACM Annual Computer Applications Conference, New Orleans, LA, Dec., 2000, pp. 343-354.
[67] Y. Wang, D. Chakrabarti, C. Wang, and C. Faloutsos, “Epidemic spreading: an eigenvalue viewpoint,” in Proc. 2003 Symposium of Reliable and Distributed
Systems, Florence, Italy, Oct. 2003.
[68] N. Weaver, “Warhol worms, the potential for very fast Internet plagues” [Online]. Available: http://www.iwar.org.uk/comsec/resources/worms/warhol-worm.htm (March/2007 accessed).
[69] E. W. Weisstein, “Chebyshev sum inequality,” From MathWorld–A Wolfram
Web Resource, http://mathworld.wolfram.com/ChebyshevSumInequality.html
[70] J. Wu, S. Vangala, L. Gao, and K. Kwiat, “An effective architecture and al- gorithm for detecting worms with various scan techniques,” in Proc. 11th Ann.
Network and Distributed System Security Symposium (NDSS’04), San Diego,
CA, Feb. 2004.
[71] Y. Xie, V. Sekar, D. A. Maltz, M. K. Reiter, and H. Zhang, “Worm origin identification using random moonwalks,” in Proc. of the IEEE Symposium on
Security and Privacy (Oakland’05),Oakland, CA, May 2005.
[72] S. Xing and B.-P. Paris, “Measuring the size of the Internet via importance sampling,” IEEE journal on selected areas in communications, vol. 21, no. 6, Aug. 2003, pp. 922-933.
[73] S. Xing and B.-P. Paris, “Mapping the growth of the Internet,” in Proc. of IEEE 2003 International Conference on Computer Communications and Net-
works, Dallas, TX, Oct. 2003, pp 199-204.
[74] J. S. Yedidia, “An idiosyncratic journey beyond mean field theory,” Advanced
Mean Field Methods, Theory and Practice, Feb. 2001, pp. 21-36.
[75] V. Yegneswaran, P. Barford, and D. Plonka, “On the design and utility of In- ternet sinks for network abuse monitoring,” in Proc. of Symposium on Recent
Advances in Intrusion Detection (RAID’04), 2004.
[76] C. C. Zou, “Witty worm propagation modeling,”
http://www.cs.ucf.edu/˜czou/research/wittyModel.html (March/2007 ac- cessed).
[77] C. C. Zou, L. Gao, W. Gong, and D. Towsley, “Monitoring and early warning for Internet worms,” in10th ACM Conference on Computer and Communication
Security (CCS’03), Washington DC, Oct. 2003.
[78] C. C. Zou, W. Gong, and D. Towsley, “Code Red worm propagation model- ing and analysis,” in Proc. 9th ACM Conf. on Computer and Communication
Security (CCS’02), Washington DC, Nov. 2002, pp. 138-147.
[79] C. C. Zou, D. Towsley, W. Gong, and S. Cai, “Routing worm: a fast, selective attack worm based on IP address information,” in Proc. 19th ACM/IEEE/SCS
Workshop on Principles of Advanced and Distributed Simulation (PADS’05),
Monterey, CA, June 2005.
[80] C. C. Zou, D. Towsley, and W. Gong, “Email worm modeling and defense,”
in Proc. 13th International Conf. on Computer Communications and Networks
(ICCCN’04), Chicago, IL, Oct. 2004, pp. 409-414.
[81] C. C. Zou, D. Towsley, and W. Gong, “On the performance of Internet worm scanning strategies,”Elsevier Journal of Performance Evaluation, vol. 63, no. 7, July 2006, pp. 700-723.
[82] CERT Coordination Center, “‘Code Red II:’ another worm exploiting buffer overflow in IIS indexing service DLL,” CERT Incident Note IN-2001-09 [Online]. Available: http://www.cert.org/incident notes/IN-2001-09.html (March/2007 accessed).
[83] CERT Coordination Center, CERT Advisory CA-2001-26 Nimda Worm [On- line]. Available: http://www.cert.org/advisories/CA-2001-26.html (March/2007 accessed).
[84] Distributed Intrusion Detection System (DShield) [Online]. Available: http://www.dshield.org/ (March/2007 accessed).
[85] eEye Digital Security, “ANALYSIS: Blaster worm,” [Online]. Available: http://research.eeye.com/html/advisories/published/AL20030811.html
(March/2007 accessed).
[86] F-Secure Virus Descriptions : Slapper [Online]. Available: http://www.f- secure.com/v-descs/slapper.shtml (March/2007 accessed).
[87] Internet Protocol V4 Address Space [Online]. Available: http://www.iana.org/assignments/ipv4-address-space (March/2007 accessed). [88] Malware Website [Online]. Available: http://www.malware.com/ (March/2007
accessed).
[89] NLANR Routing Raw Data [Online]. Available:
http://moat.nlanr.net/Routing/rawdata (March/2007 accessed).
[90] PanetMath.org, “Rearrangement inequality,” [Online]. Available: http://planetmath.org/encyclopedia/RearrangementInequality.html
(March/2007 accessed).
[91] University of Oregon Route Views Project [Online]. Available: http://routeviews.org/ (March/2007 accessed).
[92] The CAIDA Dataset on the Witty Worm - March 19-24, 2004, Colleen Shannon and David Moore, http://www.caida.org/data/passive/witty worm dataset.xml (March/2007 accessed). Support for the Witty Worm Dataset and the UCSD Net- work Telescope are provided by Cisco Systems, Limelight Networks, the US De- partment of Homeland Security, the National Science Foundation, and CAIDA, DARPA, Digital Envoy, and CAIDA Members.
VITA
Zesheng Chen was born in Quanzhou, Fujian, P. R. China in September 1975. He received the Bachelor of Engineering degree and the Master of Engineering degree in Electronic Engineering from Shanghai Jiao Tong University, Shanghai, China, in 1998 and 2001, respectively. He attended the doctoral program in the School of Electrical and Computer Engineering at the Georgia Institute of Technology, Atlanta, GA, from August 2002 to May 2007. At the same time, he was a graduate research assistant in the Communication Networks and Machine Learning Laboratory at the Georgia Institute of Technology. He received the Master of Science degree and the Doctor of Philosophy degree in May 2005 and May 2007, respectively, in Electrical and Computer Engineering from the Georgia Institute of Technology.