Abstract
In this paper, we address issues related to defending against wide-spreading worms on the Internet. We study a new class of worms called self-adaptive worms. These worms dynamically adapt their propagation patterns to defensive countermeasures in order to avoid or postpone detection, and thereby eventually infect more computers. We show that existing worm detection schemes cannot effectively defend against these self-adaptive worms. To counteract them, we introduce a game-theoretic formulation that models the interaction between the worm propagator and the defender. We show that the effective integration of multiple defensive schemes (e.g., worm detection and forensic analysis) is critical for defending against self-adaptive worms. We propose different combinations of defensive schemes for different kinds of self-adaptive worms, and evaluate the performance of these defensive schemes on real-world traffic traces.
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Yu, W., Zhang, N., Zhao, W. (2006). Self-adaptive Worms and Countermeasures. In: Datta, A.K., Gradinariu, M. (eds) Stabilization, Safety, and Security of Distributed Systems. SSS 2006. Lecture Notes in Computer Science, vol 4280. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-49823-0_38
DOI: https://doi.org/10.1007/978-3-540-49823-0_38
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-49018-0
Online ISBN: 978-3-540-49823-0
eBook Packages: Computer Science (R0)