
A Virtualized Network Testbed for Zero-Day Worm Analysis and Countermeasure Testing

Conference paper: Advances in Security of Information and Communication Networks (SecNet 2013)

Abstract

Computer network worms are one of the most significant malware threats and have gained wide attention due to their increased virulence, speed and sophistication in successive Internet-wide outbreaks. In order to detect and defend against network worms, a safe and convenient environment is required in which to closely observe their infection and propagation behaviour. The same facility can also be employed in testing candidate worm countermeasures. This paper presents the design, implementation and commissioning of a novel virtualized malware testing environment, based on virtualization technologies provided by VMware and on open source software. The novelty of this environment lies in its scalability in running virtualized hosts, high fidelity, confinement, realistic traffic generation, and efficient log file creation. This paper also presents the results of an experiment involving the launch of a Slammer-like worm on the testbed to show its propagation behaviour.
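As an added example that is not part of the paper, the following Python model shows the propagation behaviour a random-scanning, Slammer-like worm exhibits inside a confined address space of the kind such a testbed provides, and reports the ticks at which given fractions of the vulnerable population are infected, which is the figure a defender compares against detection latency. The address-space size, vulnerable-host count, scan rate and seed are assumed values chosen for illustration, not results from the paper.

```python
# Added example (not from the paper): discrete-time simulation of a
# random-scanning, Slammer-like worm confined to a testbed address space.
# All parameters are assumed values chosen for illustration.
import random


def simulate_random_scan_worm(address_space, vulnerable, scans_per_tick, max_ticks, seed=7):
    """Return the number of infected hosts after each tick (tick 0 = patient zero only).

    Each infected host probes `scans_per_tick` uniformly random addresses per tick;
    a probe landing on a vulnerable, not-yet-infected host infects it. Hosts never
    recover, so this is a susceptible-infected (SI) model and the curve is monotone.
    """
    rng = random.Random(seed)
    vulnerable_hosts = set(rng.sample(range(address_space), vulnerable))
    infected = {min(vulnerable_hosts)}  # patient zero
    history = [len(infected)]
    for _ in range(max_ticks):
        newly_infected = set()
        for _host in infected:
            for _ in range(scans_per_tick):
                target = rng.randrange(address_space)
                if target in vulnerable_hosts and target not in infected:
                    newly_infected.add(target)
        infected |= newly_infected
        history.append(len(infected))
        if len(infected) == vulnerable:  # whole vulnerable population compromised
            break
    return history


def first_tick_reaching(history, fraction, vulnerable):
    """First tick at which at least `fraction` of the vulnerable hosts are infected, or None."""
    threshold = fraction * vulnerable
    for tick, count in enumerate(history):
        if count >= threshold:
            return tick
    return None


if __name__ == "__main__":
    # Constructed scenario: a /16 testbed (65536 addresses) holding 256 vulnerable hosts,
    # each infected host emitting 100 scans per tick.
    curve = simulate_random_scan_worm(address_space=2 ** 16, vulnerable=256,
                                      scans_per_tick=100, max_ticks=300)
    for frac in (0.1, 0.5, 0.9, 1.0):
        tick = first_tick_reaching(curve, frac, 256)
        print(f"{int(frac * 100):3d}% of vulnerable hosts infected at tick {tick}")
```

Because the scan rate scales the growth rate, halving the scan rate (or the vulnerable density) roughly doubles the time to saturation, which is the lever countermeasures such as rate limiting act on.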




Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Shahzad, K., Woodhead, S., Bakalis, P. (2013). A Virtualized Network Testbed for Zero-Day Worm Analysis and Countermeasure Testing. In: Awad, A.I., Hassanien, A.E., Baba, K. (eds) Advances in Security of Information and Communication Networks. SecNet 2013. Communications in Computer and Information Science, vol 381. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40597-6_5


  • DOI: https://doi.org/10.1007/978-3-642-40597-6_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-40596-9

  • Online ISBN: 978-3-642-40597-6
