On the trade-off between speed and resiliency of Flash worms and similar malcodes

  • Original Paper
  • Journal in Computer Virology

Abstract

We formulate and investigate the problem of finding a fast and resilient propagation topology and propagation schedule for Flash worms and similar malcodes. Resiliency means a very large proportion of infectable targets are still infected no matter which fraction of targets are not infectable. There is an intrinsic tradeoff between speed and resiliency, since resiliency requires transmission redundancy which slows down the malcode. To investigate this problem formally, we need an analytical model. We first show that, under a moderately general analytical model, the problem of optimizing propagation time is NP-hard. This fact justifies the need for a simpler model, which we present next. In this simplified model, we present an optimal propagation topology and schedule, which is then shown by simulation to be even faster than the Flash worm. Moreover, our worm is faster even when the source has much less bandwidth capacity. We also show that for every preemptive schedule there exists a non-preemptive schedule which is just as effective. This fact greatly simplifies the optimization problem. In terms of the aforementioned tradeoff, we give a propagation topology based on extractor graphs which can reduce the infection time linearly while keeping the expected number of infected nodes exponentially close to optimal.

Author information

Corresponding author

Correspondence to Duc T. Ha.

Additional information

A preliminary version of this paper appeared in the proceedings of the 2007 ACM Workshop on Recurring Malcode (WORM), in association with the 14th ACM Conference on Computer and Communications Security (CCS).

About this article

Cite this article

Ha, D.T., Ngo, H.Q. On the trade-off between speed and resiliency of Flash worms and similar malcodes. J Comput Virol 5, 309–320 (2009). https://doi.org/10.1007/s11416-009-0124-6

  • DOI: https://doi.org/10.1007/s11416-009-0124-6
