Simulating malware with MAlSim

  • Eicar 2008 Extended Version
Journal in Computer Virology

Abstract

This paper describes MAlSim—Mobile Agent Malware Simulator—a mobile agent framework developed to address one of the most important problems related to the simulation of attacks against information systems, i.e. the lack of adequate tools for reproducing the behaviour of malicious software (malware). The framework can be deployed over the network of an arbitrary information system, and it aims at simulating the behaviour of each instance of malware independently. The MAlSim Toolkit provides multiple classes of agents and diverse behavioural and migration/replication patterns (which, taken together, form malware templates), to be used for the implementation of various types of malware (viruses, worms, malicious mobile code). The primary application of MAlSim is to support security assessments of information systems based on the simulation of attacks against these systems. In this context, the framework was successfully applied to studies on the security of the information system of a power plant. The case study proved the operability, applicability and usefulness of the simulation framework, and it led to very interesting conclusions on the security of the evaluated system.



Author information

Corresponding author

Correspondence to Rafał Leszczyna.

About this article

Cite this article

Leszczyna, R., Nai Fovino, I. & Masera, M. Simulating malware with MAlSim. J Comput Virol 6, 65–75 (2010). https://doi.org/10.1007/s11416-008-0088-y

  • DOI: https://doi.org/10.1007/s11416-008-0088-y
