1,265 research outputs found

    Modeling and Analysis of Bifurcation in a Delayed Worm Propagation Model

    A delayed worm propagation model with birth and death rates is formulated. The stability of the positive equilibrium is studied. Through theoretical analysis, a critical value τ0 of Hopf bifurcation is derived. The worm propagation system is locally asymptotically stable when time delay is less than τ0. However, Hopf bifurcation appears when time delay τ passes the threshold τ0, which means that the worm propagation system is unstable and out of control. Consequently, time delay should be adjusted to be less than τ0 to ensure the stability of the system and better prediction of the scale and speed of Internet worm spreading. Finally, numerical and simulation experiments are presented to simulate the system, which fully support our analysis

    Modeling, analysis and defense strategies against Internet attacks.

    Third, we have analyzed the tradeoff between delay caused by filtering of worms at routers, and the delay due to worms' excessive amount of network traffic. We have used the optimal control problem, to determine the appropriate tradeoffs between these two delays for a given rate of a worm spreading. Using our technique we can minimize the overall network delay by finding the number of routers that should perform filtering and the time at which they should start the filtering process. Many early Internet protocols were designed without a fundamentally secure infrastructure and hence vulnerable to attacks such as denial of service (DoS) attacks and worms. DoS attacks attempt to consume the resources of a remote host or network, thereby denying or degrading service to legitimate users. Network forensics is an emerging area wherein the source or the cause of the attacker is determined using IDS tools. The problem of finding the source(s) of attack(s) is called the "trace back problem". Lately, Internet worms have become a major problem for the security of computer networks, causing considerable amount of resources and time to be spent recovering from the disruption of systems. In addition to breaking down victims, these worms create large amounts of unnecessary network data traffic that results in network congestion, thereby affecting the entire network. In this dissertation, first we solve the trace back problem more efficiently in terms of the number of routers needed to complete the trace back. We provide an efficient algorithm to decompose a network into connected components and construct a terminal network. We show that for a terminal network with n routers, the trace back can be completed in O(log n) steps. Second, we apply two classical epidemic SIS and SIR models to study the spread of Internet Worm. The analytical models that we provide are useful in determining the rate of spread and time required to infect a majority of the nodes in the network. Our simulation results on large Internet-like topologies show that in a fairly small amount of time, 80% of the network nodes are infected

    Polygraph: Automatically generating signatures for polymorphic worms

    It is widely believed that content-signature-based intrusion detection systems (IDSes) are easily evaded by polymorphic worms, which vary their payload on every infection attempt. In this paper, we present Polygraph, a signature generation system that successfully produces signatures that match polymorphic worms. Polygraph generates signatures that consist of multiple disjoint content sub-strings. In doing so, Polygraph leverages our insight that for a real-world exploit to function properly, multiple invariant substrings must often be present in all variants of a payload; these substrings typically correspond to protocol framing, return addresses, and in some cases, poorly obfuscated code. We contribute a definition of the polymorphic signature generation problem; propose classes of signature suited for matching polymorphic worm payloads; and present algorithms for automatic generation of signatures in these classes. Our evaluation of these algorithms on a range of polymorphic worms demonstrates that Polygraph produces signatures for polymorphic worms that exhibit low false negatives and false positives. © 2005 IEEE

    Bifurcation analysis of a delayed worm propagation model with saturated incidence

    This paper is concerned with a delayed SVEIR worm propagation model with saturated incidence. The main objective is to investigate the effect of the time delay on the model. Sufficient conditions for local stability of the positive equilibrium and existence of a Hopf bifurcation are obtained by choosing the time delay as the bifurcation parameter. Particularly, explicit formulas determining direction of the Hopf bifurcation and stability of the bifurcating periodic solutions are derived by using the normal form theory and the center manifold theorem. Numerical simulations for a set of parameter values are carried out to illustrate the analytical results

    Network Based Malware Defense

    The goal of this research was to create a network-based malware quarantine system and test the effectiveness of it on the speed of worm propagation across a virtual network. Worms that spread in epidemic ways cause a large amount of financial and digital damage to the average Internet user while posing threats to the infrastructure of the Internet. This impact on consumers and the Internet as a whole can be significantly reduced through the implementation of a quarantine system at the network level. The quarantine system tested combined a network-based vulnerability scanner, a Network Intrusion Detection System (NIDS), and a custom-written control system to detect malware behavior on a network, and segregate those potentially compromised hosts from other hosts, with the intention of slowing the propagation of a network worm. A virtual test environment was used to track the propagation of a custom-written worm as it spread to virtualized test machines. Before each test, the network was cleared of malware and the speed of propagation was documented. This data was analyzed to determine the most effective configuration that will still maintain network usability. After testing four variants of the custom worm with four different variations on the quarantine system configuration, the spread data and quarantine system logs were analyzed to determine that the quarantine was in fact very effective against the spread and was able to slow or stop it in almost all simulations