2,667 research outputs found

    Worm Epidemics in Wireless Adhoc Networks

    Full text link
    A dramatic increase in the number of computing devices with wireless communication capability has resulted in the emergence of a new class of computer worms which specifically target such devices. The most striking feature of these worms is that they do not require Internet connectivity for their propagation but can spread directly from device to device using a short-range radio communication technology, such as WiFi or Bluetooth. In this paper, we develop a new model for epidemic spreading of these worms and investigate their spreading in wireless ad hoc networks via extensive Monte Carlo simulations. Our studies show that the threshold behaviour and dynamics of worm epidemics in these networks are greatly affected by a combination of spatial and temporal correlations which characterize these networks, and are significantly different from the previously studied epidemics in the Internet

    Adaptive Human Behavior in a Two-Worm Interaction Model

    Get PDF
    The complex interactions among internet worms have great impact on the dynamics of worms. To contain the propagation of worms, it is necessary to characterize these interactions. Therefore, a two-worm interaction model is presented in this paper. Different from previous researches, we have considered the influence of adaptive human reaction stirred by one cooperative worm on the other worm in the model. The model’s equilibria and their stability conditions are obtained mathematically and verified by simulations. Results indicate that considering adaptive human behavior significantly changes the prospective propagation course of worms and that this consideration has implications for designing counterworm methods

    Analysis of Routing Worm Infection Rates on an IPV4 Network

    Get PDF
    Malicious logic, specifically worms, has caused monetary expenditure problems to network users in the past. Worms, like Slammer and Code Red, have infected thousands of systems and brought the Internet to a standstill. This research examines the ability of the original Slammer worm, the Slammer based routing worm proposed by Zou et al, and a new Single Slash Eight (SSE) routing worm proposed by this research to infect vulnerable systems within a given address space. This research investigates the Slammer worm\u27s ability to generate a uniform random IP addresses in a given address space. Finally, a comparison of the speed increase from computing systems available today versus those in use during the original Slammer release is performed. This research finds that the both the Slammer based routing worm and the SSE routing worm are faster than the original Slammer. The random number generator of the original Slammer worm does generate a statistically uniform distribution of addresses within the range under test. Further, this research shows that despite the previous research into the speed of worm propagation, there is a large void in testing worms on the systems available today that need to be investigated. The speed of the computing systems that the worms operated on in the past were more than three times slower than today\u27s systems. As the speed of computer systems continue to grow, the speed of worm propagation should increase with it as their scan rates directly relate to their infection rate. As such, the immunity of the future IPv6 network, from scanning worms may need to be reexamined

    Network Based Malware Defense

    Get PDF
    This goal of this research was to create a network-based malware quarantine system and test the effectiveness of it on the speed of worm propagation across a virtual network. Worms that spread in epidemic ways cause a large amount of financial and digital damage to the average Internet user while posing threats to the infrastructure of the Internet. This impact on consumers and the Internet as a whole can be significantly reduced through the implementation of a quarantine system at the network level. The quarantine system tested combined a network based vulnerability scanner, a Network Intrusion Detection System (NIDS), and a custom written control system to detect malware behavior on a network, and segregate those potentially compromised hosts from other hosts, with the intention of slowing the propagation of a network worm. A virtual test environment was used to track the propagation of a custom written worm as it spread to virtualized test machines. Before each test, the network was cleared of malware and the speed of propagation was documented. This data was analyzed to determine the most effective configuration that will still maintain network usability. After testing four variants of the custom worm with four different variations on the quarantine system configuration the spread data and quarantine system logs were analyzed to determine that the quarantine was in fact very effective against the spread and was able to slow or stop it in almost all simulations

    Geometry-based Detection of Flash Worms

    Get PDF
    While it takes traditional internet worms hours to infect all the vulnerable hosts on the Internet, a flash worm takes seconds. Because of the rapid rate with which flash worms spread, the existing worm defense mechanisms cannot respond fast enough to detect and stop the flash worm infections. In this project, we propose a geometric-based detection mechanism that can detect the spread of flash worms in a short period of time. We tested the mechanism on various simulated flash worm traffics consisting of more than 10,000 nodes. In addition to testing on flash worm traffics, we also tested the mechanism on non-flash worm traffics to see if our detection mechanism produces false alarms. In order to efficiently analyze bulks of various network traffics, we implemented an application that can be used to convert the network traffic data into graphical notations. Using the application, the analysis can be done graphically as it displays the large amount of network relationships as tree structures

    DoWitcher: Effective Worm Detection and Containment in the Internet Core

    Get PDF
    Enterprise networks are increasingly offloading the responsibility for worm detection and containment to the carrier networks. However, current approaches to the zero-day worm detection problem such as those based on content similarity of packet payloads are not scalable to the carrier link speeds (OC-48 and up-wards). In this paper, we introduce a new system, namely DoWitcher, which in contrast to previous approaches is scalable as well as able to detect the stealthiest worms that employ low-propagation rates or polymorphisms to evade detection. DoWitcher uses an incremental approach toward worm detection: First, it examines the layer-4 traffic features to discern the presence of a worm anomaly; Next, it determines a flow-filter mask that can be applied to isolate the suspect worm flows and; Finally, it enables full-packet capture of only those flows that match the mask, which are then processed by a longest common subsequence algorithm to extract the worm content signature. Via a proof-of-concept implementation on a commercially available network analyzer processing raw packets from an OC-48 link, we demonstrate the capability of DoWitcher to detect low-rate worms and extract signatures for even the polymorphic worm