Hybrid Epidemics - A Case Study on Computer Worm Conficker
Conficker is a computer worm that erupted on the Internet in 2008. It is
unique in combining three different spreading strategies: local probing,
neighbourhood probing, and global probing. We propose a mathematical model that
combines three modes of spreading, local, neighbourhood and global to capture
the worm's spreading behaviour. The parameters of the model are inferred
directly from network data obtained during the first day of the Conficker
epidemic. The model is then used to explore the trade-off between spreading
modes in determining the worm's effectiveness. Our results show that the
Conficker epidemic is an example of a critically hybrid epidemic, in which the
different modes of spreading in isolation do not lead to successful epidemics.
Such hybrid spreading strategies may be used beneficially to provide the most
effective strategies for promulgating information across a large population.
When used maliciously, however, they can present a dangerous challenge to
current internet security protocols.
DoWitcher: Effective Worm Detection and Containment in the Internet Core
Enterprise networks are increasingly offloading the responsibility for worm detection and containment to the carrier networks. However, current approaches to the zero-day worm detection problem, such as those based on content similarity of packet payloads, are not scalable to carrier link speeds (OC-48 and upwards). In this paper, we introduce a new system, DoWitcher, which in contrast to previous approaches is scalable and is also able to detect the stealthiest worms that employ low propagation rates or polymorphism to evade detection. DoWitcher uses an incremental approach to worm detection: first, it examines layer-4 traffic features to discern the presence of a worm anomaly; next, it determines a flow-filter mask that can be applied to isolate the suspect worm flows; and finally, it enables full-packet capture of only those flows that match the mask, which are then processed by a longest common subsequence algorithm to extract the worm content signature. Via a proof-of-concept implementation on a commercially available network analyzer processing raw packets from an OC-48 link, we demonstrate the capability of DoWitcher to detect low-rate worms and to extract signatures even for the polymorphic worm.
Exploiting Temporal Complex Network Metrics in Mobile Malware Containment
Malicious mobile phone worms spread between devices via short-range Bluetooth
contacts, similar to the propagation of human and other biological viruses.
Recent work has employed models from epidemiology and complex networks to
analyse the spread of malware and the effect of patching specific nodes. These
approaches have adopted a static view of the mobile networks, i.e., by
aggregating all the edges that appear over time, which leads to an approximate
representation of the real interactions: instead, these networks are inherently
dynamic and the edge appearance and disappearance is highly influenced by the
ordering of the human contacts, something which is not captured at all by
existing complex network measures. In this paper we first study how the
blocking of malware propagation through immunisation of key nodes (even if
carefully chosen through static or temporal betweenness centrality metrics) is
ineffective: this is due to the richness of alternative paths in these
networks. Then we introduce a time-aware containment strategy that spreads a
patch message starting from nodes with high temporal closeness centrality and
show its effectiveness using three real-world datasets. Temporal closeness
allows the identification of nodes able to reach most nodes quickly: we show
that this scheme can reduce the cellular network resource consumption and
associated costs, achieving, at the same time, a complete containment of the
malware in a limited amount of time.
Comment: 9 Pages, 13 Figures, In Proceedings of IEEE 12th International
Symposium on a World of Wireless, Mobile and Multimedia Networks (WOWMOM '11)
Mathematical Modeling of worm infection on computer in a Network: Case study in the Computer Laboratory, Mathematics Department, Diponegoro University, Indonesia
A worm infection is an infection that attacks a computer; it works by replicating itself after entering the computer, overloading it and causing it to slow down. The spread of a worm infection is described by a nonlinear mathematical model of VEISV form (Vulnerable, Exposed, Infected, Secured). The worm-free equilibrium and the endemic equilibrium were calculated to carry out the stability analysis, and a numerical solution was computed with the fourth-order Runge-Kutta method using data from the Computer Laboratory, Mathematics Department, Faculty of Sciences and Mathematics, Diponegoro University. The stability analysis shows that the worm-free equilibrium is unstable and the endemic equilibrium is locally asymptotically stable, and the numerical solution yields the proportion of each class in the model.