272 research outputs found

    Behavioral Analysis on IPv4 Malware in both IPv4 and IPv6 Network Environment

    Malware has become an epidemic in computer networks nowadays. Malware attacks are a significant threat to networks. A conducted survey shows malware attacks may result in a huge financial impact. This scenario has become worse as users migrate to a new environment, Internet Protocol Version 6. In this paper, a real Nimda worm was released on to further understand the worm behavior in real network traffic. A controlled environment of both IPv4 and IPv6 networks was deployed as a testbed for this study. The results of these two scenarios will be analyzed and discussed further in terms of the worm behavior. The experiment result shows that even IPv4 malware can still infect the IPv6 network environment without any modification. New detection techniques need to be proposed to remedy this problem swiftly.

    Internet Epidemics: Attacks, Detection and Defenses, and Trends

    Modeling the Spread of Biologically-Inspired Internet Worms

    Infections by malicious software, such as Internet worms, spreading on computer networks can have devastating consequences, resulting in loss of information, time, and money. To better understand how these worms spread, and thus how to more effectively limit future infections, we apply the household model from epidemiology to simulate the proliferation of adaptive and non-adaptive preference-scanning worms, which take advantage of biologically-inspired strategies. From scans of the actual distribution of Web servers on the Internet, we find that vulnerable machines seem to be highly clustered in Internet Protocol version 4 (IPv4) address space, and our simulations suggest that this organization fosters the quick and comprehensive proliferation of preference-scanning Internet worms.

    Entropy/IP: Uncovering Structure in IPv6 Addresses

    In this paper, we introduce Entropy/IP: a system that discovers Internet address structure based on analyses of a subset of IPv6 addresses known to be active, i.e., training data, gleaned by readily available passive and active means. The system is completely automated and employs a combination of information-theoretic and machine learning techniques to probabilistically model IPv6 addresses. We present results showing that our system is effective in exposing structural characteristics of portions of the IPv6 Internet address space populated by active client, service, and router addresses. In addition to visualizing the address structure for exploration, the system uses its models to generate candidate target addresses for scanning. For each of 15 evaluated datasets, we train on 1K addresses and generate 1M candidates for scanning. We achieve some success in 14 datasets, finding up to 40% of the generated addresses to be active. In 11 of these datasets, we find active network identifiers (e.g., /64 prefixes or 'subnets') not seen in training. Thus, we provide the first evidence that it is practical to discover subnets and hosts by scanning probabilistically selected areas of the IPv6 address space not known to contain active hosts a priori. Comment: Paper presented at the ACM IMC 2016 in Santa Monica, USA (https://dl.acm.org/citation.cfm?id=2987445). Live Demo site available at http://www.entropy-ip.com