| Field | Value |
| --- | --- |
| Country: | Antigua & Barbuda |
| Published (Last): | 1 January 2008 |
| PDF File Size: | 17.11 Mb |
| ePub File Size: | 13.82 Mb |
| Price: | Free* [*Free Registration Required] |
It is conceivable that the cyber-terrorists may use a wide-spread worm to cause major disruption to the Internet economy. Much recent research concentrates on propagation models and early warning, but the defense against worms is largely an open problem.
New defense techniques are developed based on the behavioral difference between normal hosts and worm-infected hosts. Particularly, a worm-infected host has a much higher connection-failure rate when it randomly scans the Internet.
This property allows DAW to set the worms apart from the normal hosts. We propose a temporal rate-limit algorithm and a spatial rate-limit algorithm, which makes the speed of worm propagation configurable. The effectiveness of the new techniques is evaluated analytically and by simulations.

Keywords: Internet worms, network security, rate-limit algorithms

I.

Take a few examples. On July 19, , the code-red worm version 2 infected more than , hosts in just 9 hours.
Soon after, the Nimda worm raged on the Internet. Worms have beaten out viruses to become the top infectors of the Internet. A single worm is capable of automatically infecting millions of hosts in a short period of time, causing enormous damage. It can steal sensitive information, remove files. For example, the Morris worm exploited a bug in fingerd. It also propagated through. The code-red worm took advantage of a buffer-overflow.
Typically a worm-infected host scans the Internet for vulnerable systems. It chooses an IP address, attempts a connection to a service port e. The above process repeats with different random addresses.
As more and more machines are compromised, more and more copies of the worm work together to reproduce themselves. An explosive epidemic develops across the Internet. There are few answers to the worm threat.
One solution is to patch the software and eliminate the security defects. That has not worked because (1) software bugs seem to keep increasing as computer systems become more and more complicated, and (2) not all people have the habit of keeping an eye on the patch releases.
The patch for the security hole that led to the SQLSlammer worm was released half a year before the worm appeared, and still tens of thousands of computers were infected. Intrusion detection systems and antivirus software may be upgraded to detect and remove a known worm, routers and firewalls. Much recent research on Internet worms concentrates on propagation modeling and early warning.
The defense against worms is still an open problem. Moore et al. Park et al. Williamson proposed to modify the network stack such that the rate of connection requests to distinct destinations is bounded. It restricts a normal host in the same way it restricts a worm-infected host.
Moreover, the approach becomes effective only after the majority of all Internet hosts have been upgraded with the new network stack. The LaBrea approach has a similar problem and can be easily circumvented by a worm that employs an early timeout mechanism.
Staniford studied the containment of random-scanning worms on a large enterprise network. The model assumes the existence of a containment method that can block out an infected host after it scans around 10 addresses. However, such a method without the collateral damage of blocking normal hosts is not given in the paper.
Schechter et al. This algorithm can be circumvented by an infected host that scans while making successful connections at the same rate. The signature-based defense systems require the worm samples to be captured before the attack signature can be generated. In this paper, we propose a distributed anti-worm architecture (DAW), which is designed for an Internet service provider (ISP) to provide anti-worm service to its customers.
It incorporates a number of new techniques that monitor the scanning activity within the ISP network, identify the potential worm threats, restrict the speed of worm propagation, and even halt the worms by blocking out scanning sources.
The proposed defense system separates the worm-infected hosts from the normal hosts based on their behavioral differences. Particularly, a worm-infected host has a much higher connection-failure rate when it randomly scans the Internet, whereas a normal user deals mostly with valid addresses due to the use of DNS (Domain Name System). This and other properties allow us to design the entire defense architecture based on the inspection of failed connection requests, which not only reduces the system overhead but also minimizes the disturbance to normal users.
One important contribution of DAW is to make the speed of worm propagation configurable. The actual values of the parameters should be set based on the ISP traffic.
The parameter settings used in this paper to evaluate the proposed algorithms are chosen based on the experimental data from real networks.
The rest of the paper is organized as follows. Section II describes the worm propagation model. Section III analyzes the differences between normal hosts and worm-infected hosts.
Section IV presents the proposed distributed anti-worm architecture. Section V studies additional issues associated with DAW. Section VII presents the simulation results. Section VIII draws the conclusion.

This model was later used to analyze the propagation behavior of Code-Red-like worms by Staniford et al. Some notations are defined. N is the size of the address space. V is the total number of vulnerable hosts. For an in? The time it takes? In reality, worms propagate slower due to a number of reasons.
First, once a large number of hosts are infected, the aggressive scanning activities often cause widespread network congestion and consequently many scan messages are dropped. Second, when a worm outbreak is announced, many system administrators shut down vulnerable servers or remove the infected hosts from the Internet. Third, some types of worms enter a dormant state after being active for a period of time.
Due to the above reasons, the code red worm spread much slower than the calculation based on Eq. A more sophisticated model that considers the? An analytical active worm propagation model (AAWP) based on discrete time was proposed, which addressed the localized scanning strategy.
Practically, it is important to slow down the worm propagation in order to give the Internet community enough time to react when a new worm emerges. In this paper, we use the? The idea is to block out the infected hosts and make sure that the scanning activity of an infected host does not last for more than a period of?
Theorem 1: If? V Proof: Each infected host sends r? T scan messages, and causes r? T N or less due to duplicate hits new V infections. For the worm to stop, we need r?
Our discussion focuses on the worms that spread via TCP, which account for the majority of Internet traffic. However, the techniques can be easily applied to some UDP-based worms as well. We do not claim to handle all worms. Examples of what we do not consider are email worms and hit-list worms. When a source host makes a connection request, a SYN packet is sent to a destination address.
The connection fails if the destination host does not exist or does not listen on the port that the request is sent to. The rate of failed connections made by a host is called the failure rate, which can be measured by monitoring the failure replies that are sent back to the host.
The failure rate of a normal host is likely to be low. For most Internet applications (www, telnet, ftp, etc.) If DNS cannot? Hence, mistyping or stale web links do not result in failed connections. Moreover, a typical user has a list of favorite sites (servers) to which most connections are made.
Since those sites are known to work most of the time, the failure rate for such a user will be low. We monitored three departmental networks on campus for a week. Table I shows our measured daily failure rates, which are very small. Failed connections made from a host to the same address in the same day are counted only once.
On the other hand, the failure rate of a worm-infected host is likely to be high. Consider the infamous code-red worm, which uses 99 parallel threads to scan the Internet. We emulated its random scan and found that That is, the failure rate is For worms targeting software less popular than web servers, this?
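The failure-rate measurement described above, as an added example that is not the paper's own code: it counts the failure replies returned to each host, applies the paper's counting rule (repeat failures to the same address on the same day count once), and flags hosts whose distinct-failure rate exceeds a threshold. The reply labels, the connection records, the 60-second window and the threshold are constructed assumptions.

```python
"""Per-host connection-failure rate in the style of DAW's Section III.
Added example, not from the paper. Records, window and threshold are
constructed for illustration."""
from collections import defaultdict

# A connection request fails when the destination host is absent
# (no reply / ICMP unreachable) or does not listen on the port (RST).
FAILURE_REPLIES = {"RST", "ICMP_UNREACH", "TIMEOUT"}

# Constructed records: (day, source, destination, reply seen on the way back).
# 10.0.0.5 behaves like a normal user; 10.0.0.9 like a random scanner.
SAMPLE = [
    ("d1", "10.0.0.5", "198.51.100.10", "SYNACK"),
    ("d1", "10.0.0.5", "198.51.100.11", "SYNACK"),
    ("d1", "10.0.0.5", "198.51.100.12", "RST"),
    ("d1", "10.0.0.5", "198.51.100.12", "RST"),    # repeat: same dst, same day
    ("d1", "10.0.0.9", "203.0.113.1", "TIMEOUT"),
    ("d1", "10.0.0.9", "203.0.113.2", "ICMP_UNREACH"),
    ("d1", "10.0.0.9", "203.0.113.3", "RST"),
    ("d1", "10.0.0.9", "203.0.113.4", "TIMEOUT"),
    ("d1", "10.0.0.9", "203.0.113.5", "SYNACK"),
    ("d1", "10.0.0.9", "203.0.113.6", "TIMEOUT"),
    ("d2", "10.0.0.5", "198.51.100.12", "RST"),    # new day: counted again
]

def distinct_daily_failures(records):
    """Map (day, source) -> set of destination addresses that failed that day.
    A repeated failure to the same address on the same day counts once,
    matching the counting rule the paper uses for Table I."""
    failed = defaultdict(set)
    for day, src, dst, reply in records:
        if reply in FAILURE_REPLIES:
            failed[(day, src)].add(dst)
    return failed

def failure_rates(records, window_seconds):
    """Distinct failed destinations per second for each (day, source)."""
    return {key: len(dsts) / window_seconds
            for key, dsts in distinct_daily_failures(records).items()}

def suspected_scanners(records, window_seconds, threshold):
    """Sources whose distinct-failure rate exceeds the threshold on any day.
    A normal host stays low because DNS hands it live addresses; a host
    probing random addresses accumulates failures quickly."""
    return sorted({src for (day, src), rate
                   in failure_rates(records, window_seconds).items()
                   if rate > threshold})

if __name__ == "__main__":
    print(suspected_scanners(SAMPLE, window_seconds=60, threshold=0.05))
```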
DISTRIBUTED ANTIWORM SYSTEM PDF