Detection, Propagation Modeling, and Designing of Advanced Internet Worms

Permanent Link: http://ufdc.ufl.edu/UFE0023687/00001

Material Information

Title: Detection, Propagation Modeling, and Designing of Advanced Internet Worms
Physical Description: 1 online resource (130 p.)
Language: english
Creator: Manna, Parbati
Publisher: University of Florida
Place of Publication: Gainesville, Fla.
Publication Date: 2008

Subjects

Subjects / Keywords: ids, malware, modeling, security, worm
Computer and Information Science and Engineering -- Dissertations, Academic -- UF
Genre: Computer Engineering thesis, Ph.D.
bibliography   ( marcgt )
theses   ( marcgt )
government publication (state, provincial, territorial, dependent)   ( marcgt )
born-digital   ( sobekcm )
Electronic Thesis or Dissertation

Notes

Abstract: Malware, or malicious software such as viruses, worms, trojan horses or rootkits, poses a grave challenge to the computer user community by obtaining unauthorized access to computer resources. Among various malware, worms interest computer security researchers immensely due to their ability to infect millions of computers in a short period of time and cause hundreds of millions of dollars in damage. Unlike other malware, worms can replicate themselves over the Internet without requiring any human involvement, which makes their damage potential very high. Security researchers strive to prevent, detect and contain worms, as well as model their propagation patterns over the Internet. Our study is primarily directed at effective detection, propagation modeling and design of worms. First, we work towards devising a detection mechanism for an advanced worm called the ASCII worm, which has a very high damage potential due to its ability to compromise servers that are otherwise not vulnerable to common worms. Second, we derive an exact analytical model for the propagation of permutation-scanning worms, a class of worms that employ a sophisticated propagation strategy called permutation scanning. Finally, we re-examine the classical worm propagation models in light of the pseudo-random nature of the output generated by the random number generators used by the worms, and design a worm that exploits the pseudo-randomness to achieve an optimal scanning strategy with high speed of infection, fault tolerance and low detectability. Our work focuses on highlighting the damage potential of worms, and shows novel ways to detect them. It also provides an accurate analytical propagation model for worms. This can help network security personnel to better understand the worms' spreading behavior, and design containment techniques and other countermeasures.
General Note: In the series University of Florida Digital Collections.
General Note: Includes vita.
Bibliography: Includes bibliographical references.
Source of Description: Description based on online resource; title from PDF title page.
Source of Description: This bibliographic record is available under the Creative Commons CC0 public domain dedication. The University of Florida Libraries, as creator of this bibliographic record, has waived all rights to it worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.
Statement of Responsibility: by Parbati Manna.
Thesis: Thesis (Ph.D.)--University of Florida, 2008.
Local: Adviser: Ranka, Sanjay.

Record Information

Source Institution: UFRGP
Rights Management: Applicable rights reserved.
Classification: lcc - LD1780 2008
System ID: UFE0023687:00001


Full Text

ACKNOWLEDGMENTS

I want to take this opportunity to thank all the people who helped me during my doctoral sojourn. I understand that it is rather late to acknowledge their contributions, but as the saying goes, better late than never! First, I want to thank my committee, starting with my advisor and Chair, Dr. Sanjay Ranka. He expressed his intention to work with me during my very first week of class at University of Florida, and has been a true guide to me in every aspect since then. He offered me complete freedom in pursuing my research in any area that I felt passionate about, and provided ample research direction from time to time. I am truly thankful and honored to work as his student for the past six years. It has also been a pleasure to work with Dr. Shigang Chen, who served as my co-chair. A stalwart in the network research community, he has been instrumental in providing his domain expertise to my research area in a very big way. Without his help, I can barely imagine myself to be where I am now. I would also like to thank Dr. Alin Dobra, Dr. Christopher Germaine, Dr. Sartaj Sahni and Dr. Malay Ghosh who helped me in various academic as well as non-academic matters throughout my stay at Gainesville. Finally, I want to thank my friends and family, without whose support I could have never lived through the ordeal of PhD. Special thanks go to my wife Madhuparna, who has been the mental driving power behind my efforts.

TABLE OF CONTENTS

ACKNOWLEDGMENTS
LIST OF TABLES
LIST OF FIGURES
ABSTRACT

CHAPTER

1 INTRODUCTION
  1.1 The Computer Worm: A Brief History
  1.2 Propagation Methods of a Worm
    1.2.1 Host-Level Behavior
    1.2.2 Network-Level Behavior
  1.3 Recent Trends Among Worms
    1.3.1 Advent of Zero-Day Worms
    1.3.2 Emergence of Polymorphic Worms
    1.3.3 Arrival of Script Kiddies
    1.3.4 Shift in Hackers' Mindset
  1.4 Key Challenges in the Worm Research Area
    1.4.1 Worm Detection
    1.4.2 Worm Propagation Modeling
    1.4.3 Worm Design

2 RELATED WORK
  2.1 Prevention
  2.2 Detection
  2.3 Containment
  2.4 Propagation Modeling
  2.5 Contributions
    2.5.1 Detection of ASCII Worm
    2.5.2 Exact Modeling of the Propagation of Permutation-Scanning Worm
    2.5.3 Worm Design: Exploiting Pseudo-Randomness for Optimizing Scanning Strategy

3 DETECTION OF THE TEXT MALWARE
  3.1 Inside the Text Malware
    3.1.1 Definitions and Terminologies
    3.1.2 Opcode Availability for Text Malware in Intel Architecture
    3.1.3 Construction of Text-based Malware
  3.2 (section title not recovered)
    3.2.1 Limitation of Existing Binary Detectors
    3.2.2 Text-Based Malware Has High MEL
    3.2.3 Benign Text Tends to Have Smaller MEL
    3.2.4 Using MEL as Detection Strategy
  3.3 Probabilistic Analysis of MEL
    3.3.1 Description of the Model for MEL
    3.3.2 Automatic Derivation of Threshold
    3.3.3 Verification of the MEL Model
    3.3.4 Handling Jump Instructions in the Model
  3.4 Implementation of DAWN
    3.4.1 Step 1: Instruction Disassembly
    3.4.2 Step 2: Instruction Sequence Analysis
  3.5 Evaluation
    3.5.1 Creation of the Test Data
    3.5.2 Determining MEL Threshold
    3.5.3 Experimental Results
  3.6 Comparing Our Work with Others
    3.6.1 Contrasting with APE
    3.6.2 Contrasting with SigFree
  3.7 Text Malware in Other Architectures
    3.7.1 MIPS Architecture
    3.7.2 SPARC Architecture
  3.8 Limitations and Conclusions
  3.9 Contributions

4 PROPAGATION MODELING OF THE PERMUTATION-SCANNING WORM
  4.1 Anatomy of Permutation-Scanning Worms
    4.1.1 Divide-and-Conquer
    4.1.2 Permutation
    4.1.3 Stealth
    4.1.4 Hitlist
  4.2 Scanzone and Classification of Vulnerable Hosts
    4.2.1 Terminology and Notations
    4.2.2 Scanzone of an Active Infected Host
    4.2.3 Classification of Vulnerable Hosts
  4.3 Modeling the Propagation of 0-Jump Worms
    4.3.1 Important Quantities in Modeling
    4.3.2 Determining the Quantities Using Probabilistic Approach
    4.3.3 Propagation Model
    4.3.4 Verification of Our Model
  4.4 (section title not recovered)
    4.4.1 Further Classification of Active Hosts for k-Jump Worms
    4.4.2 Interaction among Scanning Hosts at Different Layers
    4.4.3 Propagation Model for k-Jump Worms
    4.4.4 Verification of the Correctness of the Model
  4.5 Closed-Form Solution for the 0-Jump Worm
  4.6 Usage of the Analytical Model
    4.6.1 Analytical Modeling or Simulation?
    4.6.2 Impact of the Worm/Network Parameters on a Worm's Propagation
  4.7 Practical Considerations
    4.7.1 Congestion and Bandwidth Variability
    4.7.2 Patching and Host Crash
    4.7.3 Internet Delay
  4.8 Contributions

5 WORM DESIGN: THE IMPACT OF PSEUDO-RANDOMNESS AND THE OPTIMAL SCANNING STRATEGY
  5.1 Pseudo Randomness and Full-Cycle Worms
    5.1.1 Is the Classical Worm Model Correct?
    5.1.2 Will Pseudo Randomness Make Worms More Powerful?
  5.2 Propagation Speed and Stealthiness
  5.3 Propagation Model of Full-Cycle Worms
    5.3.1 Modeling
    5.3.2 Explanation
    5.3.3 Simulation Verification
    5.3.4 Equivalence to Permutation Worm
  5.4 Stealthiness of Full-Cycle Worms
    5.4.1 Number of Effective Hosts over Time
    5.4.2 Number of Active Hosts
    5.4.3 Maximum Instantaneous Footprint (Peak Scanning Traffic)
    5.4.4 Gross Footprint
  5.5 Quest for the Optimal Strategy
  5.6 Contributions

6 CONCLUSIONS

REFERENCES

BIOGRAPHICAL SKETCH

LIST OF TABLES

3-1 Comparison of DAWN and APE-L for detection sensitivity
3-2 Comparison of performance (run time) for DAWN and APE-L
4-1 Basic notations used for propagation modeling
5-1 Effect of hitlist size on the scanning peak

LIST OF FIGURES

2-1 Classic epidemic model of propagation of contagion
3-1 Creation of a binary worm on stack from text code
3-2 Juxtaposition of the PMFs for the MEL from the probabilistic model and from the Monte-Carlo simulation by varying n and p
3-3 Effect of jump instructions
3-4 How DAWN works
3-5 Correlation between (symbol lost in extraction) and p for maintaining the same error (false positive) rate
3-6 Comparison of MEL frequency charts for benign and malicious text traffic for DAWN
3-7 Comparison of MEL frequency charts for benign and malicious text traffic for APE-L
3-8 Decoding MIPS instructions into different fields (with field lengths), along with text constraints and byte boundaries
3-9 Encryption difficulties in using XOR for text
4-1 Scanzones for a 0-jump worm over time
4-2 Classification of vulnerable hosts for a permutation-scanning worm
4-3 Class transition diagram of a 0-jump worm
4-4 Propagation curves for a 0-jump worm (model vs. simulated)
4-5 State diagram of a k-jump worm with k = 2
4-6 Propagation curves for k-jump worms (model vs. simulated)
4-7 Comparison of the infection rates and the total scanning volumes for different k-jump worms
4-8 Comparison of propagation curves for worms with variable-rate and fixed-rate scanning
4-9 Comparison of propagation curves for a 0-jump worm with removal of hosts (due to patching, quarantining, disconnection, crash, etc.)
5-1 Infected hosts scanning during the propagation of a full-cycle worm
5-2 Different stages of an infected host for a full-cycle worm
5-3 (caption not recovered)
5-4 Comparison of infection curves between random-scanning, permutation-scanning and full-cycle worms
5-5 Simulation results on full-cycle worm propagation
5-6 Propagation patterns for the full-cycle worm with different (parameter symbol lost in extraction)

ABSTRACT

Malware, or malicious software such as viruses, worms, trojan horses or rootkits, poses a grave challenge to the computer user community by obtaining unauthorized access to computer resources. Among various malware, worms interest computer security researchers immensely due to their ability to infect millions of computers in a short period of time and cause hundreds of millions of dollars in damage. Unlike other malware, worms can replicate themselves over the Internet without requiring any human involvement, which makes their damage potential very high. Security researchers strive to prevent, detect and contain worms, as well as model their propagation patterns over the Internet.

Our study is primarily directed at effective detection, propagation modeling and design of worms. First, we work towards devising a detection mechanism for an advanced worm called the ASCII worm, which has a very high damage potential due to its ability to compromise servers that are otherwise not vulnerable to common worms. Second, we derive an exact analytical model for the propagation of permutation-scanning worms, a class of worms that employ a sophisticated propagation strategy called permutation scanning. Finally, we re-examine the classical worm propagation models in light of the pseudo-random nature of the output generated by the random number generators used by the worms, and design a worm that exploits the pseudo-randomness to achieve an optimal scanning strategy with high speed of infection, fault tolerance and low detectability.

CHAPTER 1
INTRODUCTION

Security has been one of the primary concerns since the advent of computers. In fact, one of the first generation of known computer viruses emerged in the early 1970s over the ARPANET [36]. In that era, because not all the computers in the world were connected like today, the outbreaks of viruses were not pandemic. However, with the arrival of the Internet, computers all over the world were now networked and thus able to communicate. While this ubiquitous connectivity resulted in a great number of beneficial effects in the computer industry as well as in everyday life, it also had an unfortunate side-effect: now the problem of computer security had a new dimension, called network security, that needed to be addressed.

In a broad sense, network security comprises the provisions and policies undertaken by network administrators to protect the underlying network (along with all the resources accessible within that network) by preventing unauthorized access, and the study of the effectiveness of such measures. Network security is subtly different from computer security, and we demonstrate the difference between the two using the following example from medieval history. Suppose our goal is to protect all the inhabitants (hosts) inside a fortress. Network security is akin to guarding all the entry points of the fortress, while computer security is comparable to providing armor to individual soldiers inside the fortress. It is evident that the former method is more powerful, because without it we would have to rely upon the security of each individual host, which may not be a very good idea considering the heterogeneity of the hosts and their individual capability of defending themselves.

A network is under attack every day, and thwarting the attacks is the basic challenge of network security researchers. Examples of such attacks include obtaining unauthorized entry by fooling the authentication system, eavesdropping, and modification of the data, to name a few. Most of the vulnerabilities that are exploited in such an attack are either

[42]. It is different from a computer virus in the sense that a virus requires human action to activate and propagate, while a worm is able to propagate by itself. However, it must also be noted that with a significant amount of malware being distributed via email nowadays, the distinction between the two is getting somewhat blurred. In fact, one of the first cases of mass-replicating malware, the Christmas Tree EXEC Trojan horse [23] that brought down many IBM mainframe computers in 1987, spread using a mass-mailing mechanism only, though it required human action for spreading. The true first case of a self-replicating worm causing significant damage is attributed to the Morris worm in 1988 [57]. Since then, both the sophistication and the damage potential of worms have increased tremendously, infecting millions of computers and causing hundreds of millions of dollars in damage. Notable mentions include Melissa (1999) [12], ILOVEYOU (2000) [10], Code Red (2001) [80], Nimda (2001) [11], Sapphire/Slammer (2003) [42], SoBig (2003) [14], MyDoom (2004) [15] and Zotob (2005) [54]. Symantec stated in their 2008 global Internet security threat report [64], "Of the top 10 new malicious code families detected in the last six months of 2007, five were Trojans, two were worms, two were worms with a backdoor component, and one was a worm with a virus component."

[3] describes in great detail how it can be achieved. A very brief overview of the process is as follows. Unlike Java, inherently unsafe languages like C and C++ do not consider arrays to be first-class objects and hence do not provide automatic bounds checks for them at run time. This allows a buffer to be overflowed with a string longer than the buffer length, thereby overwriting the adjoining memory locations. Inside the run-time stack, the return address for the called procedure is located near the locations for the local variables of the called procedure (including the buffer), and is thus vulnerable to being overwritten by an overflowing buffer. If the return

[20]. In either case, the immediate effect is the execution of the attack code, with the final result of spawning a shell. Also, if the compromised application was running with root privilege (or its Windows equivalent, the SYSTEM account), as many Windows server applications do, the attacker will now have access to a shell with that privilege.

One interesting observation is that the propagation efficiency of a worm depends not only on how fast it is scanning, but also on how intelligently each actively scanning host is choosing its scan target addresses. Scanning strategy, i.e. the mechanism by which a worm chooses the target addresses to be scanned, has a significant impact on its network-level behavior. It may select those addresses completely randomly (random scanning method), or it may choose to scan some portions of the Internet with a bias, e.g., once a vulnerable host is found, hosts belonging to the same subnet are scanned first (local subnet scanning). Or, the worm may also find a list of other reachable hosts from certain files on the infected host (like the .rhosts file in UNIX) and scan those addresses first (topological scanning). Although historically most worms choose the random scanning method or a variant of it, worms often deploy other methods of scanning as well, or a mixture of different scanning strategies. We will pay particular attention to one strategy called "permutation scanning" later.

While the network-level behavior of a worm is dependent on the scanning strategy chosen by the worm author, it also depends on the properties of the network itself, i.e. the bandwidth, the link capacity, the computational power of the routers etc., parameters that are not controlled by the worm author. A worm scanning at a very fast pace may put an excessive burden on a router and thus cause it to go down or reboot, causing a partitioned network. While this does not help the worm's propagation, it causes a tremendous amount of damage by disconnecting a multitude of hosts from the Internet, essentially performing a denial-of-service attack not only on e-commerce and personal activities but also on life-saving communication infrastructures. The Slammer worm, which did not cause any damage to the individual hosts it infected, nonetheless caused hundreds of millions of

[42]. Therefore, depending on the propagation strategy used, a worm can target either the hosts on the Internet, or the network itself. This makes the propagation strategy of a worm very important.

[42]. However, since then the gap has been decreasing, and starting from 2004 we have been seeing zero-day worms [60]. Considering the amount of damage Slammer was able to do in spite of its six-month lag, zero-day worms, which literally give no time for fixing the vulnerable systems, can cause very serious damage. This is also exacerbated by the fact that even when the vendor releases the software update (i.e. the "patch") that eliminates the vulnerability, a lot of computers do not get patched immediately due to various reasons, some of which are listed as follows. First, the user may be simply inactive, lazy or lacking the necessary bandwidth to download and install the patch. Second, many system administrators are wary of installing a patch on the computers they manage before testing it adequately, as the patch might break existing applications, and rollback is often difficult, time consuming, or simply not possible. Third, the patch might only be available for genuine copies of the software, as was the case for Windows XP service packs,

[57] deployed encryption techniques in order to hide its code. Of late, we have been seeing more and more instances of polymorphic worms, where the worm changes its code every time it infects a host. Also worms with self-mutating code, where the original code modifies itself during execution to generate a completely new code body, are becoming more commonplace [24, 1]. These kinds of worms are very hard to detect, since different instances of the same worm share few similarities. Commercial malware detectors, which in most cases rely upon substring matching to detect malware, are often ineffective against such kinds of attacks. In this study, we will develop detection strategies for one such worm, viz. the ASCII worm.

[24, 1]. With these frameworks, it is now possible for a common person with very limited knowledge (called the script kiddy) to create and release a worm in the wild. Also, worm authors now use modularization techniques in their programs so that attack components can be readily added or substituted. This has made it easier to create new worms and their variants, exacerbating the problem.

[64].

2, are:

Since different worms deploy different infection strategies, it is difficult to envision a universal countermeasure that will be equally applicable, and effective, against all kinds of worms. Similarly, because of the heterogeneity in the espoused scanning strategies, a single propagation model cannot describe the traffic pattern generated by all possible worms. Therefore, the detection methods and propagation modeling must be done for each class of worm on an individual basis. In this study, we address the following specific problems in the areas of detection, propagation modeling, and design, respectively:

[63], a class of worms that are fast yet stealthy, has been a challenge to date. We attempt to solve this problem here.
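The permutation-scanning worms of [63] named above coordinate their scanning without any communication, which is what makes them fast yet stealthy relative to the random scanning of Section 1.2.2. As an added illustration (this is not code from the dissertation or from [63]), the following discrete-time simulation contrasts random scanning with the divide-and-conquer form of permutation scanning on a constructed 2^16-address space: every infected host shares one affine pseudo-random permutation of the address space, owns a disjoint slice of it, hands the upper half of its remaining slice to each host it infects, and goes quiet once its slice is exhausted. The address-space size, the 256 vulnerable hosts, the 10 scans per tick and the affine permutation are all assumptions of this example; the dissertation's own k-jump and hitlist variants are not modelled here.

```python
import random

N_ADDR = 1 << 16      # toy address space of 65,536 addresses (constructed; not Internet scale)
N_VULN = 256          # vulnerable hosts hidden in it
SCANS_PER_TICK = 10   # scans every active infected host sends per time step (assumed constant)


def _world(seed):
    """Place N_VULN vulnerable hosts at random addresses; patient zero is the lowest one."""
    rng = random.Random(seed)
    vulnerable = set(rng.sample(range(N_ADDR), N_VULN))
    return rng, vulnerable, min(vulnerable)


def _summary(ticks, scans, infected, active, t90):
    return {"ticks": ticks, "scans": scans, "infected": infected,
            "active_scanners": active, "ticks_to_90pct": t90}


def random_scanning(seed=1, max_ticks=1_000_000):
    """Random scanning: every infected host draws targets uniformly, and never stops."""
    rng, vulnerable, p0 = _world(seed)
    infected = {p0}
    scans = ticks = 0
    t90 = None
    while len(infected) < N_VULN and ticks < max_ticks:
        ticks += 1
        # hosts infected during this tick only start scanning in the next one
        for _ in range(len(infected) * SCANS_PER_TICK):
            scans += 1
            addr = rng.randrange(N_ADDR)
            if addr in vulnerable:
                infected.add(addr)
        if t90 is None and len(infected) >= 0.9 * N_VULN:
            t90 = ticks
    return _summary(ticks, scans, len(infected), len(infected), t90)


def permutation_scanning(seed=1, max_ticks=1_000_000):
    """Divide-and-conquer permutation scanning: all hosts share one pseudo-random
    permutation of the address space, each scanner owns a disjoint slice of it,
    hands the upper half of its remaining slice to every host it infects, and
    goes quiet once its slice is exhausted."""
    rng, vulnerable, p0 = _world(seed)
    a = rng.randrange(1, N_ADDR, 2)        # odd multiplier: i -> (a*i + b) mod 2^16 is a bijection
    b = rng.randrange(N_ADDR)
    perm = lambda i: (a * i + b) % N_ADDR
    infected = {p0}
    slices = {p0: [0, N_ADDR]}             # host -> [next index to scan, end index)
    scans = ticks = 0
    t90 = None
    while slices and ticks < max_ticks:
        ticks += 1
        for host in list(slices):          # snapshot: newly infected hosts start next tick
            s = slices[host]
            for _ in range(SCANS_PER_TICK):
                if s[0] >= s[1]:
                    del slices[host]       # nothing left to scan: retire (stealth)
                    break
                addr = perm(s[0])
                s[0] += 1
                scans += 1
                if addr in vulnerable and addr not in infected:
                    infected.add(addr)
                    mid = (s[0] + s[1]) // 2
                    if mid < s[1]:         # hand the upper half of what is left to the new host
                        slices[addr] = [mid, s[1]]
                        s[1] = mid
        if t90 is None and len(infected) >= 0.9 * N_VULN:
            t90 = ticks
    return _summary(ticks, scans, len(infected), len(slices), t90)


if __name__ == "__main__":
    for name, fn in (("random", random_scanning), ("permutation", permutation_scanning)):
        print(name, fn(seed=1))
```

Run to completion, the permutation worm sends exactly N_ADDR scans (each address is scanned once, by whichever host owns its slice) and no host is still scanning afterwards, whereas the random-scanning worm spends several times that many scans finding the last few vulnerable hosts and every infected host keeps scanning forever. Those two quantities, total scanning volume and the number of hosts still active, are what the stealth discussion in Chapter 5 measures; the ticks_to_90pct field lets you compare speed as well.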

2, the undertaken work will be presented in greater detail in Section 2.5.

CHAPTER 2
RELATED WORK

Since a worm has a very high damage potential, the main challenges facing worm researchers are how to detect, stall and prevent their spread. Correct modeling of their propagation is also very important, since it gives an idea of how fast the worm can spread and how quickly a defense must react to mitigate the damage by stalling its advance. Thus, correct propagation modeling may not be a direct line of defense in thwarting a worm, but it is a very important tool in aiding other countermeasures and helping to make policy decisions. Worm research has traditionally focused mostly on the following countermeasures: prevention, detection and containment, along with propagation modeling. A survey of the related work in each of these research areas is presented below.

2.1 Prevention

StackGuard [19] proposed placing a canary beside the return address on the stack and detecting that the return address has been overwritten by checking whether that canary has changed. However, it still failed to protect other function pointers and against heap corruption. PointGuard [18] went one step further by protecting individual pointer values rather than only the return address. However, it could still be broken using a brute-force approach in some cases. The Address Space

[4] suggested randomization of the address of the stack and various other libraries, thus making the job of guessing the return address much harder for the attacker. There have been other hardware-based approaches like the Return Address Stack [49, 25] that attempted to detect whether the return address has been overwritten. Also, as most of the overflows happen on the stack (the heap is the other common target), making the stack non-executable also appears to be an immediate solution, since very few applications actually require the stack to be executable by design. This approach was proposed by Solar Designer and implemented as the NX patch in the Linux kernels in Red Hat Fedora Core 2 as of build 2.6.6-1.427 [5]. A similar prevention method has been offered by Windows XP SP2 as an optional feature, DEP (Data Execution Prevention), at both the hardware and the software level (the latter when the added NX bit in the page table is not yet available in the processor). The same feature is called EVP (Enhanced Virus Protection) in the AMD64 architecture [79]. Note that a non-executable stack stops injected code from running, but not code-reuse attacks such as return-into-libc, where the overwritten return address points at code already present in the process. We note that most of these prevention techniques are host-based and hence depend on proper deployment on the user's part in order to function. Therefore, these kinds of prevention techniques can be thought of as the last line of defense against computer worms, where the worm is thwarted just when it is about to compromise its victim.

2.2 Detection

We start with vulnerability-specific detection methods. It is a fact that for a worm to spread, an exploitable vulnerability must exist. Usually, this vulnerability lies on a specific branch of control flow which is less traversed, as otherwise the chances of the vulnerability getting detected during the software testing phase would be higher. Therefore, to ensure that control traverses that specific route, the worm must carry vulnerability-specific input data. For example, for the LSASS exploit, one must have the "\PIPE\lsarpc" string and a particular field of a logged record long enough for the buffer overflow to occur [20]. Shield [71], which models vulnerability signatures consisting of all possible sequences of application messages and payload characteristics that would lead to any remote exploit of that vulnerability, is based on this idea. Another detection method is Vigilante [17], which upon information of an attack generates vulnerability-specific self-certifying alerts that can be distributed among hosts to warn about the danger, expecting them to use a vulnerability-specific filter.

Examining the content and underlying structural properties of the malicious payload is the key to the detection of worms for many IDSs. For example, many detection mechanisms including Earlybird [61], Autograph [30] and Polygraph [44] are based on the premise that different instances of a zero-day worm would contain common substrings or fingerprints, which would potentially have vulnerability-specific patterns. Buttercup [50] tries to find the range of return addresses, which usually forms part of the string used to overflow the buffer. Unfortunately, since it must know the range of the return addresses a priori, it only works for known worms. Abstract Payload Execution [67] hypothesizes that the presence of a NOP sled would lead to a long sequence of valid instructions, which is uncharacteristic of random data. However, since NOP sleds are hardly used

[20]. STRIDE [2] also employs a similar technique to find the existence of NOP sleds in polymorphic worms. There are also other detection strategies that involve inspecting the structure of the payload and finding anything anomalous. Chinchani et al. [9] make the observation that normal (benign) data is different from a program code fragment, which has a definite control and data flow. Styx tries to detect worms by identifying those program structures, by creating CFGs (Control Flow Graphs), an approach first applied to fingerprinting polymorphic worms by Kruegel et al. [34]. SigFree [73], a zero-day worm blocker, also does not rely on any signature but depends on the presence of executable code inside the network data flow. It claims to have the capability to detect ASCII worms; however, it usually bypasses ASCII traffic since processing it would degrade the performance significantly. The emulation method [51] contends that with advanced polymorphic engines, different instances of the same worm will hardly have any common strings, and network-level emulation is the only way to catch such a worm. PADS [65] uses expectation maximization techniques to detect the presence of a decrypter in a polymorphic worm by generating a statistical signature of the worm.

There have been other detection techniques that focus more on the anomalous behavior of an infected host to detect worm activity. For example, since a random-scanning worm has little knowledge of whether its target host actually exists or not, Honeycomb [33] exploits this by deploying honeypots, i.e. decoy computers, to generate signatures by detecting patterns in the traffic seen on the honeypots, with the assumption that any traffic destined towards non-existent hosts is malicious. The signature generation involves both behavior (protocol) analysis and substring matching of the payload, often requiring human intervention. One shortcoming of this method is that non-malicious traffic may accidentally hit the honeypots, creating noise in signature generation. Another drawback of this method is that creation of a good signature often requires a large number of samples,

[55] assumes that any dynamically generated or obfuscated code is malicious, and proceeds to statically preprocess the Windows executable to identify the location of the Win32 API calls relative to the executable, raising an alarm if an API call is made from a different location at run time.

2.3 Containment

Moore et al. [43] investigated the effectiveness of worm containment technologies (address blacklisting and content filtering) and showed that not only must those mechanisms react very fast, but also nearly all ISPs must employ the content filtering for it to be successful. Park et al. [47] studied worm containment methods in power-law Internet topologies and with partial deployment. Williamson et al. [77, 68] proposed a modification of the network stack to bound the rate of connection requests to distinct destinations. This method has the disadvantage that it restricts a normal host the same way as a worm-infected host. Also, in order to succeed, this approach must be adopted universally, which is a very unrealistic requirement. Weaver et al. [76] showed that fast containment of random-scanning worms on a large-scale network is possible using the Threshold Random Walk (TRW) algorithm first introduced by Jung et al. [29]. Schechter et al. [58] proposed a credit-based algorithm to limit the scan rate of a host, whose credit (i.e., allowance for making connections) is increased by one for each successful
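The Threshold Random Walk test mentioned above turns the observation behind these containment schemes, that a scanner's connection attempts to new destinations mostly fail while a benign host's mostly succeed, into a sequential likelihood-ratio test that can decide after only a few first-contact attempts. The following is an added example, not code from the dissertation or from the TRW authors, that runs that test over a constructed connection log. The parameters (θ0 = 0.8, θ1 = 0.2, α = 0.01, β = 0.99) are the ones commonly quoted for TRW and are assumptions here; the log format, the addresses and the outcomes are made up.

```python
# Threshold Random Walk (TRW) over a connection log: an added example, not code from
# the dissertation or from the TRW authors. Model parameters below are the ones
# commonly quoted for TRW and are assumptions of this example.
THETA0 = 0.8   # P(first-contact connection succeeds | remote host is benign)
THETA1 = 0.2   # P(first-contact connection succeeds | remote host is a scanner)
ALPHA = 0.01   # tolerated probability of flagging a benign host (false positive)
BETA = 0.99    # desired probability of flagging a real scanner (detection rate)
ETA1 = BETA / ALPHA              # 99.0: declare "scanner" once the likelihood ratio reaches this
ETA0 = (1 - BETA) / (1 - ALPHA)  # ~0.0101: declare "benign" once the ratio drops to this


def trw(outcomes):
    """Sequential hypothesis test over a host's first-contact outcomes (True = success).
    Returns (verdict, likelihood_ratio, observations_consumed); stops at the first
    threshold crossing, so a scanner is flagged after only a handful of failures."""
    ratio = 1.0
    for n, ok in enumerate(outcomes, start=1):
        ratio *= (THETA1 / THETA0) if ok else ((1 - THETA1) / (1 - THETA0))
        if ratio >= ETA1:
            return "scanner", ratio, n
        if ratio <= ETA0:
            return "benign", ratio, n
    return "undecided", ratio, len(outcomes)


def first_contacts(log_lines):
    """Group '<ts> <src> <dst:port> <SUCCESS|FAIL>' lines by source, keeping only the
    first attempt to each distinct destination host; retries to the same host are
    not independent evidence and are ignored."""
    seen, per_src = set(), {}
    for line in log_lines:
        _ts, src, dst, result = line.split()
        dst_host = dst.rsplit(":", 1)[0]
        if (src, dst_host) in seen:
            continue
        seen.add((src, dst_host))
        per_src.setdefault(src, []).append(result == "SUCCESS")
    return per_src


def classify_sources(log_lines):
    """Run TRW independently per source; returns {src: (verdict, ratio, n)}."""
    return {src: trw(outcomes) for src, outcomes in first_contacts(log_lines).items()}


# Constructed sample log (made-up addresses): one browsing host, one port-445 scanner
# that happens to hit a live host first, and one host seen too briefly to judge.
SAMPLE_LOG = """\
1 10.0.0.5 192.168.1.10:80 SUCCESS
2 10.0.0.99 192.168.1.1:445 SUCCESS
3 10.0.0.5 192.168.1.11:443 SUCCESS
4 10.0.0.99 192.168.1.2:445 FAIL
5 10.0.0.5 192.168.1.12:80 FAIL
6 10.0.0.99 192.168.1.3:445 FAIL
7 10.0.0.99 192.168.1.3:445 FAIL
8 10.0.0.7 192.168.1.20:22 FAIL
9 10.0.0.5 192.168.1.13:80 SUCCESS
10 10.0.0.99 192.168.1.4:445 FAIL
11 10.0.0.5 192.168.1.14:443 SUCCESS
12 10.0.0.99 192.168.1.5:445 FAIL
13 10.0.0.7 192.168.1.21:22 FAIL
14 10.0.0.5 192.168.1.15:80 SUCCESS
15 10.0.0.99 192.168.1.6:445 FAIL
16 10.0.0.99 192.168.1.7:445 FAIL
""".splitlines()

if __name__ == "__main__":
    for src, (verdict, ratio, n) in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src:<10} {verdict:<10} ratio={ratio:.4g} after {n} first contacts")
```

With these parameters each failure multiplies the ratio by 4 and each success by 0.25, so four straight failures (ratio 256 ≥ 99) are enough to flag a scanner and four straight successes clear a host; the scanner above is caught on its sixth distinct destination despite its first contact succeeding. Two caveats a deployment has to handle: only first contacts count (line 7 is dropped), and the quality of the verdict depends on the oracle that labels an attempt as failed (RST, ICMP unreachable or timeout), which is the part the text's honeypot and failed-connection schemes differ on.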


[6] inspects the failed connection statistics for the hosts inside an ISP and employs a spatial and temporal rate-limit algorithm (limiting the number of failed connection attempts) to slow down the worm based on the DAW parameters, not the worm parameters.

[28]. The classical simple epidemic model for a finite population is


Classic epidemic model of propagation of contagion

Dividing both sides by V, we obtain

where I(t) and i(t) are the number and the fraction of infected hosts at time t respectively; V is the size of the vulnerable host population; and the remaining constant is the pairwise infection rate. At the beginning, t = 0, I(0) hosts are infectious and the other V − I(0) hosts are all susceptible. Solving the differential equations for V = 2^13, I(0) = 1, and a pairwise infection rate of 1/2^10, we obtain a sigmoid curve as in Figure 2-1. The beginning of most worm epidemics matches the early part of this curve, until the effects of bandwidth limitation and network congestion set in. This was demonstrated by Staniford et al. [63] for the Code Red worm.

[28]. This extended model assumes that during an epidemic, some infectious hosts either recover or die; however, once a host recovers from the disease, it attains perpetual immunity to the disease. The hosts that recover or die from the disease are put in the "removed" state (which is an addition to the simple model). Thus each host can be in only one of the following three states at any time: susceptible, infectious, or removed. Any host in the system either undergoes the state transition "Susceptible (S) → Infectious (I) → Removed (R)" or stays in the "susceptible" state forever. In this model, A(t) and R(t) denote


(2-3) (2-4) (2-5)

where V is the vulnerable host population size, and the two rate constants are the pairwise infection rate and the rate of removal of infectious hosts.

One can see from the model that in order for an epidemic to happen, the number of infectious hosts must rise initially. Thus, at the beginning, we must have dI/dt > 0, which implies that the infection term (proportional to I(t)S(t)) exceeds the removal term (proportional to I(t)), or equivalently that S(t) exceeds the ratio of the removal rate to the infection rate.

We do not pursue the details of this model any further, as the goal of this model is to obtain the propagation curves in the presence of practical constraints like congestion and recovery. However, these conditions do not necessarily apply to, or hinder, the progress of a smart worm that scans at a rather slower rate and is thus able to reduce its network footprint drastically.


The broad objective of this research is to analyze the host-level and network-level behavior of today's worms, which are equipped with the latest evasion and obfuscation tools and intelligent scanning strategies, and to devise possible countermeasures. Since different worms use different strategies, it will evidently be implausible to devise a generalized defense strategy that will be effective for all possible kinds of worms. Therefore, instead of proposing a cure-all solution, we attempt to solve the following specific problems that highlight some of the prevalent threats posed by worms today:

[56] (by binary, we mean containing both printable and non-printable characters). They are very appealing since such a worm can obtain access to places where a worm is not expected to be able to get in under normal circumstances. For example, there are cases where a server expects a certain kind of traffic to be strictly text, which is in fact quite common as many important applications work with protocols that, or parts thereof, are text-based. Examples of such text-only traffic include the URL in an HTTP request, or email traffic. To ensure that only text characters get in at times when text is expected, these servers usually employ ASCII filters [26] which drop any binary input. This filtering results in a beneficial side effect of eliminating worms that exploit any possible vulnerability in the execution paths for processing the input, since worms are usually binary. However, using the ASCII filter alone as the sole defense against malware is dangerous, since the malware may very well be text-based. Thus, we believe that the


[63] features as one of the most interesting strategies. In that strategy, the infected host uses a permutation to map the real address space into a virtual one, which effectively causes the vulnerable hosts to be dispersed evenly in the virtual address space, even if they were present in clusters in the original address space. Initially a small number of infected hosts start scanning the addresses sequentially after their own addresses on this virtual address space. Whenever any of them infects a new vulnerable host, it continues to scan sequentially, while the freshly infected host chooses a random location on the permuted address space and starts scanning sequentially from there in the same direction. After hitting an already infected host, the scanning host may either choose to retire or select yet another random location on the permuted space to resume its scanning. Simulations show that while this propagation strategy has a high infection speed, it also causes significantly less network traffic compared to a randomly-scanning worm, and hence is much stealthier. Therefore, modeling the propagation of this worm is very important, since without the knowledge of its exact propagation characteristics, it has the potential of passing undetected.




In the past decade, the Internet has witnessed the rapid evolution of various malware (virus, worm, Trojan, to name a few) [64]. While a considerable amount of research has been devoted to the detection of classical binary malware, the possibility of using a purely text stream (keyboard-enterable, hex 0x20 through 0x7E) as the carrier of malware has remained under-researched and often underestimated. Rix [56] and Eller [26] showed a few years ago that any binary code can be turned into functionally equivalent text (or even alphanumeric) code. Having a malware that is completely text-based is very appealing to malware authors since it can open new attack channels that were earlier assumed to be malware-resistant simply by virtue of accepting text-only input. Today, many popular protocols or their components are text-based, e.g., HTTP requests, HTML, XML, or email traffic. To ensure text-only input, these servers often employ an ASCII filter to discard or mangle the binary input [26]. However, if the filter is the only defense, then these servers remain vulnerable, as the assumption that all malware is binary is false. Worse yet, even some malware detectors deliberately bypass text streams. For example, SigFree usually does not process text-only input to avoid performance degradation [73]. Thus, the notion of regarding text data as benign and not subjecting it to malware detection is dangerous, and we believe text should undergo the same scrutiny as binary.

Even when the text input is examined, today's malware detectors are not adequately suited for efficiently detecting text-based malware due to the structural properties of text. We consider two popular detection schemes: 1) disassembling the input into instructions and then checking for the validity and executability of the instruction sequence (e.g. APE [67]), and 2) examining the frequency distribution and other statistical properties of the payload (e.g. PAYL [72]). The first scheme has two problems. First, almost any text string translates into a syntactically correct sequence of instructions, which means


[32] showed a way to create a text malware that follows the normal traffic pattern to the extent that it can evade even a robust payload-based detector like PAYL [32]. Finally, we have performed experiments using a commercial malware detector to scan various binary malware and their text counterparts. Although the detector successfully catches all binary malware, no alarm was raised for the text. Therefore, we conclude that the threat of text malware is real, and we can ignore it only at our own peril.

An ASCII worm, a worm whose body consists entirely of text data, is an example of a text malware. While we focus on detection of ASCII worms, we note that the detection techniques developed by us will be equally applicable to any text malware, not just ASCII worms. Therefore, throughout this chapter, we will mostly be using the term "text malware" rather than just ASCII worm.

In this chapter, we analyze the potential and limitations of text malware, and formulate detection techniques that exploit those inherent limitations. We introduce a novel text-malware detection method that examines the maximum executable length (MEL) of the byte stream arriving at a server which runs protocols expecting text input. MEL measures the number of instructions on the longest error-free execution path in the disassembled input. Because of the inherent randomness in the disassembled instructions,


The concept of MEL was originally introduced in Abstract Payload Execution (APE) [67] for detecting binary worms. It raises an alarm when the MEL measured from the input stream is greater than a threshold value. However, we will demonstrate through analysis and experiments that APE, as well as other binary detectors, is not suitable for detecting text malware. Not only is it extremely slow due to the excessive number of branch instructions in text input, but also its MEL measurement is incorrect without taking the text-specific properties into consideration. We further show that, even for binary worms, APE may no longer be effective because malicious binary code can be made very compact, with such a small MEL that it will overlap with the MEL range of benign input. On the other hand, as one of our contributions, we observe that it is very hard to make text malware compact due to the unavailability of critical instructions in the text domain.

We make two major contributions in this chapter. First, as the existing MEL-based detectors, in their current form, are unsuitable for text malware, we must explore new text-specific properties that characterize more precisely the structural limitations of the instructions in the text domain, which will in turn constrain how the text malware can be constructed. By exploiting the limitations and constraints of the text malware, we design DAWN (Detecting ASCII Worms in Networks), a novel MEL-based method for detecting not only ASCII worms but any text malware. It is fast, reliable and accurate. Second, how big should the MEL threshold be for raising alarms? In the past, the MEL threshold used to separate benign data and worms was obtained empirically. This does not explain whether there is a mathematical foundation behind the method, i.e. whether it is possible for a benign instruction stream to have an MEL higher than a given threshold, and if so, with what probability. We develop a probabilistic model of the MEL theory. We show how the MEL threshold can be calculated from the input character frequencies (instead of from


[67, 2] that may be biased), and how we can control the detection sensitivity.

The rest of the chapter is organized as follows. Section 3.1 gives an overview of text malware. Section 3.2 looks into the limitations of text malware and devises an MEL-based detection method exploiting those limitations. Section 3.3 derives the underlying probabilistic model for the MEL method. Section 3.4 describes the design and implementation of our text malware detector. Section 3.5 evaluates our detector through experiments. Section 3.6 provides a comparison of our work with others. Section 3.7 explores text malware in non-Intel architectures. Section 3.8 concludes with discussions on the limitations and robustness of our detector.




Creation of a binary worm on the stack from text code

essential for a potent worm, are absent in the text domain, the only way to make them available is for the text worm to create them on the fly, preferably on the stack where the buffer-overflow attack has just transferred the CPU execution from the exploited program to the worm.

The method [56] for the text worm to generate binary instructions is illustrated in Figure 3-1. Denote the binary instructions to be generated as B = b1 b2 ... bn. Let ai be the text code segment that creates the binary word bi. To give an example, starting with a word of four arbitrary text characters, a sequence of inc or dec instructions can produce a word of any value, though occasionally we can use xor and sub to do it more intelligently. We exploit the property that the Instruction Pointer IP and the Stack Pointer SP move in opposite directions during the execution of stack-growth (push) instructions: IP increases while SP decreases, as shown in Figure 3-1. The code of the text worm is arranged in the order an, an-1, ..., a1. During execution, an generates bn and pushes it on the stack, then an-1 generates bn-1 and pushes it on the stack, ..., and finally a1 generates b1 and pushes it on the stack. The stack pointer must be appropriately set such that b1 is located right next to a1, which means that after executing a1, control will automatically pass on to the created binary instructions that begin from b1. Hence, typical text malware


In this dissertation, we refer to the process of turning text malware into binary code as decryption. The malware itself must carry a decrypter, a cleartext ASCII instruction sequence that performs the decryption. In many cases, the whole malware is a decrypter, as shown in Figure 3-1. The reason for having such a long "hardcoded" O(n)-size decrypter for generating an n-word binary code will be apparent in Section 3.2.2

[73], which uses disassembly-based techniques, reported that it usually does not process text input due to performance degradation. This finding is corroborated by the observation that when we emulated


[67] for text input (see Table 3-2 in Section 3.6), the runtime was hours in many cases, clearly unacceptable for a malware detector.

[32] showed how an ASCII worm could easily evade a powerful and robust detector like PAYL [72].

Summarizing the above discussion, we need a new detection strategy that can be efficiently applied to text input and will differentiate malicious text from benign text. Our strategy is based on the following observation: text malware has a high probability of having a high MEL, while benign text tends to have a low MEL.


[45], correspond to privileged I/O instructions that cannot be invoked from any user-level application without generating an error. Benign text data may have these instructions, whereas malware will never have them in its execution path.


[4], and such explicit memory addresses might be out-of-bounds for the program. Thus, in a random (benign) text stream, such memory-access-error events are frequent.

[67, 2] for classical binary worms), but rather 1) the discovery


We also show that the MEL method, though used for detecting binary worms previously, cannot be used any more for that purpose. This is because binary malware does not suffer from the same encryption difficulties as text malware does. Without any constraint on encryption, it is fairly easy for binary malware to use a very short decrypter, which will result in a low MEL similar to a random (benign) binary stream, thereby making the malicious traffic virtually indistinguishable from the benign from an MEL-based detection standpoint. Therefore, it is rather surprising that the MEL method was ever successfully used for detecting binary worms, as in APE [67] and Stride [2]. The reason those detection methods succeeded is that those schemes exploited a special property of the binary worms, viz. the fact that binary worms were accompanied by a NOP sled. Those schemes were directed not towards detecting the actual payload (which could be encrypted and thus have a small MEL) but towards detecting the worm's sled (a long sequence of unencrypted valid instructions, and thus having a high MEL). Unfortunately, according to a recent survey [20], NOP sleds are almost never used nowadays, probably because the stack addresses today can vary by millions of bytes, and having a sled that long is improbable. Nowadays, most worms rather use the "register spring" method that involves no sled [20]. Thus, MEL-based methods (including APE or Stride) are not suitable for today's binary worms any more.


We use the detection strategy that, if an incoming instruction stream contains a contiguously valid instruction sequence longer than a certain threshold, then it contains a malware with a certain false-positive probability (which is the chance for a benign stream to have a contiguously valid instruction sequence longer than the threshold purely by accident). It is intuitive to see that the larger the threshold is, the smaller the false-positive probability will be. Unfortunately, if we aim at driving the false-positive probability close to 0 in order to avoid false alarms altogether, the threshold will be very large, which may lead to false negatives (the case where real malware is not detected). Therefore, it is important to characterize the trade-off between false positives and false negatives by deriving the mathematical relationship between the threshold and the false-positive probability. Such a formula will allow the user to select a specific combination of the two values in order to achieve certain desirable performance. While it is possible to estimate the relationship between the two experimentally through a training data set, such data can be biased, not representing the general case. In this section we take a probabilistic approach that correlates the threshold with the false-positive probability using the character frequency distribution of text input.

3.3.3). Let Iv denote a valid instruction, Iinv an invalid instruction, and p the probability for an arbitrary instruction disassembled from a normal stream to be invalid. Consequently, the probability for an instruction to be valid is (1 − p). Let n be the number of instructions in an input stream and N be the number of invalid instructions in the stream. It is easy to see that there


3.3.3). Below we derive $\mathrm{Prob}[X_{\max} \le x]$ for all $x \in [0..n]$, which is the cumulative distribution function of $X_{\max}$ (or the MEL).

First, we derive the conditional probability when the number of invalid instructions is fixed at $N = k$, for a specific number $k$ (we generalize it later):

$\mathrm{Prob}[X_{\max} \le x \mid N = k] = \mathrm{Prob}[\max(X_1, X_2, X_3, \ldots, X_{k+1}) \le x] = \mathrm{Prob}[(X_1 \le x)\ \text{and}\ (X_2 \le x) \ldots \text{and}\ (X_{k+1} \le x)] = \mathrm{Prob}(X_1 \le x) \cdots \mathrm{Prob}(X_{k+1} \le x) = [1-(1-p)^x]\,[1-(1-p)^x] \cdots [1-(1-p)^x] = [1-(1-p)^x]^{k+1}$


A false positive happens when $X_{\max}$ is greater than the MEL threshold. Thus, the false-positive probability must be $\mathrm{Prob}[X_{\max} > \text{threshold}] = 1 - \mathrm{Prob}[X_{\max} \le \text{threshold}] = 1 - \bigl(1-(1-p)^{\text{threshold}}\bigr)\bigl[1 - p(1-p)^{\text{threshold}}\bigr]^n$. We can approximate it as $1 - \bigl[1 - p(1-p)^{\text{threshold}}\bigr]^n$ since $1-(1-p)^{\text{threshold}} \approx 1$. Thus, writing FP for the false-positive probability, we obtain the threshold as $\dfrac{\log\bigl(1-(1-\text{FP})^{1/n}\bigr) - \log p}{\log(1-p)}$ (Section 3.5.2).

To verify that the above approximation has an insignificant impact on the value of the threshold, we compare the values obtained using the formula with and without the approximation. For example, when FP = 1%, n = 1540 and p = 0.227 (the parameters used in our experiments), the threshold is 40.61 with the approximation and 40.62 without (a difference of 0.02%). Other reasonable parameter settings also show that the approximation induces only a small error in the computation.


Observed Expected
Valid I2 2797 8922 2835
Invalid I1 938 2835 900

The other assumption in our model is that we do not enforce the condition that $\sum_{i=1}^{N+1} X_i = n$ and rather assume the $X_i$ occur independently. It is evident that as n increases, the effect of this constraint becomes less pronounced. To verify this, we run a Monte-Carlo simulation for the PMF of $X_{\max}$ for different values of n and p. There, we toss a coin (with probability of heads p) n times and calculate the MEL by taking the maximum distance between two heads that are separated by only tails and no heads in between. As heads are the equivalent of invalid instructions, the maximum inter-head


3-2. We observe a near-perfect match in all cases (especially with larger n), which vindicates our probabilistic model.

Juxtaposition of the PMFs for the MEL from the probabilistic model and from the Monte-Carlo simulation by varying n and p. A near-perfect match can be observed in almost all the cases.

We also get one very important intuition from Figure 3-2. We see that if p decreases, it will require a higher threshold to keep the same false positive rate. However, a higher threshold will mean that a lot of malware will also not get detected. Thus, to have a low value of false negatives (in addition to a fixed low value of false positives), we must find ways to increase p. This is why finding more ways to invalidate instructions in text streams is important.

In our model, we had implicitly assumed that if instruction ib is executed right after instruction ia, then ia and ib must be contiguous in the original instruction stream.
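The threshold formula of the previous pages and the Monte-Carlo check just described, as an added example (not the dissertation's own code). It implements the exact and approximate false-positive expressions, solves for the threshold both ways, and simulates benign streams as coin tosses; the assumption that the two ends of the stream count as heads (so that a run touching the boundary is measured the same way as one between two invalid instructions) is ours.

```python
"""MEL false-positive model (Section 3.3) beside its Monte-Carlo verification.
Added example, not from the dissertation. Model assumptions: invalid
instructions occur independently with probability p in a stream of n
instructions; X_max (the MEL) is the longest stretch between invalid ones."""
import math
import random


def mel_cdf(x: float, n: int, p: float) -> float:
    """Exact Prob[X_max <= x] from the model: [1-(1-p)^x] * [1 - p(1-p)^x]^n."""
    q = (1.0 - p) ** x
    return (1.0 - q) * (1.0 - p * q) ** n


def false_positive_rate(threshold: float, n: int, p: float,
                        approximate: bool = False) -> float:
    """Prob[X_max > threshold] for a benign stream.  With approximate=True the
    factor (1-(1-p)^threshold) is taken as 1, as in the closed-form derivation."""
    q = (1.0 - p) ** threshold
    if approximate:
        return 1.0 - (1.0 - p * q) ** n
    return 1.0 - mel_cdf(threshold, n, p)


def mel_threshold(alpha: float, n: int, p: float) -> float:
    """Closed-form threshold for a target false-positive probability alpha:
    (log(1-(1-alpha)^(1/n)) - log p) / log(1-p)."""
    return ((math.log(1.0 - (1.0 - alpha) ** (1.0 / n)) - math.log(p))
            / math.log(1.0 - p))


def mel_threshold_exact(alpha: float, n: int, p: float) -> float:
    """Threshold without the approximation, by bisection on the exact
    false-positive rate, which decreases monotonically in the threshold."""
    lo, hi = 0.0, float(n)
    for _ in range(100):
        mid = (lo + hi) / 2.0
        if false_positive_rate(mid, n, p) > alpha:
            lo = mid          # still too many false alarms: raise the threshold
        else:
            hi = mid
    return (lo + hi) / 2.0


def simulate_mel(n: int, p: float, rng: random.Random) -> int:
    """One Monte-Carlo run: n coin tosses, head (probability p) = invalid
    instruction.  MEL = largest distance between consecutive heads, i.e. the
    tails in between plus one.  Both ends of the stream are treated as heads
    (our assumption; the text does not say how it handled the boundaries)."""
    longest, last_head = 0, -1
    for i in range(n):
        if rng.random() < p:
            longest = max(longest, i - last_head)
            last_head = i
    return max(longest, n - last_head)


def empirical_false_positive_rate(threshold: int, n: int, p: float,
                                  trials: int, seed: int = 1) -> float:
    """Fraction of simulated benign streams whose MEL exceeds the threshold;
    compare with false_positive_rate(threshold, n, p)."""
    rng = random.Random(seed)
    hits = sum(simulate_mel(n, p, rng) > threshold for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    n, p, alpha = 1540, 0.227, 0.01      # the experimental parameters of the text
    print("approx threshold:", round(mel_threshold(alpha, n, p), 2))
    print("exact threshold: ", round(mel_threshold_exact(alpha, n, p), 2))
    print("model FP at 40:  ", round(false_positive_rate(40, n, p), 4))
    print("simulated FP at 40:", empirical_false_positive_rate(40, n, p, 3000))
```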


Effect of jump instructions

However, if ia happens to be a jump instruction with ib being the jump target, then we can be fairly certain that ia and ib will not be immediate neighbors in the disassembled instruction stream. This phenomenon is illustrated in Fig. 3-3, where solid dots represent invalid instructions (i1, i2, i3 and i4), and the straight line segments between the solid dots indicate streams of valid instructions. The length of a line segment (l12 and l34 in Fig. 3-3) indicates the number of valid instructions within that segment. Since we have observed that invalid instructions can be assumed to occur independently with probability p, the length of the individual line segments is a random variable following a Geometric distribution, with a mean of 1


We investigate this problem in the following way. Given that a jump instruction occurs during the execution of a valid instruction stream, the location of the jump instruction is random, i.e. it can happen anywhere in that instruction stream. Pictorially, the location of the jump instruction ia is random between i1 and i2 in Fig. 3-3. Extending the same logic to the location of the jump target, we find that the location of ib is also random between i3 and i4. Therefore, x and y can be perceived as two random variables, having ranges of values between 1 and l12 for x and between 1 and l34 for y. Therefore, each of the random variables x and y will follow a discrete uniform distribution, with the following probability distribution (conditional on l12 and l34):

$\mathrm{Prob}[x = k] = 1/l_{12}$

$\mathrm{Prob}[y = k] = 1/l_{34}$

Thus, conditional on the given values of l12 and l34,

Since the displacement in a jump instruction is completely arbitrary, the position of ia within the range [i1, i2] does not affect the position of ib within the range [i3, i4]. Thus, the random variables x and y are independently distributed. Therefore, the expected number of consecutively-executed valid instructions involving a jump instruction = E[x + y] = E[x] + E[y] = l12

Therefore, we observe that having a jump instruction among a stream of valid instructions does not affect the distance between the invalid instructions in a probabilistic sense. This implies that the MEL from our model, which originally did not account for the


[9] that due to the self-adjusting nature of the Intel instructions, if one starts interpreting the same instruction stream from two adjoining bytes, the instruction


How DAWN works

boundaries of the two instruction sequences tend to get aligned within 6 instructions (max 78 bytes) with a very high probability. Thus, for every entry point we need to disassemble only an average of 6 instructions before we can re-use the instruction sequence that has already been disassembled. Therefore, although the disassembly is technically an O(n^2) process, it is linear from a practical standpoint.

The sketch of the detection algorithm implementing the above ideas is given below.


[41]) with the threshold determined in the previous step, and observing the false positive and false negative rates. The tests were run on an Intel(R) Pentium-IV 2.40GHz CPU with 1GB of RAM in a Linux machine.

[56] and Eller [26] were used to convert multiple binary buffer overflow programs (from [3]) into their text counterparts, and more than one hundred text worms were created in that way. The effectiveness of each text malware was tested by actually running the vulnerable program and then observing the spawning of the shell. To check whether a text malware detector is at all needed, the McAfee antivirus program was run on both the binary and text shellcodes and it raised alarms for the binary cases only. For creating the benign data set, approximately 500KB of real web traffic from our departmental network was collected using Ethereal. After stripping off the headers, 100 cases, each containing approximately 4K text characters, were selected to serve as the benign data.


Correlation between the threshold and p for maintaining the same error (false positive) rate = 1%.

4000 / 2.6 ≈ 1540.


[20] for some cases. Thus, p turns out to be 0.185 + 0.042 = 0.227 in our case.

$\dfrac{\log\bigl(1-(1-0.01)^{1/1540}\bigr) - \log 0.227}{\log(1-0.227)} = 40$ for our calculated experimental parameters n = 1540 and p = 0.227.

3-6. For the benign data, the average MEL is near 20, and the max MEL is 40 (the same as the threshold), which matches our expectations very well. On the other hand, for the malicious data, the minimum MEL is 120, thereby marking a clear differentiator. Also, if we connect the frequency points for benign data, we observe that they form a shape somewhat similar to the PMF curves in Figure 3-2, which shows that our model is indeed mimicking the actual behavior. Also, we observe from Figure 3-5 that the gap between the false positive boundary (p value of 0.227 corresponding to an MEL of 40) and the false negative boundary (p value of 0.073 corresponding to an MEL of 120) is quite large, which means that even if the estimated p changed by a small margin, we would still have been able to distinguish the malware from the benign data. Also, the average instruction length from our actual experiment (2.65) was found to be very close to our expected value (2.6) assuming character and instruction independence.


Comparison of MEL frequency charts for benign and malicious text traffic for DAWN

Comparison of MEL frequency charts for benign and malicious text traffic for APE-L

[67]), and 2) SigFree [73].

[67] that introduced the concept of MEL, there are a number of significant differences:

[20]. As a result, APE's effectiveness is severely diminished today.


[67] did not present specific methods to determine which instructions are valid and which are invalid.

To elaborate the last point, we implemented an APE-mimicking algorithm (calling it APE-L) that did not exploit the text-specific constraints discovered by us, and compared its detection sensitivity and runtime with DAWN's. The reason for implementing it ourselves is the unavailability of an updated and working implementation of APE. As seen from the detection sensitivity comparison charts in Table 3-1 and in Figures 3-6 and 3-7, the range of MEL for malicious and benign is distinct for DAWN but overlapping for APE-L, which means APE would not be suitable for differentiating malicious text from benign. The results of the comparison showed clearly that APE is ineffective for text. Also, as mentioned earlier, the high frequency of jump instructions in ASCII data causes the number of possible execution paths to increase exponentially. So, unless the ASCII-specific criteria are used to invalidate instructions to prune this search space, detectors may take a very long time to run for ASCII data. This finding is corroborated by the observation that compared to DAWN, APE-L runs much slower for ASCII (Table 3-2), to the extent that for some cases APE-L does not even terminate for hours.

Table 3-1. Comparison of DAWN and APE-L for detection sensitivity

Sensitivity | MEL Avg (DAWN) | MEL Avg (APE-L) | MEL Range (DAWN) | MEL Range (APE-L)
Benign | 22.5 | 73.7 | 13-46 | 25-359
Malicious | 138.1 | 152.9 | 117-327 | 132-353


Table 3-2. Comparison of performance (runtime) for DAWN and APE-L

Performance | Runtime Avg (DAWN) | Runtime Avg (APE-L) | Runtime Range (DAWN) | Runtime Range (APE-L)
Benign | 0.58s | 22.0s | 0-1s | 0-3hr
Malicious | 0.23s | 0.3s | 0-1s | 0-2s

[73] is a zero-day buffer-overflow detector that detects the worm by counting the length of only the useful instructions in an instruction sequence, while our approach counts all executable instructions, irrespective of whether they are useful or not. While SigFree claims to have the capability to catch ASCII worms, it incurs significant computational overhead in order to examine the ASCII traffic, as a result of which it usually bypasses the ASCII traffic to enhance performance. On the other hand, in our case, processing the ASCII stream is very fast. Finally, one of the criteria for measuring the usefulness of an instruction in SigFree is that it must not have any data anomaly, as for example by checking whether the sources have been properly populated or not. However, we show in the following example that it may be possible to make SigFree think that data anomalies have happened while actually none happened. One of the data anomalies that SigFree reports is the undefined reference, which happens when a variable which is not yet defined (i.e., not populated properly) is referenced (used as a source) again. SigFree posits that the state of an undefined variable remains undefined when its value is reset with an undefined value. However, we show that even by using the undefined variable as a source, one can properly define, i.e., initialize, a variable. The following example makes it clear. Suppose the register variable eax initially contains a junk value, which implies eax is in an undefined state. Now if we do and eax, 0x20202020, followed by and eax, 0x40404040, according to SigFree eax will still remain in the undefined-reference state since the source register referenced in this case, eax, was in an undefined state. However, the two instructions mentioned above actually set eax to zero irrespective of its previous content, which means it is possible to reach a defined (initialized) state even with an undefined


3.1, we discussed the constraints and construction of a text malware in the Intel 32-bit architecture (IA-32). We observed that one of the requirements for having text instructions is that the most significant bit (bit 7) of every byte in the instruction stream must be 0, using the notation that the eight bits of a byte are labeled as bit 0 through bit 7 (from the least significant to the most significant). Also, since the ASCII characters 0x00 through 0x1E are also unprintable, a printable character byte must have bit 5 and/or bit 6 set. We get one important insight from these constraints: the shorter the size of the instruction, the higher the possibility of finding instructions that are completely text. This is because if an instruction is x bytes long, then each of the x bytes must individually be text in order to make the whole instruction text, a requirement which is often difficult to meet. The advantage of IA-32 being a CISC (complex instruction set computer) architecture is that a significant number of instructions are only a byte or a few bytes long, and it is easy to find text instructions among those short instructions. However, when we investigate the RISC (reduced instruction set computer) architectures, we observe that each instruction there has a fixed, relatively longer width (mostly 4 bytes for 32-bit architectures). We suspect that with such comparatively longer instructions, it might be difficult to have the adequate number of text instructions required to create a text malware. In this section, we explore two such RISC architectures (MIPS and SPARC) and discover evidence that corroborates our suspicion.

[52]). Fig. 3-8 depicts the 3 different families of instructions in MIPS (Register type, Immediate type and Jump type).


Decoding MIPS instructions into different fields (with field lengths), along with text constraints and byte boundaries.

It also shows the requirements for the instruction to be text. The implications of this constraint are as follows:

After eliminating those instructions that do not satisfy the text constraints mentioned above, the only instructions that remain are ADDI, ADDIU, SLT, SLTIU, ANDI, ORI, XORI, LUI, BEQL, BNEL, BLEZL, BGTZL, COPz and JALX. Notably absent is SYSCALL, which is a must for any malware. While any binary byte can be recreated


[74], there are primarily 4 formats of instructions, based on the value of the "op" field (bits 30 and 31):

We recall that, similar to MIPS, in order for a SPARC instruction to be text, bits 7, 15, 23 and 31 must be unset, while at least one of the bits in each of the following bit combinations must be set: (5,6), (13,14), (21,22) and (29,30). Since the field op spans bits 30 and 31, instructions belonging to the Format 3 and 4 categories are immediately ruled out since there bit 31 must be set. Thus, effectively it leaves us with only CALL, SETHI and branch instructions, none of which can modify memory. While CALL instructions can potentially divert the execution flow, we doubt whether that alone would suffice for an effective shellcode.
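The per-byte text constraint stated above, applied mechanically to the fixed-position opcode fields of the two RISC architectures, as an added example (not the dissertation's code). Because the constraint is independent per byte, a field value can appear in some text instruction exactly when, within each byte it touches, some text byte agrees with its fixed bits; the function below checks that and recovers the "op must be 00 or 01" conclusion for SPARC and the range of usable MIPS primary opcodes. The opcode names listed for MIPS are standard MIPS32 assignments that we add for readability.

```python
"""Which opcode field values can occur in an all-text 32-bit RISC instruction.
Added example, not from the dissertation.  Text byte = 0x20..0x7E, as in the
text; bits are numbered 0 (LSB) .. 31 (MSB) of the instruction word."""
TEXT_BYTES = range(0x20, 0x7F)


def is_text_word(word: int) -> bool:
    """True iff all four bytes of a 32-bit instruction are text bytes."""
    return all((word >> s) & 0xFF in TEXT_BYTES for s in (0, 8, 16, 24))


def field_value_possible(value: int, shift: int, width: int) -> bool:
    """Can a field of `width` bits starting at bit `shift` hold `value` in some
    text instruction?  The other bits are free, so check each byte separately:
    the fixed bits of the field in that byte must match some text byte."""
    mask = ((1 << width) - 1) << shift
    fixed = (value << shift) & mask
    for s in (0, 8, 16, 24):
        byte_mask = (mask >> s) & 0xFF
        byte_fixed = (fixed >> s) & 0xFF
        if byte_mask and not any((t & byte_mask) == byte_fixed for t in TEXT_BYTES):
            return False
    return True


def text_compatible_values(shift: int, width: int) -> list:
    """All values of the given field that some text instruction can carry."""
    return [v for v in range(1 << width) if field_value_possible(v, shift, width)]


# MIPS primary opcode (bits 26-31) and SPARC op (bits 30-31) field positions.
MIPS_OPCODE = (26, 6)
SPARC_OP = (30, 2)

# Standard MIPS32 primary-opcode assignments for the values discussed in the text
# (added for readability; SYSCALL is a SPECIAL-class instruction, opcode 0).
MIPS_OPCODE_NAMES = {
    0: "SPECIAL (SYSCALL and register-type ops)", 2: "J", 3: "JAL",
    8: "ADDI", 9: "ADDIU", 10: "SLTI", 11: "SLTIU", 12: "ANDI", 13: "ORI",
    14: "XORI", 15: "LUI", 16: "COP0", 17: "COP1", 18: "COP2", 19: "COP3",
    20: "BEQL", 21: "BNEL", 22: "BLEZL", 23: "BGTZL", 29: "JALX",
}


def mips_text_opcodes() -> list:
    """Primary opcodes that can head a text MIPS instruction, with names where known."""
    return [(v, MIPS_OPCODE_NAMES.get(v, "?")) for v in text_compatible_values(*MIPS_OPCODE)]


def sparc_text_op_values() -> list:
    """SPARC op values compatible with text: bit 31 clear forces op in {0, 1}."""
    return text_compatible_values(*SPARC_OP)


if __name__ == "__main__":
    print("MIPS text-compatible primary opcodes:", mips_text_opcodes())
    print("SPARC text-compatible op values:", sparc_text_op_values())
    print("MIPS syscall (0x0000000C) is text:", is_text_word(0x0000000C))
```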


We have argued that the absence of a one-to-one correspondence between text and binary makes the task of decryption more complex and thus causes the decrypter to be large with a high MEL. However, one may overcome this obstacle by using multilevel encryption (Russian doll architecture) in the following manner. First, convert the binary malware into text, and then encrypt this text malware in such a way that the output is yet again text. We observe that in the second step, we are doing encryption within the same text domain, which signals the possibility of having a one-to-one correspondence. On the surface, this approach appears to have merit since 1) the final encrypted text data will show very little trend of a text malware, and 2) because of the one-to-one correspondence, one may be able to use simple decryption schemes, which means a short decrypter. While it is impossible to consider all possible encryption methods, we put forth our rebuttal to this argument by demonstrating the case of using xor, which is usually a favorite choice for encryption. First of all, we observe that there is no single decryption key (a text byte) with the property that xor-ing it with any other text byte will still yield text data. This is because the text data (0x20-0x7E) occupies a somewhat odd slot in the original ASCII table, and xor-ing two characters from the text data often yields a result that is not text. As shown in Figure 3-9, after dividing the 95-char text domain into three nearly equal-sized parts (viz. 0x20-0x3F, 0x40-0x5F, and 0x60-0x7E), if we xor any two bytes from the same part, then the output will belong to the non-text domain 0x00-0x1F.
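The two xor observations of this paragraph, checked exhaustively over the 95-byte text domain, as an added example (not the dissertation's code): no text key maps every text byte back into text, and any two bytes from the same third of the domain xor to the non-text range 0x00-0x1F. The last function quantifies how far a single-byte text key falls short, which is the figure a defender reasoning about the size of a text-to-text decrypter actually wants.

```python
"""XOR within the text domain 0x20-0x7E (Section 3.8 discussion).
Added example, not from the dissertation."""
TEXT_LO, TEXT_HI = 0x20, 0x7E
TEXT = range(TEXT_LO, TEXT_HI + 1)          # the 95 printable text bytes
# The three nearly equal-sized parts named in the text.
PARTS = [range(0x20, 0x40), range(0x40, 0x60), range(0x60, 0x7F)]


def is_text(b: int) -> bool:
    return TEXT_LO <= b <= TEXT_HI


def keys_preserving_text() -> list:
    """Text key bytes k for which k ^ t is text for every text byte t.
    The text claims there is no such key; the list should come back empty."""
    return [k for k in TEXT if all(is_text(k ^ t) for t in TEXT)]


def same_part_xor_range(part: range) -> tuple:
    """(min, max) of b1 ^ b2 over all pairs from one part.  Bits 5-7 are equal
    within a part, so they cancel and the result lies in 0x00-0x1F."""
    values = [b1 ^ b2 for b1 in part for b2 in part]
    return min(values), max(values)


def text_preserving_fraction(key: int) -> float:
    """Share of text bytes that a given key maps back into the text domain:
    the best case for a one-byte-key text-to-text xor scheme."""
    return sum(is_text(key ^ t) for t in TEXT) / len(TEXT)


def best_single_byte_key() -> tuple:
    """(key, fraction) for the text key that keeps the most bytes in the text domain."""
    return max(((k, text_preserving_fraction(k)) for k in TEXT), key=lambda kv: kv[1])


if __name__ == "__main__":
    print("keys preserving all text:", keys_preserving_text())
    for part in PARTS:
        print("0x%02X-0x%02X xor range:" % (part[0], part[-1]),
              tuple(hex(v) for v in same_part_xor_range(part)))
    print("best single-byte key:", best_single_byte_key())
```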


Figure 3-9. Encryption difficulties in using XOR for text

We emphasize that while we offer a novel way to differentiate between benign and malicious text traffic, this means that we have merely made the task of an attacker significantly harder. As per our limited experiment, the difference in the maximum length of the valid instruction sequence between benign and malicious traffic is currently significantly large. To the best of our knowledge, no text malware employing encryption to this date has been able to come up with a decrypter smaller than our current threshold. However, as security is a cat-and-mouse game, in future we will invariably see such malware, and we must strive to find more exploitable constraints of text to counter that.

We would like to reiterate that while our approach is similar to some other existing MEL-based schemes [67, 73, 2], a fundamental difference exists. In our detection scheme the MEL threshold is obtained purely from the statistical properties of text traffic, while for the rest it is obtained experimentally from the MEL of the benign data.


Worms have huge damage potential due to their ability to infect millions of computers in a very short period of time [42]. In order to counter that threat, we need to look into their content (for signatures) as well as their propagation pattern (for Internet-scale behavior) [6, 53, 58, 37, 8, 38]. The propagation characteristics of a worm show what kind of network traffic will be generated by that worm and how fast the response time must be for countermeasures. Therefore, in order to understand (and possibly counter) the damage potential of worms, it is very important to characterize their overall propagation properties.

Although modeling worm propagation has been an active research area [63, 80, 7, 75, 78], one might question the practical importance of such work if it is possible to obtain a fairly good approximation of the worm's propagation characteristics by running a simulator a sufficient number of times and taking the average. However, there are reasons why simulations may not always be able to produce the intended results. First, it often takes a long time, 16 hours in our case on an Intel Xeon 2.80GHz processor for the 400M hosts that are estimated to be in today's IPv4 space, to simulate a single run of worm propagation for one set of worm/network parameters. To learn the average behavior, many such runs need to be performed, and the whole simulation process has to be redone for any parameter change, e.g., for a different population size of vulnerable hosts or a different scanning speed of infected hosts. Second, the simulation overhead can be prohibitively high in some cases. Suppose we want to simulate a worm that exploits a commonly used Windows service on today's Internet. It means that the vulnerable population size could be in the order of several hundred million, as Windows machines predominate on the Internet. If there are 300M such computers, they will entail 300M records in the simulation, one for each vulnerable host. Even if each record is one integer (keeping its address alone), it will require a memory of 1.2GB. Now, if we want to study


Traditionally, most modeling work [63, 80, 7, 75] concentrates on the relatively simple random-scanning worms, which scan the Internet either randomly or with bias towards local addresses in order to reach all vulnerable hosts. This strategy leaves a large footprint on the Internet (which reveals the worm's presence), and different infected hosts may end up scanning the same address repeatedly. In recent years, worm technologies have advanced rapidly to address these problems. By enabling close coordination among all infected hosts, the permutation-scanning worms (introduced in the seminal paper [63] by Staniford et al.) minimize the overall traffic volume for scanning the Internet through a divide-and-conquer approach. There, each active infected host is responsible for scanning a subset of all addresses, and this subset may vary over time. Such a cooperation strategy empowers the worm with the ability to propagate either much faster, or alternatively, much more stealthily (if the infected hosts scan at lower rates). Warhol worms, which are similar to permutation-scanning worms with larger hit lists, have been shown using simulations to be able to infect the whole Internet in a matter of minutes [63]. However, understanding these potent worms through mathematical modeling has remained a challenge to date.


In this work, we propose a mathematical model that precisely characterizes the propagation patterns of the permutation-scanning worms. The analytical framework captures the interactions among all infected hosts by a series of inter-dependent differential equations, which together describe the overall behavior of the worm. We then integrate these differential equations to obtain the closed-form solution for worm propagation. We use simulations to verify the numerical results from the model, and show how the model can be used to assess the impact of various worm/network parameters on the propagation of permutation-scanning worms. We also investigate the impact of dynamic network conditions on the correctness of the model, considering network congestion, bandwidth variability, Internet delay, host crash and patch.

The rest of this chapter is organized as follows. Section 4.1 describes the permutation-scanning worms. Section 4.2 introduces several important concepts underlying our mathematical model. Sections 4.3 and 4.4 present the exact propagation models for the basic permutation-scanning worm and its general extension, respectively. Section 4.5 derives the closed-form solution. Section 4.6 and Section 4.7 discuss how different worm/network parameters and real-life network constraints will affect the worm propagation, respectively. Section 4.8 draws the conclusion.


An alternative to the above random-jump approach is to assign each infected host an exclusive section of the address ring for scanning. As a host sequentially scans its section, when it infects another host, it assigns half of the remaining unscanned addresses to the latter and adjusts its section boundary accordingly. When a host reaches the end of its section, it retires. The problem with this approach is that it is not fault-tolerant. If one infected host is blocked out or somehow crashes, it may leave many addresses in its section


[63] shows that a worm can permute the IP address space into a virtual one (called the permutation ring) through encryption with a key. The divide-and-conquer method is then applied on this permutation ring. While each infected host logically goes through contiguous addresses on the permutation ring, it actually scans the IP addresses that the permuted addresses are decrypted to, which cannot be easily picked up by address-scan detectors because those IP addresses are pseudo-random and distributed all over the Internet.

[53, 58, 42]. To be stealthy, they have to act as normal as possible by scanning the Internet at a controlled low rate, which is a worm parameter that can be set before release. A stealthy worm can be more harmful. A fast worm generates headline news, such as Slammer [42], which caused widespread network congestion across Asia, Europe and the Americas. However, such a worm is more likely to be detected quickly and attract defense resources for its elimination. A stealthy worm propagates slower but may stay undetected for a long time, potentially doing more harm.


[63], which is a pre-compiled list of target addresses that are very likely to be vulnerable, e.g., a list of hosts with port 80 open for a worm targeting a certain type of web server. During the hitlist-infection phase, the very first infected host scans the IP addresses in the hit list, and whenever it infects one, it gives away half of the remaining hit list to the newly infected host so that together they can infect all hosts in the original hit list quicker. This process repeats, and as a result, if v out of the S addresses in the hit list turn out to be vulnerable hosts, all those hosts will get infected in O((S/(vr)) log_2 v) time, where r is the scanning rate. Even for a modestly big hit list, this time is minuscule compared to the time it will take to infect the rest of the vulnerable hosts outside the hit list. To illustrate with an example, suppose there are about 1M vulnerable hosts in IPv4 and a worm starts with a hit list of S = 10K hosts, with approximately v = 5K of them actually being vulnerable. If the scanning rate r is 1000 addresses/sec, then the time taken to infect the initial 5K hosts in the hit list will be approximately 0.025 second, which can arguably be ignored compared to the time the worm will take to infect the rest of the vulnerable hosts in the Internet. Thus, to keep the model simple, if the hit list contains v vulnerable hosts, we assume that all v of them are infected at time t = 0.




Figure 4-1. Scan zones for a 0-jump worm over time. Scan zones of active hosts are depicted as arcs on the permutation ring. Uninfected and infected vulnerable hosts are depicted as white and dark dots on the permutation ring, respectively.

Figure 4-2. Classification of vulnerable hosts for a permutation-scanning worm

in Fig. 4-1) of the scan zone. A scan zone may not have a tail (or head) if the active infected host has not hit any vulnerable host


since its last jump, and it may not have any covered area if it does not have at least two infected hosts in it.

Figure 4-3. Class transition diagram of a 0-jump worm. Here, "new" or "old" indicates the event of a new or old infection. Similarly, "ineffective" or "effective" indicates whether the newly infected host, after the random jump, lands inside a covered area or not.

As h scans more and more addresses, the front end advances to expand the scan zone. But when h hits an old infection h_old (which must belong to the scan zone of some active infected host h1), h surrenders its scan zone by merging it into h1's scan zone. Then h jumps to a random location to create its new scan zone afresh, or retires if h_old is the (k+1)th old infection that it hits. Therefore, the back end of a scan zone may also change if the front end of another scan zone catches up with its tail and causes a merge. Merges create larger scan zones. Eventually, all scan zones will be merged into one when all active hosts retire. Only active hosts have scan zones (uninfected or retired hosts do not). We stress that an infected host does not need to know its scan zone; it is an abstract concept used in our mathematical modeling only. The scan zones are shown as arcs on the permutation ring in Fig. 4-1, which also illustrates other concepts to be defined in this section.


Fig. 4-2 shows the containment relationship among different classes.

While other classes are self-explaining, we focus on classifying the active hosts, class a, into subcategories, class x and class y, based on whether an active node's scanning is effective or not, i.e., whether it has the potential to generate new infection before hitting an old one (note that since the size of the ring is finite, every active host will eventually hit an old infection).

We observe that every infected host in the address space belongs to the scan zone of a non-nascent effective host. This is true at the beginning as each of the initially infected hosts belongs to its own scan zone. When a non-effective host h1 infects another host h_new, the address h_new becomes part of h1's scan zone. When h1 retires by hitting h_old (tail of a non-effective host h2's scan zone), h1's scan zone merges with h2's scan zone, and the infections made in h1's scan zone now become part of h2's scan zone. Continuing this way,


Fig. 4-3 gives the class transition diagram for a 0-jump worm. A vulnerable host becomes infected when it is scanned by another infected host. When it jumps, it may be either effective or ineffective, depending on whether it jumps into a covered area or not. An effective host begins as a nascent one and becomes non-nascent once it infects another host. An active host retires upon hitting an old infection. Fig. 4-1 also provides illustration for transitions among different classes.


Table 4-1. Basic notations used for propagation modeling.

v/V: the fraction of vulnerable hosts that are initially infected
u(t): fraction of vulnerable hosts that are uninfected at time t
i(t): fraction of vulnerable hosts that are infected at time t
a(t): fraction of vulnerable hosts that are actively scanning at time t
x(t): fraction of vulnerable hosts that are actively scanning at time t and have a non-zero probability of finding new infections
y(t): fraction of vulnerable hosts that are actively scanning at time t and have a zero probability of finding new infections
ν(t): fraction of vulnerable hosts that are actively scanning at time t with a non-zero probability of finding new infections but are yet to hit any infection (ν stands in for the original symbol, which did not survive extraction)
s(t): fraction of vulnerable hosts that have retired from scanning

The notations are summarized in Table 4-1 for quick reference.

As evident from Table 4-1, we use u(t), i(t), a(t), s(t), x(t), y(t) and ν(t) to denote the fractions of the vulnerable host population that are uninfected, infected, active, retired, effective, ineffective and nascent at time t, respectively. From Fig. 4-2, it is easy to see that u(t) + i(t) = 1, i(t) = a(t) + s(t), and a(t) = x(t) + y(t).

Each scanned address has probability V/N of being a vulnerable host. An active host scans r dt addresses during a dt period. Hence, we have f_hit = r dt V/N. Note that the vulnerable hosts that are hit may include both new and old infections.


f_new(t) = (1 - i(t)) / ((1 - i(t)) + (x(t) - ν(t))), and f_old(t) = 1 - f_new(t) = (x(t) - ν(t)) / ((1 - i(t)) + (x(t) - ν(t))), where ν(t) is the nascent fraction (ν stands in for the original symbol, which did not survive extraction).


Each scan has a V/N probability of hitting a vulnerable host. Hence, the probability for a nascent host to become non-nascent over dt is r dt V/N = f_hit because, as dt approaches zero, the joint probabilities for two or more hits are negligible. This reduces the number of nascent hosts by ν(t) V f_hit. On the other hand, since all new effective hosts created during dt start as nascent, we have x(t) V f_hit f_new(t) f_eff(t) new nascent hosts. Combining these two numbers and representing the gross change in fraction, we have dν(t) = x(t) f_hit f_new(t) f_eff(t) - ν(t) f_hit.


f_old(t) = (x(t) - ν(t)) / (1 - i(t) + x(t) - ν(t))   (4-2)
f_new(t) = (1 - i(t)) / (1 - i(t) + x(t) - ν(t)) = 1 - f_old(t)   (4-3)
(4-4) (4-5) (4-6) (4-7)

The boundary conditions to this set of equations are: i(0) = a(0) = x(0) = v/V, and ν(0) = s(0) = y(0) = 0, where v is the number of vulnerable hosts in the hit list.

Section 4.1.2. The simulator is implemented in C++ with proper encapsulation, i.e., a host object inside the simulator is not aware of the larger picture of the network; instead it can only see its own private variables, including its IP address, the state of its local random-number generator, the last address scanned, and the response to a scan message, i.e., new infection or not. The controller object of the worm simulator performs the initial infection, and does the high-level counting of infected, active and retired hosts at the end of each time tick. Each vulnerable-host object uses the same encryption/decryption key but has a different seed for the random number generator used for calculating the random location from which the host, after being infected, will


begin its scanning. The simulation stops when all infected hosts retire. Fig. 4-4 compares the propagation curves produced by the simulator with those generated by the analytical model for a 0-jump worm; the two sets of curves are nearly indistinguishable.

Figure 4-4. Propagation curves for a 0-jump worm (model vs. simulated). The "Model" curves show the percentages of vulnerable hosts that are infected, active, and retired over time, respectively. These curves for i(t), a(t) and s(t) are numerically computed from the analytical model in (4-1)-(4-11). The "Simulation" curves are plotted using the averaged data collected from the packet-level simulator; the 99% confidence intervals are also plotted for selected data points. As expected, the curves from the model and the curves from the simulator completely overlap, which verifies the correctness of the model.

The simulation parameters are given as follows: The size of the vulnerable population is V = 2^13. The hit list contains v = 100 vulnerable hosts. The size of the address space is N = 2^23; it will take a prohibitively long time if N is chosen to be 2^32. To produce propagation curves in any of the figures in the dissertation, we simulate worm propagation 1000 times under different random seeds, and then take the average. We normalize the time tick to be 1


As shown in Section 4.7, even when the Internet end-to-end delay is larger than the time tick, its impact on worm propagation is still small and quantifiable. We will also address other practical considerations, such as host patch and crash, network congestion and bandwidth variability, in Section 4.7.

[63]. Warhol worms and permutation-scanning k-jump worms with large hit lists share similar propagation characteristics.


Figure 4-5. State diagram of a k-jump worm with k = 2. In the diagram, we assign each active host a layer number, which indicates the number of old infections hit by the host. Once the host hits its (k+1)th old infection, it retires immediately.

For example, the total number of nascent hosts that have hit 2 old infections till time t is denoted by ν_2(t).

Fig. 4-5 shows the state diagram that depicts how an active host moves from one subclass to another until it is retired. Each active host is assigned a layer number, which indicates the number of old infections hit by the host. Active hosts having already hit j old infections are referred to as j-layer hosts. When a j-layer host hits another old infection, it moves to layer j+1, or to the retired class if j = k.

We observe that the quantities f_old(t), f_new(t), f_eff(t) and f_ineff(t) (defined in Section 4.3.2) stay the same for both 0-jump worms and k-jump worms. The analysis that produces the formulas for their calculation can be applied to both 0-jump worms and k-jump worms.

The transitions in Fig. 4-5 between subclasses at different layers are explained below.


as in (4-1)-(4-5). The differential equations for k-jump worms are:
(4-12)
(4-13)
(4-14)


Figure 4-6. Propagation curves for k-jump worms (model vs. simulated). The "Model" curves show the percentages of vulnerable hosts that are infected, active, and retired over time, respectively. These curves for i(t), a(t) and s(t) are numerically computed from the analytical model in (4-12)-(4-20). The "Simulation" curves are plotted using the averaged data collected from the packet-level simulator. As expected, for k = 1, 2, 4, and 8, the curves from the model and the curves from the simulator completely overlap, which verifies the correctness of our model for k-jump worms.

(4-15) (4-16) (4-17) (4-18) (4-19)

The boundary conditions at time t = 0 are i(0) = a(0) = x(0) = x_0(0) = v/V. All the other quantities (s(0), x_1(0) ... x_k(0), ν(0), ν_0(0) ... ν_k(0), y(0), y_0(0) ... y_k(0)) are zero.


Fig. 4-6, using the same experimental setup as described in Section 4.3.4. In all cases, the model and the simulation produce the same propagation curves.

In this section, we reduce (4-1)-(4-11) to three simple differential equations that can be further integrated into the closed-form formulas for the numbers of infected, active and retired hosts over time.

First we establish a functional relation between i(t) and x(t). Recall that i(t) is the fraction of the vulnerable host population that is infected at time t and x(t) is the fraction of the vulnerable host population that is actively scanning and can potentially generate new infections; more precisely, these so-called effective hosts are currently scanning addresses outside of any covered area. By definition, i(t) = x(t) + y(t) + s(t). The infected hosts include effective hosts, ineffective hosts and retired hosts.

We define a current position for each infected host. For an effective or ineffective host, its current position is the address it is scanning. For a retired host, its current position is the address it scanned last before retirement. Interestingly, the current positions of all infected hosts are distributed along the permutation ring uniformly at random. That is because, right after infection, a host jumps to a location that is independently and randomly selected. As long as all infected hosts begin their scanning at independently random locations, their current positions will always be uncorrelated and statistically distributed along the ring uniformly at random.

By definition, the current position of an effective host will be outside of any covered area, and the current position of an ineffective or retired host will be in a covered area. Due to the random distribution of the current positions of all infected hosts, the fraction of infected hosts being effective is equal to the fraction of the permutation ring that is


From Section 4.3.2, we know that f_eff(t) = 1 - f_ineff(t) and f_ineff(t) equals the fraction of the ring that all covered areas together represent. Summarizing the above analysis, we have
(4-21)
By plugging the above equation into (4-1)-(4-11), it can be easily verified that this equation is consistent with the others in the model.

Applying (4-21), (4-1), (4-3) and (4-5) to (4-6), we have the following differential equation.
di(t)/dt = (rV/N) i(t) (1 - i(t))   (4-22)

Applying (4-7) and (4-9) to (4-11), we have da(t) = x(t) f_hit f_new(t) - x(t) f_hit f_old(t) - y(t) f_hit. Applying (4-21), (4-1), (4-3) and (4-5), we have
da(t)/dt = (rV/N) (2 i(t) (1 - i(t)) - a(t))   (4-23)

Because s(t) = i(t) - a(t) by definition, ds(t) follows from (4-22) and (4-23), and we have
ds(t)/dt = (rV/N) (a(t) - i(t) (1 - i(t)))   (4-24)

Let the fraction of the vulnerable host population that is initially infected at time t = 0 be v/V. Integrating (4-22), (4-23) and (4-24), we have the following closed-form solution.


Figure 4-7. Comparison of the infection rates and the total scanning volumes for different k-jump worms. The left plot shows the infection curves, i(t), for a k-jump worm under different k values. The right plot shows the active curves, a(t), for a k-jump worm under different k values. Recall that a(t) is the percentage of vulnerable hosts that are actively scanning at time t. The total amount of scanning traffic, called the scanning volume, is defined as the area under the active curve. From the left plot, we see that the infection speed improves when k increases. However, the rate of improvement diminishes quickly when k is greater than 1. On the other hand, from the right plot, the scanning volume increases significantly when k increases.

Nt Nt Nt1 Nt1++ln(1+erV Nt)+2 Nt Nt2(1) Nt1 Nt1++ln(1+erV Nt)+2


While arguments can be made for doing a scaled-down simulation and then scaling up the results, such simulations are often not fully accurate and suffer from stochastic fluctuations and other problems [75]. Moreover, such simulations cannot predict with confidence what precise effect each worm/network parameter will have on the overall outcome, and for what reason. In comparison, an analytical model can tell exactly why and by how much a parameter will affect the outcome.

f_hit = r dt V/N in (4-1). Since all the incremental terms (such as di(t), da(t) and ds(t)) are direct multiples of f_hit, the first derivatives of the propagation curves for infected, active


Again because the incremental terms (such as di(t), da(t) and ds(t)) are direct multiples of f_hit, the first derivatives of the propagation curves for infected, active and retired hosts are proportional to V. As V increases, a worm propagates proportionally faster. If V is doubled, it takes the worm half the amount of time to infect all vulnerable hosts.

From the infection curve in Fig. 4-4, we see that there is a slow-start phase where i(t) increases slowly before it transitions into a rapid growth phase. A larger hit list will shorten the initial slow-start phase and may significantly reduce the overall propagation time.

Since the incremental terms (such as di(t), da(t) and ds(t)) are direct multiples of f_hit, the first derivatives of the propagation curves for infected, active and retired hosts are inversely proportional to r. Thus, if the scanning rate is doubled, the time it takes a worm to infect the vulnerable host population will be halved.

Fig. 4-7, where the infection speed and the scanning volume of a k-jump worm are presented for different k values. The scanning volume is defined as the total scanning traffic generated by all active hosts since time t = 0. We see that, by increasing k, the slope of the infection curve in the left plot is somewhat steeper, but for k > 1, the incremental gain becomes negligible. On the other hand, with a higher k, the onset of retirement for active hosts happens at an increasingly later time, which means a larger scanning volume, as shown in the right plot. We observe that, for k >= 8, almost all infected hosts are active at the time when all vulnerable hosts have been infected, producing a big network footprint for worm detection. Therefore, it makes little sense to deploy a k-jump worm with a high value of k.


[59]). Congestion also happens naturally in the network without worm activity due to the bandwidth limitation and the demand on the routers. As long as the Internet is able to deliver the low scanning rate of most infected hosts, our model can predict the propagation behavior of low-rate stealthy worms. However, we realize that whatever the reason (processing power of the infected host, available bandwidth for the user, congestion of the network), the final result is that on the Internet scale, different hosts are in effect scanning at different rates. Therefore, if we can somehow extend our model to accommodate variable scanning rates from different hosts, we are effectively capturing the real network situation arising out of the reasons mentioned above. Since our model can handle only a fixed scanning rate, we posited that by using the average scanning rate, our model should still be able to approximate the variable-scanning-rate scenario. With that goal in mind, we simulated two worms, one having a fixed rate, r = 5 per time tick for all infected hosts, and the other having variable rates with a Gaussian distribution and a mean value of 5 per time tick. Fig. 4-8 shows that the infection curves of the two worms


are very close. Similar results are observed for other variable-rate distributions. Therefore, we argue that our model is indeed able to approximate the propagation of worms in real-life scenarios by using the average scanning rate.

Figure 4-8. Comparison of propagation curves for worms with variable-rate and fixed-rate scanning. The simulation parameters used are N = 2^23, V = 2^13 and v = 100. The value of r is a constant 5 scans per time tick for the fixed-rate scanning worm, while the other worm has variable rates with a Gaussian distribution and a mean value of 5 per time tick.

We introduce a few additional terms in our model to account for the removal of hosts. Let p_q denote the probability of a host being removed each time it scans, and q(t) denote the number of vulnerable hosts that are removed from the system by time t. As


With these new terms, we rewrite the propagation equations of a 0-jump worm by considering host removal:
f_old(t) = (x(t) - ν(t)) / (1 - i(t) + x(t) - ν(t))   (4-29)
f_new(t) = (1 - i(t)) / (1 - i(t) + x(t) - ν(t)) = 1 - f_old(t)   (4-30)
(4-31) (4-32) (4-36) (4-37) (4-39) (4-40) (4-41)


Comparison of propagation curves for a 0-jump worm with removal of hosts (due to patching, quarantining, disconnection, crash, etc.). We use the following parameters: N = 2^23, V(0) = 2^13, r = 1 per time tick, and p_q = 0.00005. The result from the model displays a reasonable match to the results from the simulation for up to 90% infection.

The boundary conditions to this set of equations are i(0) = a(0) = x(0) = v/V(0), and ν(0) = s(0) = y(0) = 0.

(4-25) gives an upper bound on the worm's propagation speed.

In case of a new infection using TCP, it takes one round trip to exchange SYN (which is the scan message) and SYN/ACK, and then it takes a number of round trips to transmit ACK and attack packets. For example, if the worm code is 3k long and each TCP segment is 512 bytes, then under TCP's slow start it takes three round trips to complete the infection. The Internet's round-trip delay rarely exceeds one second [16]. Let D be a time period that upper-bounds the delay of most infections. Since worm code is typically short (in order to fit in the call stack without causing the program to crash when a buffer-overflow attack is used), D is expected to be no more than several seconds.


(4-25) shifted to the left by D. Combining both the lower bound and the upper bound, we have the following inequality for the actual value of i(t) after Internet delay is considered. For t >= D,
N(tD) N(tD)i(t)erV Nt Nt(4{42)

If a worm wants to stay undetected, it will choose a low scanning rate for better stealthiness (smaller footprint on the Internet) even when that means lower propagation speed and longer propagation time. Many known worms take hours or tens of minutes to infect the Internet. For these worms, a maximum deviation of several seconds by the model from reality is relatively small with respect to the much longer overall propagation time. Note that our goal here is not to determine the actual value of D. Instead, we argue that the predictive power of our model is relevant in reality when the Internet delay is small compared with the worm propagation time.




Modeling the propagation of Internet worms has been a very interesting and challenging research area [63, 22, 80, 7, 78, 40]. In the past two decades, worms evolved not only in the actions launched upon their victims but also in their propagation strategies. Knowing the propagation strategy of a worm is important because it allows network administrators and researchers to have a bird's-eye view of the dynamics of the worm's spread across the Internet, which in turn helps them understand how fast any defense protocol must react to contain or eradicate the worm.

Random scanning and its variants [66, 13, 54, 69, 27, 21, 46, 70] are the prevalent method of worm propagation on the Internet. The classical epidemic model has long been established as the tool for characterizing the propagation properties of random-scanning worms [63, 22]. Borrowed from epidemiology theory, this model assumes that addresses to be scanned are selected independently at random and that every random address has an equal probability of being vulnerable to the worm. However, these assumptions are not true in reality. We observe that real worms use pseudo-random number generators to decide which addresses to scan. For example, the following recursive formula, x_n = 214013 x_{n-1} + 2531011 mod 2^32, was used by the Slammer [42] and Witty [35] worms to produce addresses (albeit with bugs in implementation and logic). It is a full-cycle linear congruential generator. With an arbitrary seed x_0, it will produce numbers from a deterministic cycle where each possible 32-bit number will appear exactly once. Pseudorandomness, however, breaks the underlying assumptions of the epidemic model. The numbers generated are not independent, and our analysis will show that a portion of the worm's scanning activity has zero probability of discovering any new infection. Moreover, this portion grows over time. It raises a serious question: Is the epidemic model correct for real worms that perform pseudo-random scanning? To answer this question decisively,


Pseudorandomness has another profound impact on worm propagation. Random-scanning worms have a serious weakness: They do not know when the whole address space has been fully scanned (so that they can stop); each address may be scanned again and again. This weakness leads to an unnecessarily high volume of scanning traffic, hurting the stealthiness of the worms. Self-stopping technologies have been investigated for the infected hosts to retire from scanning based on a variety of heuristics [39], among which permutation scanning appears to be the best candidate for ensuring that the whole address space is scanned and all vulnerable hosts are infected before the worm stops scanning [63]. In this work, we observe that pseudorandomness (a natural feature of ordinary random number generators) can also be exploited to enable an orderly retirement of unproductive infected hosts. We show that, with a full-cycle random number generator and a termination condition, all existing random-scanning worms can be easily turned into the new full-cycle worms that will terminate after covering the entire address space. What makes this work unique is that we derive an accurate, closed-form, and easy-to-interpret mathematical model that is the first of its kind to characterize the propagation of a self-stopping worm. The detailed propagation model enables us to gain a number of interesting insights into the full-cycle worms (as well as the permutation worms).

First, to our surprise, pseudorandomness does not slow down a worm's propagation even though it causes a portion of the scanning activity to have zero probability of finding new infection. Using a termination condition to retire unproductive infected hosts from scanning, full-cycle worms are stealthier, and remarkably, they achieve stealthiness for free without any sacrifice in their propagation speed. They share identical infection curves with ideal random-scanning worms.

Second, the total volume of scan traffic by a full-cycle worm is within a factor of 1.5 from the optimal, which is to scan each address once and only once. (In comparison, a


[63]). Hence, even though the total volume of scan traffic is sub-optimal, the maximum instantaneous scan intensity of a full-cycle worm remains 43% that of a classical random-scanning worm. Even though the duration at maximum scan intensity can be very brief, this result still points out a future direction for defense systems to detect stealthy full-cycle worms: by monitoring the dynamics of instantaneous scan intensity.

Third, based on the model, we conclude that the rate-limit techniques [77, 62, 6] designed against random-scanning worms will perform just as well when they are applied against full-cycle worms. However, the defense techniques targeting the scanning volume will be less effective.

Fourth, with a simpler design, we show the functional equivalence of full-cycle worms and permutation worms [63], which means our mathematical model for the former and the insights it brings can also be applied to the latter. This is a significant advance over the prior model of permutation worms [40], which consists of a series of inter-dependent differential equations (without any closed-form solution) that are hard to interpret and gain insight from.

We perform simulations to verify our analytical results. We also investigate the applicability of our model under real-world conditions by considering Internet delay and congestion. We show that the model can serve as a reasonably accurate approximation for the propagation of real worms, particularly the stealthy ones that scan at low rates.

The rest of this chapter is organized as follows. Section 5.1 designs full-cycle worms. Section 5.2 describes the criteria we use to characterize the stealthiness of a worm.


Section 5.3 presents the propagation model for full-cycle worms. Section 5.4 analyzes the stealth properties of full-cycle worms. Section 5.6 draws the conclusion.

[63, 22] because most known Internet worms are thought to perform random scanning (there are exceptions though, like localized subnet scanning, topological scanning, etc.). Before we challenge its randomness assumption, we give a brief review below.

Each host infected by a random-scanning worm scans the Internet by repeatedly picking a random address and probing the address to see if the host on that address is vulnerable to a certain attack. If so, it compromises the host by exploiting the vulnerability. As more hosts are infected, their combined rate of scanning increases until all vulnerable hosts are infected.

Using the same notations described in Table 4-1, the classical model for random-scanning worms can be derived as follows. At time t, the number of infected hosts is i(t)V, and the number of vulnerable but uninfected hosts is (1 - i(t))V. After an infinitesimally small period dt, i(t) changes by di(t). During that time, the number of scan messages made by all infected hosts is

The probability for one scan message to hit an uninfected vulnerable host is
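Carrying the derivation above through to (5-3) with the chapter's notation, as an added worked equation (not the dissertation's own typeset equations; r is the scanning rate of Table 4-1, and the last line is the standard solution of the resulting logistic equation):

$$
\text{scan messages sent in } dt = r\, i(t)\, V\, dt ,
\qquad
P(\text{one scan hits an uninfected vulnerable host}) = \frac{(1 - i(t))\, V}{N} .
$$

$$
V\, di(t) = r\, i(t)\, V\, dt \cdot \frac{(1 - i(t))\, V}{N}
\quad\Longrightarrow\quad
\frac{di(t)}{dt} = \frac{rV}{N}\, i(t)\, (1 - i(t)) .
$$

$$
i(t) = \frac{\tfrac{v}{V}}{\tfrac{v}{V} + \left(1 - \tfrac{v}{V}\right) e^{-rVt/N}}
\qquad \text{with } i(0) = \tfrac{v}{V} .
$$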


di(t)/dt = (rV/N) i(t) (1 - i(t))   (5-3)

Other more sophisticated models take network congestion, the dormant state of infected hosts, and localized scanning strategies into consideration [80, 7]. However, as will be discussed in the next section, localized scanning can make a worm more vulnerable to detection, especially when done from outside.

The epidemic model assumes that random addresses selected by infected hosts are independent of each other. It further assumes that each scan message has an equal probability of finding a new infection. However, real worms use pseudo-random number generators to produce addresses for scanning. These addresses are not truly random; they are related through the formula of the generator. It leads to an interesting consequence: Some scan messages will have zero probability of finding new infection, which we will explain below.

We first review the prevalent mechanism behind the popular random number generators [48, 31]. It generates numbers deterministically from a large cycle of numbers arranged in a pseudo-random order (which is designed to pass most of the statistical tests for randomness). The caller supplies an arbitrary seed, which determines the initial position on the cycle to draw the first number. For subsequent numbers, the generator simply walks (say, clockwise) on the cycle. If the cycle contains one and only one occurrence of each number in the range [0..N), it is called a full-cycle random number generator, where N should be 2^32 to generate IP addresses. One example of a full-cycle generator is x_n = 214013 x_{n-1} + 2531011 mod 2^32, used by Slammer and Witty. Another example is given in Appendix A.


Fig. 5-1, where hosts a and b are infected, a begins its scan at address u, and b begins at address v. They scan the addresses (clockwise along the cycle) that are returned by a random number generator. After a reaches v, since each subsequent address on the cycle has already been scanned by b, host a's scan messages will have zero probability of finding new infection, violating the assumption on which the classical worm model is based.

With a broken assumption, is the epidemic model still right? If the cycle of the random number generator is so huge that the scanning segments of different infected hosts do not overlap (e.g., in Fig. 5-1, if the worm activity dies down before host a reaches v), then Eq. (5-3) remains a valid model for the worms. However, the impact of pseudorandomness becomes significant in modeling when a full-cycle generator of size 2^32 is used. As we will discuss next, future worms will have good reasons to adopt such full-cycle generators (as Slammer did, though with a faulty implementation).

Pseudorandomness not only makes it harder for us to derive the propagation model of Internet worms, but also gives them the potential of being far more efficient than they are today. We show that, using a full-cycle random number generator and a termination condition, all Internet worms that perform random scanning can be easily modified to


solve their weakness. The design is simple: The initially infected hosts that start the worm propagation use their own addresses as the seeds for the full-cycle generator, and each subsequently infected host selects an arbitrary seed. An infected host scans the sequence of addresses produced by the generator. It stops scanning (retires) when it reaches a host that has already been infected. After the infected host stops scanning, it is called a retired host; before that, it is called an active host. These improved worms are called full-cycle worms.

Figure 5-1. Infected hosts scanning during the propagation of a full-cycle worm. Each infected host (a, b) scans a continuous segment of addresses on the cycle. When a's segment reaches b's, the addresses that a will scan have already been covered by b.

The above design is efficient: It allows an infected host to retire when its scanning effort will not find new infection. Refer to Fig. 5-1. After a reaches v, it scans the addresses that have been scanned by b. Even though its effort is no longer productive, a has no way to know until it reaches an infected host c, which will tell a to retire. By retiring at the earliest feasible moment, a avoids sending scan messages to addresses after c. It is easy to see that each infected host will eventually retire because it walks along the cycle and, in the worst case when there is no other infected host, it will come back to itself (and thus know that it should retire).

There are many questions to be answered. How efficient are full-cycle worms exactly? Will they propagate faster or slower than today's random-scanning worms? How hard is it to detect them? More specifically, what is their footprint on the Internet, in terms of the total scan volume and the maximum combined rate of scanning by all active hosts?
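As an added, self-contained model of the generator review and of the full-cycle design above (a constructed example, not the dissertation's C++ simulator): the Slammer/Witty generator with the Hull-Dobell full-period test, and a scaled-down discrete simulation of the retire-on-infected-host rule on a ring of plain integers that compares the simulated infection curve with the classical model (5-3) and reports the gross footprint (total scan messages divided by N). The ring size 2^16, the vulnerable count, the hit-list size and the closed-form solution of (5-3) are assumptions of this example, not values from the text.

```python
"""Full-cycle worm on an abstract address ring: generator check and footprint model.

Constructed, offline example.  Addresses are plain integers on a ring of size N;
nothing is sent anywhere.  N, V and v in run_experiment are assumptions for a fast run.
"""
import math
import random

# Constants of the Slammer/Witty generator x_n = (A * x_{n-1} + C) mod 2^32 quoted in the text.
LCG_A, LCG_C = 214013, 2531011


def lcg_next(x, m):
    """One step of the generator, modulus m (2**32 for IPv4, scaled down here)."""
    return (LCG_A * x + LCG_C) % m


def prime_factors(n):
    """Distinct prime factors of n by trial division."""
    factors, p = set(), 2
    while p * p <= n:
        while n % p == 0:
            factors.add(p)
            n //= p
        p += 1
    if n > 1:
        factors.add(n)
    return factors


def hull_dobell(a, c, m):
    """True iff x -> (a*x + c) mod m visits every residue once per cycle (Hull-Dobell theorem)."""
    if math.gcd(c, m) != 1:
        return False
    if any((a - 1) % p for p in prime_factors(m)):
        return False
    return not (m % 4 == 0 and (a - 1) % 4)


def cycle_length(seed, m):
    """Brute-force period from `seed`; equals m exactly for a full-cycle generator."""
    x, steps = lcg_next(seed, m), 1
    while x != seed:
        x, steps = lcg_next(x, m), steps + 1
    return steps


def simulate_full_cycle_worm(n, vulnerable, hitlist, rate, rng):
    """Discrete-time model of the design above.

    Hit-list hosts seed the generator with their own address; every host infected
    later draws an arbitrary seed.  A host retires the moment it scans an address
    that is already infected.  Returns (infected fraction per tick, total scans).
    """
    infected = set(hitlist)
    state = {h: h for h in hitlist}          # active host -> last address scanned (or seed)
    curve, scans = [len(infected) / len(vulnerable)], 0
    while state:
        for host in list(state):             # hosts infected this tick start on the next one
            for _ in range(rate):
                addr = lcg_next(state[host], n)
                scans += 1
                if addr in infected:         # old infection: unproductive from here on, retire
                    del state[host]
                    break
                state[host] = addr
                if addr in vulnerable:       # new infection
                    infected.add(addr)
                    state[addr] = rng.randrange(n)
        curve.append(len(infected) / len(vulnerable))
    return curve, scans


def single_host_walk(n):
    """Worst case in the text: a lone infected host walks the whole cycle back to itself."""
    _curve, scans = simulate_full_cycle_worm(n, {5}, [5], 1, random.Random(1))
    return scans


def epidemic_model(t, alpha, beta):
    """Closed-form solution of (5-3), di/dt = beta*i*(1-i), with i(0) = alpha and beta = rV/N."""
    return alpha / (alpha + (1.0 - alpha) * math.exp(-beta * t))


def run_experiment(n=2**16, v_total=1024, v_hit=32, rate=1, runs=3, seed=7):
    """Average a few runs: simulated i(t) at the model's half-infection time vs (5-3),
    and the gross footprint (total scan messages / N; 1.0 would be one scan per address)."""
    rng = random.Random(seed)
    alpha, beta = v_hit / v_total, rate * v_total / n
    t_half = round(math.log((1 - alpha) / alpha) / beta)   # (5-3) reaches i = 0.5 here
    sim_half = footprint = 0.0
    for _ in range(runs):
        vulnerable = set(rng.sample(range(n), v_total))    # random placement on the cycle
        hitlist = rng.sample(sorted(vulnerable), v_hit)
        curve, scans = simulate_full_cycle_worm(n, vulnerable, hitlist, rate, rng)
        sim_half += curve[min(t_half, len(curve) - 1)] / runs
        footprint += scans / n / runs
    return {"t_half": t_half, "model_half": epidemic_model(t_half, alpha, beta),
            "sim_half": sim_half, "footprint_ratio": footprint}


if __name__ == "__main__":
    print("Hull-Dobell, m=2^32:", hull_dobell(LCG_A, LCG_C, 2**32))
    print("brute-force period, m=2^12:", cycle_length(0, 2**12))
    print(run_experiment())
```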


[13] in 2003 caused widespread network congestion across Asia, Europe and the Americas. Its aggressiveness produced headline news, but was not instrumental to its own survival as enormous resources were committed immediately to clean up the worm. The potential harm that a worm can do is decided not by the headlines it generates, but by its longevity. A slow-spreading worm that takes a month to silently infect the Internet and stays undetected for a year can do much more harm than a worm that infects the Internet in a day but is wiped out in the next few days. For a malicious worm, generally speaking, stealth is more important than propagation speed. Hence, a worm may artificially configure its scanning rate to a certain low value in order to evade detection.

Propagation speed can be measured based on the infection curve i(t). Stealthiness of a worm can be measured based on the impact of its scanning traffic on the Internet. Three metrics are gross footprint, maximum instantaneous footprint, and footprint concentration, which capture the total amount, the temporal intensity, and the spatial intensity of the scanning traffic, respectively.
... [63] may be used to increase the value of v. These infected hosts are randomly located in the full cycle, where the addresses in [0..2^32 − 1] are arranged in a pseudo-random order. Assume they begin from their own locations (using their locations as seeds) and scan along the full cycle. There are (V − v) vulnerable hosts randomly placed in the full cycle. Other than the v initially infected ones, the probability for an arbitrary address to be vulnerable is
$$ \frac{V - v}{N - v} \qquad (5\text{-}4) $$
It is true that the vulnerable hosts are not distributed uniformly at random in the IPv4 address ring. But we are working on the pseudo-random full cycle of addresses, on which the vulnerable hosts are randomly distributed.
Figure 5-2. Different stages of an infected host for a full-cycle worm. An active host a is either effective or ineffective. It retires when reaching an infected host.

By time t, the combined scanning effort of all infected hosts has discovered and then infected i(t)V − v vulnerable hosts. Due to the random placement of vulnerable hosts, the same proportion of the (N − v) addresses (which exclude the v initially infected ones) is expected to have been scanned in order to discover those hosts. Hence, the fraction f(t) of the full cycle that has been scanned by time t is
$$ f(t) = \frac{\frac{i(t)V - v}{V - v}\,(N - v) + v}{N} \qquad (5\text{-}5) $$
Here we treat the initially infected hosts as having been scanned.

As illustrated in Fig. 5-2, when an active host a is scanning addresses that have not been scanned yet (such as [u, v]), it is called an effective host. When a is scanning addresses that have already been scanned (such as [v, c]), it is called an ineffective host. An ineffective host becomes a retired host once it hits an infected host (c in this example). Let x(t) be the fraction of vulnerable hosts that are effective at time t. Note that the definition of effective hosts here is slightly different from that in the modeling of permutation-scanning worms. For permutation-scanning worms, a host is ineffective if its starting scanning address falls within a covered area. For full-cycle worms, a host is ineffective if the address it is scanning has been scanned before.

Because there are x(t)V effective hosts at time t, all addresses that have been scanned by them form x(t)V non-overlapping segments. For example, in Fig. 5-3, b and c
Figure 5-3. Classification of active hosts for a full-cycle worm. Hosts b and c are effective, whereas host a is ineffective because it is scanning addresses that have been scanned by b. There are two non-overlapping segments, [u, w] and [y, z].

are effective hosts, and there are two non-overlapping segments. Host a is ineffective; its segment is merged with b's into a single bigger segment [u, w]. The combined size of all non-overlapping segments is f(t)N. Excluding the starting address, all other addresses of a segment form the interior of the segment. For example, the interior of [u, w] is (u, w]. The combined size of the interiors of all segments is f(t)N − x(t)V.

Whenever the first address scanned by an infected host falls in the interior of a segment, an effective host must have turned ineffective. For example, in Fig. 5-3, as host a's segment merges with host b's segment into a single non-overlapping one [u, w], the first address scanned by b, which is v, becomes an address in the interior of segment [u, w], and at the same time one effective host (a in this example) becomes ineffective.

Now, because the first addresses scanned by the i(t)V infected hosts are randomly placed in the full cycle, the chance for each of them to be in the interior of some non-overlapping segment is (f(t)N − x(t)V)/N, which is the fraction of the full cycle that the interiors of all non-overlapping segments occupy. The number of infected hosts that have turned ineffective is (i(t) − x(t))V. Hence, we have
$$ (i(t) - x(t))V = \frac{f(t)N - x(t)V}{N}\, i(t)V \quad\Longrightarrow\quad x(t) = \frac{(1 - f(t))N}{N - i(t)V}\, i(t) \qquad (5\text{-}6) $$
The number of scan messages sent by effective hosts during dt is
$$ n'(t) = x(t)Vr\,dt = \frac{(1 - f(t))N}{N - i(t)V}\, i(t)Vr\,dt \qquad (5\text{-}7) $$
Each scan message extends a segment by one additional address. There are two possibilities for this address. Case 1: it is located in the gap between two non-overlapping segments; Case 2: it is not located in a gap, i.e., it is the first address of the next segment on the cycle. The combined size of all gaps between non-overlapping segments is (1 − f(t))N, and we know that the number of non-overlapping segments is x(t)V. The probability for Case 1 is
$$ \frac{(1 - f(t))N}{(1 - f(t))N + x(t)V} = \frac{N - i(t)V}{N}, $$
where the equality follows from (5-6); in this case the address is vulnerable with the probability given in (5-4). The probability for Case 2 is
$$ \frac{x(t)V}{(1 - f(t))N + x(t)V} = \frac{i(t)V}{N}, $$
and in this case the address has already been scanned, so no new infection results.

Combining the above analysis, the probability for a scan message from an effective host to make a new infection is
$$ p'(t) = \frac{V - v}{N - v}\cdot\frac{N - i(t)V}{N} \qquad (5\text{-}8) $$
Applying (5-7), (5-8) and (5-5) to the equation $V\,di(t) = n'(t)\,p'(t)$, the factor $N - i(t)V$ cancels and, since by (5-5) $1 - f(t) = \frac{N - v}{N}\cdot\frac{(1 - i(t))V}{V - v}$, the factors $N - v$ and $V - v$ cancel as well, leaving
$$ di(t) = \frac{rV}{N}\, i(t)(1 - i(t))\,dt, \qquad\text{i.e.}\qquad \frac{di(t)}{dt} = \frac{rV}{N}\, i(t)(1 - i(t)) \qquad (5\text{-}9) $$
It is the same as (5-3), the propagation model for ideal random-scanning worms! Because the propagation of all these worms responds to a change in r in the same way, rate-limit techniques [77, 6] that were designed to slow down random-scanning worms
[62] based on the worm's scanning rate will work equally well for full-cycle worms.

Solving the equation, we have
$$ i(t) = \frac{e^{\frac{rV}{N}(t - t_0)}}{1 + e^{\frac{rV}{N}(t - t_0)}} \qquad (5\text{-}10) $$
Since i(0) = v/V, applying it to (5-10), we have $t_0 = -\frac{N}{rV}\ln\frac{v}{V - v}$. Eq. (5-10) can be written as
$$ i(t) = \frac{e^{\frac{rV}{N}\left(t + \frac{N}{rV}\ln\frac{v}{V - v}\right)}}{1 + e^{\frac{rV}{N}\left(t + \frac{N}{rV}\ln\frac{v}{V - v}\right)}} \qquad (5\text{-}11) $$
From (5-11), the time it takes for a fraction α (≥ v/V) of all vulnerable hosts to be infected is
$$ t = \frac{N}{rV}\left(\ln\frac{\alpha}{1 - \alpha} - \ln\frac{v}{V - v}\right) \qquad (5\text{-}12) $$
The instantaneous increase in the number of infections, V di(t), is the product of two factors: the number of scan messages during dt and the probability for each scan message to generate a new infection, where the former is n(t) defined in (5-1) for random-scanning worms and n'(t) defined in (5-7) for full-cycle worms, while the latter is p(t) defined in (5-2) for random-scanning worms and p'(t) defined in (5-8) for full-cycle worms.

On one hand, by allowing more and more infected hosts to retire, full-cycle worms achieve stealth at the expense of fewer scan messages, which can be seen by comparing (5-7) and (5-1). This has a negative impact on their propagation speed.

On the other hand, random-scanning worms send scan messages to arbitrary addresses, including those that have already been scanned, which leads to a lower probability
Figure 5-4. Comparison of infection curves between random-scanning, permutation-scanning and full-cycle worms. The "Model" curve is computed from (5-11). The other three curves are plotted using data collected from packet-level simulation programs that simulate the worm's actual scanning behavior. The curves for the "Random Scanning" worm, the "Full Cycle" worm and the "Permutation" worm (to be discussed in Section 5.3.4) are the average of 1,000 simulation runs. The 99% confidence interval for the "Full Cycle" curve is plotted; the confidence intervals for "Random Scanning" and "Permutation" are comparable. All four curves in the figure completely overlap. We stress that data points calculated from (5-11) agree with data points independently collected from the programs.

for each scan message to find a new infection. Full-cycle worms send scan messages mostly to addresses that have not been scanned, which means a higher probability of finding new infections. This is evident by comparing (5-8) and (5-2), and it has a positive impact on the propagation speed of full-cycle worms.

Based on our mathematical calculation, interestingly, the negative impact and the positive impact exactly cancel each other out. Consequently, these worms all have the same propagation model. In Fig. 5-4, our simulations confirm that full-cycle worms propagate at the same speed as ideal random-scanning worms. The simulation parameters are as follows: the size of the vulnerable population is V = 2^13. The size of the address space is N = 2^23 (it would take a prohibitively long time if N were chosen to be 2^32). To produce an
... 4.3.4 [63] maps the IP address space to a permuted space by an encryption algorithm. The corresponding decryption algorithm maps the permuted space back to the original IP space. Starting from a random location, each infected host scans continuous addresses in the permuted space. A permuted address is first decrypted to an address in the IP space, to which the scan packet is actually sent.

Full-cycle worms are functionally equivalent to the permutation worm in the sense that they permute the IP address space directly via the random number generator (which is needed in most known worms anyway), instead of using encryption. Such equivalence is confirmed by our simulation (Fig. 5-4). Essentially it means that all existing random-scanning worms can easily be modified to be as powerful as permutation worms, simply by using a full-cycle random number generator and incorporating a termination condition. Moreover, they have the advantage of avoiding the need to carry a decryption routine, which would increase the length of the worm code substantially and make it more susceptible to detection [67].

When an active host of a full-cycle worm scans an already infected host, instead of letting it retire immediately, we may modify the worm and allow the host to jump to a new random location in the cycle for its new scan target and resume its scanning from there. The host retires after a certain number of jumps. We performed simulations to evaluate how jumps affect propagation speed and scanning traffic volume. Our simulation results are identical to the results shown in Fig. 4-7 for the permutation worm, which shows that ...
The results will help us assess the stealthiness of full-cycle worms. For example, we learn that irrespective of v, the maximum instantaneous footprint of these worms, which is the largest instantaneous scanning rate by all infected hosts (i.e., $\max_t\{a(t)Vr\}$), is about 43% of the value for random-scanning worms. We also learn that the gross footprint of full-cycle worms is within a factor of 1.5 of the optimal.

Applying (5-5) and (5-10) to (5-6), we have the closed-form solution for x(t).
$$ x(t) = \left(1 - \frac{\frac{i(t)V - v}{V - v}(N - v) + v}{N}\right)\frac{N}{N - i(t)V}\cdot\frac{e^{\frac{rV}{N}\left(t + \frac{N}{rV}\ln\frac{v}{V - v}\right)}}{1 + e^{\frac{rV}{N}\left(t + \frac{N}{rV}\ln\frac{v}{V - v}\right)}} \qquad (5\text{-}13) $$
Recall that the number of effective hosts is x(t)V. Eq. (5-13) is hard to interpret. We perform an approximation below. Suppose v ≪ V (and obviously, v ≪ N). Eq. (5-5) can be simplified to
$$ f(t) \approx i(t) \qquad (5\text{-}14) $$
Applying it to (5-6), we have
$$ x(t) \approx \frac{(1 - i(t))N}{N - i(t)V}\, i(t). \qquad (5\text{-}15) $$
Suppose V ≪ N, which is likely to hold as the number of hosts vulnerable to a particular worm normally accounts for a small portion of the whole Internet address space. The above equation can be further simplified to
$$ x(t) \approx i(t)(1 - i(t)) \qquad (5\text{-}16) $$
Figure 5-5. Simulation results on full-cycle worm propagation.

It follows that
$$ \max_t x(t) \approx \frac{1}{4} \qquad (5\text{-}17) $$
The maximum value of x(t) is reached at approximately the time when i(t) = 1 − i(t) = 1/2, namely, when half of the vulnerable hosts are infected, which is confirmed by our simulation results in Fig. 5-5 (see Section 5.3.3 for the simulation setup). By (5-12), that time is
$$ t = \frac{N}{rV}\bigl(\ln(V - v) - \ln v\bigr) \approx \frac{N\ln V}{rV} \qquad (5\text{-}18) $$

The closed form of i(t) is given in (5-11). Below we obtain the closed-form solution for a(t), the fraction of vulnerable hosts that are active. Once a(t) is known, by i(t) = a(t) + s(t), where s(t) is the fraction that has retired, we also get the closed-form solution for s(t).

Throughout this and the next subsection, we use the notation β = v/V = i(0) = a(0), the fraction of the vulnerable host population already infected at time 0. Using this in (5-11), we can rewrite the closed form for i(t) as
$$ i(t) = \frac{\beta\, e^{\frac{rV}{N}t}}{1 - \beta + \beta\, e^{\frac{rV}{N}t}} \qquad (5\text{-}19) $$
Since there is a V/N chance of hitting a vulnerable host for each scan message, in time dt the expected number of hits on vulnerable hosts, including both previously uninfected and previously infected ones, is $a(t)Vr\,dt\cdot\frac{V}{N}$. When an active host hits a previously uninfected host, it adds to the overall infection count i(t). Since i(t) changes by di(t) within time dt, the total number of hits on previously uninfected vulnerable hosts must be $V\,di(t)$. On the other hand, when an active host hits an already infected host, it retires and thereby adds to the s(t) count. Since s(t) changes by ds(t) within time dt, the total number of hits on previously infected vulnerable hosts must be $V\,ds(t)$. Thus we get $a(t)Vr\,dt\cdot\frac{V}{N}$ = total number of hits = $V\,di(t) + V\,ds(t)$. In other words, $ds(t) = a(t)\,r\,dt\cdot\frac{V}{N} - di(t)$. Since $da(t) = di(t) - ds(t)$, we also get $da(t) = 2\,di(t) - a(t)\,r\,dt\cdot\frac{V}{N}$. Plugging back $di(t) = r\,dt\cdot\frac{V}{N}\, i(t)(1 - i(t))$, we get the final propagation equations:
$$ \frac{di(t)}{dt} = \frac{rV}{N}\, i(t)(1 - i(t)) \qquad (5\text{-}20) $$
$$ \frac{da(t)}{dt} = \frac{rV}{N}\bigl(2\, i(t)(1 - i(t)) - a(t)\bigr) \qquad (5\text{-}21) $$
$$ \frac{ds(t)}{dt} = \frac{rV}{N}\bigl(a(t) - i(t)(1 - i(t))\bigr) \qquad (5\text{-}22) $$
Applying (5-19) to (5-21), we have
$$ \frac{da(t)}{dt} = \frac{rV}{N}\left(\frac{2\beta(1 - \beta)\, e^{\frac{rV}{N}t}}{\bigl(1 - \beta + \beta\, e^{\frac{rV}{N}t}\bigr)^2} - a(t)\right) \qquad (5\text{-}23) $$
Solving the above equation for a(t) using the boundary condition a(0) = β, and based on i(t) = a(t) + s(t), we have the following closed forms for the infected, active and retired
fractions, with $k = rV/N$:
$$ i(t) = \frac{\beta\, e^{kt}}{1 - \beta + \beta\, e^{kt}} \qquad (5\text{-}24) $$
$$ a(t) = e^{-kt}\left[\beta + \frac{2(1 - \beta)}{\beta}\left(\ln\bigl(1 - \beta + \beta\, e^{kt}\bigr) + \frac{1 - \beta}{1 - \beta + \beta\, e^{kt}} - (1 - \beta)\right)\right] \qquad (5\text{-}25) $$
$$ s(t) = i(t) - a(t) \qquad (5\text{-}26) $$
We observe that the differential equations (5-20) through (5-22) are the same as equations (4-22) through (4-24), respectively. Therefore, it comes as no surprise that the closed-form solutions (5-24) through (5-26) are the same as equations (4-25) through (4-27), respectively.

Setting the right-hand side of (5-21) to zero, we have, at the time t where the maximum of a(t) is attained,
$$ \max_t a(t) = 2\, i(t)(1 - i(t)) \qquad (5\text{-}27) $$
Applying (4-25), we have
$$ \max_t a(t) = \frac{2\beta(1 - \beta)\, e^{\frac{rV}{N}t}}{\bigl(1 - \beta + \beta\, e^{\frac{rV}{N}t}\bigr)^2} \qquad (5\text{-}28) $$
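The closed form (5-25) for a(t) can be checked by carrying (5-23) through with an integrating factor. The derivation below is a worked addition to this page, not part of the dissertation's text; it uses only the symbols defined above and abbreviates $k = rV/N$, $\tau = kt$ and $w(\tau) = 1 - \beta + \beta e^{\tau}$, so that by (5-19) $i(1 - i) = \beta(1 - \beta)e^{\tau}/w^2$.

Multiplying (5-21) by $e^{\tau}$ turns it into an exact derivative:
$$ \frac{d}{d\tau}\bigl(a\, e^{\tau}\bigr) = e^{\tau}\left(\frac{da}{d\tau} + a\right) = 2\beta(1 - \beta)\,\frac{e^{2\tau}}{w^2}. $$
Substituting $u = e^{\tau}$ (so $du = u\,d\tau$) and then $w = 1 - \beta + \beta u$ (so $dw = \beta\,du$ and $u = (w - (1 - \beta))/\beta$):
$$ \int 2\beta(1 - \beta)\,\frac{u}{w^2}\,du = \frac{2(1 - \beta)}{\beta}\int\left(\frac{1}{w} - \frac{1 - \beta}{w^2}\right)dw = \frac{2(1 - \beta)}{\beta}\left(\ln w + \frac{1 - \beta}{w}\right). $$
Evaluating between $\tau = 0$, where $w = 1$ and $a = \beta$, and $\tau$ gives
$$ a(\tau) = e^{-\tau}\left[\beta + \frac{2(1 - \beta)}{\beta}\left(\ln w(\tau) + \frac{1 - \beta}{w(\tau)} - (1 - \beta)\right)\right], $$
which is (5-25). Two checks against the equations above: at $\tau = 0$ the derivative is $\beta(1 - 2\beta) = 2\beta(1 - \beta) - \beta$, as (5-21) requires with $i(0) = a(0) = \beta$; and as $\tau \to \infty$, $a(\tau) \sim 2(1 - \beta)\,\tau e^{-\tau}/\beta \to 0$, i.e. every host eventually retires, as argued for the design.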
Using (4-26), we observe that at the time t where the maximum value of a(t) is reached, the following is true, where $R = 1 - \beta$ and $Y = \beta\, e^{\frac{rV}{N}t}$ for simplification:
$$ \max_t a(t) = \frac{2RY}{(R + Y)^2} = \frac{\beta^2}{Y} + \frac{2R}{Y}\left(\ln(R + Y) + \frac{R}{R + Y} - R\right). $$
Let $g = Y/R = \frac{\beta}{1 - \beta}\, e^{\frac{rV}{N}t}$. Multiplying both sides by $Y/(2R) = g/2$ and using $\ln(R + Y) = \ln R + \ln(1 + g)$ gives
$$ \frac{g^2}{(1 + g)^2} = \frac{1}{1 + g} + \ln(1 + g) + \ln R - R + \frac{\beta^2}{2R} = \frac{1}{1 + g} + \ln(1 + g) - 1 + \Phi(\beta) \qquad (5\text{-}29) $$
where $\Phi(\beta) = \beta + \ln(1 - \beta) + \frac{\beta^2}{2(1 - \beta)}$. If Φ(β) in (5-29) were a constant, then it would be seen immediately that only a constant value of g can satisfy that equation. In that case,
$$ \max_t a(t) = \frac{2g}{(1 + g)^2}. $$

Table 5-1. Effect of hit list size on the scanning peak.

    β (= v/V)    Φ(β)        g           max_t a(t)
    0.01%        0.000000    2.162580    43.2%
    0.1%         0.000000    2.162580    43.2%
    1%           0.000000    2.162580    43.2%
    2%           0.000001    2.162570    43.2%
    5%           0.000022    2.162300    43.2%
    10%          0.000195    2.160130    43.2%
    20%          0.001856    2.139130    43.4%
    30%          0.007611    2.064960    43.9%
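Table 5-1 can be regenerated from (5-29) and the closed form (5-25). The Python below is an added example for this page, not the dissertation's own computation: it solves (5-29) for g by bisection, evaluates the peak 2g/(1+g)^2 and the time at which it occurs, and cross-checks the closed-form a(t) against a direct numerical integration of (5-20) and (5-21). The bracket [1, 10] for the root and the step count of the integrator are assumptions.

```python
import math


def phi(beta):
    """Phi(beta) = beta + ln(1 - beta) + beta^2 / (2(1 - beta)) from eq. (5-29),
    with beta = v/V; it is Theta(beta^3), hence ~0 for small hit lists."""
    return beta + math.log(1.0 - beta) + beta * beta / (2.0 * (1.0 - beta))


def peak_balance(g, beta):
    """Left minus right side of eq. (5-29); zero at the g = Y/R of the peak."""
    return g * g / (1 + g) ** 2 - 1.0 / (1 + g) - math.log(1 + g) + 1.0 - phi(beta)


def solve_g(beta, lo=1.0, hi=10.0):
    """Bisection for the root of peak_balance on [lo, hi].  The derivative of
    the g-dependent part is g(1-g)/(1+g)^3, so it decreases for g > 1 and the
    bracket holds exactly one root; the equation's other root lies below
    beta/(1-beta), i.e. before t = 0, and is not a scanning peak.  Valid for
    beta < 1/2 (at beta = 1/2 the peak is already at t = 0)."""
    assert 0.0 < beta < 0.5
    assert peak_balance(lo, beta) > 0.0 > peak_balance(hi, beta)
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if peak_balance(mid, beta) > 0.0:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def peak_active(beta):
    """(max_t a(t), tau*) with tau* = rV t*/N the peak time, from
    g = beta e^tau / (1 - beta) and max_t a(t) = 2g / (1 + g)^2."""
    g = solve_g(beta)
    return 2.0 * g / (1 + g) ** 2, math.log(g * (1.0 - beta) / beta)


def a_closed(tau, beta):
    """Closed-form active fraction, eq. (5-25), in tau = rV t/N."""
    w = 1.0 - beta + beta * math.exp(tau)
    return math.exp(-tau) * (beta + 2.0 * (1.0 - beta) / beta *
                             (math.log(w) + (1.0 - beta) / w - (1.0 - beta)))


def a_numeric(tau, beta, steps=20000):
    """Midpoint-rule integration of eqs. (5-20)/(5-21) from (i, a) = (beta, beta),
    as an independent check of a_closed."""
    h = tau / steps
    i, a = beta, beta
    for _ in range(steps):
        di1, da1 = i * (1 - i), 2 * i * (1 - i) - a
        im, am = i + 0.5 * h * di1, a + 0.5 * h * da1
        di2, da2 = im * (1 - im), 2 * im * (1 - im) - am
        i, a = i + h * di2, a + h * da2
    return a


def table_5_1(betas=(0.0001, 0.001, 0.01, 0.02, 0.05, 0.1, 0.2, 0.3)):
    """Rows (beta, Phi(beta), g, max_t a(t)) in the layout of Table 5-1."""
    return [(b, phi(b), solve_g(b), peak_active(b)[0]) for b in betas]


if __name__ == "__main__":
    for b, p, g, peak in table_5_1():
        print(f"{100 * b:6.2f}%  {p:.6f}  {g:.6f}  {100 * peak:.1f}%")
```

The root near g = 2.16 is the one that matters: the second solution of (5-29) for small Φ(β) sits below β/(1 − β), which is g at t = 0, so it never corresponds to a time in the outbreak. The value a_closed(tau*) coincides with 2g/(1+g)^2 exactly, which is (5-27) evaluated at the peak, and a_numeric confirms that (5-25) really solves (5-21).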
Figure 5-6. Propagation patterns for the full-cycle worm with different β. In all cases, the peak scanning volume is reached when around 43% of the vulnerable population are actively scanning. Also, in all cases, the results from our worm simulator match the results from the model with amazing precision (the two sets of curves cannot be distinguished unless viewed at a very high magnification, around 64X).

In all cases Φ(β) is almost 0, which is understandable since Φ(β) = Θ(β³). Therefore, we can say that for reasonable values of the initially infected host ratio β, the peak of a(t) is reached at around 43%. We verify this fact by both simulation and model output in Figure 5-6.

... (3/2)N. Hence, each address is scanned 1.5 ...
We show that the scanning strategy used by the full-cycle worm meets all three of the criteria above. First, we observe that it has the same infection speed as the random-scanning worm. However, for a random-scanning worm, all the infected hosts are scanning at the same time, which means that the infection curve and the active curve are one and the same. On the other hand, for a full-cycle worm, irrespective of the hit list size, the active curve reaches a scanning peak at around 43% of the vulnerable population size and then drops towards zero. In comparison with the random-scanning worm, this ensures a much smaller network footprint, which has been estimated as (3/2)N. While a ...
Our study undertook three important problems: worm detection, worm propagation modeling, and worm design. First, we devised a fast and reliable detection mechanism for ASCII worms and verified its efficiency through experiments. We also derived the statistical model of the maximum executable length (MEL) scheme underlying our detection mechanism, which serves as the foundation of not only our detection mechanism but also several other similar MEL-based detection mechanisms that set the MEL threshold experimentally. Our mathematical model also established the relation between the MEL threshold and the false positive error probability, which means our analysis makes it possible to tune the detection sensitivity of any MEL-based scheme.

We also derived the propagation model for the permutation-scanning worm, and through extensive simulations have shown that the analytical model is accurate. We extended our model to permutation-scanning worms employing multiple jumps, and obtained a perfect match between the output of the mathematical model and the worm simulations.

Finally, we examined the role of pseudo-randomness in the propagation of worms that use a random number generator and discovered flaws in the derivation of the classical epidemic model, which until now has served as the universally accepted model for the propagation of random-scanning worms. At the same time, we also discovered that this pseudo-randomness can be exploited in our favor. By using a specific pseudo-random number generator and incorporating a termination criterion, we showed that existing random-scanning worms can be made significantly stealthier without losing any infection speed, thereby making this particular scanning strategy a very efficient one.

Overall, our work focused on highlighting the damage potential of worms, and showed novel ways to detect them. It also provided an accurate analytical propagation model ...
[1] The Metasploit Project. Online text.

[2] P. Akritidis, E. P. Markatos, M. Polychronakis, and K. Anagnostakis. STRIDE: Polymorphic Sled Detection through Instruction Sequence Analysis. In Proc. of the 20th IFIP International Information Security Conference, May 2005.

[3] Aleph One. Smashing the Stack for Fun and Profit. Phrack, 7(49), November 1996.

[4] S. Bhatkar, R. Sekar, and D. C. DuVarney. Efficient Techniques for Comprehensive Protection from Memory Error Exploits. In Proc. of the 14th USENIX Security Symposium, July 2005.

[5] ByteEnable. Linux Kernel Now With AMD64 x86 NX (No eXecute) Bit Support. Online text.

[6] S. Chen and Y. Tang. Slowing Down Internet Worms. In Proc. of the 24th International Conference on Distributed Computing Systems (ICDCS'04), Tokyo, Japan, March 2004.

[7] Z. Chen, L. Gao, and K. Kwiat. Modeling the Spread of Active Worms. In Proc. of the 22nd Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM'03), pages 1890-1900, San Francisco, California, USA, March 2003.

[8] Z. Chen and C. Ji. Measuring Network-Aware Worm Spreading Ability. In Proc. of the 26th Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM'07), May 2007.

[9] R. Chinchani and E. V. D. Berg. A Fast Static Analysis Approach to Detect Exploit Code Inside Network Flows. In Proc. of the 8th International Symposium on Recent Advances in Intrusion Detection (RAID'05), September 2005.

[10] Computer Emergency Response Team. CERT Advisory CA-2000-04 Love Letter Worm. Online text.

[11] Computer Emergency Response Team. CERT Advisory CA-2001-26 Nimda Worm. Online text.

[12] Computer Emergency Response Team. CERT Advisory CA-1999-04 Melissa Macro Virus. Online text.
[13] Computer Emergency Response Team. CERT Advisory CA-2001-04: MS-SQL Server Worm. Online text.

[14] Computer Emergency Response Team. CERT Incident Note IN-2003-03 W32/Sobig.F Worm. Online text.

[15] Computer Emergency Response Team. Technical Cyber Security Alert TA04-028A W32/MyDoom.B Virus. Online text.

[16] A. Corlett, D. I. Pullin, and S. Sargood. Statistics of One-Way Internet Packet Delays. In Proc. of IETF 2002, March 2002.

[17] M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham. Vigilante: End-to-end Containment of Internet Worms. In Proc. of the 20th ACM SOSP, October 2005.

[18] C. Cowan, S. Beattie, J. Johansen, and P. Wagle. PointGuard: Protecting Pointers from Buffer Overflow Vulnerabilities. In Proc. of the 12th USENIX Security Symposium (SSYM'03), pages 91-104, Berkeley, California, USA, 2003. USENIX Association.

[19] C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, and H. Hinton. StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. In Proc. of the 7th USENIX Security Conference (Security'98), pages 63-78, January 1998.

[20] J. R. Crandall, S. F. Wu, and F. T. Chong. Experiences Using Minos as a Tool for Capturing and Analyzing Novel Worms for Unknown Vulnerabilities. In Proc. of Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), July 2005.

[21] D. Knowles and F. Perriott, Symantec Security Response. W32.Blaster.Worm. Online text.

[22] D. Moore, C. Shannon, and K. Claffy. Code-Red: A Case Study on the Spread and Victims of an Internet Worm. In Proc. of the 2nd Internet Measurement Workshop (IMW'02), November 2002.

[23] P. J. Denning. Computers under Attack: Intruders, Worms, and Viruses. ACM Press, New York, NY, USA, 1990.
[24] T. Detristan, T. Ulenspiegel, Y. Malcom, and M. S. V. Underduk. Polymorphic Shellcode Engine using Spectrum Analysis. Phrack, 11(61), August 2003.

[25] Y. Dong and K. David. Reliable Return Address Stack: Microarchitectural Features to Defeat Stack Smashing. In Proc. of ACM SIGARCH Computer Architecture News, volume 33-1, pages 73-80, March 2005.

[26] R. Eller. Bypassing MSB Data Filters for Buffer Overflow Exploits on Intel Platforms. Online text.

[27] F. Perriot, Symantec Security Response. W32.Welchia.Worm. Online text.

[28] J. C. Frauenthal. Mathematical Modeling in Epidemiology. Springer-Verlag, New York, 1980.

[29] J. Jung, V. Paxson, A. W. Berger, and H. Balakrishnan. Fast Portscan Detection Using Sequential Hypothesis Testing. In Proc. of the IEEE Symposium on Security and Privacy 2004, pages 211-225, May 2004.

[30] H. Kim and B. Karp. Autograph: Toward Automated, Distributed Worm Signature Detection. In Proc. of the 13th USENIX Security Symposium (Security'04), pages 271-286, San Diego, California, USA, August 2004.

[31] D. E. Knuth. The Art of Computer Programming, volume 2. Addison-Wesley, third edition, 1997.

[32] O. Kolesnikov and W. Lee. Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic. Technical report, College of Computing, Georgia Institute of Technology, 2004.

[33] C. Kreibich and J. Crowcroft. Honeycomb: Creating Intrusion Detection Signatures using Honeypots. In Proc. of the 2nd Workshop on Hot Topics in Networks (HotNets-II), Cambridge, Massachusetts, USA, November 2003.

[34] C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna. Polymorphic Worm Detection Using Structural Information of Executables. In Proc. of the 8th International Symposium on Recent Advances in Intrusion Detection (RAID'05), September 2005.

[35] A. Kumar, V. Paxson, and N. Weaver. Exploiting Underlying Structure for Detailed Reconstruction of an Internet-scale Event. In Proc. of the Internet Measurement Conference, October 2005.

[36] Kaspersky Lab. Virus Encyclopedia. Online text.
[37] Z. Li, M. Sanghi, Y. Chen, M. Kao, and B. Chavez. Hamsa: Fast Signature Generation for Zero-day Polymorphic Worms with Provable Attack Resilience. In Proc. of the IEEE Symposium on Security and Privacy, May 2006.

[38] Z. Li, L. Wang, Y. Chen, and Z. Fu. Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms. In Proc. of the 15th IEEE International Conference on Network Protocols (ICNP), October 2007.

[39] J. Ma, G. M. Voelker, and S. Savage. Self-Stopping Worms. In Proc. of the 2005 ACM Workshop on Rapid Malcode (WORM'05), pages 12-21, New York, NY, USA, November 2005. ACM.

[40] P. K. Manna, S. Chen, and S. Ranka. Exact Modeling of Propagation for Permutation-Scanning Worms. In Proc. of the 27th Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM'08), April 2008.

[41] P. K. Manna, S. Ranka, and S. Chen. DAWN: A Novel Strategy for Detecting ASCII Worms in Networks. In Proc. of the 27th Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM'08) mini-conference, April 2008.

[42] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver. Inside the Slammer Worm. IEEE Security and Privacy, 1(4):33-39, July 2003.

[43] D. Moore, C. Shannon, G. M. Voelker, and S. Savage. Internet Quarantine: Requirements for Containing Self-Propagating Code. In Proc. of the 22nd Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM'03), pages 1901-1910, San Francisco, California, USA, March 2003.

[44] J. Newsome, B. Karp, and D. Song. Polygraph: Automatic Signature Generation for Polymorphic Worms. In Proc. of the IEEE Security and Privacy Symposium, Oakland, California, USA, May 2005.

[45] Oxford University Press. FAQ: AskOxford. Online text.

[46] P. Szor, Symantec Security Response. FreeBSD.Scalper.Worm. Online text.

[47] K. Park, H. Kim, B. Bethala, and A. Selcuk. Scalable Protection against DDoS and Worm Attacks. DARPA ATO FTN, Technical Report AFRL-IF-RS-TR-2004-100, Dept. of Computer Science, Purdue University, 2004.

[48] S. K. Park and K. W. Miller. Random Number Generators: Good Ones Are Hard to Find. Communications of the ACM, 31(10), March 1988.
[49] Y. J. Park and G. Lee. Repairing Return Address Stack for Buffer Overflow Protection. In Proc. of ACM Frontiers of Computing, pages 335-342, April 2004.

[50] A. Pasupulati, J. Coit, K. Levitt, and F. Wu. Buttercup: On Network-based Detection of Polymorphic Buffer Overflow Vulnerabilities. In Proc. of the IEEE/IFIP Network Operation and Management Symposium, May 2004.

[51] M. Polychronakis, K. G. Anagnostakis, and E. P. Markatos. Network-Level Polymorphic Shellcode Detection Using Emulation. In Proc. of the GI/IEEE SIGSIDAR Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), pages 54-73. Springer, 2006.

[52] Charles Price. MIPS IV Instruction Set, Revision 3.2. Online text.

[53] X. Qin, D. Dagon, G. Gu, and W. Lee. Worm Detection Using Local Networks. In Proc. of the 20th Annual Computer Security Applications Conf. (ACSAC 2004), December 2004.

[54] R. X. Wang, Symantec Security Response. W32.Zotob.A. Online text.

[55] J. C. Rabek, R. I. Khazan, S. M. Lewandowski, and R. K. Cunningham. Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code. In Proc. of the 2003 ACM Workshop on Rapid Malcode, October 2003.

[56] RIX. Writing IA32 Alphanumeric Shellcodes. Phrack, 11(57), November 2001.

[57] J. A. Rochlis and M. W. Eichin. With Microscope and Tweezers: The Worm from MIT's Perspective. Commun. ACM, 32(6):689-698, 1989.

[58] S. Schechter, J. Jung, and A. W. Berger. Fast Detection of Scanning Worm Infections. In Proc. of the 7th International Symposium on Recent Advances in Intrusion Detection (RAID'04), Sophia Antipolis, French Riviera, France, September 2004.

[59] E. E. Schultz. Where Have the Worms and Viruses Gone? New Trends in Malware. Computer Fraud & Security, 2006(7):4-8, August 2006.

[60] SecurityFocus. A Zero-day Worm in IE. Online text.

[61] S. Singh, C. Estan, G. Varghese, and S. Savage. The EarlyBird System for Real-time Detection of Unknown Worms. In Proc. of the 6th ACM/USENIX Symposium on
[62] S. Staniford. Containment of Scanning Worms in Enterprise Networks. Journal of Computer Security, 2004.

[63] S. Staniford, V. Paxson, and N. Weaver. How to 0wn the Internet in Your Spare Time. In Proc. of the 11th USENIX Security Symposium (Security'02), San Francisco, California, USA, August 2002.

[64] Symantec Enterprise Security. Symantec Internet Security Threat Report, Trends for July-December 07. Online text.

[65] Y. Tang and S. Chen. Defending against Internet Worms: A Signature-Based Approach. In Proc. of the 24th Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM'05), March 2005.

[66] Computer Emergency Response Team. CERT Advisory CA-2001-23 Continued Threat of the "Code Red" Worm. Online text.

[67] T. Toth and C. Kruegel. Accurate Buffer Overflow Detection via Abstract Payload Execution. In Proc. of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID'02), October 2002.

[68] J. Twycross and M. M. Williamson. Implementing and Testing a Virus Throttle. In Proc. of the 12th USENIX Security Symposium (Security'03), pages 285-294, Washington D.C., USA, August 2003.

[69] Y. Ukai and D. Soeder. Analysis: Sasser Worm. Online text.

[70] M. Vojnovic, V. Gupta, T. Karagiannis, and C. Gkantsidis. Sampling Strategies for Epidemic-Style Information Dissemination. In Proc. of the 27th Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM'08), April 2008.

[71] H. J. Wang, C. Guo, D. R. Simon, and A. Zugenmaier. Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits. In Proc. of the 2004 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM'04), pages 193-204, Portland, Oregon, USA, August 2004. ACM Press.
[72] K. Wang and S. Stolfo. Anomalous Payload-based Network Intrusion Detection. In Proc. of the 7th International Symposium on Recent Advances in Intrusion Detection (RAID'04), September 2004.

[73] X. Wang, C. Pan, P. P. Liu, and S. Zhu. A Signature-free Buffer Overflow Attack Blocker. In Proc. of the 15th USENIX Security Symposium, July 2006.

[74] D. L. Weaver and T. Germond, editors. SPARC Architecture Manual v9. PTR Prentice Hall, A Paramount Communications Company, Englewood Cliffs, New Jersey 07632, USA, 1992.

[75] N. Weaver, I. Hamadeh, G. Kesidis, and V. Paxson. Preliminary Results Using Scale-down to Explore Worm Dynamics. In Proc. of the 2004 ACM Workshop on Rapid Malcode (WORM'04), pages 65-72, Washington DC, USA, March 2004. ACM Press.

[76] N. Weaver, S. Staniford, and V. Paxson. Very Fast Containment of Scanning Worms. In Proc. of the 13th USENIX Security Symposium (Security'04), pages 29-44, San Diego, California, USA, August 2004.

[77] M. M. Williamson. Throttling Viruses: Restricting Propagation to Defeat Malicious Mobile Code. In Proc. of the 18th Annual Computer Security Applications Conference (ACSAC'02), pages 61-68, Las Vegas, Nevada, USA, December 2002.

[78] G. Yan and S. Eidenbenz. Modeling Propagation Dynamics of Bluetooth Worms. In Proc. of ICDCS'07, June 2007.

[79] A. Zeichick. Security Ahoy! Flying the NX Flag on Windows and AMD64 To Stop Attacks. AMD Developer Central, March 2005.

[80] C. C. Zou, W. Gong, and D. Towsley. Code Red Worm Propagation Modeling and Analysis. In Proc. of the 9th ACM Conference on Computer and Communications Security (CCS'02), pages 138-147, Washington, DC, USA, November 2002. ACM Press.
Parbati received his B.Tech degree from the Indian Institute of Technology, Kharagpur in 1997. He obtained his M.S. in computer and information science and engineering from the University of Florida in 2007, after which he continued pursuing his Ph.D. at the same university. Between 1997 and 2002, he worked at the renowned Indian software company Infosys Technologies Ltd. He held the prestigious NTSE (National Talent Search Examination) scholarship and a Merit Scholarship endowed by the Government of India. His research areas include malware propagation and detection, designing the malware of the future, and intrusion detection.