Presentation is loading. Please wait.

Presentation is loading. Please wait.

Exact Propagation Modeling of Permutation-Scanning Worms Parbati Kumar Manna Dr. Shigang Chen Dr. Sanjay Ranka University of Florida.

Published byRonald Davidson Modified over 9 years ago

Similar presentations

Presentation on theme: "Exact Propagation Modeling of Permutation-Scanning Worms Parbati Kumar Manna Dr. Shigang Chen Dr. Sanjay Ranka University of Florida."— Presentation transcript:

1 Exact Propagation Modeling of Permutation-Scanning Worms Parbati Kumar Manna Dr. Shigang Chen Dr. Sanjay Ranka University of Florida

2 2 Internet Worm Huge damage potential Propagation is automatic (mostly) Characterized by its behavior at  Host Level  How it compromises the host  What it does on the compromised host  Network Level  How it covers the whole of the target population

3 3 Motivation for Hacker Achieve desirable goals of scanning  Infection speed  Stealth  Fault tolerance Bad Good Time  V = size of Vulnerable host population % V # Infected = # active + # retired

4 4 Random-Scanning (RCS) Worm  Wastes scanning power  No idea about when to stop  Easy to detect Simple Divide scheme  Not fault tolerant  Unequal load Optimal Scanning Strategy 1,100 61,100 21,60 91,100 51,5556,60 98,100 20 50 80 8594 81,90 86,87

5 5 Random divide scheme  Fault tolerant  Starting point of scan is random  Sequential scan - easy to detect Permutation-Scanning scheme  Fault tolerant, Stealthy, Fast Optimal Scanning Strategy

6 6 Permutation-Scanning Randomizes the real address space into a Permutation Ring Each freshly infected host starts scanning from a random location Retires upon hitting an already infected host Real address space Permutation ring new host jumps about to infect active retired Gets infected, jumps

7 7 Why Model? Simulation takes long time  16 hrs / run for 400M hosts Simulation overhead could be prohibitively high  Impossible to scan full IPv6 Simulation does not always provide mathematical insight

8 8 Find # (active hosts) scanning – effectively (X) – ineffectively (Y) Among the scans from the effective hosts (X), calculate how many are hitting uninfected hosts. Find how many X and Y hosts hit a pre-infected host (and retire). Solution Outline X1X1 X2X2 Y covered area

9 9 Vulnerable Host Classification

10 10 State Diagram

11 11 Interaction among Infected Hosts while scanning

12 12 Final Propagation Model for Permutation Worm Y X X  (effective) (ineffective) Fraction (covered area)

13 13 Final Propagation Model for Permutation Worm infected Retired Active

14 14 Closed-Form Solution infected Active Retired Same as Random Scanning worm

15 15 Model Vs. Simulation N = 2 23 V = 2 13 hitlist size = 100

16 16 Extending Model to k-jump Permutation-Scanning Worm Instead of retiring, jump another time and restart scanning Will retire only after hitting more than k old infections Higher infection speed and network footprint

17 17 State Diagram for k-jump Permutation-Scanning Worm

18 18 Propagation Model for k-jump Permutation Worm Similar equations for d  ( t ), dy(t)

19 19 Propagation Results for k-jump permutation worm N=2 23 V=2 13 v =100

20 20 Designing Fault-Tolerant, Fast, yet Stealthy Worm Convert the existing RCS worm –Use a full-period PRNG –Impart a termination condition of retiring only after hitting its first old infection Same infection speed, less network footprint

21 21 Scanning Peak Independent of the Hitlist Size

22 22 Contributions Obtained propagation model for Permutation-Scanning worms Extended modeling for multiple-jump Obtained the effect of various worm/network parameters:  Bigger hitlist (v)  Larger V (more vulnerable computers)  Bigger N (IPv4  IPv6)  Increased k (more jumps allowed)

23 23 Questions

24 24 Thank you

Download ppt "Exact Propagation Modeling of Permutation-Scanning Worms Parbati Kumar Manna Dr. Shigang Chen Dr. Sanjay Ranka University of Florida."

Similar presentations

Fast Worm Propagation In IPv6 Networks Malware Project Presentation Jing Yang

Fast Worm Propagation In IPv6 Networks Malware Project Presentation Jing Yang
Modeling Malware Spreading Dynamics Michele Garetto (Politecnico di Torino – Italy) Weibo Gong (University of Massachusetts – Amherst – MA) Don Towsley.

Modeling Malware Spreading Dynamics Michele Garetto (Politecnico di Torino – Italy) Weibo Gong (University of Massachusetts – Amherst – MA) Don Towsley.
1 Routing Worm: A Fast, Selective Attack Worm based on IP Address Information Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai Univ. Massachusetts, Amherst.

1 Routing Worm: A Fast, Selective Attack Worm based on IP Address Information Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai Univ. Massachusetts, Amherst.
Parallel Programming Laboratory1 Fault Tolerance in Charm++ Sayantan Chakravorty.

Parallel Programming Laboratory1 Fault Tolerance in Charm++ Sayantan Chakravorty.
Analysis of frequency counts with Chi square

Analysis of frequency counts with Chi square
Technical Advisor : Mr. Roni Stern Academic Advisor : Dr. Meir Kalech Team members :  Amit Ofer  Liron Katav Project Homepage :

Technical Advisor : Mr. Roni Stern Academic Advisor : Dr. Meir Kalech Team members :  Amit Ofer  Liron Katav Project Homepage :
 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.

 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.
CSC1016 Coursework Clarification Derek Mortimer March 2010.

CSC1016 Coursework Clarification Derek Mortimer March 2010.
Modeling the spread of active worms Zesheng Chen, Lixin Gao, and Kevin Kwiat bearhsu - INFOCOM 2003.

Modeling the spread of active worms Zesheng Chen, Lixin Gao, and Kevin Kwiat bearhsu - INFOCOM 2003.
Mobility Improves Coverage of Sensor Networks Benyuan Liu*, Peter Brass, Olivier Dousse, Philippe Nain, Don Towsley * Department of Computer Science University.

Mobility Improves Coverage of Sensor Networks Benyuan Liu*, Peter Brass, Olivier Dousse, Philippe Nain, Don Towsley * Department of Computer Science University.
The Phoenix Recovery System: Rebuilding from the ashes of an Internet catastrophe Flavio Junqueira, Ranjita Bhagwan, Keith Marzullo, Stefan Savage, and.

The Phoenix Recovery System: Rebuilding from the ashes of an Internet catastrophe Flavio Junqueira, Ranjita Bhagwan, Keith Marzullo, Stefan Savage, and.
Sérgio Pequito Phd Student

Sérgio Pequito Phd Student
SAVE: Source Address Validity Enforcement Protocol Jun Li, Jelena Mirković, Mengqiu Wang, Peter Reiher and Lixia Zhang UCLA Computer Science Dept 10/04/2001.

SAVE: Source Address Validity Enforcement Protocol Jun Li, Jelena Mirković, Mengqiu Wang, Peter Reiher and Lixia Zhang UCLA Computer Science Dept 10/04/2001.
Fault-tolerant Adaptive Divisible Load Scheduling Xuan Lin, Sumanth J. V. Acknowledge: a few slides of DLT are from Thomas Robertazzi ’ s presentation.

Fault-tolerant Adaptive Divisible Load Scheduling Xuan Lin, Sumanth J. V. Acknowledge: a few slides of DLT are from Thomas Robertazzi ’ s presentation.
Analyzing Cooperative Containment Of Fast Scanning Worms Jayanthkumar Kannan Joint work with Lakshminarayanan Subramanian, Ion Stoica, Randy Katz.

Analyzing Cooperative Containment Of Fast Scanning Worms Jayanthkumar Kannan Joint work with Lakshminarayanan Subramanian, Ion Stoica, Randy Katz.
Jan 6-10th, 2007VLSI Design 20071 A Reduced Complexity Algorithm for Minimizing N-Detect Tests Kalyana R. Kantipudi Vishwani D. Agrawal Department of Electrical.

Jan 6-10th, 2007VLSI Design A Reduced Complexity Algorithm for Minimizing N-Detect Tests Kalyana R. Kantipudi Vishwani D. Agrawal Department of Electrical.
Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005 Shimin Chen LBA Reading Group.

Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005 Shimin Chen LBA Reading Group.
Modeling/Detecting the Spread of Active Worms Lixin Gao Dept. Of Electrical & Computer Engineering Univ. of Massachusetts

Modeling/Detecting the Spread of Active Worms Lixin Gao Dept. Of Electrical & Computer Engineering Univ. of Massachusetts
How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Similar presentations

Ads by Google