Title

Characterizing and Defending Against Divide-Conquer-Scanning Worms

Document Type

Article

Publication Date

2010

Publication Source

Computer Networks

Volume

54

Issue

18

Inclusive pages

3210-3222

DOI

http://dx.doi.org/10.1016/j.comnet.2010.06.010

Publisher

Elsevier BV * North-Holland

Place of Publication

Netherlands

ISBN/ISSN

1389-1286

Peer Reviewed

yes

Abstract

Internet worms are a significant security threat. Divide-conquer scanning is a simple yet effective technique that can potentially be exploited for future Internet epidemics. Therefore, it is imperative that defenders understand the characteristics of divide-conquer-scanning worms and study the effective countermeasures. In this work, we first examine the divide-conquer-scanning worm and its potential to spread faster and stealthier than a traditional random-scanning worm. We then characterize the relationship between the propagation speed of divide-conquer-scanning worms and the distribution of vulnerable hosts through mathematical analysis and simulations. Specifically, we find that if vulnerable hosts follow a non-uniform distribution such as the Witty-worm victim distribution, divide-conquer scanning can spread a worm much faster than random scanning. We also empirically study the effect of important parameters on the spread of divide-conquer-scanning worms and a worm variant that can potentially enhance the infection ability at the late stage of worm propagation. Furthermore, to counteract such attacks, we discuss the weaknesses of divide-conquer scanning and study two defense mechanisms: infected-host removal and active honeynets. We find that although the infected-host removal strategy can greatly reduce the number of final infected hosts, active honeynets (especially uniformly distributed active honeynets) are more practical and effective to defend against divide-conquer-scanning worms.

Keywords

Security; Worm attacks; Divide-conquer scanning; Modeling; Simulations; Defense

Disciplines

Engineering

This document is currently not available here.
