
Deterministic and stochastic models for the detection of random constant scanning worms

Published: 28 April 2008

Abstract

This article discusses modeling and detection properties associated with the stochastic behavior of Random Constant Scanning (RCS) worms. Although these worms propagate by randomly scanning network addresses to find hosts that are susceptible to infection, traditional RCS worm models are fundamentally deterministic. A density-dependent Markov jump process model for RCS worms is presented and analyzed herein. Conditions are shown for when some stochastic properties of RCS worm propagation can be ignored and when deterministic RCS worm models can be used. A computationally simple hybrid deterministic/stochastic point-process model for locally observed scanning behavior due to the global propagation of an RCS worm epidemic is presented. An optimal hypothesis-testing approach is presented to detect epidemics of these worms under idealized conditions, based on the cumulative sums of log-likelihood ratios using the hybrid RCS worm model. This article shows, in a mathematically rigorous fashion, why detection techniques that are based only on passively monitoring local IP addresses cannot quickly detect the global propagation of an RCS worm epidemic with a low false alarm rate, even under idealized conditions.
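
The following Python program is an added illustration of the ingredients the abstract names; it is not code from the article or its authors. It assumes one concrete reading of the hybrid model: the global epidemic follows the deterministic logistic (Kermack-McKendrick SI) solution, and a monitor covering w of the omega network addresses sees scans as a Poisson process whose intensity is a constructed background-radiation rate lam0 plus beta*I(t)*w/omega (beta scans per second per infected host, n vulnerable hosts). The detector is Page's CUSUM of per-interval log-likelihood ratios against a fixed alternative rate; the function names and every parameter value (n, beta, w, lam0, the threshold h) are assumptions chosen for illustration, not values from the paper. The result reports how far the global epidemic had already progressed when the local alarm fired, which is the quantity the abstract's final claim is about.

```python
"""Added example (not the paper's code): hybrid RCS worm model + Poisson CUSUM.

Global epidemic: deterministic logistic (SI) model dI/dt = beta*I*(n-I)/omega.
Local observation: scans arriving at a monitored block of w addresses form a
Poisson process with intensity lam0 (background radiation) plus beta*I(t)*w/omega.
Detector: Page's CUSUM of per-interval log-likelihood ratios, H0 rate lam0 vs
H1 rate lam1.  Every parameter value here is constructed for illustration.
"""
import math
import random


def infected_deterministic(t, n, i0, beta, omega):
    """Closed-form solution of the logistic model: infected hosts at time t (s)."""
    r = beta * n / omega  # early exponential growth rate
    return n / (1.0 + (n / i0 - 1.0) * math.exp(-r * t))


def time_to_fraction(f, n, i0, beta, omega):
    """Time (s) at which the deterministic model has infected fraction f of n."""
    r = beta * n / omega
    return math.log((n / i0 - 1.0) * f / (1.0 - f)) / r


def local_scan_rate(t, n, i0, beta, omega, lam0, w):
    """Scans/s seen by a monitor covering w of the omega addresses at time t."""
    return lam0 + beta * infected_deterministic(t, n, i0, beta, omega) * w / omega


def sample_poisson(rng, lam):
    """Poisson sample: Knuth's method for small means, normal approx. for large."""
    if lam > 50.0:
        return max(0, int(round(rng.gauss(lam, math.sqrt(lam)))))
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def poisson_cusum(counts, lam0, lam1, dt, h):
    """CUSUM over Poisson counts per interval of length dt.

    Per-interval log-likelihood ratio of H1 (rate lam1) against H0 (rate lam0)
    is x*ln(lam1/lam0) - (lam1-lam0)*dt.  Returns (index of the first crossing
    of threshold h, or None; statistic trajectory up to that point).
    """
    if lam1 <= lam0:
        raise ValueError("alternative rate must exceed the null rate")
    log_ratio = math.log(lam1 / lam0)
    stat, trajectory = 0.0, []
    for k, x in enumerate(counts):
        llr = x * log_ratio - (lam1 - lam0) * dt
        stat = max(0.0, stat + llr)  # Page's recursion: reset at zero
        trajectory.append(stat)
        if stat >= h:
            return k, trajectory
    return None, trajectory


def run_detection(seed=1, n=100_000, i0=1, beta=1000.0, omega=2**32,
                  w=2**16, lam0=0.5, dt=1.0, horizon=800.0, h=8.0):
    """Simulate one epidemic as seen from a /16 monitor and run the detector.

    Returns None if no alarm fired before the horizon, otherwise the alarm time
    and how far the global epidemic had already progressed at that moment.
    """
    rng = random.Random(seed)
    lam1 = 2.0 * lam0  # constructed alternative: background rate doubled
    counts = []
    for k in range(int(horizon / dt)):
        rate = local_scan_rate(k * dt, n, i0, beta, omega, lam0, w)
        counts.append(sample_poisson(rng, rate * dt))
    alarm, _ = poisson_cusum(counts, lam0, lam1, dt, h)
    if alarm is None:
        return None
    t_alarm = alarm * dt
    infected = infected_deterministic(t_alarm, n, i0, beta, omega)
    return {
        "alarm_time_s": t_alarm,
        "infected_at_alarm": infected,
        "fraction_at_alarm": infected / n,
        "time_to_half_s": time_to_fraction(0.5, n, i0, beta, omega),
    }


if __name__ == "__main__":
    print(run_detection())
```

Substituting the deterministic trajectory for the global epidemic is exactly the simplification the abstract says is justified only under conditions the article derives; the example takes it as given. Lowering h shortens the delay but, as a CUSUM run on a background-only count sequence will show, raises the false alarm rate, which is the trade-off the abstract's last sentence describes.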



Published In

ACM Transactions on Modeling and Computer Simulation, Volume 18, Issue 2
April 2008
97 pages
ISSN:1049-3301
EISSN:1558-1195
DOI:10.1145/1346325
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 28 April 2008
Accepted: 01 May 2007
Revised: 01 December 2006
Received: 01 April 2006
Published in TOMACS Volume 18, Issue 2


Author Tags

  1. worms
  2. epidemic modeling
  3. hypothesis testing
  4. stochastic analysis

Qualifiers

  • Research-article
  • Research
  • Refereed

