Self-Disciplinary Worms and Countermeasures: Modeling and Analysis

  title={Self-Disciplinary Worms and Countermeasures: Modeling and Analysis},
  author={Wei Yu and Nan Zhang and Xinwen Fu and Wei Zhao},
  journal={IEEE Transactions on Parallel and Distributed Systems},
  • Wei Yu, Nan Zhang, Wei Zhao
  • Published 1 October 2010
  • Computer Science
  • IEEE Transactions on Parallel and Distributed Systems
In this paper, we address issues related to the modeling, analysis, and countermeasures of worm attacks on the Internet. Most previous work assumed that a worm always propagates itself at the highest possible speed. Some newly developed worms (e.g., “Atak” worm) contradict this assumption by deliberately reducing the propagation speed in order to avoid detection. As such, we study a new class of worms, referred to as self-disciplinary worms. These worms adapt their propagation patterns in order… 

Figures and Tables from this paper

Exploring Worm Behaviors using DTW
A dynamic host--based worm categorization approach to segregate worms that indicates that worm samples constitute different behavior according to their infection and anti--detection vectors is proposed.
Computer Network Worms Propagation and its Defence Mechanisms: A Survey
The classification of worms is surveyed and several existing defence mechanism and metrics to detect those worm attacks in the network are surveyed.
A stochastic worm model
A (stochastic) continuous-time Markov chain model for characterizing the propagation of Internet worms is presented and the underlying similarity and relationship between uniform scanning and local preference scanning worms is revealed.
Game theory and network security: Economic incentives and barriers
A game theoretic scenario to study the strategic behavior of two Internet Service Providers who have to decide whether to invest in deploying security technologies that detect and prevent malicious cyber-attacks and the need for government regulations and incentives in order to better guide the role of ISPs in enhancing the global security of the Internet.
Modeling and analysis of gradual hybrid anti-worm
Simulation experiments show that GHAW has dynamical adaptability to changes of network conditions and offers the same level of effectiveness on confronting internet worms as the divide-and-rule hybrid anti-worm, with significantly less cost to network resources.
Detection of traditional and new types of Malware using Host-based detection scheme
Many traditional and new types of worms including c- worms also-worms stands for camouflaging worms because of its nature of self propagating and hiding nature are discussed.
Analysis of Signature-Based and Behavior-Based Anti-Malware Approaches
This paper studies and analyzes Signature-based approach and behavior-based technique that applied dynamic approach to determine the best and optimal anti-malware approach.
The Spatial–Temporal Perspective: The Study of the Propagation of Modern Social Worms
A novel social worm simulation model is presented, which adopts “social network-based sharing” and “sorting and attenuation” methods, and the results show that the model is more suitable for modeling the complicated propagation behaviors of modern social worms in hierarchical networks.
Security and Discoverability of Spread Dynamics in Cyber-Physical Networks
This paper builds on the proposed framework to put forth concrete definitions for security and discoverability, for a class of models that can represent dynamics of numerous cyber-physical networks of interest: namely, dynamical network spread models.


Worm propagation modeling and analysis under dynamic quarantine defense
The analysis shows that the dynamic quarantine can reduce a worm's propagation speed, which can give precious time to fight against a worm before it is too late, and will raise aworm's epidemic threshold, thus it will reduce the chance for a worm to spread out.
Understanding Divide-Conquer-Scanning Worms
It is found that if vulnerable hosts follow a non-uniform distribution such as the Witty-worm victim distribution, divide-conquer scanning can spread a worm much faster than random scanning.
Modeling the spread of active worms
  • Zesheng ChenLixin GaoK. Kwiat
  • Computer Science
    IEEE INFOCOM 2003. Twenty-second Annual Joint Conference of the IEEE Computer and Communications Societies (IEEE Cat. No.03CH37428)
  • 2003
This paper presents a mathematical model, referred to as the Analytical Active Worm Propagation (AAWP) model, which characterizes the propagation of worms that employ random scanning, and extends the AAWP model to understand the spread ofworms that employ local subnet scanning.
Worm origin identification using random moonwalks
We propose a novel technique that can determine both the host responsible for originating a propagating worm attack and the set of attack flows that make up the initial stages of the attack tree via
Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks
This paper presents an approach to (distributed) DoS attack prevention that is based on the observation that coordinated automated activity by many hosts needs a mechanism to remotely control them and shows that this method can be realized in the Internet by describing how it infiltrated and tracked IRC-based botnets.
Worm detection, early warning and response based on local victim information
A simple two-phase local worm victim detection algorithm, DSC (Destination-Source Correlation), is proposed based on worm behavior in terms of both infection pattern and scanning pattern, which can detect zero-day scanning worms with a high detection rate and very low false positive rate.
Code-Red: a case study on the spread and victims of an internet worm
The experience of the Code-Red worm demonstrates that wide-spread vulnerabilities in Internet hosts can be exploited quickly and dramatically, and that techniques other than host patching are required to mitigate Internet worms.
The monitoring and early detection of Internet worms
This paper presents an Internet worm monitoring system, and presents a "trend detection" methodology to detect a worm at its early propagation stage by using Kalman filter estimation, which is robust to background noise in the monitored data.
Distributed Evasive Scan Techniques and Countermeasures
Scan detection and suppression methods are an important means for preventing the disclosure of network information to attackers. However, despite the importance of limiting the information obtained
An Effective Architecture and Algorithm for Detecting Worms with Various Scan
This paper analyzes various scan techniques and proposes and evaluates an algorithm to detect the spread of worms using real time traces and simulations and finds that the solution can detect worm activities when only 4% of the vulnerable machines are infected.