
Self-Stopping Worms

Self-Stopping Worms. Justin Ma, Geoffrey M. Voelker, and Stefan Savage. Presented by Khanh Nguyen. Self-stopping worms are another type of spreading worm. The goal is to infect as many hosts as possible until the worm reaches a target population, then stop.


Presentation Transcript


  1. Self-Stopping Worms. Justin Ma, Geoffrey M. Voelker, and Stefan Savage. Presented by Khanh Nguyen

  2. Self-Stopping Worms • Another type of spreading worm • The goal is to infect as many hosts as possible until it reaches a target population, then stop. • This would make it harder to identify the presence of infected hosts. • PROBLEM: how do these independent worms know when to stop?

  3. Overview • Self-Stopping Worms Algorithms • Random Scanning Strategy • Permutation Scanning Strategy • Evaluation

  4. Self-Stopping Worms Algorithms (Random Scanning) • Greedy: An infected node infects as many hosts as possible without stopping • Blind-k: An infected node deactivates with probability 1/k at the end of each timestep • Non-Exchange, Non-Estimating Strategies • Based on the distributed systems literature • dI/dt = (γ/A)(N - I)a and da/dt = (γ/A)(N - I)a - (1/k)a • a(I) = I + (1/k)(A/γ) log(1 - I/N); e.g., A = 2^32, N = 2^17, γ = 4,000 results in 97.8% infected • PROBLEM: A, N, and γ must be known prior to infection to get a good k value

  5. Self-Stopping Worms Algo. (cont.) (Random Scanning) • Stop-k: Stop with probability 1/k after a redundant hit. • Infection-status feedback • da/dt = (γ/A)(N - I)a - (1/k)(γI/A)a • a(I) = ((k+1)/k) I + (N/k) log(1 - I/N). E.g., k = 3, N = 2^17: infected population = 98% • Tree: Stop after infecting k new hits on vulnerable

  6. Self-Stopping Worms Algo. (cont.) (Random Scanning) • Sum-Count: • An infected host keeps 2 counters: H, the number of vulnerable hosts it has contacted, and S, the number of scans it has produced. • N_est = H·A/S

  7. Self-Stopping Algorithms (cont.) (Random Scanning) • Bitmap: • Uses 2 bitmaps, each with a size of A bits • Bit_v records the vulnerable hosts it has attempted to infect. • Bit_s records the hosts it has scanned. • N_est = bitsset(Bit_v) · A / bitsset(Bit_s) • Disadvantage: large amount of memory required

  8. Self-Stopping Algorithms (cont.) (Random Scanning) • Sum-Count-X: Operates like Sum-Count, except that when node A contacts node B, they combine their counters: H_A + H_B and S_A + S_B • Bitmap-X: Operates like Bitmap, except that when node A contacts node B, they combine their bitmaps: Bits_{v,A} ∪ Bits_{v,B} and Bits_{s,A} ∪ Bits_{s,B}

  9. Self-Stopping Worms Algo. (cont.) (Permutation Scanning) • Greedy Permutation: If the host achieves a redundant hit, it randomly chooses a new seed and continues. • Stop-k Permutation: Same as Stop-k • Sum-Count-X Permutation: Same as Sum-Count-X, except with the reseed-upon-redundant-hit policy • Partitioned Permutation: Similar to divide and conquer. A host gives up half of its unscanned space to the newly infected descendant. It stops when reaching its interval (found a redundant hit)

  10. Self-stopping Worms Summary

  11. Evaluation • Basic Heuristics • Blind-k (k = 32), Stop-k (k = 3) and Tree (k = 50) • A = 2^32, N = 2^17, γ = 4,000 • Would infect about 98% of the vulnerable hosts • Dynamic Heuristics • Sum-Count and Sum-Count-X • Compared against Greedy, Blind-32, and the ideal heuristics: Know-NI, Know-N, and Know-I

  12. Basic Heuristics

  13. Dynamic Heuristics

  14. Scan Rates

  15. Important-Scanning Worm

  16. IANA Assignments

  17. Web Servers Distribution

  18. CodeRed With IS

  19. Slammer With IS
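
The closed forms on slides 4 and 5 can be checked numerically: spreading ends when the active population a(I) falls back to zero, so the final infected fraction is the nonzero root of a(I) = 0. The following is an added example, not code from the slides or the paper; the function names are hypothetical, log is taken as the natural logarithm, and the symbol meanings in the comments are this example's reading of the slides.

```python
import math

# Parameters from slides 4 and 11 (symbol meanings are this example's reading):
A = 2**32      # size of the scanned address space
N = 2**17      # vulnerable population
GAMMA = 4000   # scan rate of one infected host


def blind_k_active(x, k):
    """a(I)/N for Blind-k at infected fraction x = I/N (slide 4 formula)."""
    return x + (A / (k * GAMMA * N)) * math.log1p(-x)


def stop_k_active(x, k):
    """a(I)/N for Stop-k at infected fraction x = I/N (slide 5 formula)."""
    return (k + 1) / k * x + math.log1p(-x) / k


def final_fraction(active, k, tol=1e-12):
    """Infected fraction at which the active population falls back to zero.

    Both curves are concave with a(0) = 0, so there is at most one root in
    (0, 1); bisection finds it once a sign change is bracketed.
    """
    lo, hi = 1e-9, 1.0 - 1e-12
    if active(lo, k) <= 0:    # active count never rises: the outbreak dies out
        return 0.0
    if active(hi, k) >= 0:    # root is closer to 1 than this bracket resolves
        return 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if active(mid, k) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


if __name__ == "__main__":
    # Blind-32 and Stop-3 are the slide 11 settings; Blind-8 is a constructed
    # case where A/(k*GAMMA*N) > 1 and the model predicts no growth.
    for name, fn, k in [("Blind-32", blind_k_active, 32),
                        ("Stop-3", stop_k_active, 3),
                        ("Blind-8", blind_k_active, 8)]:
        print(f"{name}: final infected fraction = {final_fraction(fn, k):.4f}")
```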
