TY - JOUR
T1 - Self-disciplinary worms and countermeasures
T2 - Modeling and analysis
AU - Yu, Wei
AU - Zhang, Nan
AU - Fu, Xinwen
AU - Zhao, Wei
N1 - Funding Information:
The authors thank the anonymous reviewers for their invaluable feedback. This work was supported in part by the US National Science Foundation (NSF) under grants 0808419, 0324988, 0721571, 0329181, 0907964, 0943479, 0852673, 0852674, 0845644, and 0915834. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the NSF. The authors would like to acknowledge Ms. Larisa Archer for her dedicated help to improve the paper.
PY - 2010
Y1 - 2010
N2 - In this paper, we address issues related to the modeling, analysis, and countermeasures of worm attacks on the Internet. Most previous work assumed that a worm always propagates itself at the highest possible speed. Some newly developed worms (e.g., "Atak" worm) contradict this assumption by deliberately reducing the propagation speed in order to avoid detection. As such, we study a new class of worms, referred to as self-disciplinary worms. These worms adapt their propagation patterns in order to reduce the probability of detection, and eventually, to infect more computers. We demonstrate that existing worm detection schemes based on traffic volume and variance cannot effectively defend against these self-disciplinary worms. To develop proper countermeasures, we introduce a game-theoretic formulation to model the interaction between the worm propagator and the defender. We show that an effective integration of multiple countermeasure schemes (e.g., worm detection and forensics analysis) is critical for defending against self-disciplinary worms. We propose different integrated schemes for fighting different self-disciplinary worms, and evaluate their performance via real-world traffic data.
AB - In this paper, we address issues related to the modeling, analysis, and countermeasures of worm attacks on the Internet. Most previous work assumed that a worm always propagates itself at the highest possible speed. Some newly developed worms (e.g., "Atak" worm) contradict this assumption by deliberately reducing the propagation speed in order to avoid detection. As such, we study a new class of worms, referred to as self-disciplinary worms. These worms adapt their propagation patterns in order to reduce the probability of detection, and eventually, to infect more computers. We demonstrate that existing worm detection schemes based on traffic volume and variance cannot effectively defend against these self-disciplinary worms. To develop proper countermeasures, we introduce a game-theoretic formulation to model the interaction between the worm propagator and the defender. We show that an effective integration of multiple countermeasure schemes (e.g., worm detection and forensics analysis) is critical for defending against self-disciplinary worms. We propose different integrated schemes for fighting different self-disciplinary worms, and evaluate their performance via real-world traffic data.
UR - http://www.scopus.com/inward/record.url?scp=77956179239&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=77956179239&partnerID=8YFLogxK
U2 - 10.1109/TPDS.2009.161
DO - 10.1109/TPDS.2009.161
M3 - Article
AN - SCOPUS:77956179239
SN - 1045-9219
VL - 21
SP - 1501
EP - 1514
JO - IEEE Transactions on Parallel and Distributed Systems
JF - IEEE Transactions on Parallel and Distributed Systems
IS - 10
M1 - 5313807
ER -
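The abstract's central claim is that a worm which throttles itself so that its aggregate scan traffic stays flat and below the alarm threshold is invisible to a detector keyed on traffic volume and variance, and can therefore infect more hosts than a fast worm that is caught early. The following toy simulation, added here as an illustration and not the model, detector or data of Yu et al., makes that concrete: a deterministic SI epidemic is run under three scan policies against a detector that fires on per-step scan volume or on the variance of scan counts over a sliding window. Every constant (population, scan space, per-host scan rate, thresholds, window size) and the three worm policies are assumptions chosen for the example.

```python
"""Toy model of fast vs. self-disciplinary worm propagation against a
traffic-volume / traffic-variance detector.

Constructed illustration written for this page; it is not the model, the
detector or the data from Yu et al. All parameters below are assumptions.
"""
import statistics

POPULATION = 10_000      # vulnerable hosts behind the monitored egress (assumed)
SCAN_SPACE = 100_000     # addresses a scan can land on; hit prob = uninfected / SCAN_SPACE
PER_HOST_RATE = 10       # scans per step an unthrottled infected host sends (assumed)
WINDOW = 10              # detector looks at the last WINDOW steps
VOL_THRESHOLD = 500      # alarm if scans in one step exceed this
VAR_THRESHOLD = 2000.0   # alarm if variance of scan counts over the window exceeds this
STEPS = 400


def detector(history):
    """Volume/variance anomaly detector (assumed design).
    Returns "volume", "variance" or None for the latest step."""
    if history[-1] > VOL_THRESHOLD:
        return "volume"
    if len(history) >= WINDOW and statistics.pvariance(history[-WINDOW:]) > VAR_THRESHOLD:
        return "variance"
    return None


# Worm policies: each returns the total scans the worm emits in this step.
def fast_worm(infected, step):
    """Classic worm: every infected host scans as fast as it can."""
    return PER_HOST_RATE * infected


def capped_worm(infected, step):
    """Naive self-discipline: scan at full speed but never above a fixed ceiling
    just under the volume threshold. The ramp-up still changes the variance."""
    return min(PER_HOST_RATE * infected, 450.0)


def flat_worm(infected, step):
    """Self-disciplinary worm that holds aggregate scan traffic at a constant,
    unremarkable level from the first infection on, so neither the volume nor
    the variance seen by the detector ever changes."""
    return 400.0


def simulate(policy, steps=STEPS):
    """Deterministic (expected-value) SI epidemic. Each scan infects with
    probability (POPULATION - infected) / SCAN_SPACE. The run stops at the first
    alarm, i.e. the defender is assumed to contain the worm once it is detected.
    Returns (alarm_step, alarm_reason, infected_at_end)."""
    infected = 1.0
    history = []
    for step in range(steps):
        scans = policy(infected, step)
        history.append(scans)
        reason = detector(history)
        if reason is not None:
            return step, reason, infected
        infected += scans * (POPULATION - infected) / SCAN_SPACE
    return None, None, infected


if __name__ == "__main__":
    for name, policy in (("fast", fast_worm), ("capped", capped_worm), ("flat", flat_worm)):
        step, reason, infected = simulate(policy)
        print(f"{name:7s} alarm={reason} step={step} infected={infected:.0f}")
```

With these assumed parameters the fast worm trips the volume alarm at step 6 with roughly 64 hosts infected, the capped worm stays under the volume threshold but trips the variance alarm at step 9 (about 200 hosts), and the flat worm is never flagged and has infected close to 8,000 of the 10,000 hosts by the end of the run. That ordering is the abstract's point: a detector that looks only at how much traffic there is, and how much it fluctuates, has no signal when the worm deliberately keeps both constant, which is why the paper argues for combining detection with other countermeasures (e.g., forensic analysis) rather than relying on volume/variance alone. The simulation is of course a caricature; it ignores per-host scan-rate limits, failed-connection ratios and other signals a real sensor would use.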