Topology-aware vulnerability mitigation worms

Al-Salloum, Ziyad

January 2011

In very dynamic Information and Communication Technology (ICT) infrastructures, with rapidly growing applications, malicious intrusions have become very sophisticated, effective, and fast. Industries have suffered billions of US dollars losses due only to malicious worm outbreaks. Several calls have been issued by governments and industries to the research community to propose innovative solutions that would help prevent malicious breaches, especially with enterprise networks becoming more complex, large, and volatile. In this thesis we approach self-replicating, self-propagating, and self-contained network programs (i.e. worms) as vulnerability mitigation mechanisms to eliminate threats to networks. These programs provide distinctive features, including: Short distance communication with network nodes, intermittent network node vulnerability probing, and network topology discovery. Such features become necessary, especially for networks with frequent node association and disassociation, dynamically connected links, and where hosts concurrently run multiple operating systems. We propose -- to the best of our knowledge -- the first computer worm that utilize the second layer of the OSI model (Data Link Layer) as its main propagation medium. We name our defensive worm Seawave, a controlled interactive, self-replicating, self-propagating, and self-contained vulnerability mitigation mechanism. We develop, experiment, and evaluate Seawave under different simulation environments that mimic to a large extent enterprise networks. We also propose a threat analysis model to help identify weaknesses, strengths, and threats within and towards our vulnerability mitigation mechanism, followed by a mathematical propagation model to observe Seawave's performance under large scale enterprise networks. We also preliminary propose another vulnerability mitigation worm that utilizes the Link Layer Discovery Protocol (LLDP) for its propagation, along with an evaluation of its performance. In addition, we describe a preliminary taxonomy that rediscovers the relationship between different types of self-replicating programs (i.e. viruses, worms, and botnets) and redefines these programs based on their properties. The taxonomy provides a classification that can be easily applied within the industry and the research community and paves the way for a promising research direction that would consider the defensive side of self-replicating programs.

500

Overcoming Limitations in Computer Worm Models

Posluszny III, Frank S

31 January 2005

In less than two decades, destruction and abuse caused by computer viruses and worms have grown from an anomaly to an everyday occurrence. In recent years, the Computer Emergency Response Team (CERT) has recorded a steady increase in software defects and vulnerabilities, similar to those exploited by the Slammer and Code Red worms. In response to such a threat, the academic community has started a set of research projects seeking to understand worm behavior through creation of highly theoretical and generalized models. Staniford et. al. created a model to explain the propagation behaviors of such worms in computer network environments. Their model makes use of the Kermack-McKendrick biological model of propagation as applied to digital systems. Liljenstam et. al. add a spatial perspective to this model, varying the infection rate by the scanning worms' source and destination groups. These models have been shown to describe generic Internet-scale behavior. However, they are lacking from a localized (campus-scale) network perspective. We make the claim that certain real-world constraints, such as bandwidth and heterogeneity of hosts, affect the propagation of worms and thus should not be ignored when creating models for analysis. In setting up a testing environment for this hypothesis, we have identified areas that need further work in the computer worm research community. These include availability of real-world data, a generalized and behaviorally complete worm model, and packet-based simulations. The major contributions of this thesis involve a parameterized, algorithmic worm model, an openly available worm simulation package (based on SSFNet and SSF.App.Worm), analysis of test results showing justification to our claim, and suggested future directions.

computer virus

network simulation

worm propagation

worm simulation

computer worm

Computer viruses

Computer viruses: The threat today and the expected future / Datorvirus: Dagens situation och förväntad utveckling

Li, Xin

January 2003

<p>This Master’s Thesis within the area computer security concerns ”Computer viruses: The threat today and the expected future”. </p><p>Firstly, the definitions of computer virus and the related threats are presented; Secondly, current situation of computer viruses are discussed, the working and spreading mechanisms of computer viruses are reviewed in details, simplistic attitude of computer world in computer virus defence is analyzed; Thirdly, today’s influencing factors for near future computer virus epidemics are explained, then it further predicts new possible types of computer viruses in the near future; Furthermore, currently available anti-virus technologies are analyzed concerning both advantages and disadvantages; Finally, new promising trends in computer virus defence are explored in details.</p>

Informationsteknik

computer virus

computer worm

theoretical suggestion

anti-virus technology

trend

Informationsteknik

Information technology

Informationsteknik

Computer viruses: The threat today and the expected future / Datorvirus: Dagens situation och förväntad utveckling

Li, Xin

January 2003

This Master’s Thesis within the area computer security concerns ”Computer viruses: The threat today and the expected future”. Firstly, the definitions of computer virus and the related threats are presented; Secondly, current situation of computer viruses are discussed, the working and spreading mechanisms of computer viruses are reviewed in details, simplistic attitude of computer world in computer virus defence is analyzed; Thirdly, today’s influencing factors for near future computer virus epidemics are explained, then it further predicts new possible types of computer viruses in the near future; Furthermore, currently available anti-virus technologies are analyzed concerning both advantages and disadvantages; Finally, new promising trends in computer virus defence are explored in details.

Informationsteknik

computer virus

computer worm

theoretical suggestion

anti-virus technology

trend

Informationsteknik

Computer and Information Sciences

Data- och informationsvetenskap