998 results for worm propagation


Relevance:

100.00%

Publisher:

Abstract:

Each year, large amounts of money and labor are spent on patching the vulnerabilities in operating systems and various popular software to prevent exploitation by worms. Modeling the propagation process can help us to devise effective strategies against those worms' spreading. This paper presents a microcosmic analysis of worm propagation procedures. Our proposed model is different from traditional methods and examines deep inside the propagation procedure among nodes in the network by concentrating on the propagation probability and time delay described by a complex matrix. Moreover, since the analysis gives a microcosmic insight into a worm's propagation, the proposed model can avoid errors that are usually concealed in the traditional macroscopic analytical models. The objectives of this paper are to address three practical aspects of preventing worm propagation: (i) where do we patch? (ii) how many nodes do we need to patch? (iii) when do we patch? We implement a series of experiments to evaluate the effects of each major component in our microcosmic model. Based on the results drawn from the experiments, for high-risk vulnerabilities, it is critical that networks reduce the number of vulnerable nodes to below 80%. We believe our microcosmic model can benefit the security industry by allowing them to save significant money in the deployment of their security patching schemes.

Relevance:

100.00%

Publisher:

Abstract:

In recent years, wide attention has been drawn to the problem of containing worm propagation in smartphones. Unlike existing containment models for worm propagation, we study how to prevent worm propagation through the immunization of key nodes (e.g., the top k influential nodes). Thus, we propose a novel containment model based on an influence maximization algorithm. In this model, we introduce a social relation graph to evaluate the influence of nodes and an election mechanism to find the most influential nodes. Finally, this model provides a targeted immunization strategy to disable worm propagation by immunizing the top k influential nodes. The experimental results show that the model not only finds the most influential top k nodes quickly, but also effectively restrains and controls worm propagation.

Relevance:

70.00%

Publisher:

Abstract:

Propagation of Peer-to-Peer (P2P) worms in the Internet is posing a serious challenge to network security research because of P2P worms' increasing complexity and sophistication. Due to the complexity of the problem, no existing work has solved the problem of modeling the propagation of P2P worms, especially when quarantine of peers is enforced. This paper presents a study on modeling the propagation of P2P worms. It also presents our applications of the proposed approach in worm propagation research.

Motivated by our aspiration to invent an easy-to-employ instrument for worm propagation research, the proposed approach models the propagation processes of P2P worms by difference equations of a logic matrix, which are essentially discrete-time deterministic propagation models of P2P worms. To the best of our knowledge, we are the first to use a logic matrix in network security research in general and worm propagation modeling in particular.

Our major contributions in this paper are firstly, we propose a novel logic matrix approach to modeling the propagation of P2P worms under three different conditions; secondly, we find the impacts of two different topologies on a P2P worm's attack performance; thirdly, we find the impacts of the network-related characteristics on a P2P worm's attack performance in structured P2P networks; and fourthly, we find the impacts of the two different quarantine tactics on the propagation characteristics of P2P worms in unstructured P2P networks. The approach's ease of employment, which is demonstrated by its applications in our simulation experiments, makes it an attractive instrument to conduct worm propagation research.

Relevance:

70.00%

Publisher:

Abstract:

A common view for the preferable positions of thwarting worm propagation is at the highly connected nodes. However, in certain conditions, such as when some popular users (highly connected nodes in the network) have more vigilance on the malicious codes, this may not always be the truth. In this letter, we propose a measure of betweenness and closeness to locate the most suitable positions for slowing down the worm propagation. This work provides practical values to the defense of topological worms.

Relevance:

70.00%

Publisher:

Abstract:

Smartphones have become an integral part of our everyday lives, such as online information accessing, SMS/MMS, social networking, online banking, and other applications. The pervasive usage of smartphones also makes them enticing targets for hackers and malware writers. This is a desperate threat to legitimate users and poses considerable challenges to the network security community. In this paper, we model smartphone malware propagation through combining mathematical epidemics and the social relationship graph of smartphones. Moreover, we design a strategy to simulate the dynamics of the SMS/MMS-based worm propagation process from one node to an entire network. The strategy integrates an infection factor that evaluates the propagation degree of infected nodes, and a resistance factor that offers resistance evaluation towards susceptible nodes. Extensive simulations have demonstrated that the proposed malware propagation model is effective and efficient.

Relevance:

70.00%

Publisher:

Abstract:

Smartphones are pervasively used in society, and have been both the target and victim of malware writers. Motivated by the significant threat that presents to legitimate users, we survey the current smartphone malware status and their propagation models. The content of this paper is presented in two parts. In the first part, we review the short history of mobile malware evolution since 2004, and then list the classes of mobile malware and their infection vectors. At the end of the first part, we enumerate the possible damage caused by smartphone malware. In the second part, we focus on smartphone malware propagation modeling. In order to understand the propagation behavior of smartphone malware, we recall generic epidemic models as a foundation for further exploration. We then extensively survey the smartphone malware propagation models. At the end of this paper, we highlight issues of the current smartphone malware propagation models and discuss possible future trends based on our understanding of this topic. © 2014 IEEE.

Relevance:

60.00%

Publisher:

Abstract:

Detecting and understanding anomalies in IP networks is an open and ill-defined problem. Toward this end, we have recently proposed the subspace method for anomaly diagnosis. In this paper we present the first large-scale exploration of the power of the subspace method when applied to flow traffic. An important aspect of this approach is that it fuses information from flow measurements taken throughout a network. We apply the subspace method to three different types of sampled flow traffic in a large academic network: multivariate timeseries of byte counts, packet counts, and IP-flow counts. We show that each traffic type brings into focus a different set of anomalies via the subspace method. We illustrate and classify the set of anomalies detected. We find that almost all of the anomalies detected represent events of interest to network operators. Furthermore, the anomalies span a remarkably wide spectrum of event types, including denial of service attacks (single-source and distributed), flash crowds, port scanning, downstream traffic engineering, high-rate flows, worm propagation, and network outage.

Relevance:

60.00%

Publisher:

Abstract:

Sensor networks are a branch of distributed ad hoc networks with a broad range of applications in surveillance and environment monitoring. In these networks, message exchanges are carried out in a multi-hop manner. Due to resource constraints, security professionals often use lightweight protocols, which do not provide adequate security. Even in the absence of constraints, designing a foolproof set of protocols and codes is almost impossible. This leaves the door open to the worms that take advantage of the vulnerabilities to propagate via exploiting the multi-hop message exchange mechanism. This issue has drawn the attention of security researchers recently. In this paper, we investigate the propagation pattern of information in wireless sensor networks based on an extended theory of epidemiology. We develop a geographical susceptible-infective model for this purpose and analytically derive the dynamics of information propagation. Compared with the previous models, ours is more realistic and is distinguished by two key factors that had been neglected before: 1) the proposed model does not purely rely on epidemic theory but rather binds it with geometrical and spatial constraints of real-world sensor networks and 2) it extends to also model the spread dynamics of conflicting information (e.g., a worm and its patch). We do extensive simulations to show the accuracy of our model and compare it with the previous ones. The findings show that the common intuition that the infection source is the best location to start patching from is not necessarily right. We show that this depends on many factors, including the time it takes for the patch to be developed, worm/patch characteristics as well as the shape of the network.

Relevance:

30.00%

Publisher:

Abstract:

There are two common means for propagating worms: scanning vulnerable computers in the network and sending out malicious email attachments. Modeling the propagation of worms can help us understand how worms spread and devise effective defence strategies. Most traditional models simulate the overall scale of the infected network in each time tick, making them invalid for examining deep inside the propagation procedure among individual nodes. For this reason, this paper proposes a novel probability matrix to model the propagation mechanism of the two main classes of worms (scanning and email worms) by concentrating on the propagation probability. The objective of this paper is to assess the spreading and work out an effective scheme against the worms. In order to evaluate the effects of each major component in our probability model, we implement a series of experiments for both worms. From the results, network administrators can make decisions on how to reduce the number of vulnerable nodes to a certain threshold for scanning worms, and how to immunize the highly connected nodes to prevent propagation of email worms.

Relevance:

30.00%

Publisher:

Abstract:

Active Peer-to-Peer worms are a great threat to network security since they can propagate in automated ways and flood the Internet within a very short duration. Modeling a propagation process can help us to devise effective strategies against a worm's spread. This paper presents a study on modeling a worm's propagation probability in a P2P overlay network and proposes an optimized patch strategy for defenders. Firstly, we present a probability matrix model to construct the propagation of P2P worms. Our model involves three indispensable aspects for propagation: infected state, vulnerability distribution and patch strategy. Based on a fully connected graph, our comprehensive model is highly suited for real world cases like Code Red II. Finally, by inspecting the propagation procedure, we propose four basic tactics for defense of P2P botnets. The rationale is exposed by our simulated experiments and the results show these tactics are effective and have considerable worth in being applied in real-world networks.

Relevance:

30.00%

Publisher:

Abstract:

There are two common means for propagating worms: scanning vulnerable computers in the network and spreading through topological neighbors. Modeling the propagation of worms can help us understand how worms spread and devise effective defense strategies. However, most previous studies either focus on their proposed work or pay attention to exploring detection and defense systems. Few of them give a comprehensive analysis in modeling the propagation of worms, which is helpful for developing defense mechanisms against worms' spreading. This paper presents a survey and comparison of worms' propagation models according to two different spreading methods of worms. We first identify worms' characteristics through their spreading behavior, and then classify various target discovery techniques employed by them. Furthermore, we investigate different topologies for modeling the spreading of worms, analyze various worms' propagation models and emphasize the performance of each model. Based on the analysis of worms' spreading and the existing research, an open field and future direction for modeling the propagation of worms is provided. © 2014 IEEE.

Relevance:

30.00%

Publisher:

Abstract:

Smartphone applications are getting more and more popular and pervasive in our daily life, and are also attractive to malware writers due to their limited computing source and vulnerabilities. At the same time, we possess limited understanding of our opponents in cyberspace. In this paper, we investigate the propagation model of SMS/MMS-based worms through integrating a semi-Markov process and a social relationship graph. In our modeling, we use a semi-Markov process to characterize state transition among mobile nodes, and hire social network theory, a missing element in many previous works, to enhance the proposed mobile malware propagation model. In order to evaluate the proposed models, we have developed specific software, and collected large-scale real-world data for this purpose. The extensive experiments indicate that the proposed models and algorithms are effective and practical. © 2014 Elsevier Ltd. All rights reserved.