Self-Stopping Worms
Justin Ma, Geoffrey M. Voelker, and
Stefan Savage
Presented: Khanh Nguyen
Self-Stopping Worms




Another type of spreading worm
The goal is to infect as many hosts as possible until it reaches a target population, then stop.
This would make it harder to identify the presence of infected hosts.
PROBLEM: how do these independent worms know when to stop?
Overview

Self-Stopping Worms Algorithms
  Random Scanning Strategy
  Permutation Scanning Strategy


Evaluation
Self-Stopping Worms Algorithms
(Random scanning)


Greedy: An infected node infects as many hosts as possible without stopping.
Blind-k: An infected node deactivates with probability 1/k at the end of each timestep.
Non-Exchange, Non-Estimating Strategies; based on the distributed systems literature
dI/dt = (γ/A)(N-I)a and da/dt = (γ/A)(N-I)a - (1/k)a
a(I) = I + (1/k)(A/γ)log(1-I/N). Ex: A=2^32, N=2^17, γ=4,000 results in 97.8% infected.
PROBLEM: A, N, and γ must be known prior to infection to get a good k value.
Self-Stopping Worms Algo. (cont.)
(Random scanning)

Stop-k: Stop with probability 1/k after a redundant hit.
Infection-status feedback
da/dt = (γ/A)(N-I)a - (1/k)(γI/A)a
a(I) = ((k+1)/k)*I + (N/k)log(1-I/N). Ex: k=3, N=2^17, infected population = 98%
Tree: Stop after infecting k new hits on vulnerable hosts
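For sizing how far an outbreak spreads before it goes quiet, the two closed forms above can be solved for the point where a(I) returns to zero. This is an added example, not code from the slides or the paper; it reads I as infected hosts, a as still-active hosts, A as address-space size, N as vulnerable hosts and γ as scan rate, and takes A=2^32, N=2^17, γ=4,000 and Blind-k's k=32 from the Evaluation slide.

```python
import math

def final_fraction(c):
    """Nonzero root x = I/N of x + c*ln(1 - x) = 0, i.e. the infected
    fraction at which the active population a(I) returns to zero."""
    if c >= 1.0:
        return 0.0                   # nodes stop faster than they recruit
    f = lambda x: x + c * math.log(1.0 - x)
    lo, hi = 1.0 - c, 1.0 - 1e-15    # f peaks at x = 1 - c, then falls to -inf
    if f(hi) > 0:
        return 1.0                   # root is closer to 1 than floats resolve
    for _ in range(100):             # bisection, keeping f(lo) > 0 >= f(hi)
        mid = (lo + hi) / 2
        if f(mid) > 0:
            lo = mid
        else:
            hi = mid
    return lo

def blind_k(k, A, N, gamma):
    # a(I) = I + (1/k)(A/gamma) ln(1 - I/N); dividing by N gives c = A/(k*gamma*N)
    return final_fraction(A / (k * gamma * N))

def stop_k(k):
    # a(I) = ((k+1)/k) I + (N/k) ln(1 - I/N); dividing by N(k+1)/k gives c = 1/(k+1)
    return final_fraction(1.0 / (k + 1))

if __name__ == "__main__":
    A, N, gamma = 2**32, 2**17, 4000     # parameter values quoted on the slides
    print(f"Blind-32: {blind_k(32, A, N, gamma):.1%} of vulnerable hosts infected")
    print(f"Stop-3:   {stop_k(3):.1%} of vulnerable hosts infected")
    # Stop-k depends only on k, which is why it needs no prior knowledge of A, N, γ.
    for k in (1, 2, 5, 10):
        print(f"Stop-{k}: {stop_k(k):.2%}")
```

Blind-k's result moves with A, N and γ, while Stop-k's depends on k alone, which is the practical difference the "PROBLEM" line points at.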
Self-Stopping Worms Algo. (cont.)
(Random Scanning)

Sum-Count:
An infected host keeps 2 counters: H for the number of vulnerable hosts it has contacted, and S for the number of scans it has produced.
N_est = H*A/S

Self-Stopping Algorithms (cont.)
(Random Scanning)

Bitmap:
Uses 2 bitmaps, each with a size of A bits.
Bit_v records the vulnerable hosts it has attempted to infect.
Bit_s records the hosts it has scanned.
N_est = bitsset(Bit_v)*A/bitsset(Bit_s)
Disadvantage: large amount of memory required

Self-Stopping Algorithms (cont.)
(Random Scanning)


Sum-Count-X: Operates like Sum-Count, except that when node A contacts node B, then H_A + H_B and S_A + S_B
Bitmap-X: Operates like Bitmap, except that when node A contacts node B, Bits_{v,A} ∪ Bits_{v,B} and Bits_{s,A} ∪ Bits_{s,B}
Self-Stopping Worms Algor. (cont.)
(Permutation scanning)




Greedy Permutation: If the host achieves a redundant
hit, it will randomly choose a new seed and continue.
Stop-k Permutation: same as Stop-k
Sum-Count-X Permutation: Same as Sum-Count-X,
except with the reseed-upon-redundant-hit policy
Partitioned Permutation: Kind of like divide and
conquer. Give up half of the unscanned spaces to the
newly infected descendant. Stops when reaching its
interval (found a redundant hit)
Self-stopping Worms Summary
Evaluation

Basic Heuristics
Blind-k (k=32), Stop-k (k=3) and Tree (k=50)
A=2^32, N=2^17, γ=4,000
Would infect about 98% of the vulnerable hosts


Dynamic Heuristics
Sum-Count and Sum-Count-X
 Compared them against Greedy, Blind-32, and the
ideal heuristics: Know-NI, Know-N, and Know-I

Basic Heuristics
Dynamic Heuristics
Scan Rates
Important-Scanning Worm
IANA Assignments
Web Servers Distribution
CodeRed With IS
Slammer With IS