Optimization of Blaster worms
by Stochastic Modeling
Performance Evaluation Laboratory
Supervised by Prof. Hiroshi Toyoizumi
s1080060 Tatehiro Kaiwa
Purpose
By modeling a Blaster worm, we investigate its influence on a local network.
By optimizing a Blaster worm, we observe and investigate the threat.
We compare the existing Blaster worms with the optimized ones in a local network.
Target Virus
Name: W32.Blaster.Worm (Symantec), WORM_MSBLAST.A (Trend Micro), W32/Lovsan.worm.a (McAfee)
Type: Worm
Systems Affected: Windows 2000, XP
The Blaster worm exploits a vulnerability of the DCOM RPC service to penetrate a system.
It causes system instability.
Spread Algorithm (1)
Select an IP address: completely random with probability 0.6, or local with probability 0.4.
Create malicious packets: for Windows XP with probability 0.8, or for Windows 2000 with probability 0.2.
Start to send many malicious packets.
These methods are selected only once, when the Blaster worm is executed.
Random : Probability of selecting a random IP address
Local : Probability of selecting a local IP address
 : Probability that packets are for Windows XP
(1 −  ) : Probability that packets are for Windows 2000
Spread Algorithm (2)
When the worm uses its own IP address, A.B.C.D, it changes D to 0. The worm then increases the target address monotonically.
The probability that the first worm and the other worms attack the same IP address is very high.
The infection rate of every worm except the first worm in the local network becomes smaller.
The Experimental Network
This figure shows a local experimental network used to collect Blaster worm packet data, in order to confirm and obtain some information about the Blaster worm.
Worm Data Collection
Systems attacked and infected by the Blaster worm may become unstable and sometimes shut down.
[Figure: network of Target, HUB, Blaster and Sniffer]
We cannot capture some packets when the Sniffer is installed on an infected PC and all target PCs.
Prepare a PC that is not infected, connect it as in the figure, and capture all packets.
The Infection Model
This figure is the worm infection model.
ν: Infection rate of a Blaster worm outside of the local network.
λ: Infection rate of Blaster worms inside of the local network.
The Model Solution (1)
The process with infection rate ν is a Poisson process, and the process with infection rate λ is a Yule process.
We obtain a new model by mixing a Poisson process and a Yule process.
Each infection activity is independent.
[Figure: state transition diagram with states 0, 1, 2, 3, ..., n and transition rates ν, ν+λ, ν+2λ, ..., ν+(n-1)λ, ν+nλ]
$$P\{N(t) = n\} = \binom{n + (\nu/\lambda) - 1}{(\nu/\lambda) - 1} \, p^{\nu/\lambda} (1 - p)^{n}, \quad \text{where } p = e^{-\lambda t}.$$
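The following is an added example, not part of the original slides. It reads the model solution as a negative binomial distribution with r = ν/λ and p = e^{-λt}, evaluates P{N(t) = n}, and checks it against a direct simulation in which state n moves to n+1 at rate ν+nλ. The function names and the rate values are assumptions constructed for illustration.

```python
import math
import random

def pmf(n, nu, lam, t):
    """P{N(t) = n} for the mixed Poisson/Yule model with N(0) = 0, t > 0.

    Negative binomial with r = nu/lam and p = exp(-lam*t). lgamma is used
    because nu/lam is generally not an integer.
    """
    r, p = nu / lam, math.exp(-lam * t)
    log_coeff = math.lgamma(n + r) - math.lgamma(r) - math.lgamma(n + 1)
    return math.exp(log_coeff + r * math.log(p) + n * math.log1p(-p))

def mean(nu, lam, t):
    """Closed-form E[N(t)] = (nu/lam) * (exp(lam*t) - 1)."""
    return (nu / lam) * math.expm1(lam * t)

def simulate(nu, lam, t, rng):
    """One sample path: in state n the next infection arrives at rate nu + n*lam."""
    n, clock = 0, 0.0
    while True:
        clock += rng.expovariate(nu + n * lam)
        if clock > t:
            return n
        n += 1

def empirical(nu, lam, t, runs=20000, seed=1):
    """Relative frequencies of N(t) over independent simulated paths."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(runs):
        n = simulate(nu, lam, t, rng)
        counts[n] = counts.get(n, 0) + 1
    return {n: c / runs for n, c in counts.items()}

if __name__ == "__main__":
    # Constructed rates (per unit time); the slides give no numeric values.
    NU, LAM, T = 0.5, 0.3, 5.0
    hist = empirical(NU, LAM, T)
    sim_mean = sum(n * f for n, f in hist.items())
    print(f"E[N(t)]: closed form {mean(NU, LAM, T):.3f}, simulated {sim_mean:.3f}")
    for n in range(6):
        print(n, f"{pmf(n, NU, LAM, T):.4f}", f"{hist.get(n, 0.0):.4f}")
```

For n = 0 the formula reduces to e^{-νt}, the Poisson probability that no infection has yet arrived from outside the local network.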
The Model Solution (2)
[Figure: local network of Windows XP and Windows 2000 machines]
RXP : R2k is the ratio of each system having the vulnerability in the local network.
PHit = {   RXP / (RXP + R2k) + (1 −  ) R2k / (RXP + R2k) } PVul
The Model Solution (3)
M : Average of the number of packets
RSuc : Rate of successful infection
Each Infection Rate
  M  PHit  RSuc
  M  PHit  RSuc  Local
Graphs for different ratios of each system in the network
[Figure: P{N (t )  70}; curves: XP:2000=1:8, All WinXP, All Win2000]
The performance of the Blaster worms can be improved if the
ratio of the Windows XP machines is high in the local network.
The difference between optimized and existing
[Figure: P{N (t )  70} with XP:2000=1:8; curves: Existing Blaster, Optimized Blaster]
The optimized Blaster worms prove to be a great threat.
Thus, the existing Blaster worm also has the same potential threat.
Conclusion
The performance of the Blaster worm is greatly influenced by the ratio of each OS in the target network.
Optimized Blaster worms are a great threat. Thus, we need to be careful individually.
Future Works
As the stochastic model may be different from existing Blaster worms, we need to bring it closer to an accurate model of the existing Blaster worms in the future.