Optimization of Blaster worms by Stochastic Modeling
Performance Evaluation Laboratory
Supervised by Prof. Hiroshi Toyoizumi
s1080060 Tatehiro Kaiwa

Purpose
By modeling a Blaster worm, we investigate its influence on a local network.
By optimizing a Blaster worm, we observe and investigate the threat.
We compare the existing Blaster worms with the optimized ones in a local network.

Target
Virus Name: W32.Blaster.Worm (Symantec), WORM_MSBLAST.A (Trend Micro), W32/Lovsan.worm.a (McAfee)
Type: Worm
Systems Affected: Windows 2000, XP
The Blaster worm exploits a vulnerability of the DCOM RPC Service to penetrate a system.
It causes system instability.

Spread Algorithm (1)
Select an IP address: 0.6 Complete Random, 0.4 Local
Create malicious packets: 0.8 For XP, 0.2 For 2000
Start to send many malicious packets
These methods are selected only once, when the Blaster worm is executed.
Random : Probability of selecting a random IP address
Local : Probability of selecting a local IP address
: Probability that packets are for Windows XP
(1 ) : Probability that packets are for Windows 2000

Spread Algorithm (2)
When the worm uses its own IP address, A.B.C.D, the worm changes D into 0. Then the worm makes the target address increase monotonically.
The probability that the first worm and other worms attack the same IP address is very high.
The infection rate of all worms except the first worm in the local network becomes smaller.

The Experimental Network
This figure shows a local experimental network for collecting Blaster worm packet data, to confirm and obtain some information about the Blaster worm.

Worm Data Collection
Systems attacked and infected by the Blaster worm may become unstable and sometimes shut down.
[Figure labels: Target, HUB, Blaster, Sniffer]
We cannot capture some packets if Sniffer is installed on an infected PC or on the target PCs.
Prepare an uninfected PC, connect it as shown in the figure, then capture all packets.

The Infection Model
This figure is the worm infection model.
ν: Infection rate of a Blaster worm outside of the local network.
λ: Infection rate of Blaster worms inside of the local network.

The Model Solution (1)
[Figure: state-transition diagram; labels include ν, λ, 2λ, (n-1)λ, nλ, ν+λ, ν+2λ, ν+(n-1)λ, ν+nλ]
The process with infection rate ν is a Poisson Process, and the process with infection rate λ is a Yule Process.
We obtain the new model by mixing a Poisson Process and a Yule Process.

$$P\{N(t) = n\} = \binom{n + (\nu/\lambda) - 1}{(\nu/\lambda) - 1} \, p^{\nu/\lambda} (1 - p)^{n}$$

where $\nu > 0$, $0 < p < 1$, $p = e^{-\lambda t}$.
The infection activities are independent of each other.

The Model Solution (2)
[Figure labels: Windows XP, Windows 2000]
The ratio of the systems having the vulnerability in a local network.
RXP : R2 k
PHit { R XP R XP R2 k (1 ) R2 k R XP R2 k } PVul

The Model Solution (3)
M : Average of the number of packets
RSuc : Rate of successful infection
Each Infection Rate
M PHit RSuc
M PHit RSuc Local

Graphs of changing the ratio of each system in the network
[Graph: P{N (t ) 70}; curves: XP:2000=1:8, All WinXP, All Win2000]
The performance of the Blaster worms can be improved if the ratio of the Windows XP machines is high in the local network.

The difference between optimized and existing
[Graph: P{N (t ) 70}, XP:2000=1:8; curves: Existing Blaster, Optimized Blaster]
The optimized Blaster worms prove to be a great threat. Thus, the existing Blaster worm also poses the same potential threat.

Conclusion
The performance of the Blaster worm is greatly influenced by the ratio of each OS in the target network.
Optimized Blaster worms are a great threat. Thus, we need to be careful individually.

Future Works
As the stochastic model may differ from existing Blaster worms, we need to bring it closer to an accurate model of the existing Blaster worms in the future.
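
The mixed Poisson/Yule model of "The Model Solution (1)" can be checked numerically. This is an added example, not code from the slides: it assumes N(0) = 0, for which the process has the negative binomial law with r = ν/λ and p = e^{-λt}, and compares that closed form with a direct integration of the forward equations. The rates NU and LAM are constructed values, and the tail probability P{N(t) ≥ k} is a quantity chosen here for sizing how quickly infections accumulate.

```python
import math

def nb_pmf(n, nu, lam, t):
    """Closed form P{N(t)=n} for N(0)=0: negative binomial, r=nu/lam, p=exp(-lam*t)."""
    if t == 0:
        return 1.0 if n == 0 else 0.0
    r, p = nu / lam, math.exp(-lam * t)
    log_coef = math.lgamma(n + r) - math.lgamma(r) - math.lgamma(n + 1)
    return math.exp(log_coef + r * math.log(p) + n * math.log1p(-p))

def forward_equations(nu, lam, t, n_max, steps=2000):
    """Integrate dP_n/dt = (nu+(n-1)lam) P_{n-1} - (nu+n*lam) P_n with RK4.
    State n_max absorbs the tail, so total probability stays 1."""
    rate = [nu + n * lam for n in range(n_max)] + [0.0]

    def deriv(P):
        d = [-rate[0] * P[0]]
        d += [rate[n - 1] * P[n - 1] - rate[n] * P[n] for n in range(1, n_max + 1)]
        return d

    P = [1.0] + [0.0] * n_max          # start with zero infected hosts
    h = t / steps
    for _ in range(steps):
        k1 = deriv(P)
        k2 = deriv([x + h / 2 * k for x, k in zip(P, k1)])
        k3 = deriv([x + h / 2 * k for x, k in zip(P, k2)])
        k4 = deriv([x + h * k for x, k in zip(P, k3)])
        P = [x + h / 6 * (a + 2 * b + 2 * c + d)
             for x, a, b, c, d in zip(P, k1, k2, k3, k4)]
    return P

def tail(nu, lam, t, k):
    """P{N(t) >= k}: chance that at least k hosts are infected by time t."""
    return 1.0 - sum(nb_pmf(n, nu, lam, t) for n in range(k))

# Constructed rates (infections per minute), not measurements from the slides.
NU, LAM = 0.05, 0.02

if __name__ == "__main__":
    P = forward_equations(NU, LAM, 60.0, 60)
    for n in (0, 5, 20):
        print(n, round(P[n], 6), round(nb_pmf(n, NU, LAM, 60.0), 6))
    for minutes in (60.0, 120.0, 240.0):
        print(minutes, round(tail(NU, LAM, minutes, 70), 4))
```

Because infections only move the state upward, truncating at n_max does not disturb the probabilities of lower states, which is why the two columns agree.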