Simulating realistic network worm traffic for worm warning system design and testing

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Simulating realistic network worm traffic for worm warning system design and testing

Full text

Pdf (308 KB)

Source

Workshop on Rapid Malcode archive
Proceedings of the 2003 ACM workshop on Rapid malcode table of contents

Washington, DC, USA

SESSION: Network interactions table of contents

Pages: 24 - 33

Year of Publication: 2003

ISBN:1-58113-785-0

Authors

Michael Liljenstam	Dartmouth College, Hanover, NH
David M. Nicol	Dartmouth College, Hanover, NH
Vincent H. Berk	Dartmouth College, Hanover, NH
Robert S. Gray	Dartmouth College, Hanover, NH

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 4, Downloads (12 Months): 103, Citation Count: 17

Additional Information:

abstract references cited by index terms collaborative colleagues peer to peer

Tools and Actions:	Review this Article Save this Article to a Binder Display Formats: BibTex EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/948187.948193 What is a DOI?

ABSTRACT

Reproducing the effects of large-scale worm attacks in a laboratory setup in a realistic and reproducible manner is an important issue for the development of worm detection and defense systems. In this paper, we describe a worm simulation model we are developing to accurately model the large-scale spread dynamics of a worm and many aspects of its detailed effects on the network. We can model slow or fast worms with realistic scan rates on realistic IP address spaces and selectively model local detailed network behavior. We show how it can be used to generate realistic input traffic for a working prototype worm detection and tracking system, the Dartmouth ICMP BCC: System/Tracking and Fusion Engine (DIB:S/TRAFEN), allowing performance evaluation of the system under realistic conditions. Thus, we can answer important design questions relating to necessary detector coverage and noise filtering without deploying and operating a full system. Our experiments indicate that the tracking algorithms currently implemented in the DIB:S/TRAFEN system could detect attacks such as Code Red v2 and Sapphire/Slammer very early, even when monitoring a quite limited portion of the address space, but more sophisticated algorithms are being constructed to reduce the risk of false positives in the presence of significant "background noise" scanning.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Labrea. http://www.hackbusters.net/LaBrea.
	2	Ssfnet web site. http://www.ssfnet.org/.
	3	F. Baker. Rfc 1812: Requirements for IP version 4 routers. Request for Comments 1812, June 1995.
	4	Vincent Berk, Wayne Chung, Valentino Crespi, George Cybenko, Robert Gray, Diego Hernando, Guofei Jiang, Han Li, and Yong Sheng. Process Query Systems for Surveillance and Awareness. In Proceedings of the SCI 2003, Orlando, Florida, July 2003.
	5	Vincent H. Berk, Robert S. Gray, and George Bakos. Using Sensor Networks and Data Fusion for Early Detection of Active Worms. In Proceedings of AeroSense 2003: SPIE's 17th Annual International Symposium on Aerospace/Defense Sensing, Simulation, and Controls, Orlando, Florida, April 2003.
	6	Z. Chen, L. Gao, and K. Kwiat. Modeling the Spread of Active Worms. INFOCOM 2003, 2003.
	7	Brent N. Chun, Jason Lee, and Hakim Weatherspoon. Netbait: A distributed worm detection service. Available at http://netbait.plain-lab.org/., 2003.
	8	Cisco. Dealing with mallocfail and high CPU utilization resulting from the "Code Red" worm. http://www.cisco. com/warp/public/-63/ts_codred_worm.shtml, October 2001.
	9	James H. Cowie , David M. Nicol , Andy T. Ogielski, Modeling the Global Internet, Computing in Science and Engineering, v.1 n.1, p.42-50, January 1999 [doi>10.1109/5992.743621 ]
	10	D.J. Daley and J. Gani. Epidemic Modelling: An Introduction. Cambridge University Press, Cambridge, UK, 1999.
	11	Silicon Defense. Countermalice---Worm Containment System. http://www.silicondefense.com/products/countermalice/, 2003.
	12	Sally Floyd , Vern Paxson, Difficulties in simulating the internet, IEEE/ACM Transactions on Networking (TON), v.9 n.4, p.392-403, August 2001 [doi>10.1109/90.944338]
	13	Jeffrey O. Kephart , Steve R. White, Measuring and Modeling Computer Virus Prevalence, Proceedings of the 1993 IEEE Symposium on Security and Privacy, p.2, May 24-26, 1993
	14	M. Liljenstam , Y. Yuan , B. J. Premore , D. Nicol, A Mixed Abstraction Level Simulation Model of Large-Scale Internet Worm Infestations, Proceedings of the 10th IEEE International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunications Systems (MASCOTS'02), p.109, October 11-16, 2002
	15	David Moore , Vern Paxson , Stefan Savage , Colleen Shannon , Stuart Staniford , Nicholas Weaver, Inside the Slammer Worm, IEEE Security and Privacy, v.1 n.4, p.33-39, July 2003 [doi>10.1109/MSECP.2003.1219056]
	16	David Moore , Colleen Shannon , k claffy, Code-Red: a case study on the spread and victims of an internet worm, Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment, November 06-08, 2002, Marseille, France [doi>10.1145/637201.637244]
	17	David Moore, Colleen Shannon, Geoffrey M. Voelker, and Stefan Savage. Internet quarantine: Requirements for containing self-propagating code. In Proceedings of the 22nd Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM 2003), April 2003.
	18	David Moore, Geoffrey M. Voelker, and Stefan Savage. Inferring Internet Denial-of-Service activity. In Proceedings of the 10th USENIX Security Symposium (USENIX'01), Washington, DC, August 2001.
	19	Lawrence R. Rabiner. A Tutorial on Hidden Markov Models and Selected Applications in Speech Recognition. Proceeding of the IEEE, 77, Num. 2:257--286, 1989.
	20	Donald B. Reid. An algorithm for Tracking Multiple Targets. IEEE Transactions on Automatic Control, AC-24, Num. 6:843--854, 1979.
	21	S. Staniford. Code Red Analysis Pages: July infestation analysis. http://www.silicondefense.com/cr/july.html, 2001.
	22	Stuart Staniford , Vern Paxson , Nicholas Weaver, How to Own the Internet in Your Spare Time, Proceedings of the 11th USENIX Security Symposium, p.149-167, August 05-09, 2002
	23	A. Turner and M. Bing. project page (sourceforge). http://tcpreplay.sourceforge.net/, 2003.
	24	Peer Iljitsch Beijnum , Iljitsch Van Beijnum, Bgp, O'Reilly & Associates, Inc., Sebastopol, CA, 2002
	25	Vinod Yegneswaran , Paul Barford , Johannes Ullrich, Internet intrusions: global characteristics and prevalence, Proceedings of the 2003 ACM SIGMETRICS international conference on Measurement and modeling of computer systems, June 11-14, 2003, San Diego, CA, USA
	26	Cliff Changchun Zou , Weibo Gong , Don Towsley, Code red worm propagation modeling and analysis, Proceedings of the 9th ACM conference on Computer and communications security, November 18-22, 2002, Washington, DC, USA [doi>10.1145/586110.586130]
	27	Cliff C. Zou, Lixin Gao, Weibo Gong, and Don Towsley. Monitoring and early warning for internet worms. Technical Report TR-CSE-03-01, University of Massachusetts at Amherst, 2003.

CITED BY 17

	David M. Nicol, Modeling and Simulation in Security Evaluation, IEEE Security and Privacy, v.3 n.5, p.71-74, September 2005
	Attila Ondi, A drawback of current anti-virus simulations: the need for background traffic, Proceedings of the 44th annual southeast regional conference, March 10-12, 2006, Melbourne, Florida
	George Kesidis , Ihab Hamadeh , Youngmi Jin , Soranun Jiwasurat , Milan Vojnović, A model of the spread of randomly scanning Internet worms that saturate access links, ACM Transactions on Modeling and Computer Simulation (TOMACS), v.18 n.2, p.1-14, April 2008
	David M. Nicol, The impact of stochastic variance on worm propagation and detection, Proceedings of the 4th ACM workshop on Recurring malcode, November 03-03, 2006, Alexandria, Virginia, USA
	David M. Nicol, Efficient simulation of Internet worms, ACM Transactions on Modeling and Computer Simulation (TOMACS), v.18 n.2, p.1-32, April 2008
	Monirul I. Sharif , George F. Riley , Wenke Lee, Comparative Study between Analytical Models and Packet-Level Worm Simulations, Proceedings of the 19th Workshop on Principles of Advanced and Distributed Simulation, p.88-98, June 01-03, 2005
	Songjie Wei , Jelena Mirkovic , Martin Swany, Distributed Worm Simulation with a Realistic Internet Model, Proceedings of the 19th Workshop on Principles of Advanced and Distributed Simulation, p.71-79, June 01-03, 2005
	Kristopher Hall , Randy Marchany , Nathaniel Davis, Identifying, characterizing, and controlling stealth worms in wireless networks through biological epidemiology, Proceedings of the second international workshop on Wireless traffic measurements and modeling, p.1-es, August 05-05, 2006, Boston, Massachusetts
	Duc T. Ha , Hung Q. Ngo, On the trade-off between speed and resiliency of flashworms and similar malcodes, Proceedings of the 2007 ACM workshop on Recurring malcode, November 02-02, 2007, Alexandria, Virginia, USA
	David W. Richardson , Steven D. Gribble , Edward D. Lazowska, The limits of global scanning worm detectors in the presence of background noise, Proceedings of the 2005 ACM workshop on Rapid malcode, November 11-11, 2005, Fairfax, VA, USA
	Senthilkumar G. Cheetancheri , John Mark Agosta , Denver H. Dash , Karl N. Levitt , Jeff Rowe , Eve M. Schooler, A distributed host-based worm detection system, Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense, p.107-113, September 11-15, 2006, Pisa, Italy
	L. Li , P. Liu , Y. C. Jhi , G. Kesidis, Evaluation of collaborative worm containment on the DETER testbed, Proceedings of the DETER Community Workshop on Cyber Security Experimentation and Test on DETER Community Workshop on Cyber Security Experimentation and Test 2007, p.5-5, August 06-07, 2007, Boston, MA
	Songjie Wei , Jelena Mirkovic, A realistic simulation of internet-scale events, Proceedings of the 1st international conference on Performance evaluation methodolgies and tools, October 11-13, 2006, Pisa, Italy
	Guanling Chen , Robert S. Gray, Simulating non-scanning worms on peer-to-peer networks, Proceedings of the 1st international conference on Scalable information systems, p.29-es, May 30-June 01, 2006, Hong Kong
	Michael Liljenstam , Jason Liu , David M. Nicol , Yougu Yuan , Guanhua Yan , Chris Grier, RINSE: The Real-Time Immersive Network Simulation Environment for Network Security Exercises (Extended Version), Simulation, v.82 n.1, p.43-59, January 2006
	Christopher Kruegel , Giovanni Vigna , William Robertson, A multi-model approach to the detection of web-based attacks, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.48 n.5, p.717-738, 5 August 2005
	Ju Wang , Xin Liu , Andrew A. Chien, Empirical study of tolerating denial-of-service attacks with a proxy network, Proceedings of the 14th conference on USENIX Security Symposium, p.4-4, July 31-August 05, 2005, Baltimore, MD