
The Journal of Supercomputing, Volume 62, Issue 3, pp 1451–1479

Strategy of fast and light-load cloud-based proactive benign worm countermeasure technology to contain worm propagation

  • Xufei Zheng
  • Tao Li
  • Yonghui Fang

Abstract

Benign worms have attracted wide attention in worm research because they proactively defend against worm propagation and patch susceptible hosts. In this paper, two revised Worm–Anti-Worm (WAW) models are proposed for cloud-based benign worm countermeasures. These Re-WAW models are based on the law of worm propagation and the two-factor model. The first is the cloud-based benign Re-WAW model, which aims to achieve effective worm containment. The second is the two-stage Re-WAW propagation model, which switches between proactive and passive defense strategies based on the ratio of benign worms to malicious worms. This model is intended to avoid the network congestion and other potential risks caused by the proactive scanning of benign worms. Simulation results show that the cloud-based Re-WAW model significantly improves the containment of worm propagation. Cloud computing technology enables rapid delivery of massive numbers of initial benign worms, and the two-stage Re-WAW model gradually clears off the benign worms as the malicious worms are contained.

Keywords

Worm propagation; Benign worm; Re-WAW model; Cloud-based Re-WAW model; Two-stage Re-WAW model

Notes

Acknowledgements

This work is sponsored by the National Natural Science Foundation of China (Nos. 60873246 and 61173159), and the Cultivation Fund of the Key Scientific and Technical Innovation Project, Ministry of Education of China (No. 708075).


Copyright information

© Springer Science+Business Media, LLC 2012

Authors and Affiliations

  1. School of Computer and Information Science, Southwest University, Chongqing, P.R. China
  2. College of Computer Science, Sichuan University, Chengdu, P.R. China
  3. State Key Laboratory of Power Transmission Equipment & System Security and New Technology, Chongqing, P.R. China
