SelfStopping Worms

1
Self-Stopping Worms

• Justin Ma, Geoffrey M. Voelker, and Stefan Savage
• Presented Khanh Nguyen

2
Self-Stopping Worms

• Another type of spreading worm
• The goal is to infected as many hosts as possible
  until it reach a target population then stop.
• This would make it harder to identify the
  presence of infected hosts.
• PROBLEM how do these independent worms know when
  to stop?

3
Overview

• Self-Stopping Worms Algorithms
• Random Scanning Strategy
• Permutation Scanning Strategy
• Evaluation

4
Self-Stopping Worms Algorithms(Random scanning)

• Greedy An infected node infects as many hosts as
  possible without stopping
• Blind-k An infected node deactivates w/
  probability 1/k at the end of each timestep
• Non-Exchange, Non-Estimating Strategies
• Based on The Distributed systems literature
• dI/dt ?/A(N-I)a and da/dt ?/A(N-I)a (1/k)a
• a(I) I (1/k)(A/?)log(1-I/N), ex A232, N
  217, ?4,000, resulted 97.8 infected
• PROBLEM known A, N, ? prior to infection to get
  a good k value

5
Self-Stopping Worms Algo. (cont.)(Random
scanning)

• Stop-k Stop with probability 1/k after redundant
  hit.
• Infection-status feedback
• da/dt ?/A(N-I)a (1/k)(?I/A)a
• A(I) (k1)/kI (N/k)log(1-I/N). Ex k3,
  N217, infected population 98
• Tree Stop after infecting k new hits on
  vulnerable

6
Self-Stopping Worms Algo. (cont.)(Random
Scanning)

• Sum-Count
• An infected host keeps 2 counters one for the
  number of vulnerable hosts it has contacted H,
  one for the number of scans it has produced S.
• Nest HA/S

7
Self-Stopping Algorithms (cont.)(Random Scanning)

• Bitmap
• Uses 2 bitmaps, each w/ size of A bits
• Bitv records the vulnerable hosts it has
  attempted to infect.
• Bits records the hosts it has scanned.
• Nest bitsset(Bitv)A/bitsset(Bits)
• Disadvantage large amount of memory required

8
Self-Stopping Algorithms (cont.)(Random Scanning)

• Sum-Count-X Operates like Sum-Count, except that
  when node A contacts w/ node B, then the HA HB
  and SA SB
• Bitmap-X Operates like Bitmap, except that when
  node A contacts w/ node B, Bitsv,A U Bitsv,B and
  Bitss,A U Bitss,B

9
Self-Stopping Worms Algor. (cont.)(Permutation
scanning)

• Greedy Permutation If the host achieves a
  redundant hit, it will randomly choose a new seed
  and continue.
• Stop-k Permutation same as Stop-k
• Sum-Count-X Permutation Same as Sum-Count-X,
  except with the reseed-upon-redundant-hit policy
• Partitioned Permutation Kind of like divide and
  conquer. Give up half of the unscanned spaces to
  the newly infected descendant. Stops when
  reaching its interval (found a redundant hit)

10
Self-stopping Worms Summary
11
Evaluation

• Basic Heuristics
• Blind-k (k32), Stop-k (k3) and Tree (k50)
• A232, N217, ? 4,000
• Would infect about 98 of the vulnerable hosts
• Dynamic Heuristics
• Sum-Count and Sum-Count-X
• Compared them against Greedy, Blind-32, and the
  ideal heuristics Know-NI, Know-N, and Know-I

12
Basic Heuristics
13
Dynamic Heuristics
14
Scan Rates
15
Important-Scanning Worm
16
IANA Assignments
17
Web Servers Distribution
18
CodeRed With IS
19
Slammer With IS