A COMBINATORICS PROLIFERATION MODEL TO DETERMINE THE TIMING FOR BLOCKING SCANNING MALWARE

Kazumasa Omote, Takeshi Shimoyama, Satoru Torii

Abstract

One of the worst threats present in an enterprise network is the propagation of “scanning malware” (e.g., scanning worms and bots). It is important to prevent such scanning malware from spreading within an enterprise network. It is especially important to suppress scanning malware infection to less than a few infected hosts. We estimated the timing of containment software to block “scanning malware” in a homogeneous enterprise network. The “combinatorics proliferation model”, based on discrete mathematics, developed in this study derives a threshold that gives the number of the packets sent by a victim that must not be exceeded in order to suppress the number of infected hosts to less than a few. This model can appropriately express the early state under which an infection started. The result from our model fits very well to the result of computer simulation using a typical existing scanning malware and an actual network.

References

  1. Barford, P., Yegneswaran, V., 2006. An Inside Look at Botnets. Special Workshop on Malware Detection, Advances in Information Security.
  2. Nikoloski, Z., Deo, N., Kucera, L., 2006. Correlation Model of Worm Propagation on Scale-Free Networks. Complexus, 2006(3):169-182.
  3. Chen, Z., Gao, L., Kwiat, K., 2003. Modeling the Spread of Active Worms. In Proceedings of IEEE INFOCOM.
  4. Staniford, S., 2004. Containment of Scanning Worms in Enterprise Networks. Journal of Computer Security.
  5. Moore, D., Shannon, C., Voelker, G. M., Savage, S., 2003. Internet Quarantine: Requirements for Containing Self-Propagating Code, In Proceedings of IEEE INFOCOM.
  6. Zou, C. C., Gao, L., Gong, W., Towsley, D., 2003. Monitoring and Early Warning for Internet Worms. In Proceedings of the 10th ACM Conference on Computer and Communication Security, pages 190- 199. ACM Press.
  7. Williamson, M. M., 2002. Throttling Viruses: Restricting propagation to defeat malicious mobile code. In Proceedings of the 18th Annual Computer Security Applications Conference.
  8. Whyte, D., Kranakis, E., Oorschot, P. C., 2005. DNSbased Detection of Scanning Worms in an Enterprise Network. In Proceedings of the 12th Annual Network and Distributed System Security Symposium.
  9. Whyte, D., Oorschot P. C., Kranakis, E., 2005. Detecting Intra-enterprise Scanning Worms based on Address Resolution. In Proceedings of the 21st Annual Computer Security Applications Conference.
  10. Bakos, G., Berk, V. H., 2002. Early detection of Internet worm activity by metering ICMP destination unreachable messages. In Proceedings of the SPIE Aerosense.
  11. Weaver, N., Staniford, S., Paxson, V., 2004. Very Fast Containment of Scanning Worms. In Proceedings of the13th USENIX Security Symposium.
  12. Jung, J. Paxson, V., Berger, A. W., Balakrishnan, H., 2004. Fast portscan detection using sequential hypothesis testing. In Proceedings of the IEEE Symposium on Security and Privacy.
  13. Schechter, S., Jung, J., Berger, A. W., 2004. Fast Detection of Scanning Worm Infections. In Proceedings of the 7th International Symposium on Recent Advances in Intrusion Detection.
  14. Omote, K., Torii, S., 2003. A Detection Method of Worms's Random Scanning. In Proceedings of the CSS2003. (Japanese).
Download


Paper Citation


in Harvard Style

Omote K., Shimoyama T. and Torii S. (2007). A COMBINATORICS PROLIFERATION MODEL TO DETERMINE THE TIMING FOR BLOCKING SCANNING MALWARE . In Proceedings of the Second International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2007) ISBN 978-989-8111-12-8, pages 16-24. DOI: 10.5220/0002119300160024


in Bibtex Style

@conference{secrypt07,
author={Kazumasa Omote and Takeshi Shimoyama and Satoru Torii},
title={A COMBINATORICS PROLIFERATION MODEL TO DETERMINE THE TIMING FOR BLOCKING SCANNING MALWARE},
booktitle={Proceedings of the Second International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2007)},
year={2007},
pages={16-24},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002119300160024},
isbn={978-989-8111-12-8},
}


in EndNote Style

TY - CONF
JO - Proceedings of the Second International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2007)
TI - A COMBINATORICS PROLIFERATION MODEL TO DETERMINE THE TIMING FOR BLOCKING SCANNING MALWARE
SN - 978-989-8111-12-8
AU - Omote K.
AU - Shimoyama T.
AU - Torii S.
PY - 2007
SP - 16
EP - 24
DO - 10.5220/0002119300160024