Self-Stopping Self-Stopping WormsWorms

Justin Ma, Geoffrey M. Justin Ma, Geoffrey M. Voelker, and Stefan SavageVoelker, and Stefan Savage

Presented: Khanh NguyenPresented: Khanh Nguyen

Self-Stopping WormsSelf-Stopping Worms

Another type of spreading wormAnother type of spreading worm The goal is to infected as many hosts The goal is to infected as many hosts

as possible until it reach a target as possible until it reach a target population then stop.population then stop.

This would make it harder to identify This would make it harder to identify the presence of infected hosts.the presence of infected hosts.

PROBLEM: how do these independent PROBLEM: how do these independent worms know when to stop?worms know when to stop?

OverviewOverview

Self-Stopping Worms AlgorithmsSelf-Stopping Worms Algorithms Random Scanning StrategyRandom Scanning Strategy Permutation Scanning StrategyPermutation Scanning Strategy

EvaluationEvaluation

Self-Stopping Worms Self-Stopping Worms AlgorithmsAlgorithms

(Random scanning)(Random scanning) Greedy: An infected node infects as many Greedy: An infected node infects as many

hosts as possible without stoppinghosts as possible without stopping Blind-k: An infected node deactivates w/ Blind-k: An infected node deactivates w/

probability 1/k at the end of each timestepprobability 1/k at the end of each timestep Non-Exchange, Non-Estimating StrategiesNon-Exchange, Non-Estimating Strategies Based on The Distributed systems literatureBased on The Distributed systems literature

dI/dt = dI/dt = γγ/A(N-I)a and da/dt = /A(N-I)a and da/dt = γγ/A(N-I)a – (1/k)a/A(N-I)a – (1/k)a a(I) = I + (1/k)(A/a(I) = I + (1/k)(A/γγ)log(1-I/N), ex: A=2)log(1-I/N), ex: A=23232, N= , N=

221717, , γγ=4,000, resulted: 97.8% infected=4,000, resulted: 97.8% infected PROBLEM: known A, N, PROBLEM: known A, N, γγ prior to infection to prior to infection to

get a good k valueget a good k value

Self-Stopping Worms Algo. Self-Stopping Worms Algo. (cont.)(cont.)

(Random scanning)(Random scanning) Stop-k: Stop with probability 1/k Stop-k: Stop with probability 1/k

after redundant hit.after redundant hit. Infection-status feedbackInfection-status feedback da/dt = da/dt = γγ/A(N-I)a – (1/k)(/A(N-I)a – (1/k)(γγI/A)aI/A)a A(I) = (k+1)/k*I + (N/k)log(1-I/N). Ex: A(I) = (k+1)/k*I + (N/k)log(1-I/N). Ex:

k=3, N=2^17, infected population = k=3, N=2^17, infected population = 98%98%

Tree: Stop after infecting k new hits Tree: Stop after infecting k new hits on vulnerableon vulnerable

Self-Stopping Worms Algo. Self-Stopping Worms Algo. (cont.)(cont.)

(Random Scanning)(Random Scanning) Sum-Count: Sum-Count:

An infected host keeps 2 counters: one An infected host keeps 2 counters: one for the number of vulnerable hosts it for the number of vulnerable hosts it has contacted H, one for the number of has contacted H, one for the number of scans it has produced S.scans it has produced S.

NNestest = HA/S = HA/S

Self-Stopping Algorithms Self-Stopping Algorithms (cont.)(cont.)

(Random Scanning)(Random Scanning) Bitmap: Bitmap:

Uses 2 bitmaps, each w/ size of A bitsUses 2 bitmaps, each w/ size of A bits Bitv records the vulnerable hosts it has Bitv records the vulnerable hosts it has

attempted to infect.attempted to infect. Bits records the hosts it has scanned.Bits records the hosts it has scanned. NNestest = bitsset(Bit = bitsset(Bitvv)*A/bitsset(Bit)*A/bitsset(Bitss)) Disadvantage: large amount of memory Disadvantage: large amount of memory

requiredrequired

Self-Stopping Algorithms Self-Stopping Algorithms (cont.)(cont.)

(Random Scanning)(Random Scanning) Sum-Count-X: Operates like Sum-Sum-Count-X: Operates like Sum-

Count, except that when node A Count, except that when node A contacts w/ node B, then the Hcontacts w/ node B, then the HAA + H + HBB and Sand SAA + S + SB B

Bitmap-X: Operates like Bitmap, Bitmap-X: Operates like Bitmap, except that when node A contacts w/ except that when node A contacts w/ node B, Bitsnode B, Bitsv,Av,A U Bits U Bitsv,Bv,B and Bits and Bitss,As,A U U BitsBitss,Bs,B

Self-Stopping Worms Algor. Self-Stopping Worms Algor. (cont.)(cont.)

(Permutation scanning)(Permutation scanning) Greedy Permutation:Greedy Permutation: If the host achieves a If the host achieves a

redundant hit, it will randomly choose a new seed redundant hit, it will randomly choose a new seed and continue.and continue.

Stop-k Permutation:Stop-k Permutation: same as Stop-k same as Stop-k Sum-Count-X Permutation:Sum-Count-X Permutation: Same as Sum- Same as Sum-

Count-X, except with the reseed-upon-redundant-Count-X, except with the reseed-upon-redundant-hit policyhit policy

Partitioned Permutation:Partitioned Permutation: Kind of like divide and Kind of like divide and conquer. Give up half of the unscanned spaces to conquer. Give up half of the unscanned spaces to the newly infected descendant. Stops when the newly infected descendant. Stops when reaching its interval (found a redundant hit)reaching its interval (found a redundant hit)

Self-stopping Worms Self-stopping Worms SummarySummary

EvaluationEvaluation

Basic HeuristicsBasic Heuristics Blind-k (k=32), Stop-k (k=3) and Tree (k=50)Blind-k (k=32), Stop-k (k=3) and Tree (k=50) A=2^32, N=2^17, A=2^32, N=2^17, γγ =4,000 =4,000 Would infect about 98% of the vulnerable Would infect about 98% of the vulnerable

hostshosts Dynamic HeuristicsDynamic Heuristics

Sum-Count and Sum-Count-XSum-Count and Sum-Count-X Compared them against Greedy, Blind-32, Compared them against Greedy, Blind-32,

and the ideal heuristics: Know-NI, Know-N, and the ideal heuristics: Know-NI, Know-N, and Know-Iand Know-I

Basic HeuristicsBasic Heuristics

Dynamic HeuristicsDynamic Heuristics

Scan RatesScan Rates

Important-Important-Scanning WormScanning Worm

IANA AssignmentsIANA Assignments

Web Servers DistributionWeb Servers Distribution

CodeRed With ISCodeRed With IS

Slammer With ISSlammer With IS