On the impact of dynamic addressing on malware propagation

Rajab, Moheeb Abu; Monrose, Fabian; Terzis, Andreas

doi:10.1145/1179542.1179554

Cited by 30 publications

(14 citation statements)

References 13 publications

(21 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Conversely, DHCP will cause a single host's scanning activity to consistently manifest as originating from multiple hosts, when in fact, that host's source address lease had expired and subsequently a new address was acquired. Therefore, we postulate that such consistent effects (along with random source spoofing) alter the density of routable addresses on the Internet and are more likely to impact the speed of specific malware 1371 propagation (as discussed in [12]), which is irrelevant to the self-similar aggregate characteristics that are studied in this paper.…”

Section: Classificationmentioning

confidence: 96%

Self‐similar characteristics of network intrusion attempts and the implications for predictability

Wahid

Zhou

2011

Concurrency and Computation

View full text Add to dashboard Cite

SUMMARYOne way of proactively detecting multistage attacks such as Distributed Denial of Service (DDoS), worms and coordinated spamming is to profile hosts that engage in scanning activity and predict their future actions, which is a difficult challenge. We attempt to better understand this challenge by hypothesising that network intrusion attempts exhibit self-similar characteristics. We analyse logs from the DShield repository of globally distributed IDS alerts corresponding to the first 2 weeks of January 2005 and present three pieces of evidence in favour of this hypothesis. First, we observed that the persistence of hosts that attempt network intrusions obey a power-law relationship such that the overwhelming majority of hosts are short-lived whereas a small number are highly persistent. Second, the distribution of hosts in the IP address space is broadly identical regardless of different categories of lifetimes and intrusion attempts. Finally, there is a scale invariant diurnal cycle with long-range dependence in the number of unique hosts observed per unit time. The overall implication of these findings is that any predictive model must account for identical statistical characteristics regardless of the volumetric, spatiotemporal and categorical resolution of the observations used to build and train that model.

show abstract

Section: Classificationmentioning

confidence: 96%

Self‐similar characteristics of network intrusion attempts and the implications for predictability

Wahid

Zhou

2011

Concurrency and Computation

View full text Add to dashboard Cite

show abstract

“…This fragmented attack commands into multiple packets interspersed with irrelevant data that was discarded after the intrusion detection system of the target site examined the stream for attacks, but before the stream reached the target. Other multistage attacks, often in the guise of malware (see for example [2,4,7,12] are "multistage" in their activation or execution. Models [8,14,19] and interpretative methods such as visualization [13] have been created and applied to help understand how multistage attacks work and how they spread.Of these attacks, the Internet worm is closest to what we describe.…”

Section: Related Workmentioning

confidence: 99%

Multi-stage delivery of malware

Ramilli

Bishop

2010

2010 5th International Conference on Malicious and Unwanted Software

View full text Add to dashboard Cite

Malware signature detectors use patterns of bytes, or variations of patterns of bytes, to detect malware attempting to enter a systems. This approach assumes the signatures are both or sufficient length to identify the malware, and to distinguish it from non-malware objects entering the system. We describe a technique that can increase the difficulty of both to an arbitrary degree. This technique can exploit an optimization that many anti-virus systems use to make inserting the malware simple; fortunately, this particular exploit is easy to detect, provided the optimization is not present. We describe some experiments to test the effectiveness of this technique in evading existing signature-based malware detectors.

show abstract

“…This is a promising countermeasure since it is much more feasible than rate limiting. Deployment of Network Address Translation (NAT) can slow down the spread of active worms employing the localized scanning approach [25]. This is due to decreased hitting probability caused by decreased vulnerability density inside NAT.…”

Section: Defending Against the Propagation Of Active Wormsmentioning

confidence: 99%

Defending against the propagation of active worms

Fan

Xiang

2009

J Supercomput

View full text Add to dashboard Cite

Active worms propagate across networks by employing the various target discovery techniques. The significance of target discovery techniques in shaping a worm's propagation characteristics is derived from the life cycle of a worm. The various target discovery techniques that could be employed by active worms are discussed. It is anticipated that future active worms would employ multiple target discovery techniques simultaneously to greatly accelerate their propagation. To accelerate a worm's propagation, the slow start phase in the worm's propagation must be shortened by letting the worm infect the first certain percentage of susceptible hosts as soon as possible. Strategies that future active worms might employ to shorten the slow start phase in their propagation are studied. Their respective cost-effectiveness is assessed. A novel active defense mechanism is proposed, which could be an emerging solution to the active worm problem. Our major contributions in this article are first, we found the combination of target discovery techniques that can best accelerate the propagation of active worms; second, we proposed several strategies to shorten a worm's slow start phase in its propagation and found the cost-effective hit-list size and average size of internally generated target lists; third, we proposed a novel active defense mechanism and evaluated its effectiveness; and fourth, we proposed three novel discrete time deterministic propagation models of active worms.

show abstract

On the impact of dynamic addressing on malware propagation

Cited by 30 publications

References 13 publications

Self‐similar characteristics of network intrusion attempts and the implications for predictability

Self‐similar characteristics of network intrusion attempts and the implications for predictability

Multi-stage delivery of malware

Defending against the propagation of active worms

Contact Info

Product

Resources

About