ENTERPRISE WORM: SIMULATION, DETECTION, AND OPTIMAL CONTAINMENT

Open Access
Author:
Li, Lunquan
Graduate Program:
Information Sciences and Technology
Degree:
Doctor of Philosophy
Document Type:
Dissertation
Date of Defense:
May 29, 2008
Committee Members:
  • Peng Liu, Committee Chair/Co-Chair
  • Chao Hsien Chu, Committee Member
  • Prasenjit Mitra, Committee Member
  • George Kesidis, Committee Member
Keywords:
  • computer worm
  • testbed
  • simulation
  • optimal containment
  • dark port
Abstract:
The research on computer worms and their defense has been in full swing in recent years. Still, there are some challenges in understanding the nature of worm propagation because of the complex structure and dynamics of networks, in conducting detailed network worm emulation experiments, and in devising and evaluating new worm defense or containment strategies. In this report, we propose a new virtualization method for running high-fidelity network emulation experiments on a network testbed and present an integrated toolkit we developed for the benefit of experiment specification and data visualization. On the analytical model and computer simulation front, we extend the KMSim worm model, a variation of the Kermack-McKendrick epidemic model that takes enterprise networks as the unit of analysis so that various distributions of worm-susceptible hosts and network topology characteristics can be accounted for. The extension of the KMSim worm model is used to study the self-destructing and removal/death behavior of worms and for the simulation of worm propagation in enterprise networks. On the defense side, we call attention to the danger of a class of worms which target specific enterprise networks. The efficiency and stealthiness of such local scanning worms with advanced scan strategies would render most existing worm defense schemes ineffective. For this reason, we propose a new dark port detection scheme to actively monitor all intra-enterprise network connections and raise security alerts when a new connection attempt targeting a non-servicing host/port tuple is detected. To compensate for possible false positives and to balance worm defense against maintaining normal service, we further explore using a Markov decision process model to quantitatively evaluate various defense strategies and make the best defense decisions based on this cost-benefit analysis. Cost-effective containment requires accurate estimation of worm virulence and of the extent of network damage under various game scenarios. In this regard, we develop a maximum likelihood estimation algorithm to estimate the size of the susceptible population using inter-arrival timing information collected by the dark port detectors. Based on the idea of worm propagation detection and the worm virulence estimation algorithm, we propose two collaborative containment strategies which can effectively contain a local scanning worm and cause minimum service disruption to the network.
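The dark port detection scheme the abstract describes, as an added illustration that is not code from the dissertation: a detector compares each intra-enterprise connection attempt against an inventory of which hosts actually serve which ports, raises an alert for any attempt at a non-servicing host/port tuple, and records the alert inter-arrival times that the abstract says feed the susceptible-population estimator (the estimator itself is not shown). The service inventory, the connection log and the per-source alert threshold are constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed inventory: each host and the set of ports on which it really serves.
# Anything not listed here is a "dark" host/port tuple inside the enterprise.
SERVICE_INVENTORY = {
    "10.0.1.10": {22, 80, 443},
    "10.0.1.11": {22, 445},
    "10.0.1.12": {22},
}

# Constructed intra-enterprise connection attempts:
# (timestamp in seconds, source host, destination host, destination port)
CONNECTION_ATTEMPTS = [
    (0.0, "10.0.1.11", "10.0.1.10", 443),  # legitimate: 10.0.1.10 serves 443
    (1.0, "10.0.1.12", "10.0.1.10", 445),  # dark port: 445 is not served there
    (1.5, "10.0.1.12", "10.0.1.11", 135),  # dark port
    (2.0, "10.0.1.12", "10.0.1.13", 445),  # dark host: not in the inventory at all
    (3.0, "10.0.1.10", "10.0.1.11", 22),   # legitimate
    (3.2, "10.0.1.12", "10.0.1.10", 135),  # dark port
]


def is_dark_port(dst, port, inventory=SERVICE_INVENTORY):
    """True when (dst, port) is not a tuple any real service listens on."""
    return port not in inventory.get(dst, set())


def dark_port_alerts(attempts, inventory=SERVICE_INVENTORY):
    """Replay a connection log and return every attempt that hit a dark tuple."""
    alerts = []
    for ts, src, dst, port in attempts:
        if is_dark_port(dst, port, inventory):
            alerts.append((ts, src, dst, port))
    return alerts


def inter_arrival_times(alerts):
    """Gaps between consecutive dark-port alerts; the raw timing data a
    susceptible-population estimator would consume."""
    stamps = sorted(a[0] for a in alerts)
    return [later - earlier for earlier, later in zip(stamps, stamps[1:])]


def suspected_scanners(alerts, threshold=3):
    """Sources that tripped at least `threshold` dark-port alerts (assumed
    threshold); a single alert may be a misconfiguration, repeated ones
    across hosts look like local scanning."""
    counts = defaultdict(int)
    for _, src, _, _ in alerts:
        counts[src] += 1
    return {src for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = dark_port_alerts(CONNECTION_ATTEMPTS)
    for ts, src, dst, port in found:
        print(f"t={ts:4.1f}s ALERT {src} -> {dst}:{port} (no service there)")
    print("inter-arrival times:", inter_arrival_times(found))
    print("suspected scanners:", suspected_scanners(found))
```

The detector is intentionally stateless per connection, so it can sit on a switch span or flow collector; the stateful part (counting per source and collecting inter-arrival gaps) is where false positives from a mis-inventoried service get separated from a host methodically probing its neighbours.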