Telecommunications & Information Technology Institute
Electrical & Computer Engineering Department
Invited Talk Series
Modeling Internet Worm Attacks
Dr. Zesheng Chen
Georgia Institute of Technology
Wednesday, May 23, 2007; 10:30AM
EC 3753, 10555 West Flagler Street
As computer and communication networks become prevalent, the Internet has been a battlefield for attackers
and defenders. One of the most powerful weapons for attackers is the Internet worm. Specifically, a worm
attacks vulnerable computer systems and employs self-propagating methods to flood the Internet rapidly. As
a result, worms, such as Code Red, Slammer, and Witty, have infected hundreds of thousands of hosts and
become a significant threat to network security and management.
The objective of my research is to characterize the spread of worms, analyze Internet vulnerabilities, and
develop effective countermeasures. First, a discrete-time mathematical model, called the analytical active
worm propagation (AAWP) model, is presented to capture the spreading dynamics of random-scanning
worms. The AAWP model provides a tool for characterizing the propagation of worms using different
scanning methods and for evaluating the performance of worm detection and defense systems. Second,
vulnerable hosts are observed to be highly unevenly distributed in the Internet, which leads to an optimal
worm scanning method called importance scanning. Such a new method is developed from and named after
importance sampling in statistics and enables a worm to spread much faster than both random and routable
scanning. The information of vulnerable-host distributions, however, may not be known before a worm is
released. To overcome this, a self-learning worm is designed that can accurately estimate the underlying
vulnerable-host distribution while propagating. Finally, a new metric, referred to as the non-uniformity
factor, is presented to quantify both the unevenness of a vulnerable-host distribution and the spreading ability
of network-aware worms. This metric is essentially the Rényi information entropy. Network-aware worms
are shown to be able to increase the spreading speed at the early stage with a rate of nearly the
non-uniformity factor. To fight against network-aware worms, defenders should scatter applications uniformly in
the entire IP-address space from the viewpoint of game theory.
For more information, please contact Dr. Kia Makki at 305-348-3738