Self-stopping worms are autonomous entities designed to infect hosts until they reach a target population, then halt spread to reduce detection. This paper by Justin Ma, Geoffrey M. Voelker, and Stefan Savage, presented by Khanh Nguyen, explores various algorithms for these worms, including random and permutation scanning strategies. The study evaluates methods like Greedy, Stop-k, and Sum-Count approaches, demonstrating their effectiveness in reaching high infection rates. Understanding these dynamics could aid in developing better defenses against such threats.
Self-Stopping Worms Justin Ma, Geoffrey M. Voelker, and Stefan Savage Presented: Khanh Nguyen
Self-Stopping Worms
• Another type of spreading worm
• The goal is to infect as many hosts as possible until it reaches a target population, then stop.
• This would make it harder to identify the presence of infected hosts.
• PROBLEM: how do these independent worms know when to stop?
Overview
• Self-Stopping Worms Algorithms
• Random Scanning Strategy
• Permutation Scanning Strategy
• Evaluation
Self-Stopping Worms Algorithms (Random scanning)
• Greedy: An infected node infects as many hosts as possible without stopping
• Blind-k: An infected node deactivates with probability 1/k at the end of each timestep
• Non-Exchange, Non-Estimating Strategies
• Based on the distributed systems literature
• dI/dt = (γ/A)(N−I)a and da/dt = (γ/A)(N−I)a − (1/k)a
• a(I) = I + (1/k)(A/γ) log(1 − I/N). Ex: A = 2^32, N = 2^17, γ = 4,000 resulted in 97.8% infected
• PROBLEM: A, N, and γ must be known prior to infection to get a good k value
Self-Stopping Worms Algo. (cont.) (Random scanning)
• Stop-k: Stop with probability 1/k after a redundant hit.
• Infection-status feedback
• da/dt = (γ/A)(N−I)a − (1/k)(γI/A)a
• a(I) = ((k+1)/k)·I + (N/k) log(1 − I/N). Ex: k = 3, N = 2^17, infected population = 98%
• Tree: Stop after infecting k new hits on vulnerable
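The two closed forms above can be checked numerically: the outbreak has stopped when the number of active hosts a(I) falls back to zero, so the final infected fraction is the nonzero root of a(I) = 0. The sketch below is an added example, not code from the paper or the slides; it assumes `log` is the natural logarithm and takes k = 32 for Blind-k from the Evaluation slide, and the function names are made up for illustration.

```python
import math

def a_blind_k(I, N, A, gamma, k):
    # Blind-k active count from the slide: a(I) = I + (1/k)(A/gamma) ln(1 - I/N)
    return I + (A / (k * gamma)) * math.log(1.0 - I / N)

def a_stop_k(I, N, k):
    # Stop-k active count from the slide: a(I) = ((k+1)/k) I + (N/k) ln(1 - I/N)
    return (k + 1) / k * I + (N / k) * math.log(1.0 - I / N)

def final_fraction(a, N, grid=1000):
    """Fraction I/N at which a(I) returns to zero, i.e. the outbreak has stopped.

    a(I) starts at 0, peaks, then falls towards -infinity as I -> N, so the
    nonzero root lies between the peak and N. Returns 0.0 if a(I) never
    becomes positive (the outbreak dies out before it spreads).
    """
    lo = max((N * i / grid for i in range(1, grid)), key=a)  # coarse peak search
    if a(lo) <= 0:
        return 0.0
    hi = N * (1.0 - 1e-12)
    if a(hi) > 0:              # root is closer to N than floats can resolve
        return 1.0
    for _ in range(200):       # bisection, invariant: a(lo) > 0 >= a(hi)
        mid = (lo + hi) / 2
        if a(mid) > 0:
            lo = mid
        else:
            hi = mid
    return lo / N

def blind_k_fraction(k, A=2**32, N=2**17, gamma=4000):
    # Defaults are the slide's parameters: A = 2^32, N = 2^17, gamma = 4,000
    return final_fraction(lambda I: a_blind_k(I, N, A, gamma, k), N)

def stop_k_fraction(k, N=2**17):
    return final_fraction(lambda I: a_stop_k(I, N, k), N)

if __name__ == "__main__":
    for k in (8, 16, 32, 64):
        print(f"Blind-{k}: {blind_k_fraction(k):.1%} of vulnerable hosts")
    for k in (1, 2, 3, 5):
        print(f"Stop-{k}:  {stop_k_fraction(k):.1%} of vulnerable hosts")
```

The Blind-k result swings from zero to nearly the whole vulnerable population as k changes, which is the dependence on A, N and γ that the slide lists as its problem; Stop-k's closed form has no A or γ in it at all.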
Self-Stopping Worms Algo. (cont.) (Random Scanning)
• Sum-Count:
• An infected host keeps 2 counters: one for the number of vulnerable hosts it has contacted, H, and one for the number of scans it has produced, S.
• N_est = H·A/S
Self-Stopping Algorithms (cont.) (Random Scanning)
• Bitmap:
• Uses 2 bitmaps, each with a size of A bits
• Bit_v records the vulnerable hosts it has attempted to infect.
• Bit_s records the hosts it has scanned.
• N_est = bitsset(Bit_v)·A / bitsset(Bit_s)
• Disadvantage: large amount of memory required
Self-Stopping Algorithms (cont.) (Random Scanning)
• Sum-Count-X: Operates like Sum-Count, except that when node A contacts node B, the counters are summed: H_A + H_B and S_A + S_B
• Bitmap-X: Operates like Bitmap, except that when node A contacts node B, the bitmaps are merged: Bits_{v,A} ∪ Bits_{v,B} and Bits_{s,A} ∪ Bits_{s,B}
Self-Stopping Worms Algor. (cont.) (Permutation scanning)
• Greedy Permutation: If the host achieves a redundant hit, it will randomly choose a new seed and continue.
• Stop-k Permutation: Same as Stop-k
• Sum-Count-X Permutation: Same as Sum-Count-X, except with the reseed-upon-redundant-hit policy
• Partitioned Permutation: Similar to divide and conquer. A host gives up half of its unscanned space to the newly infected descendant. It stops when it reaches the end of its interval (finds a redundant hit).
Evaluation
• Basic Heuristics
• Blind-k (k=32), Stop-k (k=3) and Tree (k=50)
• A = 2^32, N = 2^17, γ = 4,000
• Would infect about 98% of the vulnerable hosts
• Dynamic Heuristics
• Sum-Count and Sum-Count-X
• Compared them against Greedy, Blind-32, and the ideal heuristics: Know-NI, Know-N, and Know-I