
 

   Internet Worm Propagation Simulator

Since some people have asked me for the details of my simulation experiments, I provide here the worm propagation simulators and the Kalman filter program used in our papers. I hope they are helpful to other researchers.

  Witty Worm Propagation Modeling 

Based on the unique destructive action of the Witty worm, I model the crashing time of a Witty-infected computer as an exponentially distributed random variable, which explains well the dynamics of the Witty-infected population.

  Publications:

  Refereed journals

   Cliff C. Zou, Weibo Gong, Don Towsley, and Lixin Gao. "The Monitoring and Early Detection of Internet Worms," to appear in IEEE/ACM Transactions on Networking

    Cliff C. Zou, Don Towsley, and Weibo Gong. "On the Performance of Internet Worm Scanning Strategies,"  to appear in Journal of Performance Evaluation (extended from Umass ECE Technical Report TR-03-CSE-07, November, 2003).

  Refereed conferences and workshops

  Cliff C. Zou, Don Towsley, Weibo Gong, and Songlin Cai. "Routing Worm: A Fast, Selective Attack Worm based on IP Address Information," 19th ACM/IEEE/SCS Workshop on Principles of Advanced and Distributed Simulation (PADS'05), June 1-3, Monterey, USA (Best Paper Nominee; Acceptance ratio: 22/46=48%; Conference presentation slides with speaking notes; extended from Umass ECE Technical Report TR-03-CSE-06, November, 2003). 

   Cliff C. Zou, Nick Duffield, Don Towsley, and Weibo Gong. "Adaptive Defense Against Various Network Attacks," to appear in SRUTI: Steps to Reducing Unwanted Traffic on the Internet, July 7-8, Boston, 2005.

  Cliff C. Zou, Don Towsley, and Weibo Gong. "Email Worm Modeling and Defense," 13th International Conference on Computer Communications and Networks (ICCCN'04), October 11-13, Chicago, 2004 (Best Paper Nominee, Acceptance ratio: 73/207=35.3%, Conference presentation slides; extended from previous Technical Report TR-03-CSE-04).

  Cliff C. Zou, Weibo Gong, and Don Towsley. "Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense," ACM CCS Workshop on Rapid Malcode (WORM'03), Oct. 27, Washington DC, USA, 2003. (Acceptance ratio: 10/25=40%. Workshop presentation slides with speaking notes)

  Cliff C. Zou, Lixin Gao, Weibo Gong and Don Towsley. "Monitoring and Early Warning for Internet Worms," 10th ACM Conference on Computer and Communication Security (CCS'03), Oct. 27-31, Washington DC, USA, 2003. (Acceptance ratio: 35/253=13.8%. Conference presentation slides with speaking notes)

  Cliff C. Zou, Weibo Gong, Don Towsley. "Code Red Worm Propagation Modeling and Analysis," 9th ACM Conference on Computer and Communication Security (CCS'02), Nov. 18-22, Washington DC, USA, 2002. (Acceptance ratio: 27/153=17.6%. Conference presentation slides with speaking notes)

  Other publications

  Cliff C. Zou, Weibo Gong, and Don Towsley. "Feedback Email Worm Defense System for Enterprise Networks," Umass ECE Technical Report TR-04-CSE-05, April 16, 2004

  Cliff C. Zou, Don Towsley, and Weibo Gong. "A Firewall Network System for Worm Defense in Enterprise Networks," Umass ECE Technical Report TR-04-CSE-01, February 4, 2004

  Cassandras, C.G., C.G. Panayiotou, G. Diehl, W. Gong, Z. Liu, and C.C. Zou, "Clustering Methods for Multi-Resolution Simulation Modeling," Proceedings of SPIE's 14th Annual International Symposium on Aerospace/Defense Sensing, Simulation, and Control, Orlando, FL, April 24-28, 2000.

  Changchun Zou, Hongsheng Xi, Baoqun Yin, Yaping Zhou, Demin Sun.  "Derivative Estimates Parallel Simulation Algorithm Based on Performance Potentials Theory,"  International Federation of Automatic Control Conference (IFAC'99), Jul. 5-9, Beijing, China, 1999.

 

  Invited talk:   "Modeling, Analysis, and Mitigation of Internet Worm Attacks". abstract, presentation slides (ppt, pdf).

    December 9, 2003: AT&T Labs Research, Florham Park, New Jersey.

    January 16, 2004:   Computer Science Department Colloquium, Worcester Polytechnic Institute (WPI), Massachusetts.

 

Other research description:

   Using Hidden Markov Model in Anomaly Intrusion Detection

Hidden Markov Models (HMMs) have been used successfully in speech recognition and some classification areas. Since anomaly intrusion detection can be treated as a classification problem, we proposed some basic ideas on using HMMs to model users' behavior. We then tried HMM modeling on the real SIAC company log data. The results are not good, for the following reasons:

  1. The SIAC data gives us too little information to distinguish normal behavior from anomalous behavior.

  2. Anomaly intrusion detection is a very hard topic. So far, it is still an academic research area without real application.

  3. HMM is suitable for one-dimensional sequence classification, such as a voice wave or spectrum. Typical anomaly detection data are multi-dimensional sequences with continuous and discrete variables mixed together.

It seems that using HMM alone is not quite suitable for the anomaly intrusion detection task.