Simulating realistic network worm traffic for worm warning system design and testing

Michael Liljenstam, David M. Nicol, Vincent H. Berk, Robert S. Gray

Research output: Chapter in Book/Report/Conference proceeding - Conference contribution

Abstract

Reproducing the effects of large-scale worm attacks in a laboratory setup in a realistic and reproducible manner is an important issue for the development of worm detection and defense systems. In this paper, we describe a worm simulation model we are developing to accurately model the large-scale spread dynamics of a worm and many aspects of its detailed effects on the network. We can model slow or fast worms with realistic scan rates on realistic IP address spaces and selectively model local detailed network behavior. We show how it can be used to generate realistic input traffic for a working prototype worm detection and tracking system, the Dartmouth ICMP BCC: System/Tracking and Fusion Engine (DIB:S/TRAFEN), allowing performance evaluation of the system under realistic conditions. Thus, we can answer important design questions relating to necessary detector coverage and noise filtering without deploying and operating a full system. Our experiments indicate that the tracking algorithms currently implemented in the DIB:S/TRAFEN system could detect attacks such as Code Red v2 and Sapphire/Slammer very early, even when monitoring a quite limited portion of the address space, but more sophisticated algorithms are being constructed to reduce the risk of false positives in the presence of significant "background noise" scanning.

Original language: English (US)
Title of host publication: WORM'03 - Proceedings of the 2003 ACM Workshop on Rapid Malcode
Publisher: Association for Computing Machinery
Pages: 24-33
Number of pages: 10
ISBN (Print): 1581137850, 9781581137859
DOIs
State: Published - 2003
Externally published: Yes
Event: WORM'03 - Proceedings of the 2003 ACM Workshop on Rapid Malcode - Washington, DC, United States
Duration: Oct 27 2003 to Oct 27 2003

Publication series

Name: WORM'03 - Proceedings of the 2003 ACM Workshop on Rapid Malcode

Other

Other: WORM'03 - Proceedings of the 2003 ACM Workshop on Rapid Malcode
Country/Territory: United States
City: Washington, DC
Period: 10/27/03 to 10/27/03

Keywords

  • Code Red
  • Network Modeling and Simulation
  • Network Security
  • Slammer
  • Worm Detection Systems
  • Worms

ASJC Scopus subject areas

  • General Engineering
