Simulating realistic network worm traffic for worm warning system design and testing

Michael Liljenstam; David M. Nicol; Vincent H. Berk; Robert S. Gray

doi:10.1145/948187.948193

Simulating realistic network worm traffic for worm warning system design and testing

Michael Liljenstam, David M. Nicol, Vincent H. Berk, Robert S. Gray

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Reproducing the effects of large-scale worm attacks in a laboratory setup in a realistic and reproducible manner is an important issue for the development of worm detection and defense systems. In this paper, we describe a worm simulation model we are developing to accurately model the large-scale spread dynamics of a worm and many aspects of its detailed effects on the network. We can model slow or fast worms with realistic scan rates on realistic IP address spaces and selectively model local detailed network behavior. We show how it can be used to generate realistic input traffic for a working prototype worm detection and tracking system, the Dartmouth ICMP BCC: System/Tracking and Fusion Engine (DIB:S/TRAFEN), allowing performance evaluation of the system under realistic conditions. Thus, we can answer important design questions relating to necessary detector coverage and noise filtering without deploying and operating a full system. Our experiments indicate that the tracking algorithms currently implemented in the DIB:S/TRAFEN system could detect attacks such as Code Red v2 and Sapphire/Slammer very early, even when monitoring a quite limited portion of the address space, but more sophisticated algorithms are being constructed to reduce the risk of false positives in the presence of significant "background noise" scanning.

Original language	English (US)
Title of host publication	WORM'03 - Proceedings of the 2003 ACM Workshop on Rapid Malcode
Publisher	Association for Computing Machinery
Pages	24-33
Number of pages	10
ISBN (Print)	1581137850, 9781581137859
DOIs	https://doi.org/10.1145/948187.948193
State	Published - 2003
Externally published	Yes
Event	WORM'03 - Proceedings of the 2003 ACM Workshop on Rapid Malcode - Washington, DC, United States Duration: Oct 27 2003 → Oct 27 2003

Publication series

Name	WORM'03 - Proceedings of the 2003 ACM Workshop on Rapid Malcode

Other

Other	WORM'03 - Proceedings of the 2003 ACM Workshop on Rapid Malcode
Country/Territory	United States
City	Washington, DC
Period	10/27/03 → 10/27/03

Keywords

Code Red
Network Modeling and Simulation
Network Security
Slammer
Worm Detection Systems
Worms

ASJC Scopus subject areas

Engineering(all)

Online availability

10.1145/948187.948193

Library availability

Discover UIUC Full Text

Cite this

Liljenstam, M., Nicol, D. M., Berk, V. H., & Gray, R. S. (2003). Simulating realistic network worm traffic for worm warning system design and testing. In WORM'03 - Proceedings of the 2003 ACM Workshop on Rapid Malcode (pp. 24-33). (WORM'03 - Proceedings of the 2003 ACM Workshop on Rapid Malcode). Association for Computing Machinery. https://doi.org/10.1145/948187.948193

Simulating realistic network worm traffic for worm warning system design and testing. / Liljenstam, Michael; Nicol, David M.; Berk, Vincent H. et al.
WORM'03 - Proceedings of the 2003 ACM Workshop on Rapid Malcode. Association for Computing Machinery, 2003. p. 24-33 (WORM'03 - Proceedings of the 2003 ACM Workshop on Rapid Malcode).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Liljenstam, M, Nicol, DM, Berk, VH & Gray, RS 2003, Simulating realistic network worm traffic for worm warning system design and testing. in WORM'03 - Proceedings of the 2003 ACM Workshop on Rapid Malcode. WORM'03 - Proceedings of the 2003 ACM Workshop on Rapid Malcode, Association for Computing Machinery, pp. 24-33, WORM'03 - Proceedings of the 2003 ACM Workshop on Rapid Malcode, Washington, DC, United States, 10/27/03. https://doi.org/10.1145/948187.948193

@inproceedings{c98131b8c1e94a22a951defecc5ddd5a,

title = "Simulating realistic network worm traffic for worm warning system design and testing",

abstract = "Reproducing the effects of large-scale worm attacks in a laboratory setup in a realistic and reproducible manner is an important issue for the development of worm detection and defense systems. In this paper, we describe a worm simulation model we are developing to accurately model the large-scale spread dynamics of a worm and many aspects of its detailed effects on the network. We can model slow or fast worms with realistic scan rates on realistic IP address spaces and selectively model local detailed network behavior. We show how it can be used to generate realistic input traffic for a working prototype worm detection and tracking system, the Dartmouth ICMP BCC: System/Tracking and Fusion Engine (DIB:S/TRAFEN), allowing performance evaluation of the system under realistic conditions. Thus, we can answer important design questions relating to necessary detector coverage and noise filtering without deploying and operating a full system. Our experiments indicate that the tracking algorithms currently implemented in the DIB:S/TRAFEN system could detect attacks such as Code Red v2 and Sapphire/Slammer very early, even when monitoring a quite limited portion of the address space, but more sophisticated algorithms are being constructed to reduce the risk of false positives in the presence of significant {"}background noise{"} scanning.",

keywords = "Code Red, Network Modeling and Simulation, Network Security, Slammer, Worm Detection Systems, Worms",

author = "Michael Liljenstam and Nicol, {David M.} and Berk, {Vincent H.} and Gray, {Robert S.}",

year = "2003",

doi = "10.1145/948187.948193",

language = "English (US)",

isbn = "1581137850",

series = "WORM'03 - Proceedings of the 2003 ACM Workshop on Rapid Malcode",

publisher = "Association for Computing Machinery",

pages = "24--33",

booktitle = "WORM'03 - Proceedings of the 2003 ACM Workshop on Rapid Malcode",

address = "United States",

note = "WORM'03 - Proceedings of the 2003 ACM Workshop on Rapid Malcode ; Conference date: 27-10-2003 Through 27-10-2003",

}

TY - GEN

T1 - Simulating realistic network worm traffic for worm warning system design and testing

AU - Liljenstam, Michael

AU - Nicol, David M.

AU - Berk, Vincent H.

AU - Gray, Robert S.

PY - 2003

Y1 - 2003

N2 - Reproducing the effects of large-scale worm attacks in a laboratory setup in a realistic and reproducible manner is an important issue for the development of worm detection and defense systems. In this paper, we describe a worm simulation model we are developing to accurately model the large-scale spread dynamics of a worm and many aspects of its detailed effects on the network. We can model slow or fast worms with realistic scan rates on realistic IP address spaces and selectively model local detailed network behavior. We show how it can be used to generate realistic input traffic for a working prototype worm detection and tracking system, the Dartmouth ICMP BCC: System/Tracking and Fusion Engine (DIB:S/TRAFEN), allowing performance evaluation of the system under realistic conditions. Thus, we can answer important design questions relating to necessary detector coverage and noise filtering without deploying and operating a full system. Our experiments indicate that the tracking algorithms currently implemented in the DIB:S/TRAFEN system could detect attacks such as Code Red v2 and Sapphire/Slammer very early, even when monitoring a quite limited portion of the address space, but more sophisticated algorithms are being constructed to reduce the risk of false positives in the presence of significant "background noise" scanning.

AB - Reproducing the effects of large-scale worm attacks in a laboratory setup in a realistic and reproducible manner is an important issue for the development of worm detection and defense systems. In this paper, we describe a worm simulation model we are developing to accurately model the large-scale spread dynamics of a worm and many aspects of its detailed effects on the network. We can model slow or fast worms with realistic scan rates on realistic IP address spaces and selectively model local detailed network behavior. We show how it can be used to generate realistic input traffic for a working prototype worm detection and tracking system, the Dartmouth ICMP BCC: System/Tracking and Fusion Engine (DIB:S/TRAFEN), allowing performance evaluation of the system under realistic conditions. Thus, we can answer important design questions relating to necessary detector coverage and noise filtering without deploying and operating a full system. Our experiments indicate that the tracking algorithms currently implemented in the DIB:S/TRAFEN system could detect attacks such as Code Red v2 and Sapphire/Slammer very early, even when monitoring a quite limited portion of the address space, but more sophisticated algorithms are being constructed to reduce the risk of false positives in the presence of significant "background noise" scanning.

KW - Code Red

KW - Network Modeling and Simulation

KW - Network Security

KW - Slammer

KW - Worm Detection Systems

KW - Worms

UR - http://www.scopus.com/inward/record.url?scp=18844367440&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=18844367440&partnerID=8YFLogxK

U2 - 10.1145/948187.948193

DO - 10.1145/948187.948193

M3 - Conference contribution

AN - SCOPUS:18844367440

SN - 1581137850

SN - 9781581137859

T3 - WORM'03 - Proceedings of the 2003 ACM Workshop on Rapid Malcode

SP - 24

EP - 33

BT - WORM'03 - Proceedings of the 2003 ACM Workshop on Rapid Malcode

PB - Association for Computing Machinery

T2 - WORM'03 - Proceedings of the 2003 ACM Workshop on Rapid Malcode

Y2 - 27 October 2003 through 27 October 2003

ER -

Simulating realistic network worm traffic for worm warning system design and testing

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this