Article

Worm anatomy and model

Author:

Dan EllisAuthors Info & Claims

WORM '03: Proceedings of the 2003 ACM workshop on Rapid malcode

Pages 42 - 50

https://doi.org/10.1145/948187.948196

Published: 27 October 2003 Publication History

Abstract

We present a general framework for reasoning about network worms and analyzing the potency of worms within a specific network. First, we present a discussion of the life cycle of a worm based on a survey of contemporary worms. We build on that life cycle by developing a relational model that associates worm parameters, attributes of the environment, and the subsequent potency of the worm. We then provide a worm analytic framework that captures the generalized mechanical process a worm goes through while moving through a specific environment and its state as it does so. The key contribution of this work is a worm analytic framework. This framework can be used to evaluate worm potency and develop and validate defensive countermeasures and postures in both static and dynamic worm conflict. This framework will be implemented in a modeling and simulation language in order to evaluate the potency of specific worms within an environment.

References

[1]

http://www.cert.org/body/advisories/CA200126_FA200126.html

[2]

Fred Cohen, "Computer Viruses: Theory and Experiments", Computers and Security, Volume 6, Number 1, January, 1987, pp 22--35.

Digital Library

[3]

Fred Cohen, "A Formal Definition of Computer Worms and Some Related Results", Computers and Security, Volume 11, Number 7, November, 1992, pp 641--652.

Digital Library

[4]

Stuart Staniford-Chen, R. Crawford, M. Dilger, J. Frank, J. Hoagland, K. Levitt, D. Zerkle, "GrIDS A Graph-Based Intrusion Detection System for Large Networks", In the Proceedings of the 19th National Information Systems Security Conference, 1996.

[5]

Robert Baldwin, Rule Based Analysis of Computer Security. PhD Thesis, MIT EE, June 1987.

[6]

Dan Zerkle, Karl Levitt, "NetKuang -- A Multi-Host Configuration Vulnerability Checker", In 6th USENIX Security Symposium, San Jose, California, July 1996.

Digital Library

[7]

Paul Ammann, Duminda Wijesekera, Saket Kaushik, "Scalable, Graph-based Network Vulnerability Analysis", ACM CCS 2002, November 18-22, 2002, Washington, DC.

Digital Library

[8]

Oleg Sheyner, Somesh Jha, Jeannette M. Wing, "Automated Generation and Analysis of Attack Graphs", Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 2002.

Digital Library

[9]

J. O. Kephat, S. R. White, "Directed-graph Epidemiological Models of Computer Viruses", Proceedings of the 1991 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 343--359.

[10]

J. O. Kephart, S. R. White, and Chess, "Computers and Epidemiology", IEEE Spectrum, May 1993.

Digital Library

[11]

Stuart Staniford, Vern Paxson, Nicholas Weaver, "How to 0wn the Internet in Your Spare Time", Proceedings of the 11th USENIX Security Symposium 2002.

Digital Library

[12]

Cliff Changchun Zou, Weibo Gong, Don Towsley, "Code Red Worm Propagation Modeling and Analysis", ACM CCS 2002, November 18-22, 2002, Washington, DC.

Digital Library

[13]

Chenxi Wang, John Knight, Matthew Elder, "On Computer Viral Infection and the Effect of Immunization", ACSAC 2000, pp 246--25.

Digital Library

[14]

http://www.sophos.com/virusinfo/analyses/w32nachia.html

[15]

http://www.whitehats.com/library/worms/lion/

Cited By

Ochieng NMwangi WAteya I(2020)Generalization Performance Comparison of Machine Learners for the Detection of Computer Worms Using Behavioral FeaturesSoft Computing: Theories and Applications10.1007/978-981-15-4032-5_62(677-693)Online publication date: 30-Jun-2020
https://doi.org/10.1007/978-981-15-4032-5_62
Hu HWang MOuyang MHu G(2019)Toward Network Worm Victims Identification Based on Cascading Motif DiscoveryElectronics10.3390/electronics80201838:2(183)Online publication date: 5-Feb-2019
https://doi.org/10.3390/electronics8020183
Leszczyna RFovino I(2013)Evaluating Security and Resilience of Critical Networked Infrastructures after StuxnetCritical Information Infrastructure Protection and Resilience in the ICT Sector10.4018/978-1-4666-2964-6.ch012(242-256)Online publication date: 2013
https://doi.org/10.4018/978-1-4666-2964-6.ch012
Show More Cited By

Index Terms

Worm anatomy and model

Recommendations

WORM vs. WORM: preliminary study of an active counter-attack mechanism
WORM '04: Proceedings of the 2004 ACM workshop on Rapid malcode

Self-propagating computer worms have been terrorizing the Internet for the last several years. With the increasing density, inter-connectivity and bandwidth of the Internet combined with security measures that inadequately scale, worms will continue to ...
Worm damage minimization in enterprise networks

Attackers utilize many forms of intrusion via computer networks; currently, worms are an important vector with the potential for widespread damage. None of the strategies is effective and rapid enough to mitigate worm propagation. Therefore, it is ...
Modeling and Detection of Camouflaging Worm

Active worms pose major security threats to the Internet. This is due to the ability of active worms to propagate in an automated fashion as they continuously compromise computers on the Internet. Active worms evolve during their propagation, and thus, ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

WORM '03: Proceedings of the 2003 ACM workshop on Rapid malcode

October 2003

92 pages

ISBN:1581137850

DOI:10.1145/948187

General Chair:
Stuart Staniford
Silicon Defense
,
Program Chair:
Stefan Savage
University of California, San Diego

Copyright © 2003 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 27 October 2003

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

CCS03

Sponsor:

CCS03: Tenth ACM Conference on Computer and Communications Security 2003

October 27, 2003

DC, Washington, USA

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

32
Total Citations
View Citations
2,278
Total Downloads

Downloads (Last 12 months)27
Downloads (Last 6 weeks)6

Reflects downloads up to 16 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Ochieng NMwangi WAteya I(2020)Generalization Performance Comparison of Machine Learners for the Detection of Computer Worms Using Behavioral FeaturesSoft Computing: Theories and Applications10.1007/978-981-15-4032-5_62(677-693)Online publication date: 30-Jun-2020
https://doi.org/10.1007/978-981-15-4032-5_62
Hu HWang MOuyang MHu G(2019)Toward Network Worm Victims Identification Based on Cascading Motif DiscoveryElectronics10.3390/electronics80201838:2(183)Online publication date: 5-Feb-2019
https://doi.org/10.3390/electronics8020183
Leszczyna RFovino I(2013)Evaluating Security and Resilience of Critical Networked Infrastructures after StuxnetCritical Information Infrastructure Protection and Resilience in the ICT Sector10.4018/978-1-4666-2964-6.ch012(242-256)Online publication date: 2013
https://doi.org/10.4018/978-1-4666-2964-6.ch012
Liu JWang Y(2013)Study on Computer Network Intrusion Effect EvaluationProceedings of the 2013 Third International Conference on Instrumentation, Measurement, Computer, Communication and Control10.1109/IMCCC.2013.80(349-353)Online publication date: 21-Sep-2013
https://dl.acm.org/doi/10.1109/IMCCC.2013.80
Sandaruwan GRanaweera POleshchuk V(2013)PLC security and critical infrastructure protection2013 IEEE 8th International Conference on Industrial and Information Systems10.1109/ICIInfS.2013.6731959(81-85)Online publication date: Dec-2013
https://doi.org/10.1109/ICIInfS.2013.6731959
Leszczyna R(2013)Agents in Simulation of Cyberattacks to Evaluate Security of Critical InfrastructuresMultiagent Systems and Applications10.1007/978-3-642-33323-1_6(129-146)Online publication date: 2013
https://doi.org/10.1007/978-3-642-33323-1_6
Bose AShin K(2011)Agent‐based modeling of malware dynamics in heterogeneous environmentsSecurity and Communication Networks10.1002/sec.2986:12(1576-1589)Online publication date: 25-Feb-2011
https://doi.org/10.1002/sec.298
Kondakci SDincer C(2011)Internet epidemiology: healthy, susceptible, infected, quarantined, and recoveredSecurity and Communication Networks10.1002/sec.2874:2(216-238)Online publication date: 5-Jan-2011
https://doi.org/10.1002/sec.287
Oliner AKulkarni AAiken A(2010)Community epidemic detection using time-correlated anomaliesProceedings of the 13th international conference on Recent advances in intrusion detection10.5555/1894166.1894191(360-381)Online publication date: 15-Sep-2010
https://dl.acm.org/doi/10.5555/1894166.1894191
Fan XXiang Y(2010)Defending against the propagation of active wormsThe Journal of Supercomputing10.1007/s11227-009-0283-851:2(167-200)Online publication date: 1-Feb-2010
https://dl.acm.org/doi/10.1007/s11227-009-0283-8
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents