A Self-Learning Worm Using Importance Scanning

Short Description
nerable hosts, a self-learning worm can spread much faster. than a random-scanning worm, … Such worm intends to use importance scanning but avoids …

Website: www1.cs.columbia.edu | Filesize: 364kb

Content
A Self-Learning Worm Using Importance Scanning
Zesheng Chen
School of Electrical & Computer Engineering
Georgia Institute of Technology
Atlanta, Georgia 30332
zchen@ece.gatech.edu
Chuanyi Ji
School of Electrical & Computer Engineering
Georgia Institute of Technology
Atlanta, Georgia 30332
jic@ece.gatech.edu
ABSTRACT
The use of side information by an attacker can help a worm
speed up the propagation. This philosophy has been the basis
for advanced worm scanning mechanisms such as hitlist
scanning, routable scanning, and importance scanning. Some
of these scanning methods use information on vulnerable
hosts. Such information, however, may not be easy to collect
before a worm is released. Questions then arise whether
and how a worm can self-learn and use such information
while propagating, and how virulent the resulting worm may
be. In this paper, we design a self-learning worm using importance
scanning. An optimal yet practical importancescanning
strategy is derived based on a new metric. A selflearning
worm is demonstrated to have the ability to accurately
estimate the underlying vulnerable-host distribution
if a sufficient number of infected hosts are observed. Experimental
results based on parameters chosen from Code Red
show that after accurately estimating the distribution of vulnerable…