• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.19 no.12
• /
• pp.2858-2864
• /
• 2015

Internet worms have been the major Internet threats may disclose important information and can bring about faults of computer systems, which spread with the fastest speed among malicious codes. Simultaneously spreading multiple worms and its variants are revealing the limitation of conventional responses based on single worms. In order to defend them effectively, it is necessary to study how multiple worms propagate and what factors affect worm spreading. In this paper, we improve the existed single worm spreading models and try to describe the correct spreads of multiple worms. Thus we analyze the spreading effects of multiple worms and its variants by various experiments.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.18 no.1
• /
• pp.89-102
• /
• 2008

Internet becomes more and more popular, and most companies and institutes use web services for e-business and many other purposes. With the explosion of Internet, the attack of internet worm has grown. Simulation is one of the most widely used method to study internet worms. But, it is quite challenging to simulate very large-scale worm attacks because of various reasons. By this reason, we often use the modeling network simulation technique. But, it also has problem that it difficult to apply each worm attacks to simulation. In this paper, we propose worm attack representation and mapping methods for apply worm attack to simulation. The proposed method assist to achieve the simulation efficiency. And we can express each worm attacks more detail. Consequently, the simulation of worm attacks has the time-efficiency and the minuteness.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.17 no.3
• /
• pp.43-53
• /
• 2007

Internet becomes more and more popular, and most companies and institutes use web services for e-business and many other purposes. With the explosion of Internet, the occurrence of cyber terrorism has grown very rapidly. Simulation is one of the most widely used method to study internet worms. But, it is quite challenging to simulate very large-scale worm attacks because of various reasons. In this paper, we propose a hybrid modeling method for RCS(Random Constant Spreading) worm simulation. The proposed hybrid model simulates worm attacks by synchronizing modeling network and packet network. So, this model will be both detailed enough to generate realistic packet traffic, and efficient enough to model a worm spreading through the Internet. Moreover, our model have the capability of dynamic updates of the modeling parameters. Finally, we simulate the hybrid model with the CodeRed worm to show validity of our proposed model for RCS worm simulation.

• Journal of KIISE:Computing Practices and Letters
• /
• v.15 no.9
• /
• pp.675-684
• /
• 2009

Internet worm can cause a traffic problem through DDoS(Distributed Denial of Services) or other kind of attacks. In those manners, it can compromise the internet infrastructure. In addition to this, it can intrude to important server and expose personal information to attacker. However, current detection and response mechanisms to worm have many vulnerabilities, because they only use local characteristic of worm or can treat known worms. In this paper, we propose a new framework to detect unknown worms. It uses macroscopic characteristic of worm to detect unknown worm early. In proposed idea, we define the macroscopic behavior of worm, propose a worm detection method to detect worm flow directly in IP packet networks, and show the performance of our system with simulations. In IP based method, we implement the proposed system and measure the time overhead to execute our system. The measurement shows our system is not too heavy to normal host users.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.37 no.3B
• /
• pp.212-218
• /
• 2012

An Internet worm is a self-replicating malware program which uses a computer network. As the network connectivity among computers increases, Internet worms have become widespread and are still big threats. There are many approaches to model the propagation of Internet worms such as Code Red, Nimda, and Slammer to get the insight of their behaviors and to devise possible defense methods to suppress worms' propagation activities. The influence of the network characteristics on the worm propagation has usually been modeled by medical epidemic model, named SI model, due to its simplicity and the similarity of propagation patterns. So far, SI model is still dominant and new variations of the SI model, called SI-style models, are being proposed for the modeling of new Internet worms. In this paper, we elaborate the problems of SI-style models and then propose a new accurate stochastic model using an occupancy problem.

• Journal of Internet Computing and Services
• /
• v.15 no.1
• /
• pp.125-134
• /
• 2014

As the social media which was simple communication media is activated on account of twitter and facebook, it's usability and importance are growing recently. Although many companies are making full use of its the capacity of information diffusion for marketing, the adverse effects of this capacity are growing. Because social network is formed and communicates based on friendships and relationships, the spreading speed of the spam and mal-ware is very swift. In this paper, we draw parameters affecting malicious data diffusion in social network environment, and compare and analyze the diffusion capacity of each parameters by propagation experiment with XSS Worm and Koobface Worm. In addition, we discuss the structural characteristics of social network environment and then proposed malicious data propagation model based on parameters affecting information diffusion. n this paper, we made up BA and HK models based on SI model, dynamic model, to conduct the experiments, and as a result of the experiments it was proved that parameters which effect on propagation of XSS Worm and Koobface Worm are clustering coefficient and closeness centrality.

• ETRI Journal
• /
• v.30 no.1
• /
• pp.81-88
• /
• 2008

The security threat posed by worms has steadily increased in recent years. This paper discusses the application of the optimal and sub-optimal Internet worm control via Pontryagin's maximum principle. To this end, a control variable representing the optimal treatment strategy for infectious hosts is introduced into the two-factor worm model. The numerical optimal control laws are implemented by the multiple shooting method and the sub-optimal solution is computed using genetic algorithms. Simulation results demonstrate the effectiveness of the proposed optimal and sub-optimal strategies. It also provides a theoretical interpretation of the practical experience that the maximum implementation of treatment in the early stage is critically important in controlling outbreaks of Internet worms. Furthermore, our results show that the proposed sub-optimal control can lead to performance close to the optimal control, but with much simpler strategies for long periods of time in practical use.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.11 no.1
• /
• pp.484-510
• /
• 2017

Network security is rapidly developing, but so are attack methods. Network worms are one of the most widely used attack methods and have are able to propagate quickly. As an active defense approach to network worms, the honeynet technique has long been limited by the closed architecture of traditional network devices. In this paper, we propose a closed loop defense system of worms based on a Software-Defined Networking (SDN) technology, called Worm-Hunter. The flexibility of SDN in network building is introduced to structure the network infrastructures of Worm-Hunter. By using well-designed flow tables, Worm-Hunter is able to easily deploy different honeynet systems with different network structures and dynamically. When anomalous traffic is detected by the analyzer in Worm-Hunter, it can be redirected into the honeynet and then safely analyzed. Throughout the process, attackers will not be aware that they are caught, and all of the attack behavior is recorded in the system for further analysis. Finally, we verify the system via experiments. The experiments show that Worm-Hunter is able to build multiple honeynet systems on one physical platform. Meanwhile, all of the honeynet systems with the same topology operate without interference.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.35 no.3B
• /
• pp.551-557
• /
• 2010

Fast spreading Internet worms will be sure to become one of the new major threats of convergence networks as well as the Internet. In order to defend and respond them, it is necessary to study how Internet worms propagate and what factors affect worm spreading. In this paper, we try to describe the correct spread of worms on convergence network environments. Therefore we propose a spreading model and analyze the spreading effects by various experiments.

• Journal of KIISE:Information Networking
• /
• v.34 no.3
• /
• pp.186-192
• /
• 2007

The virus throttling technique[5,6] is the one of well-known worm early technique. Virus throttling reduce the worm propagration by delaying connection packets artificially. However the worm detection time is not sufficiently fast as expected when the worm generated worm packets at a low rate. This is because the virus throttling technique use only delay queue length. In this paper we use the trend of weighted average delay queue length (TW AQL). By using TW AQL, the worm detection time is not only shorten at a low rate Internet worm, but also the false alarm does not largely increase. By experiment, we also proved our proposed algorithm had better performance.