Shahzad, Khurram (2015) An investigation of mechanisms to mitigate zero-day computer worms within computer networks. PhD thesis, University of Greenwich.

Preview

PDF Khurram Shahzad 2015.pdf - Published Version Available under License Creative Commons Attribution Non-commercial No Derivatives. Download (2MB) | Preview

Abstract

An Internet worm replicates itself by automatically infecting vulnerable systems and may infect hundreds of thousands of hosts across the Internet in tens of minutes. The speed of propagation of a worm is significantly higher than many other types of malware, including viruses. The potential for signification damage within a short time is therefore great. Worm detection and response systems must, therefore, act quickly to identify and counter the effects of worms. In this thesis, an investigation of mechanisms to mitigate zero-day computer worms has been carried out, while defining the key research questions to answer.
This thesis presents a novel distributed automated worm detection and containment scheme, RL+LA, developed during the course of this research, that is based on the correlation of Domain Name System (DNS) queries against the destination IP address of outgoing TCP SYN and UDP datagrams leaving the network boundary, while utilizing cooperation between different communicating scheme members using a custom protocol, which has been termed Friends. To the knowledge of author, this is the first implementation of such a scheme. A set of tools i.e. a Pseudo-Worm Daemon (PWD), which provides random scanning and hit-list worm like functionality; and a Virtualized Malware Testbed (VMT) for testing of worm experiments, were also developed in order to empirically evaluate the performance of the desired countermeasure scheme, RL+LA.
A set of empirical experiments were conducted by using Pseudo-Slammer and Pseudo-Witty worms with real world attributes of Slammer and Witty worms in order to evaluate PWD. The experimental results are broadly comparable to real worm outbreak reported data. Furthermore, these results are compared with a biological epidemiological model (SI model) in order to explore the applicability of SI model to cyber malware infections in general, as well as to assess its usefulness in characterising the virulence of cyber malware. From base comparison of Pseudo-Slammer and Pseudo-Witty worm experimental results with reported outbreak data of Slammer and Witty worms; and SI model, it is concluded that: (a) PWD can be used as an effective tool to empirically analyze the propagation behaviour of random scanning and hit-list worms and to test potential countermeasures, (b) SI model can be effectively used in characterising the virulence of random scanning worms. Another comprehensive sets of empirical experiments were also conducted by using a Slammer-like pseudo-worm on a small scale with class C networks and on class A networks by using Pseudo-Slammer and Pseudo-Witty worms with real attributes of Slammer and Witty worms, without any countermeasures and by invoking RL and RL+LA countermeasures, in order to evaluate the performance of the proposed scheme, RL+LA. The experimental results show a significant reduction in the infection speed of the worms, when the countermeasure scheme is invoked.

Item Type:	Thesis (PhD)
Uncontrolled Keywords:	computer networks; malware; viruses; computer worm; worm detection;
Subjects:	Q Science > QA Mathematics T Technology > TK Electrical engineering. Electronics Nuclear engineering
Faculty / School / Research Centre / Research Group:	Faculty of Engineering & Science Faculty of Engineering & Science > School of Engineering (ENG)
Last Modified:	23 Nov 2017 12:42
URI:	http://gala.gre.ac.uk/id/eprint/18137

Actions (login required)

View Item

Downloads