• The Journal of the Korea Contents Association
• /
• v.6 no.12
• /
• pp.155-162
• /
• 2006

It was well known that how much seriously the Internet worm such as the Code Red had an effect on our daily activities. Recently the rapid growth of the Internet speed will produce more swift damage us in a short term period. In order to defend against future worm, we need to understand the propagation pattern during the lifetime of worms. In this paper, we analyze the propagation pattern of the Code Red worm by a computer simulation. In particular, we show that an existing simulation result about the number of infectious hosts does not match the observed data, and then we introduce a factor of revised human countermeasures into the simulation. We also show the simulation results presenting the importance of patching and pre-patching of the Internet worm.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.12 no.1
• /
• pp.81-86
• /
• 2008

Fast spreading Internet worms, such as Code Red and Slammer, have become one of the new major throne of the Internet recently. In order to defend against theses worms, it is essential to understand how Internet worms propagate and how different Internet factors affect worm spreading. In this paper, we intend to describe the spread of worms on Internet environments accurately. Therefore we model and analyze the spreading effects by various simulations considering Internet addressing and speed. The results lead to a better prediction of the worm spreading on current and future Internet environments.

• Kyungpook Mathematical Journal
• /
• v.56 no.4
• /
• pp.1191-1205
• /
• 2016

The emergence of various Internet worms, including the stand-alone Code Red worm that caused a distributed denial of service (DDoS), has prompted many studies on their propagation speed to minimize potential damages. Many studies, however, assume the same probabilities for initially infected nodes to infect each node during their propagation, which do not reflect accurate Internet worm propagation modelling. Thus, this paper analyzes how Internet worm propagation speed varies according to the number of vulnerable hosts directly connected to infected hosts as well as the link costs between infected and vulnerable hosts. A mathematical model based on centrality theory is proposed to analyze and simulate the effects of degree centrality values and closeness centrality values representing the connectivity of nodes in a large-scale network environment on Internet worm propagation speed.

• The Journal of the Korea Contents Association
• /
• v.7 no.11
• /
• pp.94-101
• /
• 2007

We introduce the way to detect the mutation worm. We implemented the program that can generate signature using LCSeq(Longest Common Subsequence) technique in Suffix Tree studied as pattern recognition algorithm. We also showed the process to detect the mutation of CodeRed worm and Nimda worm and evaluated signatures generated by snort and LCSeq.

• Journal of KIISE:Information Networking
• /
• v.35 no.6
• /
• pp.474-481
• /
• 2008

Scanning worm increases network traffic load and result in severe network congestion because it is a self-replicating worm and send copies of itself to a number of hosts through the Internet. So an early detection system which can automatically detect scanning worms is needed to protect network from those attacks. Although many studies are conducted to detect scanning worms, most of them are focusing on the method using packet header information. The method using packet header information has long detection delay since it must examine the header information of all packets entering or leaving the network. Therefore we propose an algorithm to detect scanning worms using network traffic characteristics such as variance of traffic volume, differentiated traffic volume, mean of differentiated traffic volume, and product of mean traffic volume and mean of differentiated traffic volume. We verified the proposed algorithm by analyzing the normal traffic captured in the real network and the worm traffic generated by simulator. The proposed algorithm can detect CodeRed and Slammer which are not detected by existing algorithm. In addition, all worms were detected in early stage: Slammer was detected in 4 seconds and CodeRed and Witty were detected in 11 seconds.

• Convergence Security Journal
• /
• v.8 no.4
• /
• pp.173-181
• /
• 2008

Recently, Worm epidemic models have been developed in response to the cyber threats posed by worms in order to analyze their propagation and predict their spread. Some of the most important ones involve mathematical model techniques such as Epidemic(SI), KM (Kermack-MeKendrick), Two-Factor and AAWP(Analytical Active Worm Propagation). However, most models have several inherent limitations. For instance, they target worms that employ random scanning in the network such as CodeRed worm and it was able to be applied to the specified threats. Therefore, we propose the probabilistic of worm propagation based on the Markov Chain, which can be applied to cyber threats such as Mass SQL Injection worm. Using the proposed method in this paper, we can predict the occurrence probability and occurrence frequency for each threats in the entire system.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.17 no.3
• /
• pp.43-53
• /
• 2007

Internet becomes more and more popular, and most companies and institutes use web services for e-business and many other purposes. With the explosion of Internet, the occurrence of cyber terrorism has grown very rapidly. Simulation is one of the most widely used method to study internet worms. But, it is quite challenging to simulate very large-scale worm attacks because of various reasons. In this paper, we propose a hybrid modeling method for RCS(Random Constant Spreading) worm simulation. The proposed hybrid model simulates worm attacks by synchronizing modeling network and packet network. So, this model will be both detailed enough to generate realistic packet traffic, and efficient enough to model a worm spreading through the Internet. Moreover, our model have the capability of dynamic updates of the modeling parameters. Finally, we simulate the hybrid model with the CodeRed worm to show validity of our proposed model for RCS worm simulation.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.37 no.3B
• /
• pp.212-218
• /
• 2012

An Internet worm is a self-replicating malware program which uses a computer network. As the network connectivity among computers increases, Internet worms have become widespread and are still big threats. There are many approaches to model the propagation of Internet worms such as Code Red, Nimda, and Slammer to get the insight of their behaviors and to devise possible defense methods to suppress worms' propagation activities. The influence of the network characteristics on the worm propagation has usually been modeled by medical epidemic model, named SI model, due to its simplicity and the similarity of propagation patterns. So far, SI model is still dominant and new variations of the SI model, called SI-style models, are being proposed for the modeling of new Internet worms. In this paper, we elaborate the problems of SI-style models and then propose a new accurate stochastic model using an occupancy problem.

• Electronics and Telecommunications Trends
• /
• v.20 no.1 s.91
• /
• pp.9-16
• /
• 2005

최초의 인터넷 웜(worm)으로 불리는 Morris 웜이 1988년 11월에 발표된 이래로 현재까지 많은 웜 공격이 발생되고 또 발표되어 왔다. 초기의 웜은 작은 규모의 네트워크에서 퍼지는 정도였으며, 실질적인 피해를 주는 경우는 거의 없었다. 그러나 2001년 CodeRed 웜은 인터넷에 연결된 많은 컴퓨터들을 순식간에 감염시켜 많은 피해를 발생시켰으며 그 이후 2003년 1월에 발생한 Slammer 웜은 10분이라는 짧은시간안에 75,000여 대 이상의 호스트를 감염시키고 네트워크 자체를 마비시켰다. 특히 Slammer 웜은 국내에서 더욱 유명하다. 명절 구정과 맞물려 호황을 누리던 인터넷 쇼핑 몰, 은행 거래 등을 일시에 마비시켜 버리면서 경제적으로도 막대한 피해를 우리에게 주었다. 이런 웜을 막기 위해서 많은 보안 업체들이나서고 있으나, 아직은 사전에 웜의 피해를 막을만한 확실한 대답을 얻지 못하고 있다. 본 문서에서는 현재 웜의 발생 초기 단계를 탐지하고 이를 피해가 커지기 이전에 막기 위한 연구들을 설명할 것이다.

• The KIPS Transactions:PartC
• /
• v.12C no.5 s.101
• /
• pp.633-642
• /
• 2005

Ubiquitous computing system is about networked processors, which is constructed with one or more computers interconnected by the networks. However, traditional security solution lacks a Proactive maintenance technique because of its focusing on developing the qualitative detection and countermeasure after attack. Thus, in this paper, we propose a quantitative assessment modeling technique, by which the general infrastructure can be improved and the attacks on a specific infrastructure be detected and protected. First of all, we develop the definition of survivality and modeling technique for quantitative assessment modeling with the static information on the system random information, and attack-type modeling. in addition, the survivality analysis on TCP-SYN attack and code-Red worm attack is performed for validating the proposed technique.