The Worms Containment Strategy Computer Science Essay


Abstract- Computer worms, malicious self-propagating programs, represent a significant threat to large networks. One possible defense, containment, seeks to limit a worm's spread by isolating it in a small subsection of the network [2]. In this work we develop containment algorithms suitable for deployment in high-speed, low-cost network hardware. We show that these techniques can stop a scanning host. A branching process model for characterizing the propagation of internet worms is illustrated. The model is developed for uniform scanning worms. This leads to the development of an automatic worm containment strategy that prevents the spread of the worm beyond its early stage. Specifically, for uniform scanning worms, we are able to provide a precise condition that determines whether the worm spread will eventually stop, and to obtain the distribution of the total number of hosts that the worm infects. We then extend our results to contain preference scanning worms. Our strategy is based on limiting the number of scans to dark-address space; the limiting value is determined by our analysis. Our worm containment schemes effectively contain both uniform scanning worms and local preference scanning worms, and they are validated through simulations and real trace data to be non-intrusive.

Index Terms- Dark address space, stochastic analysis, need for deterministic analysis


Self-propagating codes, called worms, such as Code Red, Nimda and Slammer, have drawn significant attention due to their enormously adverse impact on the internet. Thus, there is great interest in the research community in modeling the spread of worms and in providing adequate defense mechanisms against them. Worms differ from computer viruses and are more hazardous in terms of their activity: they are malicious programs that can infect a system and spread rapidly without any human intervention. One class of such code, known as random scanning worms, spreads by using a scanning strategy to find vulnerable hosts to infect. Network worms have the potential to infect many vulnerable hosts on the internet before human countermeasures take place. The aggressive scanning traffic generated by the infected hosts has caused network congestion, equipment failure and blocking of physical facilities such as subway stations, 911 call centers, etc. The propagation of random scanning worms and the corresponding development of automatic containment mechanisms is extended to protect an enterprise network from a preference scanning worm. A host infected with a random scanning worm finds and infects other vulnerable hosts by scanning a list of randomly generated IP addresses. We consider the generation-wise evolution of worms, with the hosts that are infected at the beginning of the propagation forming generation zero. The hosts that are directly infected by hosts in generation n are said to belong to generation n+1. The model captures the worm spreading dynamics for worms of arbitrary scanning rate, including stealth worms that may turn themselves off at times.

It is the total number of scans that an infected host attempts, and not the more restrictive scanning rate, that determines whether a worm can spread. Moreover, we can probabilistically bound the total number of infected hosts. The main idea is to limit the total number of distinct IP addresses contacted per host, denoted MC, over a period we call the containment cycle, which is of the order of weeks or months. The value of MC does not need to be as carefully tuned as the parameters of traditional rate control mechanisms. Further, this scheme has marginal impact on the normal operation of the network. This scheme is fundamentally different from rate limiting schemes because we are not bounding instantaneous scanning rates. Preference scanning worms are a common class of worms but have received significantly less attention from the research community. Unlike uniform scanning worms, this type of worm prefers to scan random IP addresses in the local network over the overall internet. We therefore propose a local worm containment system based on restricting a host's total number of scans to local unused IP addresses (denoted as N). We then use a stochastic branching process model to come up with a bound on the value of N that ensures that the worm spread is stopped.


A computer worm is a self-replicating program. It uses a network to send copies of itself to other nodes and it may do so without any user intervention.


Worm containment is designed to halt the spread of a worm in an enterprise by detecting infected machines and preventing them from contacting further systems. Scanning worms operate by picking 'random' addresses and attempting to infect them. The actual selection technique can vary considerably: linear scanning of an address space, fully random selection, a bias toward local addresses, or permutation scanning. Since containment works best when the cells are small, it needs to be integrated into the network's outer switches, as close to the end hosts as is economically feasible.


The key component of today's containment techniques is scan suppression: responding to detected port scans by blocking future scanning attempts. Port scans (probe attempts to determine whether a service is operating at a target IP address) are used by both human attackers and worms to discover new victims. The goal of scan suppression is often expressed in terms of preventing scans coming from the 'outside' LAN inbound to the 'inside' internal network. We derived our scan detection algorithm from TRW (Threshold Random Walk) scan detection. The algorithm operates by using an oracle to determine whether a connection will fail or succeed. A successfully completed connection drives a random walk upwards; a failure to connect drives it downwards. TRW makes a decision based on how far the random walk deviates above or below the origin. TRW relies on tracking connection establishment, and it only considers the success or failure of connection attempts to new addresses: if a source repeatedly contacts the same host, TRW does its random walk accounting and decision making only for the first attempt. This requires keeping track of which pairs of addresses have tried to connect, which is too costly for our goal of a line-rate hardware implementation. Our technique therefore uses a number of approximations of TRW.
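The TRW-style walk described above, as an added Python example that is not the paper's algorithm or the hardware implementation's code: each source's walk moves up on a successful connection to a new destination and down on a failure, and a verdict is reached when it crosses an assumed threshold of +4 or -4. It keeps the exact per-pair bookkeeping that the text says a line-rate implementation must approximate, and the sample attempts are constructed.

```python
# Simplified TRW-style scan detector as described above (added example, not the
# paper's or the hardware version): +1 for a success to a new destination, -1 for a failure.
from collections import defaultdict

UP_THRESHOLD = 4      # assumed walk value at which a source is declared benign
DOWN_THRESHOLD = -4   # assumed walk value at which a source is declared a scanner

class TrwDetector:
    def __init__(self, up=UP_THRESHOLD, down=DOWN_THRESHOLD):
        self.up, self.down = up, down
        self.walk = defaultdict(int)    # per-source random walk position
        self.seen = set()               # (src, dst) pairs already accounted for
        self.verdict = {}               # src -> "benign" or "scanner"

    def observe(self, src, dst, succeeded):
        """Account one connection attempt; return the verdict for src, if any."""
        if src in self.verdict:
            return self.verdict[src]    # decision already made; it is kept
        if (src, dst) in self.seen:
            return None                 # repeat contact: TRW counts the first attempt only
        self.seen.add((src, dst))       # exact pair tracking (what hardware approximates)
        self.walk[src] += 1 if succeeded else -1
        if self.walk[src] >= self.up:
            self.verdict[src] = "benign"
        elif self.walk[src] <= self.down:
            self.verdict[src] = "scanner"
        return self.verdict.get(src)

def classify(attempts, up=UP_THRESHOLD, down=DOWN_THRESHOLD):
    """Replay (src, dst, succeeded) attempts and return {src: verdict}."""
    det = TrwDetector(up, down)
    for src, dst, ok in attempts:
        det.observe(src, dst, ok)
    return dict(det.verdict)

# Constructed sample: a client that reaches live peers, and a host probing
# addresses that mostly do not answer.
SAMPLE_ATTEMPTS = [
    ("10.0.0.5", "10.0.0.20", True),
    ("10.0.0.5", "10.0.0.21", True),
    ("10.0.0.5", "10.0.0.20", False),   # repeat contact: not accounted
    ("10.0.0.5", "10.0.0.22", True),
    ("10.0.0.5", "10.0.0.23", True),    # walk reaches +4: benign
    ("10.0.0.9", "10.0.1.1", False),
    ("10.0.0.9", "10.0.1.2", False),
    ("10.0.0.9", "10.0.1.3", True),
    ("10.0.0.9", "10.0.1.4", False),
    ("10.0.0.9", "10.0.1.5", False),
    ("10.0.0.9", "10.0.1.6", False),    # walk reaches -4: scanner
]
```

A source that never reaches either threshold stays undecided, which is the state the oracle's later observations resolve.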


The worm was based on proof-of-concept code demonstrated at the Black Hat Briefings by David Litchfield, who had initially discovered the buffer overflow vulnerability that the worm exploited. It is a small piece of code that does little other than generate IP addresses and send itself out to those addresses. If a selected address happens to belong to a host that is running an unpatched copy of the Microsoft SQL Server Resolution Service, the host immediately becomes infected and begins spraying the internet with more copies of the worm program. The slowdown was caused by the collapse of numerous routers under the burden of traffic from infected servers. A significant portion of internet bandwidth was consumed by routers communicating with each other to update their routing tables, and ordinary data traffic slowed down or stopped.



This model leads to the development of an automatic worm containment scheme that prevents the spread of a worm beyond its early stage. It can effectively contain both fast and slow scan worms without knowing the worm signature in advance or needing to explicitly detect the worm.

The containment scheme is based on the idea of restricting the total number of scans to unique IP addresses by any host. It has the following steps:

Step 1: Let MC be the total number of unique IP addresses that a host can contact in a containment cycle. At the beginning of each new containment cycle, set a counter that counts the number of unique IP addresses for each host to be zero.

Step 2: Increment this counter for each host when it scans a new IP address.

Step 3: If a host reaches a scan limit before the end of the containment cycle, it is removed and goes through a heavy-duty checking process to ensure that it is free of infection before being allowed back into the system. When allowed back, its counter is reset to zero.

Step 4: Hosts are thoroughly checked for infection at the end of a containment cycle (one by one, to limit the disruption to the network) and their counters are reset to zero.

Pseudo Code

Data structures- MC = scan limit (number of distinct IP addresses a host may contact per containment cycle), Counter[h] = number of distinct IP addresses contacted by host h so far in this cycle

1. At the start of a containment cycle, for each host h: Set Counter[h] := 0

2. For each scan by host h to an IP address it has not contacted in this cycle:

Set Counter[h] := Counter[h] + 1

If Counter[h] >= MC then remove h from the network and check it for infection; when h is found clean, Set Counter[h] := 0 and allow it back

3. At the end of the containment cycle, check each host in turn, Set Counter[h] := 0, and Goto Step 2
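The containment cycle of Steps 1 to 4, together with the variant from the introduction that counts only scans to unused (dark) addresses, as an added Python example that is not the project's code; the value of MC, the sample traffic and the dark-address set are assumed.

```python
# Containment-cycle scan limiter for Steps 1-4 above (added example, not the
# project's own code). Each host has a counter of distinct IP addresses it has
# contacted in the current cycle; on reaching MC the host is removed until checked.
from collections import defaultdict

MC = 5  # assumed scan limit: distinct addresses per host per containment cycle

class ContainmentCycle:
    def __init__(self, mc=MC, dark=None):
        self.mc = mc
        self.dark = dark                    # optional set of unused (dark) addresses
        self.contacted = defaultdict(set)   # host -> distinct addresses counted
        self.quarantined = set()            # hosts removed pending a heavy-duty check

    def scan(self, host, dst):
        """Step 2: account one scan; return False if the host is blocked."""
        if host in self.quarantined:
            return False                    # a removed host may not contact anyone
        if self.dark is None or dst in self.dark:
            self.contacted[host].add(dst)   # repeat contacts do not raise the count
        if len(self.contacted[host]) >= self.mc:
            self.quarantined.add(host)      # Step 3: limit reached before cycle end
        return True

    def readmit(self, host, clean):
        """Step 3: a host found clean returns with its counter reset to zero."""
        if clean:
            self.quarantined.discard(host)
            self.contacted[host].clear()
        return host not in self.quarantined

    def end_cycle(self):
        """Step 4: all hosts are checked and every counter is reset to zero."""
        self.contacted.clear()

def quarantined_after(events, mc=MC, dark=None):
    """Replay constructed (host, dst) events and return the hosts removed."""
    cycle = ContainmentCycle(mc, dark)
    for host, dst in events:
        cycle.scan(host, dst)
    return sorted(cycle.quarantined)

# Constructed traffic: a server repeatedly talks to the same three peers, while an
# infected host sweeps 10.0.0.1-10.0.0.199 looking for new victims.
BENIGN = [("10.0.0.2", "10.0.0.%d" % (10 + i % 3)) for i in range(30)]
WORM = [("10.0.0.7", "10.0.0.%d" % i) for i in range(1, 200)]
DARK = {"10.0.0.%d" % i for i in range(100, 200)}  # assumed unused addresses
```

With `dark=DARK` only scans into the unused range count toward the limit, which is the N-based local containment described earlier; the benign server never reaches MC in either mode because it keeps contacting the same three addresses.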

In this module we have designed a graphical user interface. This module scans the systems that are connected to the Local Area Network (LAN) in which our server system exists. It then detects the IPv4 address of every system in the LAN and stores those IP addresses in a database. Every second it rescans the IP address of each system previously stored in the database to update their respective IP addresses. If at any moment the IP address of any system has changed, then that particular system is identified as a victim system infected by the worm, and its details are placed in the victim hosts window.


In this module, we create a demo worm for use inside our network. The module scans the system, identifies a drive, and walks each folder and subfolder until no more subfolders are left. It then creates a file with the same name as the folder, using the demo worm's own file extension, in every folder available on that drive. The process is applied recursively for all drives on the system.

The demo worm then changes the IP address of the system by adding fifteen to each of the last two octets of the system's current IP address. After changing the IP address, the system is restarted so that the new IP address takes effect.


In this module we perform worm propagation to other systems in the network. The worm is packaged as a Java archive (JAR) file and sent to the systems in the network. Since we are simulating worm propagation here, the worm file request is made to all the systems in the network, which we term the modeling part of our project, and the infection spreads only to those systems that can establish a socket connection on the same port as the worm-spreading system.


In this module we detect the systems that have been infected and eliminate the worm infection from each such system. Here we scan the drives, and the folders and subfolders inside them, for files with the demo worm's extension and delete those files from their folders. The process is recursive and is repeated until the system is free of those files. This module is provided so that the project does not permanently affect the system on which it is executed.

3.2.5 CLIENT

This module implements the automatic containment strategy for worms. In this module we stop worm propagation beyond its early stage. The worm scans the available hosts and spreads itself from one host to another over time; our containment stops this spreading automatically.


This model allows us to characterize the early phase of worm propagation. Using the branching process model, we are able to provide a precise bound M on the total number of scans such that the worm will eventually die out. Further, from our model we also obtain the probability that the total number of hosts that the worm infects is below a certain level, as a function of the scan limit M. The insights gained from analyzing this model also allow us to develop an effective and automatic worm containment strategy that does not let the worm propagate beyond the early stages of infection. Our strategy can effectively contain both fast scan worms and slow scan worms without knowing the worm signature in advance or needing to explicitly detect the worm. We show via simulations and real trace data that the containment strategy is both effective and non-intrusive. In this scheme, we restrict the total number of scans per host to the dark address space, which ensures that the worm will be contained. This containment scheme, combined with firewalls at the network boundary, allows for incremental deployment of the worm containment system without the participation of outside networks.


We would like to propose a statistical model for the spread of topology-aware worms and subsequently design mechanisms for automatic containment of such worms.

We would like to characterize the deviation of our proposed branching process model from the "ideal" stochastic epidemic model, assuming that the values of its rich set of parameters were available.

The system on which we run our containment scheme has a client-server architecture, so worms are detected only after they have entered the network (e.g. LAN, WAN).

In future, we would like to port our worm containment schemes to edge routers and local routers and to evaluate their performance using real data from enterprise networks, thereby detecting worms at a much earlier stage, at the router itself, even before they enter the network.


[1] Z. Chen, L. Gao, and K. Kwiat, "Modelling the Spread of Active Worms," IEEE INFOCOM, 2003.

[2] N. Weaver, S. Staniford, and V. Paxson, "Very Fast Containment of Scanning Worms," 17 May 2004.

[3] F. Freitas, "Verme: Worm Containment in Overlay Networks," Master's Dissertation in Computer Engineering, Technical University of Lisbon, 2008.

[4] D. Moore and C. Shannon, "Code-Red: a Case Study on the Spread and Victims of an Internet Worm," in Proceedings of the 2002 ACM SIGCOMM Internet Measurement Workshop, Marseille, France, Nov. 2002, pp. 273-284.

[5] J. O. Kephart and S. R. White, "Measuring and Modelling Computer Virus Prevalence," Proceedings of the IEEE Symposium on Security and Privacy, 1993.

[6] C. C. Zou, L. Gao, W. Gong, and D. Towsley, "Monitoring and Early Warning for Internet Worms," in 10th ACM Symposium on Computer and Communication Security, pp. 190-199, 2003.