ppt

Download Report

Transcript ppt 

Optimization of NACHI Spreads
s1080057 Satoshi Onoda
Supervised by Prof. Hiroshi Toyoizumi
Background
Worm is one of the computer virus, which
spreads by itself.
The worm, which kills other worms exists.
These worms are effective in countermeasure
against malicious worms.
But, these worms may have a bad influence
on the network.
Purpose
To find a method finding the
optimum scan rate of NACHI, which
can terminate MSBLAST and control
the increase of NACHI as little as
possible.
MSBLAST
Type:Worm
Platform:
Windows 2000, XP
Scan IP
Discover alive Computer
Send Wrong Data for XP
to 2k
to XP
Fail to Expect
Send Wrong Data for 2k
to XP
to 2k
Succeed to Expect
Instruct to Download
80%
Fail
20%
Succeed
Instruct to Execute
NACHI
Kill MSBLAST
Type:
Worm
Platform:
Windows 2000, XP
Defect:
ICMP packets increasing
on the network
Check whether already Patched or not
Yet
Update
Already
Scan IP
Discover alive Computer
Expect Security Hole
Instruct to Download & Execute
Relation between NACHI and MSBLAST
r
a
b
MSBLAST
NACHI
Model -equationi) a  r
dx
 rx  by
dt
dy
 ay
dt
( x(0), y (0))  ( x0 , y0 )
rt
at
by
(
e

e
)
x(t)  x0e rt  0
ar
ii) a  r
x(t )  ( x0  by0 )e rt
y (t )  y0 e at
x(t) :# of the computers infected MSBLAST at time t
y(t) :# of the computers infected NACHI at time t
r :propagation rate of MSBLAST
a :propagation rate of NACHI
b :# in which NACHI kills MSBLAST per second
Experiment
1.NACHI or MSBLAST
runs in one client
2.Capture packets from
first infected client
3.Find scan rate
Result of Experiment
Range of Scanning IP
NACHI
MSBLAST
Required Time[sec] Rate[/sec]
192.168.0.0 - 192.168.255.255
4495
192.165.0.0 - 192.165.255.255
3050
61.157.0.0 - 61.157.255.255
1018
(256*256 random IPs)
1008
203.78.0.0 - 203.82.254.254
29582
41.084
10.991
Model -grapha  41.084  71 / 65536  4.45 10 2
71
1 1
71 
4 1
3
r  10.991   
  
  5  1.19 10
 5 2 65536 5 2 65536 
b  a / 10
( x0 , y0 )  (1000,1)
Global Maximum of BLAST
x(t’)
t’
by0 ( f  f )
x(t ' )  x0 f 
ar
r
r
a
 r (by0  x0 (a  r )) 

f (a)  
aby0


1
ar
Algorithm
1.
2.
3.
4.
by0 ( f  f )
x0 f 
 max
ar
r
a
r
Decide the constants
Decide the value of max
Solve x(t’)=max for a
Divide a by infecting probability
Obtain optimum scan rate of NACHI, s
Optimum Scan Rate for some max
r  1.19 10 3
b  a / 10
( x0 , y0 )  (1000,1)
Conclusion
We obtained a method to determine the
optimum scan rate of NACHI with some
conditions.
When we need the good worm like
NACHI, we must find the optimum rate.