optimization of nachi spreads s1080057 satoshi onoda supervised by prof. hiroshi toyoizumi
TRANSCRIPT
Optimization of NACHI Spreads
s1080057 Satoshi OnodaSupervised by Prof. Hiroshi Toyoizumi
Background
Worm is one of the computer virus, which spreads by itself.The worm, which kills other worms exists. These worms are effective in countermeasure against malicious worms.But, these worms may have a bad influence on the network.
Purpose
To find a method finding the optimum scan rate of NACHI, which can terminate MSBLAST and control the increase of NACHI as little as possible.
MSBLAST
Type:WormPlatform: Windows 2000, XP
Scan IP
Discover alive Computer
Send Wrong Data for 2kSend Wrong Data for XP
Fail to Expect Succeed to Expect
Fail
Instruct to Download
Succeed
Instruct to Execute
to XPto XP to 2kto 2k
80% 20%
NACHI
Type: WormPlatform: Windows 2000, XPDefect: ICMP packets increasing on the network
Kill MSBLAST
Update
Check whether already Patched or not
Instruct to Download & Execute
Scan IP
Yet
Already
Expect Security Hole
Discover alive Computer
Relation between NACHI and MSBLAST
MSBLAST NACHI
arb
Model -equation-
x(t) :# of the computers infected MSBLAST at time ty(t) :# of the computers infected NACHI at time tr :propagation rate of MSBLASTa :propagation rate of NACHIb :# in which NACHI kills MSBLAST per second
),())0(),0(( 00 yxyx
aydt
dy
byrxdt
dx
rt
atrtrt
ebyxtx
ra
ra
eebyexx(t)
ra
)()(
ii)
)(
i)
00
00
ateyty 0)(
Experiment
1.NACHI or MSBLAST runs in one client
2.Capture packets from first infected client
3.Find scan rate
Result of Experiment
Range of Scanning IP Required Time[sec]
NACHI
192.168.0.0 - 192.168.255.255
4495
192.165.0.0 - 192.165.255.255
3050
61.157.0.0 - 61.157.255.255 1018
(256*256 random IPs) 1008
MSBLAST
203.78.0.0 - 203.82.254.254 29582
Rate[/sec]
41.084
10.991
Model -graph-
)1,1000(),(
10/
1019.1565536
71
2
1
5
1
65536
71
2
1
5
4991.10
1045.465536/71084.41
00
3
2
yx
ab
r
a
Global Maximum of BLAST
t’
x(t’)
ra
ffbyfxtx
arr
)(
)'( 00
ra
aby
raxbyraf
1
0
00 ))(()(
Algorithm
1. Decide the constants2. Decide the value of max3. Solve x(t’)=max for a4. Divide a by infecting probability
Obtain optimum scan rate of NACHI, s
max)(0
0
ra
ffbyfx
arr
Optimum Scan Rate for some max
)1,1000(),(
10/
1019.1
00
3
yx
ab
r, s
Conclusion
We obtained a method to determine the optimum scan rate of NACHI with some conditions.When we need the good worm like NACHI, we must find the optimum rate.