Title: An investigation of mechanisms to mitigate zero-day computer worms within computer networks
Author: Shahzad, Khurram
ISNI:       0000 0004 6494 4377
Awarding Body: University of Greenwich
Current Institution: University of Greenwich
Date of Award: 2015
An Internet worm replicates itself by automatically infecting vulnerable systems and may infect hundreds of thousands of hosts across the Internet in tens of minutes. The speed of propagation of a worm is significantly higher than that of many other types of malware, including viruses, so the potential for significant damage within a short time is great. Worm detection and response systems must therefore act quickly to identify and counter the effects of worms. In this thesis, an investigation of mechanisms to mitigate zero-day computer worms has been carried out, while defining the key research questions to answer. This thesis presents a novel distributed automated worm detection and containment scheme, RL+LA, developed during the course of this research. It is based on correlating Domain Name System (DNS) queries against the destination IP addresses of outgoing TCP SYN segments and UDP datagrams leaving the network boundary, and it uses cooperation between the communicating scheme members through a custom protocol, termed Friends. To the author's knowledge, this is the first implementation of such a scheme. A set of tools, i.e. a Pseudo-Worm Daemon (PWD), which provides random-scanning and hit-list worm-like functionality, and a Virtualized Malware Testbed (VMT) for running worm experiments, were also developed in order to empirically evaluate the performance of the proposed countermeasure scheme, RL+LA. A set of empirical experiments was conducted using Pseudo-Slammer and Pseudo-Witty worms with the real-world attributes of the Slammer and Witty worms in order to evaluate PWD. The experimental results are broadly comparable to the reported data from the real worm outbreaks. Furthermore, these results are compared with a biological epidemiological model (the SI model) in order to explore the applicability of the SI model to cyber malware infections in general, as well as to assess its usefulness in characterising the virulence of cyber malware.
From the baseline comparison of the Pseudo-Slammer and Pseudo-Witty worm experimental results with the reported outbreak data of the Slammer and Witty worms and with the SI model, it is concluded that: (a) PWD can be used as an effective tool to empirically analyze the propagation behaviour of random-scanning and hit-list worms and to test potential countermeasures; (b) the SI model can be effectively used in characterising the virulence of random-scanning worms. Another comprehensive set of empirical experiments was also conducted, using a Slammer-like pseudo-worm on a small scale with class C networks, and on class A networks using Pseudo-Slammer and Pseudo-Witty worms with the real attributes of the Slammer and Witty worms, first without any countermeasures and then with the RL and RL+LA countermeasures invoked, in order to evaluate the performance of the proposed scheme, RL+LA. The experimental results show a significant reduction in the infection speed of the worms when the countermeasure scheme is invoked.
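The DNS-correlation idea at the core of the scheme, shown as an added illustration rather than code from the thesis: outbound TCP SYN and UDP events are checked against the DNS answers the same host has received, and a host whose uncorrelated destinations reach a threshold becomes a candidate for rate limiting. The log format, the hosts and addresses, and the threshold are all constructed assumptions; the Friends cooperation protocol is not modelled.

```python
import re
from collections import defaultdict

# Constructed sample log (not real traffic): DNS answers delivered to an
# internal host, and outbound SYN / UDP events seen at the network boundary.
# Fields: time, kind, source host, then (name, answer) for dns or (dst, port).
SAMPLE_LOG = """\
t=0.10 dns 10.0.0.5 example.com 93.184.216.34
t=0.12 syn 10.0.0.5 93.184.216.34 443
t=0.20 dns 10.0.0.5 mail.example.net 198.51.100.7
t=0.21 syn 10.0.0.5 198.51.100.7 25
t=0.30 syn 10.0.0.7 203.0.113.9 22
t=0.40 udp 10.0.0.6 198.51.100.20 1434
t=0.41 udp 10.0.0.6 203.0.113.44 1434
t=0.42 udp 10.0.0.6 192.0.2.17 1434
t=0.43 udp 10.0.0.6 198.51.100.201 1434
t=0.44 udp 10.0.0.6 203.0.113.130 1434
"""

LINE_RE = re.compile(
    r"^t=(?P<t>[\d.]+) (?P<kind>dns|syn|udp) (?P<src>\S+) (?P<a>\S+) (?P<b>\S+)$"
)

def parse_line(line):
    """Parse one constructed log line into an event dict."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable event: {line!r}")
    d = m.groupdict()
    if d["kind"] == "dns":  # a = queried name, b = resolved address
        return {"t": float(d["t"]), "kind": "dns", "src": d["src"], "dst": d["b"]}
    return {"t": float(d["t"]), "kind": d["kind"], "src": d["src"],
            "dst": d["a"], "port": int(d["b"])}

def correlate(log_text, threshold=3):
    """Count outbound SYN/UDP destinations each host never resolved via DNS.

    Returns (per-host uncorrelated counts, hosts at or above the threshold).
    The threshold is an assumed value; a deployment would scope it to a
    time window rather than the whole log.
    """
    resolved = defaultdict(set)      # host -> addresses it has looked up
    uncorrelated = defaultdict(int)  # host -> connections with no prior lookup
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["kind"] == "dns":
            resolved[ev["src"]].add(ev["dst"])
        elif ev["dst"] not in resolved[ev["src"]]:
            uncorrelated[ev["src"]] += 1
    flagged = {h for h, n in uncorrelated.items() if n >= threshold}
    return dict(uncorrelated), flagged
```

On the sample, 10.0.0.5 is clean, 10.0.0.7 has a single hard-coded destination and stays below the threshold, and 10.0.0.6 is flagged for the RL step; what the scheme then rate-limits is outside this snippet.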
Supervisor: Woodhead, Steve ; Bakalis, Panayiotis
Sponsor: University of Greenwich
Qualification Name: Thesis (Ph.D.)
Qualification Level: Doctoral
EThOS ID:  DOI: Not available
Keywords: QA Mathematics ; TK Electrical engineering. Electronics. Nuclear engineering