In order to speed up the propagating process, the worms need to scan many IP addresses to target vulnerable hosts. However, the distribution of IP addresses is highly non uniform, which results in many scans wasted on invulnerable addresses. Inspired by the theory of good point set, this paper proposes a new scanning strategy, referred to as good point set scanning (GPSS), for worms. Experimental results show that GPSS can generate more distinct IP addresses and less unused IP addresses than the permutation scanning. Combined with group distribution, a static optimal GPSS is derived. Since the information can not be easily collected before a worm is released, a self learning worm with GPSS is designed. Such worm can accurately estimate the underlying vulnerable host distribution when a sufficient number of IP addresses of infected hosts are collected. We use a modified Analytical Active Worm Propagation (AAWP) to simulate data of Code Red and the performance of different scanning strategies. Experimental results show that once the distribution of vulnerable hosts is accurately estimated, a self learning worm can propagate much faster than other worms.
展开▼
