Creation of the importance scanning worm using information collected by Botnets

0140-3664/$ see front matter 2009 Elsevier B.V. A doi:10.1016/j.comcom.2009.11.012 * Corresponding authors. Tel.: +1 814 863 0641. E-mail addresses: [email protected] (Y.-H. Choi), pl snu.ac.kr (S.-W. Seo). Importance scanning worm exploits a non-uniform distribution of vulnerable hosts on the Internet. To realize an importance scanning worm, the attacker needs to obtain or estimate the distribution of vulnerable hosts. Zesheng Chen and Chuanyi Ji claimed that a worm can infer the distribution of vulnerable hosts on the Internet by either using public information (e.g., empirical distribution of web servers) or using the distribution of worm-infected hosts during worm propagation. However, the first method may often fail and the second method may not be fast as expected. In this paper, we answer the question, ‘‘How do we determine which part on the Internet is more vulnerable, while maintaining a simple worm propagation mechanism?”. To learn the distribution of vulnerable hosts on the Internet, the proposed estimation method applies statistical sampling and estimation theory while using a Botnet, which is a distributed network of Bots. From analytical models and their validation results, we show the proposed estimation method can get sufficiently accurate estimations; in many cases, the good-enough sampling ratio is as small as 0.6%. Also, it is shown that the estimated distribution is unbiased toward the actual distribution of vulnerable hosts on the Internet. Thus, we believe that the estimated distribution table of vulnerable hosts on the Internet will help the worm identify target systems more effectively. 2009 Elsevier B.V. All rights reserved.