Hackers

Research Critique

Introduction

The ability of the attackers to rapidly gain control of vast number of Internet hosts poses an immense threat to the overall security of the Internet (Staniford, Paxson & Weaver, 2002). Once compromised, these hosts can not only be used for massive Distributed Denial of Service (DDoS) attacks, but also steal or corrupt great quantities of sensitive information by confusing and disrupting the network in more subtle ways (Honeynet, 2005).

The attackers accomplish this task by sending an intrusion agent commonly known as 'worm'. There are "two major types of malicious codes in the wild" (Todd, 2003, pp. 2). These codes are differentiated by their means of propagation: worms are self-replicating, self-propagating, whereas, viruses require some form of human interaction. Much like biological viruses cause disease in humans by compromising their body defence mechanism, a worm can not only damage or shut down host or networks but they are also mutating and becoming more complex. Worms can carry payloads designed for specific malicious intent (Todd, 2003). According to Geer (2005) there is a less familiar threat that many experts say could be just as dangerous: malicious bot software. According to Nazario et al. the evolution of the Internet worms will prove to be more difficult to identify and eradicate (Nazario, Anerson, Wash & Connelly, 2001).

Hackers can install bots on multiple computers to set up "Malnets" or "Botnets" that they can use for massive DDoS attacks. Network security experts identify and shut down Malnets with 10 to 100 compromised hosts several times a day. Large malnets with 10,000 compromised hosts are rare but they still happen weekly, besides security investigators have found one malnet of 100,000 computers (Johannes, 2004).

Rationale for selecting this article:

Long before the first known massive worm infection on the internet in 1988, the researchers had already started taking interest in self-propagating and self-replicating software. First article that discussed self-replicating code within a C compiler appeared in 1984 by Thompson. Morris worm was launched in 1988, which had a devastating effect on the Internet (Todd, 2003).

Most research conducted so far has focused on modeling and detection of the Internet worm propagation. However, the final objective of the research is containment and elimination of these worms, which has not received enough research (Zheng & Duan).

This paper discusses the possible future network attack which will probably use an organized army of malicious nodes called malnets. These malnets are capable of delivering many different types of attacks. According to several researchers who are working on finding out how the malicious worms propagate on the internet the ground has already been set (Honeynet, 2005; Zheng & Duan; Geer, 2005; Staniford, Paxson & Weaver, 2002). However, "partly due to the lack of understanding of the resiliency and efficiency a malnet can have, countering malnets has been ineffective" (Li, Ehrenkranz & Kuenning, 2005).

Placement of the article in the literature

The paper is very recent and appeared in 2005. Since the paper has an interesting and unique topic both in security of the Internet and how distributed systems of malicious bots work it can be considered both as emerging seminal work and supporting the existing literature. The literature on self-propagating code emerged four years before (Thompson, 1984) the actual Morris worm attack in 1988, and made the paper a classic. The authors of this article utilize all resources at their disposal to address the major problem in the modern Internet. According to the authors the second-wave attack can be very devastating and can disrupt the entire internet.

Research question addressed in this paper

The authors of this paper give a new term for Botnets which is commonly used in the literature and call it malnets. The network of compromised computers which work as an organized distributed system and first justifies why it is important to understand the efficiency and resiliency of the malnets. The authors then use calculation and simulation to study the efficiency and resiliency characteristics of three types of malnets. They study "Random malnet", "Small-world malnet", and "Gnutella-like malnet". They attempt to answer the following two questions:

1. For a given malnet, if x nodes are randomly disinfected, what percentage of remaining nodes will remain connected?

2. What is the impact of a malnet's size on its resiliency?

They answer all these questions by studying the three types of malnets. Finally the discussion of the results of simulation is given along with related work.

Research Method involved

The research method used is simulation and calculation. They simulate all three types of malnets and calculate how long it will take the malicious code to propagate from the controller to any node in the malnet.

Findings

According to authors it will take 6 minutes for the malicious code of about one megabyte to propagate on a malnet with one million malnodes, and it will require a maximum of 17 hops between any two nodes in a random malnet, if each malnode is connecting to maximum of four nodes.

They further find that although there is no direct organization in a random malnet by testing 20 different 10,000 node malnets with different values of x if they drop 1024 nodes randomly where the connectivity is r=2 the reachibility is decreased 43.3%, however, if the r=4 the reachability remains 99.8% .

To disconnect small-world networks the authors use Watts and Strogatz model (1998). They used r=4 and disconnected 795 carefully selected nodes however, if the random nodes are disconnected they have to be around 7000 to 8000 to make the small world malnet disfunctional.

Gnutella like malnets stay connected according to simulation even when 75% of the total nodes are dropped, and dropping around 87.5% nodes will still leave 97% of the nodes connected.

They conclude that even malnets with a relatively modest number of nodes are still very difficult to disconnect.

Significance of contribution

According to authors due to lack of understanding of the resiliency and efficiency features a malnet can have not much work has been done for disabling these malicious networks. The authors have shown that it

...