[转载]Importance-Scanning Worm Using Vulnerable-Host Distribution

信息来源：http://users.ece.gatech.edu/~zchen/

Most Internet worms use random scanning. The distribution of vulnerable hosts on the Internet, however, is highly non-uniform over the IP-address space. This implies that random scanning wastes many scans on invulnerable addresses, and more virulent scanning schemes may take advantage of the non-uniformity of a vulnerable-host distribution. Questions then arise how attackers may make use of such information, and how virulent the resulting worm may be. These issues provide “worst-case scenarios” for defenders and “best-case scenarios” for attackers if the vulnerable-host distribution is available. This work develops such a scenario as the so-called importance scanning. Importance scanning results from Importance Sampling in statistics that scans IP-address space according to an empirical distribution of vulnerable hosts. An analytical model is developed to relate the infection rate of worms with the importancescanning strategies. Experimental results based on parameters chosen from Code Red and Slammer worms show that an importance-scanning worm can spread much faster than both a random-scanning worm and a routing worm. Furthermore, a game-theory approach suggests that the best strategy for defenders is to scatter applications uniformly in the entire IPaddress space.