The Use of White Holes to Mislead and Defeat Importance Scanning Worm
by Guofei Gu & Phillip Porras.
We refer to a new self-learning worm propagation strategy as the importance scanning method. Under the importance scanning approach, a worm employs an address sampling scheme to search for the underlying group distribution of (vulnerable) hosts in the address space through which it propagates. The worm exploits this information to increase the rate at which it locates viable addresses during its search for infection targets. In introducing a strategy to combat the importance scanning propagation technique, we propose the use of white hole networks, which employ several existing components to dissuade, slow, and ultimately halt the propagation of importance scanning worms. We have demonstrated how the white hole approach can be an effective defense, even when the deployment of this countermeasure represents a very small fraction of the address space population.
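The effect described in the abstract can be put in numbers with a small model. The following is an added example, not code from the paper; the group sizes and host counts are constructed, and it assumes that each white hole address answers a probe like a vulnerable host and that the worm's sampling estimate has converged to the share of responders per group.

```python
from fractions import Fraction

GROUP_SIZE = 4096                                  # addresses per group (constructed)
REAL_VULNERABLE = [400, 200, 100, 50] + [0] * 12   # real hosts per group (constructed)
GROUPS = len(REAL_VULNERABLE)

def estimated_distribution(responders):
    """Group distribution the sampling stage converges to: each group's
    share of all addresses that answered as vulnerable."""
    total = sum(responders)
    return [Fraction(r, total) for r in responders]

def uniform_hit_rate():
    """Chance that one uniformly random scan reaches a real vulnerable host."""
    return Fraction(sum(REAL_VULNERABLE), GROUP_SIZE * GROUPS)

def evaluate(white_holes):
    """white_holes[i] = addresses in group i that answer like vulnerable hosts.
    Returns (real hit rate per scan, share of scans sent to white hole groups)
    for a scanner that targets groups in proportion to its estimate."""
    apparent = [v + w for v, w in zip(REAL_VULNERABLE, white_holes)]
    scan_share = estimated_distribution(apparent)
    # Inside a group the scan is uniform, so a scan sent to group i reaches
    # a real vulnerable host with probability v_i / GROUP_SIZE.
    hit_rate = sum(q * Fraction(v, GROUP_SIZE)
                   for q, v in zip(scan_share, REAL_VULNERABLE))
    diverted = sum(q for q, w in zip(scan_share, white_holes) if w)
    return hit_rate, diverted

NO_HOLES = [0] * GROUPS
ONE_HOLE = [0] * (GROUPS - 1) + [1024]   # 1024 of 65536 addresses, about 1.6%

if __name__ == "__main__":
    print(f"uniform scanning hit rate      : {float(uniform_hit_rate()):.4f}")
    for label, holes in (("no white holes", NO_HOLES), ("with white holes", ONE_HOLE)):
        rate, diverted = evaluate(holes)
        print(f"importance scan, {label:<16}: hit rate {float(rate):.4f}, "
              f"scans sent to white hole groups {float(diverted):.1%}")
```

In this model the estimate is taken as exact; a real sampling stage adds noise on top of the bias shown here.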