Defeat scanning worms in cyber warfare
Article first published online: 10 JUN 2014
Copyright © 2014 John Wiley & Sons, Ltd.
Security and Communication Networks
Volume 8, Issue 5, pages 715–726, 25 March 2015
How to Cite
(2015), Defeat scanning worms in cyber warfare, Security Comm. Networks, 8, 715–726, doi: 10.1002/sec.1019
- Issue published online: 17 FEB 2015
- Manuscript Accepted: 11 MAR 2014
- Manuscript Revised: 18 DEC 2013
- Manuscript Received: 20 MAY 2013
Keywords: computer crime; network security; system security
In this paper, we propose an automatic defense system against scanning worms, called Serum System. The homeland security department of a country can use Serum System to protect its Internet infrastructure. When an infecting host attacks a Serum System host, called a Serum System Server (SSS), the SSS automatically replaces the shellcode inside the infecting string with its own code (called serum code), then uses the modified string (called the serum string) to counterattack the infecting host and take control of it. The serum code transforms the infecting host into a Serum System Client (SSC) that has the same functions as the SSS and is immune to the same worm. Infecting hosts that attack SSSs or SSCs are therefore themselves transformed into SSCs. We implemented Serum System on Linux and built a mathematical model of it to analyze its effectiveness and bandwidth savings. Our analyses show that with only a small number of SSSs, and through chain counterattacks, Serum System can automatically and rapidly defeat related infected hosts. Compared with white worms, whose spread cannot be controlled, Serum System spreads only on infected hosts. The cumulative traffic saved by Serum System at time tick 450 reached 90%.