Code Red Worm Propagation Modeling and Analysis
Cliff Changchun Zou, Weibo Gong, Don Towsley
Introduction
- The Code Red worm incident of July 2001 has stimulated activities to model and analyze Internet worm propagation.
- Previous works didn’t consider two factors affecting Code Red propagation
  - Dynamic countermeasures taken by ISPs and users
  - The slowed down worm infection rate
- Two-factor worm model
Background on Code Red Worm
- Code Red worm exploited Windows IIS vulnerability on Windows 2000
- Each worm copy generated 100 threads
  - 99 threads randomly chose one IP address to attack
  - Timeout: 21 seconds
Using Epidemic Models to Model Code Red Worm Propagation
- Computer viruses and worms are similar to biological viruses in their self-replicating and propagation behavior
- Introduce two classical epidemic models as the bases of the two-factor Internet worm model
  - Classical simple epidemic model
  - Kermack-McKendrick model
Classical Simple Epidemic Model
- J(t): the number of infected hosts at time t
- : infection rate
- S(t): the number of susceptible hosts at time t
- N: size of population
- At t=0: J(0) hosts are infected and other N-J(0) hosts are all susceptible
Let , dividing both sides by N^2
where
- The classical epidemic model can match the beginning phase of Code Red spreading, but it can’t explain the later part of Code Red propagation: during the last five hours from 20:00 to 00:00 UTC, the worm scans kept decreasing
Kermack-McKendrick Model
- Considers the removal process of infectious hosts
- Once a host recovers from the disease, it will be immune to the disease forever – “removed” state
- I(t): the number of infectious hosts at time t
- R(t): the number of removed hosts from previously infectious hosts at time t
- Based on the simple epidemic model, the Kermack-McKendrick model is:
- J(t): the number of infected hosts at time t
- : removal rate of infectious hosts
- : infection rate
- N: size of population
Define
- If the initial number of susceptible hosts is smaller than some critical value, there will be no epidemic and outbreak
- The Kermack-McKendrick model improves the classical simple epidemic model by considering that some infectious hosts either recover or die after some time, but it is still not suitable for modeling Internet worm propagation
  - Removal only from the infectious hosts
  - Assume infection rate to be constant
A NEW INTERNET WORM MODEL: TWO-FACTOR WORM MODEL
- Two factors affecting Code Red worm propagation
  - Human countermeasures
  - Decreased infection rate
According to the same principle in deriving the Kermack-McKendrick model:
In order to solve the equation, we have to know the dynamic properties of , and
Use the same assumption as the Kermack-McKendrick model uses:
The removal process from susceptible hosts looks similar to a typical epidemic propagation:
Last, we model the decreased infection rate by the equation:
- : initial infection rate
- : used to adjust the infection rate sensitivity to the number of infectious hosts
For parameters N=1000000, I(0)=1, =3, r=0.05, u=0.06/N, =0.8/N
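The numerical solution for these parameters can be reproduced with a short script. This is an added example, not code from the presentation; the equations and the symbol names beta0, eta, gamma and mu are assumed from the authors' published paper, because the slide formulas did not survive in this transcript, and the function names are hypothetical.

```python
"""Forward-Euler integration of the two-factor worm model (added example).

Equations and symbol names (beta0, eta, gamma, mu) are assumed from the
published Zou/Gong/Towsley paper; the slide formulas are missing here.
  dS/dt = -beta(t)*S*I - dQ/dt     dR/dt = gamma*I
  dQ/dt = mu*S*J,  J = I + R       beta(t) = beta0*(1 - I/N)**eta
"""

def simulate(N=1_000_000, I0=1.0, eta=3.0, gamma=0.05,
             mu_n=0.06, beta0_n=0.8, t_end=80.0, dt=0.01):
    """Return [(t, S, I, R, Q), ...]; mu_n and beta0_n are mu*N and beta0*N."""
    mu, beta0 = mu_n / N, beta0_n / N
    S, I, R, Q = N - I0, I0, 0.0, 0.0
    rows = [(0.0, S, I, R, Q)]
    for step in range(1, round(t_end / dt) + 1):
        beta = beta0 * (1.0 - I / N) ** eta  # infection rate falls as I grows
        infected = beta * S * I * dt         # S -> I
        removed = gamma * I * dt             # I -> R (removed after infection)
        immunized = mu * S * (I + R) * dt    # S -> Q (removed before infection)
        S -= infected + immunized
        I += infected - removed
        R += removed
        Q += immunized
        rows.append((step * dt, S, I, R, Q))
    return rows

def summarize(rows):
    """Peak of I(t) plus end-of-run totals, for comparing parameter sets."""
    t_peak, _, i_peak, _, _ = max(rows, key=lambda r: r[2])
    _, S, I, R, Q = rows[-1]
    return {"t_peak": t_peak, "I_peak": i_peak, "I_end": I,
            "J_end": I + R, "Q_end": Q, "total": S + I + R + Q}

if __name__ == "__main__":
    two_factor = summarize(simulate())
    # eta = gamma = mu = 0 reduces the system to the simple epidemic model.
    simple = summarize(simulate(eta=0.0, gamma=0.0, mu_n=0.0))
    for name, s in (("two-factor", two_factor), ("simple epidemic", simple)):
        print(f"{name:16s} peak I={s['I_peak']:.0f} at t={s['t_peak']:.1f}, "
              f"ever infected J={s['J_end']:.0f}, immunized Q={s['Q_end']:.0f}")
```

Running both parameter sets side by side shows the behaviour the simple model cannot produce: the number of infectious hosts peaks and then falls, and part of the population is never infected.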
Simulation
Conclusion
- Considering human countermeasures taken by ISPs and users and the slowed down worm infection rate, the two-factor worm model matches the observed data better than previous models do
- The two-factor worm model is a general Internet worm model for modeling worms by adjusting different parameters