Code Red Worm Propagation Modeling and Analysis

Cliff Changchun Zou, Weibo Gong, Don Towsley


Post on 23-Feb-2016


Introduction

- The Code Red worm incident of July 2001 has stimulated activities to model and analyze Internet worm propagation.
- Previous works didn’t consider two factors affecting Code Red propagation:
  - Dynamic countermeasures taken by ISPs and users
  - The slowed-down worm infection rate
- Two-factor worm model

Background on Code Red Worm

- Code Red worm exploited Windows IIS vulnerability on Windows 2000
- Each worm copy generated 100 threads
  - 99 threads randomly chose one IP address to attack
  - Timeout: 21 seconds


Using Epidemic Models to Model Code Red Worm Propagation

- Computer viruses and worms are similar to biological viruses in their self-replicating and propagation behavior
- Introduce two classical epidemic models as the bases of the two-factor Internet worm model:
  - Classical simple epidemic model
  - Kermack-McKendrick model

Classical Simple Epidemic Model

- J(t): the number of infected hosts at time t
- : infection rate
- S(t): the number of susceptible hosts at time t
- N: size of population
- At t=0: J(0) hosts are infected and the other N-J(0) hosts are all susceptible


Let , dividing both sides by N^2

where

- The classical epidemic model can match the beginning phase of Code Red spreading, but it can’t explain the later part of Code Red propagation: during the last five hours from 20:00 to 00:00 UTC, the worm scans kept decreasing

Kermack-McKendrick Model

- Considers the removal process of infectious hosts
- Once a host recovers from the disease, it will be immune to the disease forever – “removed” state
- I(t): the number of infectious hosts at time t
- R(t): the number of removed hosts from previously infectious hosts at time t

Based on the simple epidemic model, the Kermack-McKendrick model is:

- J(t): the number of infected hosts at time t
- : removal rate of infectious hosts
- : infection rate
- N: size of population

Define

If the initial number of susceptible hosts is smaller than some critical value, there will be no epidemic and outbreak

- The Kermack-McKendrick model improves the classical simple epidemic model by considering that some infectious hosts either recover or die after some time, but it is still not suitable for modeling Internet worm propagation:
  - Removal only from the infectious hosts
  - Assumes the infection rate to be constant

A New Internet Worm Model: Two-Factor Worm Model

- Two factors affecting Code Red worm propagation:
  - Human countermeasures
  - Decreased infection rate

According to the same principle used in deriving the Kermack-McKendrick model:

In order to solve the equation, we have to know the dynamic properties of , and

Use the same assumption as the Kermack-McKendrick model:

The removal process from susceptible hosts looks similar to a typical epidemic propagation:

Last, we model the decreased infection rate by the equation:

- : initial infection rate
- : used to adjust the infection rate sensitivity to the number of infectious hosts


For parameters N=1000000, I(0)=1, =3, r=0.05, u=0.06/N, =0.8/N
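An added example, not from the slides or the authors' code: a forward-Euler integration of the two-factor model with the parameters listed above, run beside the classical simple epidemic model for comparison. The model equations did not survive in this transcript, so the code assumes the form given in the authors' published paper; it also assumes that r and u on the slide are the removal rate and the countermeasure rate, and that the two unnamed values 3 and 0.8/N are the sensitivity exponent and the initial infection rate.

```python
"""Two-factor worm model, forward-Euler integration (added example).

Assumed equations (from the published paper, not this transcript):
  dS/dt = -beta(t)*S*I - dQ/dt     dR/dt = gamma*I
  dQ/dt = mu*S*J, J = I + R        beta(t) = beta0*(1 - I/N)**eta
S susceptible, I infectious, R removed after infection, Q removed
(patched or filtered) before infection; S + I + R + Q = N.
"""

def simulate(n, i0, beta0, eta, gamma, mu, t_end=100.0, dt=0.01):
    """Return a list of (t, S, I, R, Q) samples, one per time step."""
    s, i, r, q = float(n - i0), float(i0), 0.0, 0.0
    out = [(0.0, s, i, r, q)]
    for step in range(1, int(round(t_end / dt)) + 1):
        beta = beta0 * (1.0 - i / n) ** eta   # factor 2: slowed infection rate
        infected = beta * s * i * dt          # S -> I
        removed = gamma * i * dt              # I -> R
        immunized = mu * s * (i + r) * dt     # factor 1: S -> Q (countermeasures)
        s -= infected + immunized
        i += infected - removed
        r += removed
        q += immunized
        out.append((step * dt, s, i, r, q))
    return out

def summarize(samples):
    """Peak and final infectious counts plus final ever-infected J = I + R."""
    t_peak, _, i_peak, _, _ = max(samples, key=lambda row: row[2])
    _, s, i, r, q = samples[-1]
    return {"t_peak": t_peak, "i_peak": i_peak, "i_final": i,
            "j_final": i + r, "total": s + i + r + q}

N = 1_000_000
# Slide parameters; mapping the unnamed values to eta and beta0 is assumed.
TWO_FACTOR = summarize(simulate(N, 1, beta0=0.8 / N, eta=3, gamma=0.05, mu=0.06 / N))
# Classical simple epidemic model: constant beta, no removal of any kind.
SIMPLE = summarize(simulate(N, 1, beta0=0.8 / N, eta=0, gamma=0.0, mu=0.0))

if __name__ == "__main__":
    for name, res in (("two-factor", TWO_FACTOR), ("simple", SIMPLE)):
        print(name, {k: round(v, 2) for k, v in res.items()})
```

In the two-factor run the infectious count peaks and then falls, and part of the population is never infected, while the simple model saturates at N.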


Simulation


Conclusion

- Considering human countermeasures taken by ISPs and users and the slowed-down worm infection rate, the two-factor worm model matches the observed data better than previous models do
- The two-factor worm model is a general Internet worm model for modeling worms by adjusting different parameters