Presentation is loading. Please wait.

Presentation is loading. Please wait.

CODE RED WORM PROPAGATION MODELING AND ANALYSIS Cliff Changchun Zou, Weibo Gong, Don Towsley.

Published byGodwin Wheeler Modified over 8 years ago

Similar presentations

Presentation on theme: "CODE RED WORM PROPAGATION MODELING AND ANALYSIS Cliff Changchun Zou, Weibo Gong, Don Towsley."— Presentation transcript:

1 CODE RED WORM PROPAGATION MODELING AND ANALYSIS Cliff Changchun Zou, Weibo Gong, Don Towsley

2 Introduction  The Code Red worm incident of July 2001 has stimulated activities to model and analyze Internet worm propagation.  Previous works didn’t consider two factors affecting Code Red propagation  Dynamic countermeasures taken by ISPs and users  The slowed down worm infection rate  Two factor worm model

3 Background on Code Red Worm  Code Red worm exploited Windows IIS vulnerability on Windows 2000  Each worm copy generated 100 threads  99 threads randomly chose one IP address to attack  Timeout: 21 seconds

4 Background on Code Red Worm

5

6

7 Using Epidemic Models to Model Code Red Worm Propagation  Computer viruses and worms are similar to biological viruses on their self-replicating and propagation behavior  Introduce two classical epidemic models as the bases of the two-factor internet worm model  Classical simple epidemic model  Kermack-Mckendrick model

8 Classical Simple Epidemic Model J(t): the number of infected hosts at time t : infection rate S(t): the number of susceptible hosts at time t N: size of population  At t=0: J(0) hosts are infected and other N-J(0) hosts are all susceptible

9 Classical Simple Epidemic Model  Let, dividing both sides by N^2 where

10 Classical Simple Epidemic Model  The classical epidemic model can match the beginning phase of Code Red spreading, it can’t explain the later part of Code Red propagation: during the last five hours from 20:00 to 00:00 UTC, the worm scans kept decreasing

11 Kermack-Mckendrick Model  Considers the removal process of infectious hosts  Once a host recovers from the disease, it will be immune to the disease forever – “removed” state I(t): the number of infections hosts at time t R(t): the number of removed hosts from previously infectious hosts at time t

12 Kermack-Mckendrick Model  Base on the simple epidemic model, Kermack-Mckendrick Model is: J(t): the number of infected hosts at time t : removal rate of infectious hosts : infection rate N: size of population

13 Kermack-Mckendrick Model  Define  If the initial number of susceptible hosts is smaller than some critical value, there will be no epidemic and outbreak

14 Kermack-Mckendrick Model  The Kermack-Mckendrick model improves the classical simple epidemic model by considering that some infectious hosts either recover or die after some time, but still not suitable for modeling Internet worm propagation  Removal only from the infectious hosts  Assume infection rate to be constant

15 A NEWINTERNET WORMMODEL: TWO-FACTOR WORM MODEL  Two factors affecting Code Red worm propagation  Human countermeasures  Decreased infection rate

16 A NEWINTERNET WORMMODEL: TWO-FACTOR WORM MODEL  According to the same principle in deriving the Kermack-Mckendrick Model:  In order to solve the equation, we have to know the dynamic properties of, and

17 A NEWINTERNET WORMMODEL: TWO-FACTOR WORM MODEL  Use the same assumption as what Kermack- McKendrick model uses:  The removal process from susceptible hosts looks similar to a typical epidemic propagation:

18 A NEWINTERNET WORMMODEL: TWO-FACTOR WORM MODEL  Last, we model the decrease infection rate by the equation: : initial infection rate : used to adjust the infection rate sensitivity to the number of infection hosts

19 A NEWINTERNET WORMMODEL: TWO-FACTOR WORM MODEL  For parameters N=1000000, I(0)=1, =3, r=0.05, u=0.06/N, =0.8/N

20 Simulation

21

22

23 Conclusion  Considering human countermeasures taken by ISPs and users and the slowed down worm infection rate, two-factor worm model match the observed data better than previous models do  The two-factor worm model is a general Internet worm model for modeling worms by adjusting different parameters

Download ppt "CODE RED WORM PROPAGATION MODELING AND ANALYSIS Cliff Changchun Zou, Weibo Gong, Don Towsley."

Similar presentations

(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.

(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
October 31st, 2003ACM SSRS'03 Tolerating Denial-of-Service Attacks Using Overlay Networks – Impact of Topology Ju Wang 1, Linyuan Lu 2 and Andrew A. Chien.

October 31st, 2003ACM SSRS'03 Tolerating Denial-of-Service Attacks Using Overlay Networks – Impact of Topology Ju Wang 1, Linyuan Lu 2 and Andrew A. Chien.
Modeling Malware Spreading Dynamics Michele Garetto (Politecnico di Torino – Italy) Weibo Gong (University of Massachusetts – Amherst – MA) Don Towsley.

Modeling Malware Spreading Dynamics Michele Garetto (Politecnico di Torino – Italy) Weibo Gong (University of Massachusetts – Amherst – MA) Don Towsley.
A VERY IMPORTANT CONCEPT Disease epidemiology is first and foremost a population biology problem Important proponents: Anderson, May, Ewald, Day, Grenfell.

A VERY IMPORTANT CONCEPT Disease epidemiology is first and foremost a population biology problem Important proponents: Anderson, May, Ewald, Day, Grenfell.
1 Routing Worm: A Fast, Selective Attack Worm based on IP Address Information Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai Univ. Massachusetts, Amherst.

1 Routing Worm: A Fast, Selective Attack Worm based on IP Address Information Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai Univ. Massachusetts, Amherst.
 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.

 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.
 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.

 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.
1 Epidemic Spreading in Real Networks: an Eigenvalue Viewpoint Yang Wang Deepayan Chakrabarti Chenxi Wang Christos Faloutsos.

1 Epidemic Spreading in Real Networks: an Eigenvalue Viewpoint Yang Wang Deepayan Chakrabarti Chenxi Wang Christos Faloutsos.
Modeling the spread of active worms Zesheng Chen, Lixin Gao, and Kevin Kwiat bearhsu - INFOCOM 2003.

Modeling the spread of active worms Zesheng Chen, Lixin Gao, and Kevin Kwiat bearhsu - INFOCOM 2003.
Internet Quarantine: Requirements for Containing Self- Propagating Code David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage.

Internet Quarantine: Requirements for Containing Self- Propagating Code David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage.
Network Resilience: Exploring Cascading Failures Vishal Misra Columbia University in the City of New York Joint work with Ed Coffman, Zihui Ge and Don.

Network Resilience: Exploring Cascading Failures Vishal Misra Columbia University in the City of New York Joint work with Ed Coffman, Zihui Ge and Don.
The Phoenix Recovery System: Rebuilding from the ashes of an Internet catastrophe Flavio Junqueira, Ranjita Bhagwan, Keith Marzullo, Stefan Savage, and.

The Phoenix Recovery System: Rebuilding from the ashes of an Internet catastrophe Flavio Junqueira, Ranjita Bhagwan, Keith Marzullo, Stefan Savage, and.
Code Red Worm Propagation Modeling and Analysis Zou, Gong, & Towsley Michael E. Locasto March 4, 2003 Paper # 46.

Code Red Worm Propagation Modeling and Analysis Zou, Gong, & Towsley Michael E. Locasto March 4, 2003 Paper # 46.
Worm Defense. Outline  Internet Quarantine: Requirements for Containing Self-Propagating Code  Netbait: a Distributed Worm Detection Service  Midgard.

Worm Defense. Outline  Internet Quarantine: Requirements for Containing Self-Propagating Code  Netbait: a Distributed Worm Detection Service  Midgard.
1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer.

1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
1 Email Worm Modeling and Defense Cliff C. Zou, Don Towsley, Weibo Gong Univ. Massachusetts, Amherst.

1 Worm Modeling and Defense Cliff C. Zou, Don Towsley, Weibo Gong Univ. Massachusetts, Amherst.
Online Social Networks and Media Epidemics and Influence.

Online Social Networks and Media Epidemics and Influence.
Emerging Infectious Disease: A Computational Multi-agent Model.

Emerging Infectious Disease: A Computational Multi-agent Model.

Similar presentations

Ads by Google