Code Red Worm Propagation Modeling and Analysis Zou, Gong, & Towsley

Presenter: Michael E. Locasto, March 21, 2003

Presentation Transcript


  1. Code Red Worm Propagation Modeling and Analysis, Zou, Gong, & Towsley. Presented by Michael E. Locasto, March 21, 2003

  2. Overview • Code Red incident data & impact • epidemiology models • traditional (biological) infection models • two-factor worm model • related work & questions • (Weaver & Sapphire)

  3. Motivation • Internet great medium for spreading malicious code • Code Red & Co. renew interest in worm studies • Issues: • How to explain worm propagation curves? • What factors affect spreading behavior? • Can we generate a more accurate model?

  4. Background: Code Red • Three variants: • Code Red v1, July 13, 2001 (static random-number seed, so every copy scanned the same list of addresses) • Code Red v2, July 19, 2001 (random seed; this is the outbreak the paper models) • Code Red II, August 4, 2001 • 100 scanning threads per infected host; more than 359,000 hosts infected in under 14 hours (CAIDA) • Spread by a “maliciously crafted URL” that triggers the IIS Index Server ISAPI (.ida) buffer overflow, MS01-033

  5. Background: The Stack Smash • Buffer overflows in C functions that copy without a bound: gets(), strcpy(), and home-grown parsers • Two steps: inject code into the buffer and overwrite the saved return address so that it points at the injected code • Both parts are critical: the overflow alone corrupts memory but does not execute attacker code

  6. The Stack Smashing Mechanism • The overflow string is laid out as “junk” (a NOP sled), the attack code, and the new return value, repeated so that one copy lands on the saved return address • This is how many worms propagate • SQL “Slammer” fits in one UDP packet (376 bytes of machine code)
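The following C program is an added illustration of slides 5 and 6; it is my code, not the slides' or the Zou, Gong & Towsley paper's. It models a canary-less 32-bit frame (a 64-byte local buffer followed by the saved frame pointer and saved return address), the unbounded copy that gets()/strcpy() perform into such a buffer, the bounded copy that would have prevented it, and the classic payload layout of NOP sled, attack code and repeated return address. The frame layout, buffer size, the 0xCC bytes standing in for shellcode, and every address are constructed assumptions; nothing is executed, the program only shows where the bytes land, which is why the slide says the overflow alone is not enough.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 64

/* Model of a 32-bit, canary-less stack frame holding one local buffer.
   Assumption: the layout is illustrative; real frames add alignment and
   other locals, but the order buf -> saved frame pointer -> saved return
   address is what a stack smash relies on. */
struct frame {
    char     buf[BUF_LEN];
    uint32_t saved_ebp;
    uint32_t saved_ret;
};

/* Vulnerable pattern (kept deliberately): copy attacker-controlled input
   into the frame with no bound, as gets() or strcpy() into buf would.
   The frame is written as raw bytes (buf sits at offset 0) so the overrun
   is a plain byte copy rather than out-of-bounds indexing of buf. */
void vulnerable_copy(struct frame *f, const unsigned char *in, size_t len)
{
    memcpy((unsigned char *)f, in, len);
}

/* Hardened version: refuse anything that does not fit with its terminator. */
int hardened_copy(struct frame *f, const unsigned char *in, size_t len)
{
    if (len > BUF_LEN - 1)
        return -1;
    memcpy(f->buf, in, len);
    f->buf[len] = '\0';
    return 0;
}

/* Build the classic overflow string: [NOP sled][attack code][ret addr x n].
   ret_addr is stored in native byte order so saved_ret reads back equal to
   it (little-endian on x86). Returns total_len, or 0 if it cannot fit. */
size_t build_payload(unsigned char *out, size_t out_len,
                     const unsigned char *code, size_t code_len,
                     uint32_t ret_addr, size_t ret_copies, size_t total_len)
{
    size_t ret_bytes = ret_copies * sizeof ret_addr;
    if (total_len > out_len || code_len + ret_bytes > total_len)
        return 0;
    size_t sled_len = total_len - code_len - ret_bytes;
    memset(out, 0x90, sled_len);                 /* x86 NOP sled */
    memcpy(out + sled_len, code, code_len);      /* attack code */
    for (size_t i = 0; i < ret_copies; i++)      /* return address copies */
        memcpy(out + sled_len + code_len + i * sizeof ret_addr,
               &ret_addr, sizeof ret_addr);
    return total_len;
}

/* Constructed stand-in for shellcode: eight int3 bytes. */
static const unsigned char attack_code[8] = {
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC
};
#define ORIG_RET 0x08048000u   /* constructed original return address */

/* Prepare one frame and a payload sized to reach saved_ret exactly;
   two copies of ret_addr cover saved_ebp and then saved_ret. */
static size_t setup(struct frame *f, unsigned char *payload, uint32_t ret_addr)
{
    memset(f, 0, sizeof *f);
    f->saved_ret = ORIG_RET;
    return build_payload(payload, sizeof(struct frame), attack_code,
                         sizeof attack_code, ret_addr, 2, sizeof(struct frame));
}

/* Returns 1 if the unbounded copy replaced the saved return address. */
int smash_succeeds(uint32_t ret_addr)
{
    struct frame f;
    unsigned char payload[sizeof(struct frame)];
    size_t n = setup(&f, payload, ret_addr);
    if (n == 0) return 0;
    vulnerable_copy(&f, payload, n);
    return f.saved_ret == ret_addr;
}

/* Returns 1 if the bounded copy rejects the same payload and leaves
   the saved return address untouched. */
int hardened_rejects(uint32_t ret_addr)
{
    struct frame f;
    unsigned char payload[sizeof(struct frame)];
    size_t n = setup(&f, payload, ret_addr);
    if (n == 0) return 0;
    return hardened_copy(&f, payload, n) == -1 && f.saved_ret == ORIG_RET;
}

int main(void)
{
    uint32_t target = 0xBFFFF5A0u;   /* constructed address inside the sled */
    printf("saved_ret at offset %zu; payload %zu bytes\n",
           offsetof(struct frame, saved_ret), sizeof(struct frame));
    printf("vulnerable_copy: return address hijacked = %d\n", smash_succeeds(target));
    printf("hardened_copy:   payload rejected         = %d\n", hardened_rejects(target));
    return 0;
}
```

The payload is exactly sizeof(struct frame) bytes: 56 bytes of sled, 8 bytes of attack code, then two 4-byte copies of the target address, so the last copy overwrites saved_ret. The bounded copy never reaches that offset, which is the whole difference between a crash and code execution.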

  7. Epidemic Models • Deterministic vs. stochastic • Simple epidemic model (the “previous” paper, Staniford, Paxson & Weaver 2002) • General epidemic model (Kermack-McKendrick; adds the notion of removed hosts) • Good baselines, but they need adjusting to explain Internet worm data • Deterministic models are appropriate here: the host population is large enough that stochastic fluctuations average out

  8. Two-Factor Worm Model • Two major factors affect worm spread: • dynamic human countermeasures: • anti-virus software cleaning infected hosts • patching • firewall updates • disconnecting or shutting down hosts • interference due to aggressive scanning (the worm’s own traffic congests the network) • Consequently the infection rate β is not constant: β(t) decreases over time

  9. Two-Factor Worm Model (cont.) • Two important restrictions: • consider only “continuously activated” worms • consider worms that propagate without regard to network topology (uniform random scanning of the address space)

  10. Infection Statistics

  11. Classic Simple Epidemic Model • Model presented in the “previous” paper (classic simple epidemic model with K = βN ≈ 1.8 per hour) • a(t) = J(t) / N (fraction of the population infected) • Does not match the data: the model keeps growing until a(t) = 1, while the observed curve on the last slide peaks and then falls off

  12. Simple Epidemic Model Math • Variables: • J(t) = infected hosts (hosts that have had the worm at any point up to t) • N = population size • β = pairwise infection rate (a constant in this model) • dJ(t)/dt = βJ(t)[N - J(t)]

  13. Two-Factor Model Math • dI(t)/dt = β(t)[N - R(t) - I(t) - Q(t)]I(t) - dR(t)/dt • S(t) = susceptible hosts • I(t) = infectious hosts • R(t) = hosts removed from the infectious population (cleaned, patched, disconnected) • Q(t) = hosts removed from the susceptible population before they were infected (patched, firewalled) • J(t) = I(t) + R(t) (hosts ever infected) • C(t) = R(t) + Q(t) (all removed hosts) • N = S(t) + I(t) + R(t) + Q(t), so the bracketed term is S(t)

  14. Two-Factor Fit • Takes removed hosts from both the S and I populations into account • Uses a non-constant, decreasing infection rate β(t) • Fits the observed Code Red data well
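The equations on slides 12 to 14, integrated numerically as an added example (my code, not the slides’ or the authors’). Forward Euler steps both the simple model and the two-factor model. The two-factor system is closed with the three rate laws the Zou, Gong & Towsley paper uses, dR/dt = γI, dQ/dt = μSJ and β(t) = β0(1 − I/N)^η; the numeric values of β0, γ, μ, η, N, I(0) and the run length below are constructed for illustration and are not the paper’s fitted values.

```c
#include <stdio.h>

/* Summary of a two-factor run; times in hours, counts in hosts. */
struct two_factor_result {
    double J_final;  /* I(T) + R(T): hosts that were infected at some point */
    double I_final;  /* infectious hosts at t = T */
    double Q_final;  /* susceptible hosts removed (patched/firewalled) before infection */
    double I_peak;   /* maximum of I(t) over the run */
    double t_peak;   /* time of that maximum */
    double total;    /* S + I + R + Q at t = T; must still equal N */
};

/* Classic simple epidemic model, Euler-integrated:
       dJ/dt = beta * J * (N - J)
   With beta = K/N the early growth rate is K (K ~ 1.8/h for Code Red).
   Every host that is ever infected stays infectious, so J climbs to N. */
double simulate_simple(double N, double beta, double J0, double T, double dt)
{
    double J = J0;
    long steps = (long)(T / dt + 0.5);
    for (long k = 0; k < steps; k++)
        J += beta * J * (N - J) * dt;
    return J;
}

static double ipow(double x, int n)
{
    double r = 1.0;
    while (n-- > 0) r *= x;
    return r;
}

/* Two-factor model (Zou, Gong & Towsley), Euler-integrated:
       dI/dt = beta(t) * S * I - dR/dt,      S = N - I - R - Q
   closed with the paper's three rate laws (parameter values are assumptions):
       dR/dt   = gamma * I                   infected hosts cleaned or patched
       dQ/dt   = mu * S * J                  susceptible hosts patched/firewalled
                                             as awareness (J = I + R) grows
       beta(t) = beta0 * (1 - I/N)^eta       scan traffic congestion lowers the rate
   The flows are applied explicitly so S + I + R + Q is conserved. */
struct two_factor_result simulate_two_factor(double N, double beta0, int eta,
                                             double gamma, double mu,
                                             double I0, double T, double dt)
{
    double S = N - I0, I = I0, R = 0.0, Q = 0.0;
    struct two_factor_result res = {0};
    res.I_peak = I;
    res.t_peak = 0.0;
    long steps = (long)(T / dt + 0.5);
    for (long k = 0; k < steps; k++) {
        double beta    = beta0 * ipow(1.0 - I / N, eta);
        double new_inf = beta * S * I * dt;        /* S -> I */
        double rem_I   = gamma * I * dt;           /* I -> R */
        double rem_S   = mu * S * (I + R) * dt;    /* S -> Q */
        S -= new_inf + rem_S;
        I += new_inf - rem_I;
        R += rem_I;
        Q += rem_S;
        if (I > res.I_peak) { res.I_peak = I; res.t_peak = (k + 1) * dt; }
    }
    res.J_final = I + R;
    res.I_final = I;
    res.Q_final = Q;
    res.total   = S + I + R + Q;
    return res;
}

int main(void)
{
    double N = 360000.0;   /* order of the Code Red victim count; constructed run */
    double Js = simulate_simple(N, 1.8 / N, 10.0, 40.0, 0.01);
    struct two_factor_result r =
        simulate_two_factor(N, 1.8 / N, 3, 0.05, 0.06 / N, 10.0, 40.0, 0.01);
    printf("simple:     J(40h)/N = %.3f\n", Js / N);
    printf("two-factor: J(40h)/N = %.3f, I peak %.3f N at %.1f h, "
           "I(40h)/N = %.3f, Q(40h)/N = %.3f\n",
           r.J_final / N, r.I_peak / N, r.t_peak, r.I_final / N, r.Q_final / N);
    return 0;
}
```

With the same β0 = K/N, the simple model saturates at J = N, while the two-factor run shows the shape slide 14 describes: I(t) rises exponentially, peaks while a sizeable susceptible pool remains (the (1 − I/N)^η factor throttles scanning), then declines as γ drains infected hosts, and J(∞) ends well below N because μ moves susceptible hosts into Q before the worm reaches them.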

  15. Results • Two-factor worm model: • accurate without topology constraints • explains both the exponential start and the drop-off at the end • identifies two critical factors in worm propagation (human countermeasures and scan-induced congestion) • Only about 60% of the hosts Code Red could have infected were ever infected

  16. The SQL Slammer (Sapphire) • Infection stats: • 90% of vulnerable hosts infected within 10 minutes • infected population doubled every 8.5 s • at least 75,000 hosts infected • the entire worm is 1 UDP packet

  17. Questions • Sapphire paper (CAIDA): • http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html • “Previous” Code Red paper (Staniford, Paxson & Weaver, “How to 0wn the Internet in Your Spare Time”, USENIX Security 2002): • http://www.icir.org/vern/papers/cdc-usenix-sec02/
