
Code Red Worm Propagation Modeling and Analysis

Code Red Worm Propagation Modeling and Analysis. Cliff Changchun Zou, Weibo Gong, Don Towsley. Introduction. The Code Red worm incident of July 2001 has stimulated activities to model and analyze Internet worm propagation.


Presentation Transcript


  1. Code Red Worm Propagation Modeling and Analysis Cliff Changchun Zou, Weibo Gong, Don Towsley

  2. Introduction • The Code Red worm incident of July 2001 has stimulated activities to model and analyze Internet worm propagation. • Previous work did not consider two factors affecting Code Red propagation • Dynamic countermeasures taken by ISPs and users • The slowed-down worm infection rate • Two-factor worm model

  3. Background on Code Red Worm • The Code Red worm exploited a Windows IIS vulnerability on Windows 2000 • Each worm copy generated 100 threads • 99 threads randomly chose one IP address to attack • Timeout: 21 seconds

  4. Background on Code Red Worm

  5. Background on Code Red Worm

  6. Background on Code Red Worm

  7. Using Epidemic Models to Model Code Red Worm Propagation • Computer viruses and worms are similar to biological viruses in their self-replicating and propagation behavior • Introduce two classical epidemic models as the basis of the two-factor Internet worm model • Classical simple epidemic model • Kermack-McKendrick model

  8. Classical Simple Epidemic Model J(t): the number of infected hosts at time t :infection rate S(t): the number of susceptible hosts at time t N: size of population • At t=0: J(0) hosts are infected and other N-J(0) hosts are all susceptible

  9. Classical Simple Epidemic Model • Let , dividing both sides by N^2 where

  10. Classical Simple Epidemic Model • The classical epidemic model can match the beginning phase of Code Red spreading, but it can’t explain the later part of Code Red propagation: during the last five hours from 20:00 to 00:00 UTC, the worm scans kept decreasing

  11. Kermack-McKendrick Model • Considers the removal process of infectious hosts • Once a host recovers from the disease, it will be immune to the disease forever – “removed” state I(t): the number of infectious hosts at time t R(t): the number of removed hosts from previously infectious hosts at time t

  12. Kermack-McKendrick Model • Based on the simple epidemic model, the Kermack-McKendrick model is: J(t): the number of infected hosts at time t : removal rate of infectious hosts : infection rate N: size of population

  13. Kermack-McKendrick Model • Define • If the initial number of susceptible hosts is smaller than some critical value, there will be no epidemic and outbreak

  14. Kermack-McKendrick Model • The Kermack-McKendrick model improves the classical simple epidemic model by considering that some infectious hosts either recover or die after some time, but it is still not suitable for modeling Internet worm propagation • Removal only from the infectious hosts • Assumes the infection rate to be constant

  15. A NEW INTERNET WORM MODEL: TWO-FACTOR WORM MODEL • Two factors affecting Code Red worm propagation • Human countermeasures • Decreased infection rate

  16. A NEW INTERNET WORM MODEL: TWO-FACTOR WORM MODEL • According to the same principle in deriving the Kermack-McKendrick model: • In order to solve the equation, we have to know the dynamic properties of , and

  17. A NEW INTERNET WORM MODEL: TWO-FACTOR WORM MODEL • Use the same assumption as the Kermack-McKendrick model uses: • The removal process from susceptible hosts looks similar to a typical epidemic propagation:

  18. A NEW INTERNET WORM MODEL: TWO-FACTOR WORM MODEL • Last, we model the decreased infection rate by the equation: : initial infection rate : used to adjust the infection rate sensitivity to the number of infectious hosts

  19. A NEW INTERNET WORM MODEL: TWO-FACTOR WORM MODEL • For parameters N=1000000, I(0)=1, =3, r=0.05, u=0.06/N, =0.8/N

  20. Simulation

  21. Simulation

  22. Simulation

  23. Conclusion • By considering human countermeasures taken by ISPs and users and the slowed-down worm infection rate, the two-factor worm model matches the observed data better than previous models do • The two-factor worm model is a general Internet worm model for modeling worms by adjusting different parameters
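The comparison the slides draw between the classical simple epidemic model and the two-factor worm model can be reproduced numerically. The following is an added example, not code from the presentation or its authors. The differential equations did not survive in this transcript, so the equation forms in the docstrings are assumed from the published two-factor model, and the mapping of the slide 19 values to parameters (the unnamed "=3" as the sensitivity exponent, "r" as the removal rate of infectious hosts, "u" as the removal rate of susceptible hosts, the unnamed "=0.8/N" as the initial infection rate) is likewise an assumption.

```python
# Added example (not from the slides): Euler integration of the simple epidemic
# model and the two-factor worm model with the slide 19 parameter values.
N = 1_000_000     # population size
I0 = 1.0          # I(0), initially infected hosts
ETA = 3           # assumed: the unnamed "=3" is the sensitivity exponent
GAMMA = 0.05      # assumed: "r" is the removal rate of infectious hosts
MU = 0.06 / N     # assumed: "u" is the removal rate of susceptible hosts
BETA0 = 0.8 / N   # assumed: the unnamed "=0.8/N" is the initial infection rate

def simple_epidemic(t_end=80, dt=0.01):
    """Assumed form dJ/dt = BETA0 * J * (N - J); J sampled once per time unit."""
    per = round(1 / dt)
    j, samples = I0, []
    for k in range(t_end * per + 1):
        if k % per == 0:
            samples.append(j)
        j += dt * BETA0 * j * (N - j)
    return samples

def two_factor(t_end=80, dt=0.01):
    """Returns (S, I, R, Q) sampled once per time unit.

    Assumed equation forms (not legible in the transcript):
      dR/dt = GAMMA * I                  removal of infectious hosts
      dQ/dt = MU * S * (I + R)           removal of susceptible hosts
      beta  = BETA0 * (1 - I/N) ** ETA   decreasing infection rate
      dI/dt = beta * S * I - dR/dt
    """
    per = round(1 / dt)
    i, r, q, samples = I0, 0.0, 0.0, []
    for k in range(t_end * per + 1):
        s = N - i - r - q              # susceptible hosts still reachable
        if k % per == 0:
            samples.append((s, i, r, q))
        beta = BETA0 * (1 - i / N) ** ETA
        d_r = GAMMA * i
        d_q = MU * s * (i + r)
        d_i = beta * s * i - d_r
        i, r, q = i + dt * d_i, r + dt * d_r, q + dt * d_q
    return samples

if __name__ == "__main__":
    simple, worm = simple_epidemic(), two_factor()
    for t in range(0, 81, 10):
        s, i, r, q = worm[t]
        print(f"t={t:2d} simple J={simple[t]:9.0f} I={i:9.0f} R={r:9.0f} Q={q:9.0f}")
```

Under these assumptions the simple model saturates at N, while the two-factor model's I(t) peaks well below N and then falls, which is the late-phase decline the slides say the classical model cannot explain.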
