Modeling Computer Worm Propagation. Renata Aryanti Ilya Perepelitsky Justin Pettit

Transcription

1 Modeling Computer Worm Propagation Renata Aryanti Ilya Perepelitsky Justin Pettit

2 Background Computer worms are self-replicating programs that spread between systems on a network. They often randomly generate an address to choose their next victim. They spread so quickly that they can have world-wide impact in just a few minutes.

3 Our questions What is the trend of the worm spreading across the corporate network (i.e., the expected number of machines infected per second within 1 hour)? If 50% of the machines in the local network got infected, the high traffic will be noticeable. What is the probability that the outside network is infected before this is noticed? What is the best strategy for a worm writer to achieve this? For a user, what is the best way to fight worm spread?

4 Probability Model Think about coins in a bag. Start with 1 coin on the table. Each turn: Flip every coin. For each head => take 1 extra coin from the bag in the end of the turn. Example: Step 1 : H => there will be 2 coins after the turn Step 2 : TH => there will be 3 coins after the turn Step 3 : TTT => there will be 3 coins after the turn # coins on the table = # machines infected.

5 (continue) Define: m = # coins in the beginning of turn n = # coins in the end of the turn Then, n will be in this set: {x, x+1,, 2x} p = probability to affect 1 more machine P(x) = Probability to get (n-m) additional coins in the turn: P(n-m) = bin (m, p) ; 0 n m Probability to get x coins in the end of turn i :

6 P(affecting another machine in the local network) Address space : 2^8 for local network, and 2^16 for distant network. N l = # computers in the local network N d = # computers in the distant network v i = probability of reaching invalid address v l = probability of reaching local network v d = probability of reaching distant network i = # of currently infected computers p vul = probability that a computer is vulnerable = probability that the computer is running Windows operating system * P(system is unpatches) I = infecting another machine in the local network I = unable to infect another machine.

7 P(affecting another machine) Address space : 2^8 for local network, and 2^16 for distant network. N l = # computers in the local network N d = # computers in the distant network v i = probability of reaching invalid address v l = probability of reaching local network = N l / address space v d = probability of reaching distant network = N d / address space i = # of currently infected computers p vul = probability that a computer is vulnerable = probability that the computer is running Windows operating system * P(system is unpatches) I = infecting another machine in the local network I = unable to infect another machine. Thus, Similarly, for the outside network :

8 Generating our numbers.. Our assumption in generating P y (x) for local network: Each infected machine tries to send 1 message every second We are looking at 3600 second (1 hour) data We consider the local network to reach its limit when 50% of the machines are infected. We wrote Perl script to generate P y (x) and calculate E[x] for each y.

9 What p_vul to use? Constant p : assume that p doesn t change throughout the tryout (use the first p found from the previous formula) Dynamic p : resemble the real world better, since the more computer get infected, the p to reach a valid address is reducing. Comparison result : they are not very different. For simplicity then we use constant p.

10 Best algorithm for worm writer Each algorithm choose address from max address space available. Goal of worm writer: spread the worm as much to the distant network before the local network maxed out. Define: P(l) : probability of infecting one additional machine in the local network P(d) : probability of infecting one additional machine in the distant network Z : proportion of using local address space VS global address space What is optimal z? If z is high, local network will be maxed out quicker. What about P(l) = P(d)? It sounds optimal. See second figure. What about z = 0? P(d) should be a lot higher since there are more machines outside. Turns out that no matter what z we choose, we would max out local very soon before reaching outside machine. This is because we have 1 infected machine in the local network to begin with.

11 Worm prevention Current debate: reduce the use of Windows OS to reduce worm spread. Is this true? We played around with our variables p_vul The two graph compares 2 different approaches: to downsize Windows OS or to increase the patched systems It is shown to be more important to have updated patches on the system.

12 Conclusion It is better to patch systems than to try to increase the diversity of Operating Systems. Once a worm spreads widely enough, the amount of traffic it generates quickly causes serious problems that slow its spread. In the future, a move to a larger address space (such as provided by IPv6) will significantly reduce the effectiveness of random scanning.

13 Limitation & Suggestion We have to simplify the network system due to the complexity of the real world model. This and the big size of the data requires tools beyond Excel. For future study, a more elaborate script will be needed. A study of how an IPv6 worm would be interesting and some suggestions are contained in the paper.