The Effect of Infection Time on Internet Worm Propagation

Transcription

1 The Effect of Infection Time on Internet Worm Propagation Erika Rice The Effect of Infection Time oninternet Worm Propagation p 1

2 Background Worms are self propagating programs that spread over a network, usually the Internet Unlike viruses, worms are not dependent on other programs, like clients Worms spread by scanning the network for vulnerable machines and then infecting them The Effect of Infection Time oninternet Worm Propagation p 2

3 Worm Spread Internet worms can spread devastatingly quickly July 2001: Code Red infects 359,000 computers in less than 14 hours January 2003: SQL Slammer infects 75,000 computers in 10 minutes August 2003: MSBlaster infects 120,000 computers in 24 hours The Effect of Infection Time oninternet Worm Propagation p 3

4 Existing Models Propagation Models Staniford, Paxson & Weavers s Random Constant Spread Model (RCS) Kephart & White s Epidemiological Model Kermack-Mckendrick Epidemic Model Chen, Gao & Kwiat s Analytical Active Worm Propagation Model (AAWP) Specialized Models Williamson & Léveillé s Virus Scanner Model Zou, Gong & Towsley s Dynamic Quarantine Model The Effect of Infection Time oninternet Worm Propagation p 4

5 Infection Time These models ignore the fact that computers are not infected instantaneously It takes time for the worm to transer its code to the infected machine Does transfer time significantly effect the time it takes a worm to spread? The Effect of Infection Time oninternet Worm Propagation p 5

6 Approach Extend the Kermack-Mckendrick Epidemic Model to have a state for scanned computers The Effect of Infection Time oninternet Worm Propagation p 6

7 Assumptions Computers are not entering the network Removed computers never re-enter the network Computers are only removed after they have been fully infected Any computer can reach any other computer in one hop, and scanning is random The network is large The worm in running on an IPv4 network Infected machines rarely scan the same machine at the same time The network speed is not affected by the worm The Effect of Infection Time oninternet Worm Propagation p 7

8 Assumptions Computers are not entering the network Removed computers never re-enter the network Computers are only removed after they have been fully infected Any computer can reach any other computer in one hop, and scanning is random The network is large The worm in running on an IPv4 network Infected machines rarely scan the same machine at the same time The network speed is not affected by the worm The Effect of Infection Time oninternet Worm Propagation p 7

9 My Model: Populations Define the following populations: V : Vulnerable machines S: Scanned machines I: Infected machines R: Removed machines The Effect of Infection Time oninternet Worm Propagation p 8

10 My Model: Constants Define the following constants: η: Scans per second from an infected machine β: η 2 32, the chance a scan hits a real IP address γ: Removal rate of infected machines γ 1 is the average number of seconds an infected machine will spread the worm τ: The average network transfer rate in KB/s σ: The size of the worm in KB The Effect of Infection Time oninternet Worm Propagation p 9

11 My Model: Equations dv dt = βiv di dt = τ σ S γi ds dt = βiv τ σ S dr dt = γi The Effect of Infection Time oninternet Worm Propagation p 10

12 Results: Code Red These results show the effect of scanning for the Code Red worm For this simulation V 0 = 500,000, I 0 = 1, t max = 100 hours, η = 2 scans/s, and γ = For the scanning model (right) σ = 4 KB, τ = 001 KB/s 5 x 105 Worm Spread Under the Kermack Mckendrick Epidemic Model 5 x 105 Worm Spread Under the Scanning Model Population size % of total population Infected Removed Vulnerable Population size % of total population Infected Removed Vulnerable Scanned time (hours) time (hours) The Effect of Infection Time oninternet Worm Propagation p 11

13 Results: SQL Slammer These results show the effect of scanning for the Code Red worm For this simulation V 0 = 75,000, I 0 = 10, t max = 600 seconds, η = 4000 scans/s, and γ = For the scanning model (right) σ = 04 KB, τ = 001 KB/s 8 x 104 Worm Spread Under the Kermack Mckendrick Epidemic Model 8 x 104 Worm Spread Under the Scanning Model Population size % of total population Infected Removed Vulnerable Population size % of total population Infected Removed Vulnerable Scanned time (seconds) time (seconds) The Effect of Infection Time oninternet Worm Propagation p 12

14 Analysis Choice of network speed: 001 KB/s reflects the network slowing due to the worm Code Red: The download time for the worm is not significant when the scan rate is low SQL Slammer: The download time for the worm is significant when the scan rate is high Extensions: Model the network speed as a function of the number of infected computers The Effect of Infection Time oninternet Worm Propagation p 13

15 References [1] David Becker & Matt Hines FBI arrests MSBlast worm suspect [2] CAIDA Analysis of Code Red [3] Zesheng Chen, Lixin Gao, & Kevin Kwiat Modeling the Spread of Active Worms wwwlabreatechnologiescom/aawppdf [4] Cliff Changchun Zou, Weibo Gong, & Don Towsley Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense tennisecsumassedu/~czou/research/dynamicquarantinepdf [5] Kimberly Claffy Internet traffic characterization citeseeristpsuedu/claffy94internethtml [6] David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, & Nicholas Weaver The Spread of the Sapphire/Slammer Worm The Effect of Infection Time oninternet Worm Propagation p 14