The Effect of Infection Time on Internet Worm Propagation




The Effect of Infection Time on Internet Worm Propagation
Erika Rice

Background
- Worms are self-propagating programs that spread over a network, usually the Internet
- Unlike viruses, worms are not dependent on other programs, like email clients
- Worms spread by scanning the network for vulnerable machines and then infecting them

Worm Spread
Internet worms can spread devastatingly quickly
- July 2001: Code Red infects 359,000 computers in less than 14 hours
- January 2003: SQL Slammer infects 75,000 computers in 10 minutes
- August 2003: MSBlaster infects 120,000 computers in 24 hours

Existing Models
Propagation Models
- Staniford, Paxson & Weaver's Random Constant Spread Model (RCS)
- Kephart & White's Epidemiological Model
- Kermack-Mckendrick Epidemic Model
- Chen, Gao & Kwiat's Analytical Active Worm Propagation Model (AAWP)
Specialized Models
- Williamson & Léveillé's Virus Scanner Model
- Zou, Gong & Towsley's Dynamic Quarantine Model

Infection Time
- These models ignore the fact that computers are not infected instantaneously
- It takes time for the worm to transfer its code to the infected machine
- Does transfer time significantly affect the time it takes a worm to spread?

Approach
- Extend the Kermack-Mckendrick Epidemic Model to have a state for scanned computers

Assumptions
- Computers are not entering the network
- Removed computers never re-enter the network
- Computers are only removed after they have been fully infected
- Any computer can reach any other computer in one hop, and scanning is random
- The network is large
- The worm is running on an IPv4 network
- Infected machines rarely scan the same machine at the same time
- The network speed is not affected by the worm


My Model: Populations
Define the following populations:
- V: Vulnerable machines
- S: Scanned machines
- I: Infected machines
- R: Removed machines

My Model: Constants
Define the following constants:
- η: Scans per second from an infected machine
- β: $\eta / 2^{32}$, the chance a scan hits a real IP address
- γ: Removal rate of infected machines; $\gamma^{-1}$ is the average number of seconds an infected machine will spread the worm
- τ: The average network transfer rate in KB/s
- σ: The size of the worm in KB

My Model: Equations
\begin{align}
\frac{dV}{dt} &= -\beta I V \\
\frac{dI}{dt} &= \frac{\tau}{\sigma} S - \gamma I \\
\frac{dS}{dt} &= \beta I V - \frac{\tau}{\sigma} S \\
\frac{dR}{dt} &= \gamma I
\end{align}

Results: Code Red
- These results show the effect of scanning for the Code Red worm
- For this simulation V_0 = 500,000, I_0 = 1, t_max = 100 hours, η = 2 scans/s, and γ = 0.00002
- For the scanning model (right) σ = 4 KB, τ = 0.01 KB/s
[Figure: two plots of population size against time (hours), each marking 98% of total population. Left: "Worm Spread Under the Kermack-Mckendrick Epidemic Model" (Infected, Removed, Vulnerable). Right: "Worm Spread Under the Scanning Model" (Infected, Removed, Vulnerable, Scanned).]

Results: SQL Slammer
- These results show the effect of scanning for the Code Red worm
- For this simulation V_0 = 75,000, I_0 = 10, t_max = 600 seconds, η = 4000 scans/s, and γ = 0.00002315
- For the scanning model (right) σ = 0.4 KB, τ = 0.01 KB/s
[Figure: two plots of population size against time (seconds), each marking 98% of total population. Left: "Worm Spread Under the Kermack-Mckendrick Epidemic Model" (Infected, Removed, Vulnerable). Right: "Worm Spread Under the Scanning Model" (Infected, Removed, Vulnerable, Scanned).]

Analysis
- Choice of network speed: 0.01 KB/s reflects the network slowing due to the worm
- Code Red: The download time for the worm is not significant when the scan rate is low
- SQL Slammer: The download time for the worm is significant when the scan rate is high
- Extensions: Model the network speed as a function of the number of infected computers
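The Analysis slide's two conclusions can be checked by integrating the model's equations numerically. The Python sketch below is an added example, not code from the talk: it uses fixed-step RK4 with the parameters from the two Results slides (decimals read as γ = 0.00002 and 0.00002315, τ = 0.01, σ = 0.4), and it assumes the plots' 98% line means I + R reaching 98% of V_0 + I_0.

```python
"""RK4 integration of the slides' scanning model and the Kermack-McKendrick baseline."""

def derivs(state, beta, gamma, k):
    """Right-hand side for (V, S, I, R); k = tau/sigma, or None for instant infection."""
    v, s, i, r = state
    hit = beta * i * v                 # vulnerable machines hit by scans per second
    if k is None:                      # baseline model: no scanned state
        return (-hit, 0.0, hit - gamma * i, gamma * i)
    done = k * s                       # worm transfers completing per second
    return (-hit, hit - done, done - gamma * i, gamma * i)

def rk4_step(state, dt, *params):
    def shift(d, h):
        return tuple(x + h * dx for x, dx in zip(state, d))
    k1 = derivs(state, *params)
    k2 = derivs(shift(k1, dt / 2), *params)
    k3 = derivs(shift(k2, dt / 2), *params)
    k4 = derivs(shift(k3, dt), *params)
    return tuple(x + dt / 6 * (a + 2 * b + 2 * c + d)
                 for x, a, b, c, d in zip(state, k1, k2, k3, k4))

def time_to_fraction(v0, i0, eta, gamma, t_max, dt, sigma=None, tau=None, frac=0.98):
    """Seconds until I + R >= frac of the population, or None if t_max passes first."""
    beta = eta / 2 ** 32
    k = None if sigma is None else tau / sigma
    state, total, t = (float(v0), 0.0, float(i0), 0.0), v0 + i0, 0.0
    while t < t_max:
        state = rk4_step(state, dt, beta, gamma, k)
        t += dt
        if state[2] + state[3] >= frac * total:   # assumed meaning of the 98% line
            return t
    return None

# Parameters from the Results slides; the step size dt is chosen for this example.
CODE_RED = dict(v0=500_000, i0=1, eta=2, gamma=0.00002, t_max=100 * 3600, dt=10.0)
SLAMMER = dict(v0=75_000, i0=10, eta=4000, gamma=0.00002315, t_max=600, dt=0.1)

def slowdown(params, sigma, tau):
    """Scanning-model time to 98% divided by the baseline model's time to 98%."""
    return (time_to_fraction(**params, sigma=sigma, tau=tau)
            / time_to_fraction(**params))

if __name__ == "__main__":
    print("Code Red slowdown:", round(slowdown(CODE_RED, sigma=4, tau=0.01), 2))
    print("Slammer slowdown: ", round(slowdown(SLAMMER, sigma=0.4, tau=0.01), 2))
```

A slowdown near 1 means transfer time barely matters; for defenders, the ratio shows how much of the response window in a fast-scanning outbreak comes from payload transfer rather than scanning.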

References
[1] David Becker & Matt Hines. FBI arrests MSBlast worm suspect. http://news.com.com/2100-1009-5070000.html
[2] CAIDA. Analysis of Code Red. http://www.caida.org/analysis/security/code-red/
[3] Zesheng Chen, Lixin Gao, & Kevin Kwiat. Modeling the Spread of Active Worms. www.labreatechnologies.com/aawp.pdf
[4] Cliff Changchun Zou, Weibo Gong, & Don Towsley. Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense. tennis.ecs.umass.edu/~czou/research/dynamicquarantine.pdf
[5] Kimberly Claffy. Internet traffic characterization. citeseer.ist.psu.edu/claffy94internet.html
[6] David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, & Nicholas Weaver. The Spread of the Sapphire/Slammer Worm. http://www.cs.berkeley.edu/~nweaver/sapphire/