An Approach against a Computer Worm Attack

Ossama Toutonji and Seong-Moo Yoo
University of Alabama in Huntsville, Department of Electrical and Computer Engineering, Huntsville, Alabama 35899, USA
{toutono; yoos}@eng.uah.edu

Abstract: Building a realistic model for a network defense system against a worm attack is vital to better understand the effects of a worm attack on network assets and functionality. Traditional epidemic worm modeling does not take into consideration the real network topology or the network's actual defense measures. In this paper, we reviewed network defense systems from different perspectives in order to define the level of immunity of different parts of the network and to ascertain the real impact of a worm attack on the network. The idea of immunity came from examining and comparing the immune system in the human body to the defense and security measures of computer networks. Then, we developed a novel, realistic model by splitting the network into the highly immune part of the network (HI) and the partially immune part of the network (PI) in order to measure the real impact of a worm attack on a computer network. Next, we evaluated the effectiveness of this model by implementing network defense measures adopted from the human immune system. Computer simulations show that the infection waves of worms in HI have minimal impact compared to those in PI.

Keywords: epidemic worm modeling, highly immune part of the network (HI), human immune system, partially immune part of the network (PI), worm attack.

1. Introduction

A worm attack [1, 2, 7, 9, 17, 18, 20, 21, 22] still poses an enormous threat to network security. The destructive, automated, and self-replicating behavior of a worm consumes bandwidth and degrades network performance. The design of worm code could go beyond the intention to propagate through the network.
A malicious code could be built to delete executable files on the attacked machine, create a backdoor listener, and cause a denial-of-service attack. Generally, a worm is categorized according to the way it propagates, installs, or launches. A worm could spread through e-mails, instant messages, Internet relay chat, and file sharing. Burckhardt [4] proposed a virtual reality model of infectious diseases in the human population. The model took into consideration several important factors, including the level of contact between individuals and the duration of immunity in the graveyard stage, which accounts for the fact that individuals who lack immunity in the recovery state will move back to a stage of susceptibility. Burckhardt's research suggested new ways to reduce widespread infection by using quarantine and treatment in the human population as a future study [3], [4]. Kim and Bentley explored the similarity between the human immune system and network intrusion detection systems, and the possibility of emulating the human immune system to design a novel network-based intrusion detection system [5]. Castaneda et al. proposed a new method that generates an anti-worm after detecting and recognizing the payload of the malicious worm. The results showed the effects of implementing anti-worms with their respective propagation schemes and the limitations of anti-worms in practical implementations [6]. These worm models assume that all hosts in the network have the same probability of becoming infected by worms and, therefore, the same level of vulnerability to a worm attack. Consequently, the results lead to an unrealistic prediction of the infection wave. This paper presents a new approach to modeling a worm attack on a computer network; the study takes into consideration the pre-existing conditions in different parts of the network topology.
We reviewed the network from a network security perspective, where different parts of the network have different levels of defense and immunity measures. The idea of immunity came from examining and comparing the immune system in the human body to the defense and security measures of computer networks [13], [14], [15], [16]. Then, we developed a novel realistic model by splitting the network into the highly immune part of the network (HI) and the partially immune part of the network (PI) in order to measure the real impact of a worm attack on a computer network. Next, we evaluated the effectiveness of this model by implementing network defense measures adopted from the human immune system. Computer simulations show that the infection waves of worms in HI have minimal impact compared to those in PI.

This paper is organized as follows: Section 2 contains a detailed description of the similarity between the human immune system and a computer network defense system. In this section, we define the human immune system and adopt the same concept to formulate a new definition of computer network immunity. Section 3 summarizes the existing epidemic models used as tools for modeling worm attacks on computer networks. In Section 4, we present the theoretical and mathematical approach of our new realistic epidemic worm model. The last section includes the conclusion and possibilities for future research.

2. Similarity between the Human Immune System and Network Defense System

In the human body, the immune system is a constellation of responses to outside attacks on the human body [6]. The general population represents a network of individuals that interact with each other. The medical measures taken by a community in general and locally by individuals represent the defense system of human beings against the spread of disease. There are three types of immunity in the human
body: active immunity, passive immunity, and hybrid immunity.

1) Active Human Immunity is acquired from previous viral infections. When an antigen infects the body, it triggers the immune system to develop antibodies from plasma cells found in the bone marrow. Plasma cells will generate B-cells that synthesize antibody molecules. These antibody molecules bind to the antigens and destroy them. The body will keep a copy of all generated antibodies in the immunologic memory to defend against future identical viral infections.

2) Passive Human Immunity is acquired from vaccination. The antibody is transferred from an actively immunized individual to a susceptible individual and will work only for a specific type of virus.

3) Hybrid Human Immunity is acquired from using monoclonal antibody cells (hybridomas) produced in a medical laboratory and used to treat more complex and serious illnesses. Hybridomas are hybrid cells produced by fusing myeloma cells with spleen cells from animals such as mice or rabbits that have been immunized with the desired antigen. The main purpose is to stimulate the patient's immune system to fight tumor cells and to prevent tumor growth by blocking specific cell receptors.

By comparison, active immunity is longer-lasting and more effective than passive immunity due to the immunologic memory produced by the patient's own immune system. Passive immunity is produced outside the body and then implanted inside the patient. Hybrid immunity is a combination of both active and passive immunity. It is both a vaccine and a stimulus, which combines the characteristics of both active and passive immune systems.

Network immunity consists of the network security processes and defense measures that have been implemented to defend the network against inside or outside attacks. It is the software and hardware security steps taken to secure the network infrastructure [3]. Some key characteristics of human immunity are similar to network immunity.
A computer network has similar active, passive, and hybrid defense systems. We will illustrate the three different types of immunity in computer networks and show the similarities and differences between network immunity and the human immune system.

1) Active Network Immunity is established by using an effective intrusion detection system (IDS) and safe ethical worms. The IDS monitors network traffic and blocks suspicious activities by detecting known malicious code. In 2004, F. Castaneda et al. proposed an automated method to detect a worm attack, analyze the worm's malicious code, and then generate an anti-worm. The generated anti-worm, or ethical worm, has the same self-replication behavior as the bad worm. The ethical worm will spread through the network and overcome the bad worm. Most network security experts still oppose the idea of using ethical worms because they could unintentionally cause a denial-of-service attack by breaking applications or consuming network bandwidth, or they could be used by hackers as a tool for a new vulnerability. Both active human immunity and active network immunity have a memory of invaders' identities that helps identify an attacker, but the main difference is that active human immunity is dynamically capable of developing immunity to new antigens, whereas an IDS, or safe ethical worms, are only capable of identifying previously known malicious code. Building a complete active immune system that generates safe ethical worms against newly invented worms is still ongoing research.

2) Passive Network Immunity is established by installing antivirus software, downloading the required update patches, configuring a firewall system, and blocking arbitrary outbound connections [10]. In both passive human immunity and passive network immunity, the required immunity must be transferred to the target system.

3) Hybrid Network Immunity is established by combining both passive and active immunity.
Both hybrid human immunity and hybrid network immunity are capable of dealing with more complex and serious invaders. Like hybrid human immunity, the combined immunity in a hybrid network is capable of defending against a wider range of network attacks.

By analyzing the network infrastructure from a security defense perspective, network immunity levels vary depending on the network security steps that have been taken in different sections of the network. The steps needed to achieve and maintain a secure network can be summarized as follows:
1) Assessment: a technical evaluation of network security and defense systems; it includes an organization's policies, procedures, laws, regulations, budgeting, and other managerial duties [3].
2) Protection: previously established defense countermeasures to prevent network attacks.
3) Detection: the process of identifying intrusions.
4) Response: the measures that will be taken to overcome new attacks.

From the above-mentioned steps, we may split a network into two parts:
a) Highly immune part of the network (HI): here, all network security defense measures have been implemented.
b) Partially immune part of the network (PI): here, the network is either missing at least one security measure or at least one of the measures has not been fully implemented.

To determine the true impact of a worm attack on network functionality, we took our network categories into consideration and used different values for our model parameters. Our aim is to develop a new, realistic approach to worm modeling. The results gave us a close look at the spreading behavior of worms in different parts of the network and at the future strategic measures that need to be taken to fight the impact of destructive worm attacks against networks. Our model is based on the epidemic model in which a host that lacks immunity may return to the susceptible stage, therefore remaining vulnerable to a worm attack and possibly becoming re-infected.
We built our assumptions on a factual network and on the defense measurements that are usually performed by information assurance engineers. In a real functional network, the model's parameters vary depending
on the level of immunity. In PI, the probability of worm infection is higher than in HI, which leads to a higher infection rate. The removal rate is smaller in PI, owing to the higher number of recovered hosts in HI compared to PI. We also observed that the number of hosts that move back to the susceptible stage in PI is higher when compared to HI. Based on these observations, we claim that in more realistic worm attack modeling, different model parameters must be used for the different parts of the network that have disparate levels of defense, immunity, and monitoring.

3. Existing Epidemic Models

In this section, we summarize the basic epidemic models [4], [8], [11], [12], [19] that have been used to model a worm attack on computer networks. Table 1 lists the notation and symbols used to develop the sets of differential equations in this section for the basic epidemic models.

3.1 Kermack-McKendrick (KM) model

The KM model [8] is an epidemiological model with three main elements:
a) Susceptible hosts: hosts which are vulnerable to worm attack.
b) Infectious hosts: hosts infected by worms.
c) Removed hosts: hosts which have recovered from an attack and are immune to future infection.

This model is considered an SIR (Susceptible, Infectious, and Removed) model. The hosts in this type of model can be in any one of three states: Susceptible (S), Infectious (I), or Removed (R). The model builds on the assumption that the population size is fixed (no births or deaths) and that the population is homogeneously mixed. A set of nonlinear differential equations describes the change in the population of the different types of hosts. Equations (1)-(4) describe the KM epidemic model:

$\frac{dS(t)}{dt} = -\beta\, I(t)\, S(t)$ (1)
$\frac{dI(t)}{dt} = \beta\, I(t)\, S(t) - \gamma\, I(t)$ (2)
$\frac{dR(t)}{dt} = \gamma\, I(t)$ (3)
$S(t) + I(t) + R(t) = N$ (4)

By rearranging equation (2):

$\frac{dI(t)}{dt} = I(t)\,\bigl(\beta\, S(t) - \gamma\bigr)$ (5)

From (5), we conclude that $S_0 > \gamma/\beta$ must be satisfied to cause epidemic growth.
Here, $S_0$ is the initial number of susceptible hosts, $\rho = \gamma/\beta$ represents the epidemic threshold, and $\phi = \beta S_0/\gamma$ represents the basic reproduction number of the infection; $\phi > 1$ will cause the infectious population to grow. Figure 1 shows the state transitions of the KM model.

Table 1. Notation and initial values of the models used in Section 3

Notation   Explanation
S(t)       Number of susceptible hosts at time t
I(t)       Number of infectious hosts at time t
R(t)       Number of removed hosts at time t
N          Size of the total vulnerable population
β          Infection rate
γ          Removal rate
µ          Re-susceptible rate of a removed host
ρ          Epidemic threshold
φ          Reproduction number of the infection

Figure 1. Kermack-McKendrick epidemic model (state transitions: Susceptible, Infectious, Removal).

3.2 SIRS model

In the SIRS model [4], there is a state in which a removed host can lose immunity and move back to the susceptible stage. The model is governed by the following set of nonlinear differential equations:

$\frac{dS(t)}{dt} = -\beta\, I(t)\, S(t) + \mu\, R(t)$ (6)
$\frac{dI(t)}{dt} = \beta\, I(t)\, S(t) - \gamma\, I(t)$ (7)
$\frac{dR(t)}{dt} = \gamma\, I(t) - \mu\, R(t)$ (8)

The SIRS model has the same initial conditions as the SIR model regarding the fixed number of hosts and the threshold value criteria. Figure 2 shows a block diagram of the SIRS model.

Figure 2. SIRS epidemic model (state transitions: Susceptible, Infectious, Removal, and back to Susceptible).

4. Proposed Computer Network Realistic Model

The similarity in behavior between the spread of infection in a human population and the self-replication of a worm in a network environment makes modeling worm attacks on computer networks similar to modeling the spread of viral infection in a human population. The level of immunity in a computer network determines the impact of a worm attack on the computer network. In realistic worm modeling, a network has various levels of immunity. The susceptible population is divided into two groups: the highly immune population and the partially immune population. Disparate types of susceptible hosts will behave differently when confronted with a worm attack.
The level of immunity of the susceptible hosts determines the infection rate, the recovery rate, and the re-susceptibility rate of the epidemic model. We examined the values of these rates as a function of the network immunity level by looking at the main factors that cause changes in these rates. In doing so, we made a detailed comparison between a human population and a computer network. Table 2 lists the notation and symbols used in this section.

1) Infection rate: In a human population, the infection rate involves major parameters which include the contact rate between humans (θ, humans/time), the proportion of infection in the population (I/N), and the transmission infection probability (η). Since we are interested in the interaction between susceptible hosts and infectious hosts, we define the force of infection as $\theta\,\eta\, I/N$. The change in the number of susceptible hosts is represented by the equation:

$\frac{dS(t)}{dt} = -\theta\,\eta\,\frac{I}{N}\, S$ (9)

By adapting the infection parameters of a human population to a network environment, we assume that hosts in both PI and HI have the same contact rate, and that any host in the network will contact the same number of infectious hosts.

Table 2. Notation and initial values of the proposed model

Notation   Explanation                                      Initial value
Ip(t)      Number of infectious hosts in PI at time t       Ip(0) = 1
Ih(t)      Number of infectious hosts in HI at time t       Ih(0) = 1
Sp(t)      Number of susceptible hosts in PI at time t      Sp(0) = 350,000
Sh(t)      Number of susceptible hosts in HI at time t      Sh(0) = 650,000
Rp(t)      Number of removed hosts from PI at time t        Rp(0) = 0
Rh(t)      Number of removed hosts from HI at time t        Rh(0) = 0
θp         Contact rate of PI                               2
θh         Contact rate of HI                               2
ηp         Transmission infection probability for PI        1
ηh         Transmission infection probability for HI        0.25
λp         Recovery rate of infectious PI                   0.1
λh         Recovery rate of infectious HI                   0.25
µp         Re-susceptible rate of PI                        0.01
µh         Re-susceptible rate of HI                        5 × 10^-6
I(t)       Total number of infectious hosts at time t       I(0) = 2
N          Total number of hosts                            1,000,000
In PI, more hosts move from the susceptible stage to the infectious stage due to the lack of immunity, leading to a higher rate of infection.

2) Recovery rate: the recovery rate in a human population depends on the period of infection. The recovery rate for an infection lasting k days is proportional to 1/k. In a network environment, the recovery rate varies depending on the level of immunity.

3) Re-susceptibility rate: in a human population, the number of people who move from the recovery stage back to the susceptible stage varies depending on the level of immunity in the community. Having more people immunized against a widespread viral infection forecasts a small re-susceptibility rate, and vice versa. In a network environment, the same concept can be applied.

Figure 3 shows a realistic SIRS model of a worm attack on a computer network. The changes in the number of susceptible, infectious, and removed hosts for PI and HI are described by the following sets of differential equations:

Figure 3. Proposed worm attack model (block diagram: Susceptible (PI), Infectious (PI), Recovery (PI) with flows $F_p S_p(t)$, $\lambda_p I_p(t)$, $\mu_p R_p(t)$; Susceptible (HI), Infectious (HI), Recovery (HI) with flows $F_h S_h(t)$, $\lambda_h I_h(t)$, $\mu_h R_h(t)$).

1) The set of differential equations for PI:

$\frac{dS_p(t)}{dt} = -\theta_p\,\eta_p\,\frac{I(t)}{N}\, S_p(t) + \mu_p\, R_p(t)$ (10)
$\frac{dI_p(t)}{dt} = \theta_p\,\eta_p\,\frac{I(t)}{N}\, S_p(t) - \lambda_p\, I_p(t)$ (11)
$\frac{dR_p(t)}{dt} = \lambda_p\, I_p(t) - \mu_p\, R_p(t)$ (12)
$F_p = \theta_p\,\eta_p\,\frac{I(t)}{N}$ (13)
$R_{0p} = \frac{\theta_p\,\eta_p}{\lambda_p + \mu_p}$ (14)

Here, $F_p$ represents the force of infection in the PI population and $R_{0p}$ represents the basic reproductive rate for the PI population; it must satisfy the condition $R_{0p} > 1$ for the epidemic to grow.

2) The set of differential equations for HI:

$\frac{dS_h(t)}{dt} = -\theta_h\,\eta_h\,\frac{I(t)}{N}\, S_h(t) + \mu_h\, R_h(t)$ (15)
$\frac{dI_h(t)}{dt} = \theta_h\,\eta_h\,\frac{I(t)}{N}\, S_h(t) - \lambda_h\, I_h(t)$ (16)
$\frac{dR_h(t)}{dt} = \lambda_h\, I_h(t) - \mu_h\, R_h(t)$ (17)
$F_h = \theta_h\,\eta_h\,\frac{I(t)}{N}$ (18)
$R_{0h} = \frac{\theta_h\,\eta_h}{\lambda_h + \mu_h}$ (19)

Here, $F_h$ represents the force of infection in the HI population and $R_{0h}$ represents the basic reproductive rate for the HI population; it must satisfy the condition $R_{0h} > 1$ for the epidemic to grow. Now,

$N = S_p(t) + I_p(t) + R_p(t) + S_h(t) + I_h(t) + R_h(t)$ (20)

5. Simulation

To identify the realistic effects of a worm attack on a computer network, we simulated our model using realistic sets of parameters that emphasize the different levels of immunity in the network. Then, we used fixed sets of parameters for the entire network. We also examined the relationship between mitigation technique factors and modeling parameters, and the effects of changing these parameters on worm propagation.

A - Effects of a worm attack on PI and HI populations: Figure 4 shows a SIRS model simulation for both PI and HI. In the model, 35% of the susceptible population is partially immune and 65% is highly immune. The probability of infection and the recovery rate for PI and HI have been set as follows: a) for PI, the infection probability is 1, i.e., all hosts will get infected, and the recovery rate is 0.1; b) for HI, the probability of infection is 0.25 and the recovery rate is 0.25. Both PI and HI hosts experience the same interaction with infectious hosts throughout the simulation, so they have the same contact rate. The results show, as expected, that the number of infectious hosts in PI is higher than in HI, even though the HI population is bigger than the PI population, due to the better defense and security measures in HI.

Figure 4. SIRS model for PI and HI

B - Comparison between Traditional and Realistic Worm Modeling: To identify the realistic effects of a worm attack on a computer network, we ran our model in three different scenarios. First, we simulated our proposed model, R-SIRS, by considering both PI and HI parameters. Then we simulated the SIRS model separately with PI parameters and then with HI parameters. The solid line represents the R-SIRS model. Tp-SIRS represents the traditional SIRS model with PI parameters. Th-SIRS represents the traditional SIRS model with HI parameters. Figure 5 shows a comparison of the R-SIRS, Tp-SIRS, and Th-SIRS models. The results show that using unrealistic traditional worm modeling yields an incorrect estimate of worm infection. From the figure, the Tp-SIRS and Th-SIRS infectious populations differ from those of the R-SIRS model. The number of infectious hosts in the R-SIRS model lies between the Tp-SIRS and Th-SIRS infectious populations. The R-SIRS model gives us the real impact of a worm attack on a computer network.

Figure 5. Comparison between the R-SIRS, Tp-SIRS, and Th-SIRS models

C - The effect of changing the contact rate in the R-SIRS model: Quarantine of infected patients is one measure for preventing widespread disease in a human population; it decreases the level of contact between infected and healthy individuals and thereby reduces the number of infectious individuals in the human population. We apply the same concept to a network environment by using quarantine as a defense technique to reduce the level of worm infection. We simulated the R-SIRS model for four different values of the contact rate (2, 3, 4, and 5).
Figure 6. Effect of contact rate

The result in Figure 6 shows that the infectious population decreases as the contact rate decreases.

D - The effect of changing the probability of infection in the R-SIRS model: In a human population, vaccination is used to decrease the rate of infection through a reduction in the probability of infection. Similarly, adding security measures to network assets enhances the defensive measures of the network against worm attacks and decreases the probability of worm infection in a computer network. To examine the realistic impact of adding new mitigation to a network environment, we simulated the R-SIRS model using four different values of the infection probability (0.25, 0.35, 0.5, and 1). Figure 7 shows the effect of reducing the probability of infection by a worm attack by adding more security measures to the network. The result shows that the infectious population declines when the probability of infection decreases.

Figure 7. Effect of probability of infection

6. Conclusion

This paper presents a new approach to modeling a worm attack on a computer network using the R-SIRS model. We built our R-SIRS model by emulating the human immune system in a network environment. Building worm attack models using the same capability of the human body to overcome virus infection is a major step in constructing the network defense system necessary against current and future worm attacks. Our simulation results show that worm infection has disparate impacts on different parts of the network, based on their different levels of immunity. By adding new mitigation techniques to enhance network security, we change the model parameters and discover the real impact of a worm attack on the network infrastructure. Using traditional modeling of a worm attack on a computer network without studying the network immunization topology may lead to an underestimation of the security measures needed to defend network security assets.
In future research, we will benefit from the similarity between the human immune system and computer network defense measures. We are going to launch more detailed comparisons toward building the ultimate ways to defend the network against worm attacks and to test the impact of worm attacks on computer networks.

References
[1] P. Li, M. Salour, and X. Su, A Survey of Internet Worm Detection and Containment, IEEE Communications Surveys & Tutorials, vol. 10, no. 1, pp. 20-35, 1st quarter, 2008.
[2] D. Moore, C. Shannon, and J. Brown, Code Red: a Case Study on the Spread and Victims of an Internet Worm, Proc. 2nd ACM SIGCOMM Workshop on Internet Measurement, Marseille, France, Nov. 2002.
[3] Protecting the Military Cyber Space: DARPA Gears to Counter Network Worms, website: http://www.defenseupdate.com/features/du-3-05/feature-worms.htm
[4] F. Burckhardt, Modeling Infectious Diseases in Virtual Realities.
[5] J. Kim, S. Radhakrishnan, and S. K. Dhall, Measurement and Analysis of Worm Propagation on Internet Network Topology, Proc. IEEE 13th Int'l Conf. on Computer Communications and Networks (ICCCN 04), Chicago, 2004, pp. 495-500.
[6] J. Kim and P. Bentley, The Human Immune System and Network Intrusion Detection, Proc. 7th European Conf. on Intelligent Techniques and Soft Computing (EUFIT 99).
[7] F. Castaneda, E. C. Sezer, and J. Xu, Worm vs. Worm: Preliminary Study of an Active Counter-Attack Mechanism, Proc. 2003 ACM Workshop on Rapid Malcode (WORM 04), pp. 83-93, Washington, DC, Oct. 2004.
[8] C. C. Zou, W. Gong, and D. Towsley, Code Red Worm Propagation Modeling and Analysis, 9th ACM Symp. on Computer and Communication Security, pp. 138-147, Washington, DC, 2002.
[9] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver, Inside the Slammer Worm, IEEE Magazine of Security and Privacy, vol. 1, no. 4, pp. 33-39, 2003.
[10] E. Skoudis, Malware: Fighting Malicious Code, Saddle River, NJ, Pearson, 2004.
[11] D. J. Daley and J. Gani, Epidemic Modeling: An Introduction, Cambridge Studies in Mathematical Biology, 2001.
[12] J. Kim, S. Radhakrishnan, and S. K. Dhall, Measurement and Analysis of Worm Propagation on Internet Network Topology, Proc. Int'l Conf. on Computer Communications and Networks (ICCCN 04), pp. 495-500, Chicago, Oct. 2004.
[13] J. Li and P. Knickerbocker, Functional Similarities between Computer Worms and Biological Pathogens, Computers & Security, vol. 26 (2007), pp. 338-347.
[14] Y. Yang, S. Zhu, and G. Cao, Improving Sensor Network Immunity under Worm Attacks: a Software Diversity Approach, ACM Int'l Symp. on Mobile Ad Hoc Networking and Computing (MobiHoc 08), Hong Kong, pp. 149-158, May 2008.
[15] U.S. Department of Health and Human Services, National Institutes of Health, Understanding the Immune System: How It Works, NIH Publication No. 07-5423, Sep. 2007.
[16] S. Peng, Y. Li, and B. Zheng, States and Critical Behavior of Epidemic Spreading on Complex Networks, 7th World Congress on Intelligent Control and Automation, Chongqing, China, pp. 3481-3486, June 2008.
[17] J. Kim, S. Radhakrishnan, and J. Jang, Cost Optimization in SIS Model of Worm Infection, ETRI Journal, vol. 28, no. 5, pp. 692-695, Oct. 2006.
[18] X. Yan and Y. Zou, Optimal Internet Worm Treatment Strategy Based on the Two-Factor Model, ETRI Journal, vol. 30, no. 1, pp. 81-88, Feb. 2008.
[19] Z. Jin and M. Haque, The SIS Epidemic Model with Impulsive Effects, 8th ACIS Int'l Conf. on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing (SNPD 2007), Qingdao, China, vol. 3, pp. 505-507, July 2007.
[20] H. Zhou, Y. Wen, and H. Zhao, Passive Worm Propagation Modeling and Analysis, Proc. IEEE Int'l Conf. on Computing in the Global Information Technology, Guadeloupe, French Caribbean, pp. 32, Mar. 2007.
[21] H. Zhou, Y. Wen, and H. Zhao, Modeling and Analysis of Active Benign Worms and Hybrid Benign Worms Containing the Spread of Worms, Proc. IEEE Int'l Conf. on Networking (ICN'07), 2007.
[22] O. Toutonji and S. M. Yoo, Passive Benign Worm Propagation Modeling with Dynamic Quarantine Defense, KSII Transactions on Internet and Information Systems, vol. 3, no. 1, pp. 96-107, Feb. 2009.