Internet Worms: Reality or Hype


Internet Worms: Reality or Hype
Literature Review and Comments
Shai Rubin, UW Madison
2/16/2019 Security Seminar Fall 2002

Overview
- Background: what a worm is; how a worm works
- 3 behavioral models
- Threat from future worms
- Defending against worms (wild and crazy)
- Summary

Speaker notes: Message: what we are going to do today. Talk about worms: the differences between worms and viruses; how they work; how they behave (we are trying to develop models to predict how worms behave); how we can protect against them. Models: we will look at the assumptions, motivation and parameters behind the models and not too much into their details. Transition: so let us start by looking at how worms work.

An Internet Worm
- Self-propagating program
- Spreading mechanism: exploits a bug over the network (e.g., buffer overflow in IIS); probes the net to find new machines to exploit
- Threats: distributed denial of service attack; access to classified information on each compromised host
(Figure: spreading phase, then a DDoS attack against Amazon.com; router and host icons.)

Speaker notes: Message: to understand how a single worm works. Talk about: illustrate how a single worm works (initial phase); illustrate how the Internet is getting infected; what the threats are: access to classified data, launching DDoS attacks. Example of worms. Transition: so let's see what a worm can cause. (To do: find an Internet illustration.)

Code Red II Behavior [DM02]
- Vulnerability: buffer overflow in Microsoft IIS
- Vulnerability published: 19 June 2001
- Started spreading: 19 July 2001
- 360,000 hosts infected in 24 hours (demo)
- Damage: $1.2 billion [USA01]

Speaker notes: Message: illustrate the risk/threat of worms. Talk about: show Code Red II information: when the vulnerability was discovered, when Code Red II was discovered; show a graph of infected hosts per hour. Show interesting modeling questions: What is the infection rate? Knowing the infection rate will help us predict future-worm behavior. Which infection rate is not effective? Any system that protects against worms should strive for this infection rate. What should the immunization rate be? We need to build a system that would deploy at least this rate. Transition: so, the first thing to look at is human society: how viruses spread in human society.

Overview
- Background: what a worm is; how a worm works
- Worm behavioral models: why analytical models? Simple; Advanced; Sophisticated
- Threat from future worms
- Defending against worms
- Summary

Modeling Worm Behavior
- Why an analytical model? In general, an analytical model is cheaper than simulation
- Helps us understand better the parameters that influence behavior
- Use the model to explore future worm behavior
- Use the model to define the properties of defense techniques
- Starting point: human epidemics. Many similarities: infection, immunization, viruses, etc.

The 'Simple' Epidemic Model
- Model assumptions [SPW02, Bai75]: homogeneous population (each node has ~k neighbors); no immunization
- Two parameters: n, the total population size (= number of susceptible hosts); the infection rate
- Number of infected individuals over time: known as the logistic equation

Speaker notes: Message: explain the simplest model for human viruses. Talk about: homogeneously mixing group of individuals; every individual is susceptible; no immunization; at t=0, just one individual becomes infectious. Mention the name: logistic equation. Transition: the question we ask now: do computer viruses behave the same?

Does Code Red Fit the 'Simple' Model?
- Staniford et al. [SPW02]: infection rate = 1.8
- We are done. Are we really done?
- A match does not entail that the model is 'correct': check other viruses/worms; weak model assumptions (homogeneous population, no immunization); 'unnatural' Code Red behavior

Speaker notes: Message: does the model fit the data? Talk about: the parameters. Yes (by XXX). Argument: we found parameters that fit the model to the real behavior, hence the model is correct. Flawed methodology: if it fits, does that mean it is OK? Transition: there are other processes involved in infection: immunization. Hosts are patched (immune). Hosts are removed from the Internet (dead). So let's go back to human models.

'Advanced' Epidemic Model
- Model assumptions [Bai75]: homogeneous population; immunization: infected individuals are removed from the population
- Three basic parameters: n, the total population size (= number of susceptible hosts); the infection rate; the removal rate
- No analytical solution (1) (unlike the logistic equation for the 'simple' model)
- An epidemic threshold exists: when the total number of susceptible individuals drops below a certain threshold the epidemic 'dies'; the threshold is stated in terms of the effective infection rate = infection rate / removal rate

(1) As far as I know, based on [Bai75].

Speaker notes: Message: a more realistic model for human epidemics. Talk about: homogeneously mixing group of individuals; every individual is susceptible; immunization/recovery; at t=0, just one individual becomes infectious. Main result: epidemic threshold: either the epidemic dies by itself, or almost everyone is infected. Full, or K-connected, graph (is that the correct term?). Transition:

Do Worms Fit the 'Advanced' Model?
- Pastor-Satorras et al. [SV01]: No. They investigated three virus types.
- Why not? Because computer viruses do not die: computer viruses have long lifetimes (months)
- This implies, for all computer viruses, that the effective spreading rate is just above the epidemic threshold. '2' is very unlikely to occur.
- How can we better explain this observation?

Speaker notes: Message: we do not know. Talk about: what XXX and YYY found. Argument 1: a low number of computers infected for a long period of time; hence the effective spreading rate is just above the epidemic threshold; unlikely to occur. Argument 2: long-lived behavior; high removal rate; hence high spreading rate; contradiction to 1. Talk about the types of viruses they explored. Transition: so, we need to explain the behavior in some other way.

'Advanced + Topology' Model [SV01]
- Epidemic models do not account for the scale-free topology of the Internet
- Model assumptions: scale-free topology: P[a node has K neighbors] falls off as a power of K, with an exponent between 2 and 3; as in the 'advanced' model, three parameters: n, infection rate, removal rate
- Intuition: individuals with higher connectivity have a higher spreading rate
(Figure: scale-free topology.)

Speaker notes: Talk about: Internet topology; mixed group; give details about the model? Limitation: two types of users (humans). Transition: so, we need to explore another possibility.

Do Worms Fit the 'Advanced + Topology' Model?
- Model property: the epidemic never dies
- Seems to fit the data (both old viruses [SV01] and current worms [SPW02])
- Code Red II does not die (figure: infected hosts, Oct '01, Nov '01, Dec '01, Jan '02, Feb '02)

The 'But' of 'Advanced + Topology'
- Is the assumption (scale-free topology) valid?
- Viruses/worms attack 'end' machines (servers/hosts)
- Routers are the 'highly connected' individuals, but they are not susceptible (usually)
- Hence, we should consider a fully connected graph of susceptible individuals

Current Models Summary

                           Simple                                   Advanced + Topology
Topology                   K-connected                              Scale free
Infection/removal rate     Constant infection rate (no removal)     Constant rates
Analytical solution        Yes                                      Approximation
Evidence that fits data

Speaker notes: Purpose: understand what we did. Talk about what we did and what we are going to do now. Transition:

'Sophisticated' Epidemic Model
- Zou et al. [ZGT02] object to Staniford et al. [SPW02]: no removal process; the model was artificially fitted; Code Red II artificially stopped spreading after 24 hours
- Furthermore, the infection/removal rates are not constant: the infection rate decreased (due to high network traffic); the removal rate increased
- Real population: 490,000

'Sophisticated' Epidemic Model (continued)

Speaker notes: Transition: so, which parameters should we take into account?

Models Summary

                           Simple                                   Advanced + Topology     Sophisticated
Topology                   K-connected                              Scale free              K-connected
Infection/removal rate     Constant infection rate (no removal)     Constant rates          Time-dependent rates
Limitations                Naive                                    Questionable topology   Complex
Analytical solution        Yes                                      Approximation           No?
Evidence that fits data    Common                                   Highly virulent

Speaker notes: Purpose: understand what we did. Talk about what we did and what we are going to do now. Transition:

Overview
- Background: what a worm is; how a worm works
- Worm behavior models: Simple; Advanced; Sophisticated
- Threat from future worms
- Defending against worms: the defender advantage; defense techniques
- Summary

'Better' Worms
- Can someone implement even 'faster' worms?
- The dominant factor: start-up time
- Short start-up time means a faster worm

Short Start-Up Time [SPW02]
- Hit-list scanning (HL): the creator prepares a list of potentially susceptible machines; the worm splits the list into sub-lists as it propagates. Problem: the infection rate drops after the list is exhausted.
- Permutation scanning (PS): each copy of the worm scans a different range of addresses. Problem: still a long start-up time.
- Warhol (HL + PS): initially use HL, then continue with PS. Problem: ???

'Better' Worms - Simulation
- Code Red II (initial infection rate = 1.8)
- Permutation scanning (initial infection rate = 6)
- Warhol (initial infection rate = 20)

Speaker notes: Purpose: to understand what a better worm is. Talk: according to model '1' (Staniford), the time that dominates the infection time is the start. Show the graph; say that we use the model as the first step in the creation of better worms. Transition: so how can we get the worm 'off the ground'? So, is the battle lost?
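The 'simple' logistic model from the earlier slides, carried through numerically for the three initial infection rates on this simulation slide, as an added example that is not part of the talk. It uses the closed-form logistic curve (infected fraction a with da/dt = K a (1 - a)), which is the model [SPW02] fits with K = 1.8; the population of 360,000 (the Code Red slide's 24-hour count) and the 10,000-host hit list are constructed assumptions chosen to show why start-up time dominates.

```python
import math

# Added example (not from the slides): logistic ('simple' model) worm growth.
# a(t) is the infected fraction, K the infection rate per hour, n the population.

def _logit(a):
    return math.log(a / (1.0 - a))


def infected_fraction(t, rate, n, initially_infected=1):
    """Closed-form logistic curve a(t) with a(0) = initially_infected / n.
    Uses logit(a(t)) = logit(a(0)) + rate * t, evaluated with a stable sigmoid."""
    z = rate * t + _logit(initially_infected / n)
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    e = math.exp(z)
    return e / (1.0 + e)


def time_to_fraction(target, rate, n, initially_infected=1):
    """Hours until the infected fraction reaches `target` (inverse of the curve)."""
    return (_logit(target) - _logit(initially_infected / n)) / rate


def startup_share(rate, n, startup_fraction=0.01, saturation=0.9, initially_infected=1):
    """Share of the time-to-saturation spent below `startup_fraction` infected.
    Both times scale as 1/rate, so the share is independent of the rate: a faster
    scan shortens every phase equally, while a larger initial infection (hit list)
    removes start-up time directly, which is the slide's point."""
    return (time_to_fraction(startup_fraction, rate, n, initially_infected)
            / time_to_fraction(saturation, rate, n, initially_infected))


def compare_rates(n, rates=(1.8, 6.0, 20.0), target=0.9, initially_infected=1):
    """Hours to reach `target` for each initial infection rate on the slide."""
    return {k: time_to_fraction(target, k, n, initially_infected) for k in rates}


if __name__ == "__main__":
    n = 360_000  # constructed population (Code Red slide's 24-hour count)
    for k, hours in compare_rates(n).items():
        print(f"rate {k:>4}: {hours:5.2f} h to 90% infected")
    print(f"share of that time spent below 1% infected: {startup_share(1.8, n):.2f}")
    print(f"rate 1.8 with a constructed 10,000-host hit list: "
          f"{time_to_fraction(0.9, 1.8, n, 10_000):.2f} h to 90%")
```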

Overview
- Background: what a worm is; how a worm works
- 3 behavioral models: Simple; Advanced; Sophisticated
- Threat from future worms
- Defending against worms: 'good guy' advantages; defense techniques
- Summary

'Good Guy' Advantages
- Easier to patch a system than to implement a new worm [CIPART]
- Good guys have more resources: use resources to identify/fight worms; diversify resources
- Models suggest: it is easier to slow an active worm than to make it faster
- Other?

CIPART: Eliminating Known Vulnerabilities
- Code Red exploited a 'known' vulnerability: MS announced a patch on June 19, 2001; Code Red propagated on July 19, 2001
- $1.2 billion of damage could have been avoided if the patch had been deployed
(Figure: CIPART architecture. Components: vulnerability database, formal vulnerability description, vulnerability test generator, threat estimator, audit tool, test results, administrator report, guided patcher; platforms: Linux, Windows, Solaris. A new vulnerability enters the database; the system administrator asks: What is the threat? Should I do something? If yes, what should I do?)

Fast Worm Identification: Birds Eat Worms
- Deploy hidden sensors (birds) in the web: machines that 'pretend' they run services (e.g., IIS)
- When someone asks 'do you run x?', say 'yes, I run x'
- Check if the sensor was 'infected'
- Eliminate the worm
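One way the 'birds' could turn their observations into an early-warning signal, as an added example that is not part of the talk: since nobody has a legitimate reason to contact a decoy machine, every connection a sensor sees is a probe, and a source that touches several distinct decoys within a short window behaves like a scanning worm. The log format ("seconds source decoy port"), the addresses and the thresholds are constructed for this example.

```python
from collections import defaultdict

# Constructed sensor log (not real data): "time_seconds src_ip decoy_ip dst_port".
# Each line is one connection accepted by a decoy that pretends to run a service.
SENSOR_LOG = """\
0  10.0.0.5      192.0.2.10 80
1  10.0.0.5      192.0.2.11 80
2  198.51.100.7  192.0.2.10 80
3  10.0.0.5      192.0.2.12 80
4  10.0.0.5      192.0.2.13 80
60 198.51.100.7  192.0.2.12 80
"""


def parse_sensor_log(text):
    """Parse log lines into (time, src, decoy, port) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, decoy, port = line.split()
        events.append((int(t), src, decoy, int(port)))
    return events


def flag_scanners(events, min_decoys=3, window=30):
    """Return {src: distinct decoys hit} for sources that contact at least
    `min_decoys` different decoys within any `window`-second span.
    A single probe is already suspicious; several decoys in quick succession
    is the signature of a worm sweeping the address space."""
    by_src = defaultdict(list)
    for t, src, decoy, _port in events:
        by_src[src].append((t, decoy))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # slide the window from each probe
            decoys = {d for t, d in hits[i:] if t - t0 <= window}
            if len(decoys) >= min_decoys:
                flagged[src] = len(decoys)
                break
    return flagged


if __name__ == "__main__":
    events = parse_sensor_log(SENSOR_LOG)
    print(f"{len(events)} probes seen by decoys")
    for src, count in flag_scanners(events).items():
        print(f"likely scanner: {src} hit {count} decoys within the window")
```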

Defending Against Worms: The Defender Advantage
(Figure: attacker gain vs. defender gain.) Same effort (x3): the attacker gains 9 hours, the defender gains 30 hours.

Speaker notes: Transition: so how can we keep the worm near the ground?

Summary: Reality or Hype?
- Are worms a potential threat? No: hype. Yes:
- What is the magnitude of the threat? $1.2 billion/worm
- Is that a big threat? No (car accidents in the US: $150 billion/year): hype. Yes: reality.

Bibliography
[SPW02] Stuart Staniford, Vern Paxson, and Nicholas Weaver. "How to 0wn the Internet in Your Spare Time". In Proceedings of the 11th USENIX Security Symposium, 2002.
[SV01] Romualdo Pastor-Satorras and Alessandro Vespignani. "Epidemic Spreading in Scale-Free Networks". Physical Review Letters, Vol. 86(14), 2001.
[ZGT02] Changchun Zou, Weibo Gong, and Don Towsley. "Code Red Worm Propagation Modeling and Analysis". 9th ACM Conference on Computer and Communications Security, 2002.
[DM02] David Moore. "The Spread of the Code-Red Worm". Cooperative Association for Internet Data Analysis (CAIDA), http://www.caida.org/analysis/security/code-red/coderedv2_analysis.xml, 2002.
[USA01] USA Today, 08/01/01. http://www.usatoday.com/life/cyber/tech/2001-08-01-code-red-costs.htm#more
[Bai75] Norman T. J. Bailey. "The Mathematical Theory of Infectious Diseases and Its Applications", 1975.