CODE RED WORM PROPAGATION MODELING AND ANALYSIS Cliff Changchun Zou, Weibo Gong, Don Towsley.


Introduction
- The Code Red worm incident of July 2001 has stimulated activities to model and analyze Internet worm propagation.
- Previous works didn’t consider two factors affecting Code Red propagation:
  - Dynamic countermeasures taken by ISPs and users
  - The slowed down worm infection rate
- Two-factor worm model

Background on Code Red Worm
- Code Red worm exploited Windows IIS vulnerability on Windows 2000
- Each worm copy generated 100 threads
- 99 threads randomly chose one IP address to attack
- Timeout: 21 seconds

Background on Code Red Worm

Using Epidemic Models to Model Code Red Worm Propagation
- Computer viruses and worms are similar to biological viruses in their self-replicating and propagation behavior
- Introduce two classical epidemic models as the bases of the two-factor Internet worm model:
  - Classical simple epidemic model
  - Kermack-McKendrick model

Classical Simple Epidemic Model
J(t): the number of infected hosts at time t
: infection rate
S(t): the number of susceptible hosts at time t
N: size of population
- At t=0: J(0) hosts are infected and other N-J(0) hosts are all susceptible

Classical Simple Epidemic Model
- Let, dividing both sides by N^2 where

Classical Simple Epidemic Model
- The classical epidemic model can match the beginning phase of Code Red spreading, but it can’t explain the later part of Code Red propagation: during the last five hours from 20:00 to 00:00 UTC, the worm scans kept decreasing

Kermack-McKendrick Model
- Considers the removal process of infectious hosts
- Once a host recovers from the disease, it will be immune to the disease forever – “removed” state
I(t): the number of infectious hosts at time t
R(t): the number of removed hosts from previously infectious hosts at time t

Kermack-McKendrick Model
- Based on the simple epidemic model, the Kermack-McKendrick model is:
J(t): the number of infected hosts at time t
: removal rate of infectious hosts
: infection rate
N: size of population

Kermack-McKendrick Model
- Define
- If the initial number of susceptible hosts is smaller than some critical value, there will be no epidemic and outbreak

Kermack-McKendrick Model
- The Kermack-McKendrick model improves the classical simple epidemic model by considering that some infectious hosts either recover or die after some time, but it is still not suitable for modeling Internet worm propagation:
  - Removal only from the infectious hosts
  - Assumes the infection rate to be constant

A NEW INTERNET WORM MODEL: TWO-FACTOR WORM MODEL
- Two factors affecting Code Red worm propagation:
  - Human countermeasures
  - Decreased infection rate

A NEW INTERNET WORM MODEL: TWO-FACTOR WORM MODEL
- According to the same principle in deriving the Kermack-McKendrick model:
- In order to solve the equation, we have to know the dynamic properties of, and

A NEW INTERNET WORM MODEL: TWO-FACTOR WORM MODEL
- Use the same assumption as the Kermack-McKendrick model uses:
- The removal process from susceptible hosts looks similar to a typical epidemic propagation:

A NEW INTERNET WORM MODEL: TWO-FACTOR WORM MODEL
- Last, we model the decreased infection rate by the equation:
: initial infection rate
: used to adjust the infection rate sensitivity to the number of infectious hosts

A NEW INTERNET WORM MODEL: TWO-FACTOR WORM MODEL
- For parameters N= , I(0)=1, =3, r=0.05, u=0.06/N, =0.8/N

Simulation
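
The three models from the slides, integrated side by side as an added example (not from the presentation or the paper's authors). The slide equations are missing from this page, so the differential equations in the docstring, the names `beta0`, `gamma`, `mu` and `eta`, the mapping of the slide's parameter list onto them, and the population size `N` are all assumptions.

```python
def simulate(N, I0, beta0, gamma=0.0, mu=0.0, eta=0.0, t_end=80.0, dt=0.01):
    """Euler-integrate the two-factor model; return (t, I, R, Q) samples.

    Assumed equations (not on this page; the slide images are missing):
      dR/dt = gamma * I               removal of infectious hosts
      dQ/dt = mu * S * J              removal of susceptible hosts, J = I + R
      beta  = beta0 * (1 - I/N)**eta  decreasing infection rate
      dI/dt = beta * S * I - dR/dt    with S = N - I - R - Q
    gamma = mu = eta = 0 is the classical simple epidemic model;
    mu = eta = 0 is the Kermack-McKendrick model.
    """
    I, R, Q = float(I0), 0.0, 0.0
    samples = [(0.0, I, R, Q)]
    for k in range(1, int(round(t_end / dt)) + 1):
        S = N - I - R - Q
        beta = beta0 * max(0.0, 1.0 - I / N) ** eta
        dR = gamma * I
        dQ = mu * S * (I + R)
        dI = beta * S * I - dR
        I, R, Q = I + dI * dt, R + dR * dt, Q + dQ * dt
        samples.append((k * dt, I, R, Q))
    return samples


def peak_infectious(samples):
    """Return (time, I) at the largest number of infectious hosts."""
    t, I, _, _ = max(samples, key=lambda s: s[1])
    return t, I


# Constructed value: the slide's N did not survive extraction.
N = 1_000_000
# Assumed mapping of the slide's parameter list: eta=3, gamma=0.05,
# mu=0.06/N, beta0=0.8/N, I(0)=1.
simple = simulate(N, 1, 0.8 / N)
km = simulate(N, 1, 0.8 / N, gamma=0.05)
two_factor = simulate(N, 1, 0.8 / N, gamma=0.05, mu=0.06 / N, eta=3)
# Kermack-McKendrick threshold: S(0) below gamma/beta0 means no outbreak.
no_outbreak = simulate(N, 1, 0.8 / N, gamma=1.0)

if __name__ == "__main__":
    runs = [("simple", simple), ("Kermack-McKendrick", km),
            ("two-factor", two_factor), ("below threshold", no_outbreak)]
    for name, run in runs:
        t_peak, i_peak = peak_infectious(run)
        print(f"{name:20s} peak I={i_peak:9.0f} at t={t_peak:5.1f} "
              f"final I={run[-1][1]:9.0f} Q={run[-1][3]:9.0f}")
```

Only the two-factor run shows the infectious count peaking well below the population and then falling while susceptible hosts are still being removed, which is the late-phase behaviour the simple model cannot reproduce.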

Conclusion
- Considering human countermeasures taken by ISPs and users and the slowed down worm infection rate, the two-factor worm model matches the observed data better than previous models do
- The two-factor worm model is a general Internet worm model for modeling worms by adjusting different parameters