Modeling the spread of active worms Zesheng Chen, Lixin Gao, and Kevin Kwiat bearhsu - INFOCOM 2003.


1 Modeling the spread of active worms Zesheng Chen, Lixin Gao, and Kevin Kwiat bearhsu - INFOCOM 2003

2 Outline: Introduction; Modeling the Spread of Active Worms; Applications of the AAWP Model; Conclusions

3 Outline: Introduction; Modeling the Spread of Active Worms; Applications of the AAWP Model; Conclusions

4 Aims of this paper: Analytical Active Worm Propagation (AAWP) model. Answer 3 questions: how to monitor the spread accurately; how to detect the spread in a timely fashion; how to defend against the spread effectively.

5 Active Worms: On the Internet, active worms infect computers and use the infected computers in an automated fashion. Examples: Code Red, Nimda, Morris worms, etc.

6 How active worms spread

7 Parameters while spreading
Parameter | Notation | Explanation
# of vulnerable machines | N | The number of vulnerable machines
Size of hitlist | h | The number of infected machines at the beginning of the spread of active worms
Scanning rate | s | The average number of machines scanned by an infected machine per unit time
Death rate | d | The rate at which an infection is detected on a machine and eliminated
Patching rate | p | The rate at which an infected or vulnerable machine becomes invulnerable

8 Outline: Introduction; Modeling the Spread of Active Worms; Applications of the AAWP Model; Conclusions

9 AAWP model (1/2) There are m_i vulnerable machines and n_i infected machines at time i. After time i, newly infected hosts will be While n_0 = h and i ≥ 0, (d+p)n_i hosts become invulnerable or uninfected, so

10 AAWP model (2/2): Influence of infecting period; influence of patching rate; influence of hitlist size
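An added example, not part of the slides: a simulation of the AAWP recurrence showing the influence of hitlist size and of the death and patching rates. It assumes uniform random scanning of the 2^32 IPv4 addresses and the update n_{i+1} = (1-d-p)n_i + (m_i - n_i)[1 - (1 - 2^-32)^(s*n_i)] with m_{i+1} = (1-p)m_i, as given in the published paper; the function names and all parameter values are constructed for illustration.

```python
import math

ADDRESS_SPACE = 2 ** 32  # assumption: uniform random scanning of all IPv4 addresses


def aawp(N, h, s, d, p, ticks):
    """Expected number of infected machines n_0..n_ticks under the AAWP recurrence."""
    log_miss = math.log1p(-1.0 / ADDRESS_SPACE)  # log of P(one scan misses a given host)
    m, n = float(N), float(h)  # m_i counts vulnerable machines, infected ones included
    history = [n]
    for _ in range(ticks):
        # P(a given vulnerable machine is hit by at least one of the s*n_i scans)
        hit = -math.expm1(s * n * log_miss)
        newly_infected = max(m - n, 0.0) * hit
        n = (1.0 - d - p) * n + newly_infected  # (d+p)*n_i machines are cleaned or patched
        m = (1.0 - p) * m                        # patching shrinks the vulnerable pool
        history.append(n)
    return history


def first_tick_at(history, level):
    """First tick at which the infected count reaches `level`, or None if it never does."""
    return next((i for i, n in enumerate(history) if n >= level), None)


# Constructed parameters: one tick = one second of scanning.
N, S, TICKS = 500_000, 2, 100_000
no_defense = aawp(N, h=1, s=S, d=0.0, p=0.0, ticks=TICKS)
big_hitlist = aawp(N, h=100, s=S, d=0.0, p=0.0, ticks=TICKS)
with_defense = aawp(N, h=1, s=S, d=2e-5, p=2e-6, ticks=TICKS)

if __name__ == "__main__":
    for name, run in [("h=1", no_defense), ("h=100", big_hitlist),
                      ("h=1, d=2e-5, p=2e-6", with_defense)]:
        print(f"{name:22s} half infected at tick {first_tick_at(run, N / 2)}, "
              f"peak {max(run):,.0f}")
```

A larger hitlist shifts the whole curve earlier without changing its shape, while nonzero d and p both delay the outbreak and cap its peak below N.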

11 Epidemic model The monitoring and early detection of Internet worms, 2005 IEEE INFOCOM

12 AAWP vs. epidemic model (1): Discrete vs. continuous time. AAWP is more accurate because a host can't infect others when it's completely infected. Something that AAWP considers while the epidemic model doesn't: patching rate; the time that a worm takes to infect a machine; the condition that the worm can infect the same destination at the same time.

13 AAWP vs. epidemic model (2)

14 Simulating "Code Red v2"

15 Outline: Introduction; Modeling the Spread of Active Worms; Applications of the AAWP Model (monitoring the spread of active worms, detection speed, effectiveness of the defense system); Conclusions

16 Monitoring the spread of active worms: If we monitor "32-l" bits of IPs, then the probability that an infected machine can be observed is:

17 Detection speed

18 Effectiveness of defense system

19 Outline: Introduction; Modeling the Spread of Active Worms; Applications of the AAWP Model; Conclusions

20 Presenting an "AAWP" model, which gives more realistic results than the epidemic model does. The mentioned 3 questions are answered. 2^20 ~ 2^24 IPs are large enough to obtain realistic results. 2^18 IP addresses are needed to detect Code Red v2-like worms in 1 hour. To defend against Code Red v2-like worms, we need 2^18 IP addresses, by using the LaBrea system.

