
Code Red Worm Propagation Modeling and Analysis Zou, Gong, & Towsley Michael E. Locasto March 21, 2003.


1 Code Red Worm Propagation Modeling and Analysis
Zou, Gong, & Towsley
Michael E. Locasto, March 21, 2003

2 Overview
Code Red incident data & impact
Epidemiology models
– traditional (biological) infection models
– two-factor worm model
Related work & questions
– (Weaver & Sapphire)

3 Motivation
The Internet is a great medium for spreading malicious code
– Code Red & Co. renewed interest in worm studies
Issues:
– How do we explain the observed worm propagation curves?
– What factors affect spreading behavior?
– Can we build a more accurate model?

4 Background: Code Red
Three versions:
– CRv1.1, July 13, 2001 (bad RNG: a fixed seed, so every copy scanned the same list of addresses)
– CRv1.2, July 19, 2001 (working RNG; this is the version that spread widely)
– CRv2, August 2001
100 scanning threads per infected host; about 300k victims
Infection vector: a "maliciously crafted URL" that overflows a buffer in the IIS Indexing Service ISAPI handler (the default.ida vulnerability)

5 Background: The Stack Smash
Buffer overflows in C functions
– gets(), strcpy() and friends
– home-grown copy routines
Code injection plus overwriting the saved return address
– both parts are critical: the overflow alone does not execute anything; the overwritten return address is what redirects control into the injected code

6 The Stack Smashing Mechanism
Insert "junk" (a NOP sled), the attack code, and the new return address
This is how many worms propagate
SQL "Slammer" fits in one UDP packet (376 bytes of machine code)
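To make slides 5 and 6 concrete, here is an added example that is not taken from the slides or from the paper. It models the stack frame the slides describe (a fixed-size local buffer followed by the saved return address) as a struct, so the overwrite is well-defined C rather than a real, platform-dependent stack corruption, and it contrasts an unbounded copy with a bounded one. The 64-byte buffer, the return address 0x0012ff80, the four int3 bytes standing in for attack code, and the frame layout itself are all assumptions made for illustration; nothing here is Code Red's or Slammer's code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical frame: a local buffer directly followed by the saved return
 * address. Modelled as a struct so that writing past buf is defined behaviour
 * in this demo; on a real x86 stack the same bytes would be the saved EIP. */
#define BUF_LEN 64
#define X86_NOP 0x90

struct frame_model {
    char    buf[BUF_LEN];   /* local buffer the vulnerable function fills   */
    uint8_t saved_ret[4];   /* saved return address, little-endian bytes    */
};

/* Read the saved return address back as a 32-bit value. */
uint32_t frame_saved_ret(const struct frame_model *f)
{
    return (uint32_t)f->saved_ret[0]
         | (uint32_t)f->saved_ret[1] << 8
         | (uint32_t)f->saved_ret[2] << 16
         | (uint32_t)f->saved_ret[3] << 24;
}

/* Vulnerable copy: trusts the caller's length, as strcpy()/gets() do, so
 * bytes beyond BUF_LEN land on saved_ret. The clamp exists only to keep this
 * model inside the struct; a real strcpy() would keep writing. */
void vulnerable_copy(struct frame_model *f, const uint8_t *in, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy(f, in, len);
}

/* Hardened copy: bounds the write to the buffer and NUL-terminates. */
void safe_copy(struct frame_model *f, const uint8_t *in, size_t len)
{
    size_t n = len < BUF_LEN - 1 ? len : BUF_LEN - 1;
    memcpy(f->buf, in, n);
    f->buf[n] = '\0';
}

/* Classic payload layout from the slide: NOP sled, attack code, then the
 * return address repeated so a copy lands on saved_ret even if the attacker's
 * estimate of the frame size is off by a few words. Returns bytes written,
 * or 0 if the payload does not fit in out[]. */
size_t build_payload(uint8_t *out, size_t cap, size_t sled_len,
                     const uint8_t *code, size_t code_len,
                     uint32_t ret_addr, size_t ret_copies)
{
    size_t total = sled_len + code_len + 4 * ret_copies;
    if (total > cap)
        return 0;
    memset(out, X86_NOP, sled_len);
    memcpy(out + sled_len, code, code_len);
    for (size_t i = 0; i < ret_copies; i++) {
        uint8_t *p = out + sled_len + code_len + 4 * i;
        p[0] = (uint8_t)ret_addr;         p[1] = (uint8_t)(ret_addr >> 8);
        p[2] = (uint8_t)(ret_addr >> 16); p[3] = (uint8_t)(ret_addr >> 24);
    }
    return total;
}

/* Why the sled exists: any guessed address inside it executes NOPs until the
 * attack code is reached, so the guess need not be exact. */
int lands_in_sled(uint32_t guess, uint32_t buf_addr, size_t sled_len)
{
    return guess >= buf_addr && guess < buf_addr + sled_len;
}

/* Run one payload through the given copy routine and report saved_ret.
 * 44 + 4 + 5*4 = 68 bytes = sizeof(struct frame_model), so the last copy of
 * the return address lands exactly on saved_ret. */
uint32_t run_copy(void (*copy)(struct frame_model *, const uint8_t *, size_t))
{
    static const uint8_t code[] = { 0xcc, 0xcc, 0xcc, 0xcc };  /* int3 x4: placeholder attack code */
    uint8_t payload[sizeof(struct frame_model)];
    struct frame_model f = { .saved_ret = { 0x78, 0x56, 0x34, 0x12 } }; /* legitimate return 0x12345678 */
    size_t n = build_payload(payload, sizeof payload, 44, code, sizeof code, 0x0012ff80, 5);
    copy(&f, payload, n);
    return frame_saved_ret(&f);
}

int main(void)
{
    printf("vulnerable copy: saved_ret = 0x%08x\n", run_copy(vulnerable_copy));
    printf("bounded copy:    saved_ret = 0x%08x\n", run_copy(safe_copy));
    return 0;
}
```

Running it shows the unbounded copy replacing the legitimate return address with the attacker's 0x0012ff80 while the bounded copy leaves it untouched. Modern mitigations (stack canaries, non-executable stacks, ASLR) break the straightforward version of this attack that Code Red and Slammer relied on in 2001 and 2003; the layout above is the classic mechanism the slides describe.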

7 Epidemic Models
Deterministic vs. stochastic
– simple epidemic model (used in the "previous" Code Red paper by Staniford, Paxson & Weaver)
– general epidemic model (Kermack-McKendrick; adds the notion of removed hosts)
Good baseline, but needs adjustment to explain Internet worm data
At Internet scale a deterministic model is appropriate: with hundreds of thousands of hosts, random fluctuations average out

8 Two-Factor Worm Model
Two major factors affect worm spread:
– dynamic human countermeasures: anti-virus cleaning, patching, firewall updates, disconnecting or shutting down hosts
– interference due to the worm's own aggressive scanning
As a result, the infection rate β is not constant over time

9 Two-Factor Worm Model (cont.)
Two important restrictions:
– consider only "continuously activated" worms
– consider only worms that propagate without topology constraints (random scanning, as Code Red does)

10 Infection Statistics

11 Classic Simple Epidemic Model
Model presented in the previous paper (classic simple epidemic model, fitted with K = 1.8, where K = βN)
a(t) = J(t) / N (fraction of the population infected)
Wrong! (compare to the last slide: the fitted curve does not reproduce the observed data)

12 Simple Epidemic Model Math
Variables:
– J(t) = infected hosts (had the worm at some point)
– N = population size
– β = infection rate (constant in this model)
dJ(t)/dt = βJ(t)[N − J(t)]
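Worked derivation (added here, not on the original slides) connecting the equation on this slide to the K = 1.8 fit quoted on the previous one. Substituting a(t) = J(t)/N into dJ/dt = βJ(N − J) gives

$$\frac{da}{dt} = \frac{1}{N}\frac{dJ}{dt} = \beta N\, a(t)\,[1 - a(t)] = K\, a(t)\,[1 - a(t)], \qquad K = \beta N,$$

and separating variables yields the logistic curve

$$a(t) = \frac{e^{K(t - T)}}{1 + e^{K(t - T)}},$$

where T is the time at which half the population is infected. With K = 1.8 per hour and N ≈ 300,000 (the victim count from slide 4, taken here as the susceptible population), the climb from a single infected host to N/2 takes roughly ln(N)/K ≈ 12.6/1.8 ≈ 7 hours. The curve only ever rises and saturates at a(t) → 1; it has no mechanism for the decline seen in the Code Red data, which is why the next slides add removal terms.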

13 Two-Factor Model Math
dI(t)/dt = β(t)[N − R(t) − I(t) − Q(t)]I(t) − dR(t)/dt
– S(t) = susceptible hosts
– I(t) = infectious hosts
– R(t) = hosts removed from the infectious population
– Q(t) = hosts removed from the susceptible population
– J(t) = I(t) + R(t) (hosts infected at some point)
– C(t) = R(t) + Q(t) (all removed hosts)
– N = I + R + Q + S (total population)

14 Two-Factor Fit
Takes removed hosts from both the S and I populations into account
Non-constant infection rate β(t), which decreases as the worm spreads
Fits well with the observed data
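Added example, not from the slides or the paper: a forward-Euler integration of both models from slides 12 and 13 so the difference in shape can be checked numerically. The slide gives only the I(t) equation; the closures β(t) = β0(1 − I/N)^η, dR/dt = γI and dQ/dt = μSJ are the forms the Zou, Gong & Towsley paper uses and are stated here as assumptions, as are all parameter values (K = βN = 1.8/h from slide 11; N = 300,000 from slide 4; η = 3, γ = 0.05/h and μ = 0.06/N chosen for illustration, not fitted to data).

```c
#include <stdio.h>

/* Assumed population and simulation settings. N is the victim count quoted on
 * slide 4, used here as the susceptible population; rates are per hour. */
#define N      300000.0
#define DT     0.01                 /* hours per Euler step */
#define HOURS  72.0
#define STEPS  ((int)(HOURS / DT))

struct two_factor_result {
    double S_final, I_final, R_final, Q_final;
    double J_final;                 /* J = I + R: hosts infected at some point */
    double I_peak;                  /* largest I(t) seen during the run */
};

/* Classic simple epidemic model (slide 12): dJ/dt = beta J (N - J).
 * Returns J at the end of the horizon. */
double simulate_simple(double beta, double J0)
{
    double J = J0;
    for (int k = 0; k < STEPS; k++)
        J += beta * J * (N - J) * DT;
    return J;
}

/* (1 - I/N)^eta for integer eta, computed by multiplication so the demo does
 * not depend on libm. */
static double congestion_factor(double I, int eta)
{
    double base = 1.0 - I / N, f = 1.0;
    for (int i = 0; i < eta; i++)
        f *= base;
    return f;
}

/* Two-factor model (slide 13):
 *     dI/dt = beta(t) [N - R(t) - I(t) - Q(t)] I(t) - dR/dt
 * closed with the forms the paper uses (assumed here; the slide omits them):
 *     beta(t) = beta0 (1 - I/N)^eta   scanning traffic slows propagation
 *     dR/dt   = gamma I                infectious hosts cleaned/patched/shut down
 *     dQ/dt   = mu S J                 susceptible hosts patched/firewalled off
 * S is tracked explicitly and equals N - R - I - Q at every step. */
struct two_factor_result simulate_two_factor(double beta0, int eta,
                                             double gamma, double mu, double I0)
{
    double S = N - I0, I = I0, R = 0.0, Q = 0.0, I_peak = I0;
    for (int k = 0; k < STEPS; k++) {
        double J    = I + R;
        double beta = beta0 * congestion_factor(I, eta);
        double dR   = gamma * I;
        double dQ   = mu * S * J;
        double dI   = beta * S * I - dR;
        double dS   = -beta * S * I - dQ;   /* dS + dI + dR + dQ == 0 */
        S += dS * DT; I += dI * DT; R += dR * DT; Q += dQ * DT;
        if (I > I_peak)
            I_peak = I;
    }
    struct two_factor_result r = { S, I, R, Q, I + R, I_peak };
    return r;
}

/* Bookkeeping check: the four compartments must still sum to N. */
double two_factor_total(struct two_factor_result r)
{
    return r.S_final + r.I_final + r.R_final + r.Q_final;
}

/* Demo parameters (assumed): K = beta N = 1.8/h from slide 11; eta, gamma
 * and mu are illustrative values, not the paper's fitted ones. */
double demo_simple_final(void)
{
    return simulate_simple(1.8 / N, 1.0);
}

struct two_factor_result demo_two_factor(void)
{
    return simulate_two_factor(1.8 / N, 3, 0.05, 0.06 / N, 1.0);
}

int main(void)
{
    struct two_factor_result r = demo_two_factor();
    printf("simple model:     J(%.0fh) = %.0f of N = %.0f (saturates, never declines)\n",
           HOURS, demo_simple_final(), N);
    printf("two-factor model: J(%.0fh) = %.0f  peak I = %.0f  I at end = %.0f  Q = %.0f\n",
           HOURS, r.J_final, r.I_peak, r.I_final, r.Q_final);
    return 0;
}
```

The simple model climbs to essentially all of N and stays there. The two-factor run shows the two effects the slides single out: I(t) peaks and then falls as hosts are removed (R grows), and J(t) ends below N because quarantined susceptibles (Q) were never infected. Changing γ and μ changes how far below N the worm stops, which is the knob the paper uses to match the observed Code Red curve.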

15 Results
Two-factor worm model
– accurate model without topology constraints
– explains both the exponential start and the drop-off at the end
– identifies two critical factors in worm propagation
Only about 60% of Code Red's targets were ever infected

16 The SQL Slammer (Sapphire)
Infection stats:
– 90% of vulnerable hosts infected within 10 minutes
– infected population doubled every 8.5 s
– at least 75,000 hosts infected
– 1 UDP packet!

17 Questions
Sapphire paper:
– http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html
"Previous" Code Red paper:
– http://www.icir.org/vern/papers/cdc-usenix-sec02/

