George Kesidis
Abstract
We present a simple, deterministic mathematical model for the spread of randomly scanning and bandwidth-saturating Internet worms. Such worms include Slammer and Witty, both of which spread extremely rapidly. Our model, consisting of coupled Kermack-McKendrick (a.k.a. stratified susceptibles-infectives (SI)) equations, captures both the measured scanning activity of the worm and the network limitation of its spread, that is, the effective scan-rate per worm/infective. The Internet is modeled as an ideal core network to which each peripheral (e.g., enterprise) network is connected via a single access link. It is further assumed in this note that as soon as a single end-system in the peripheral network is infected by the worm, the subsequent scanning of the rest of the Internet saturates the access link, that is, there is “instant” saturation. We fit our model to available data for the Slammer worm and demonstrate the model's ability to accurately represent Slammer's total scan-rate to the core.
- Chen, Z., Gao, L., and Kwait, K. 2003. Modeling the spread of active worms. In Proceedings of IEEE INFOCOM (San Fransisco, CA).Google Scholar
- Cooke, E., Bailey, M., Mao, Z., Watson, D., Jahanian, F., and McPherson, D. 2004. Toward understanding distributed blackhole placement. In Proceedings of ACM WORM (Washington, DC). Google ScholarDigital Library
- Daley, D. and Gani, J. 1999. Epidemic Modeling, an Introduction. Cambridge University Press, Cambridge, U.K.Google Scholar
- Kesidis, G., Hamadeh, I., and Jiwasurat, S. 2005. Coupled Kermack-McKendrick models for randomly scanning and bandwidth saturating Internet worms. In Proceedings of QoS-IP. Springer-Verlag, Berlin, Germany. Google ScholarDigital Library
- Kurtz, T. 1981. Approximation of population processes. In Proceedings of the CBMS-NSF Regional Conference Series in Applied Mathematics. Vol. 36.Google ScholarCross Ref
- Li, L., Jiwasurat, S., Hamadeh, I., Kesidis, G., Neumann, C., and Liu, P. 2006. Emulating sequential scanning worms on the DETER testbed. In Proceedings of IEEE/Create-Net TridentCom. (Barcelona, Spain).Google Scholar
- Liljenstam, M., Nicol, D., Berk, V., and Gray, R. 2003. Simulating realistic network worm traffic for worm warning system design and testing. In Proceedings of ACM WORM (Washington, DC). Google ScholarDigital Library
- Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., and Weaver, N. 2003a. Inside the Slammer worm. IEEE Sec. Priv. 1, 4, 33--39. Google ScholarDigital Library
- Moore, D., Shannon, C., Voelker, G. M., and Savage, S. 2003b. Internet quarantine: Requirements for containing self-propagating code. In Proceedings of IEEE INFOCOM. (San Francisco, CA).Google Scholar
- Staniford, S., Paxson, V., and Weaver, N. 2002. How to own the Internet in your spare time. In Proceedings of USENIX Security Symposium. 149--167. Google ScholarDigital Library
- Weaver, N., Hamadeh, I., Kesidis, G., and Paxson, V. 2004a. Preliminary results using scale-down to explore worm dynamics. In Proceedings of ACM WORM (Washington, DC). Google ScholarDigital Library
- Weaver, N., Staniford, S., and Paxson, V. 2004b. Very fast containment of scanning worms. In Proceedings of the 13th USENIX Security Symposium. Google ScholarDigital Library
- Zou, C., Gong, W., and Towsley, D. 2002. Code Red worm propagation modeling and analysis. In Proceedings of the 9th ACM Conference on Computer and Communication Security (CCS'02, Washington, DC). Google ScholarDigital Library
- Zou, C., Gong, W., and Towsley, D. 2003. Worm propagation modeling and analysis under dynamic quarantine defense. In Proceedings of the ACM CCS Workshop on Rapid Malcode (WORM'03, Washington, DC). Google ScholarDigital Library
Index Terms
- A model of the spread of randomly scanning Internet worms that saturate access links
Recommendations
Search worms
WORM '06: Proceedings of the 4th ACM workshop on Recurring malcodeWorms are becoming more virulent at the same time as operating system improvements try to contain them.Recent research demonstrates several effective methods to detect and prevent randomly scanning worms from spreading [2, 13]. As a result, worm authors ...
Defending against hitlist worms using network address space randomization
WORM '05: Proceedings of the 2005 ACM workshop on Rapid malcodeWorms are self-replicating malicious programs that represent a major security threat for the Internet, as they can infect and damage a large number of vulnerable hosts at timescales where human responses are unlikely to be effective. Sophisticated worms ...
Modeling the spread of internet worms via persistently unpatched hosts
This article considers the effects of Internet worms on persistently unpatched hosts and hosts for which vulnerabilities are refreshed. Previous models have been homogeneous; that is, all hosts transitioned through the same set of states. The model ...
Reviews
Cecilia G. Manrique
Internet worms are computer programs that are launched to infiltrate machines, and replicate themselves to infect other machines, often with code to make those machines crash or fail. This very interesting technical paper provides readers with the mathematical explanation for the spread of several known worms. The paper uses tables, graphs, figures, and mathematical equations to explain the simple mathematical model developed to show the spread of randomly scanning and bandwidth saturating worms, such as Slammer and Witty, which have been determined to spread extremely rapidly. The model uses coupled Kermack-McKendrick equations; it shows the impact that the worm would have on the core of the Internet, and applies the model to the Slammer worm, which the model seems to accurately represent. In the appendix, the authors provide the mathematical proof of the theorem. Their simulation code is also available online. The value of such studies lies in the ability to understand the spread of one of the major cyber threats to our dependence on the Internet: the use of viruses and worms to downgrade the value of technology. By constantly testing and expanding the explanations, as well as our understanding of such activities on the Internet, we may be better able to diagnose them, ward them off, and maybe even prevent their spread and impact on the many machines and users in the system-a true service to the accumulation of knowledge that has practical real-world applications. Online Computing Reviews Service
Access critical reviews of Computing literature here
Become a reviewer for Computing Reviews.
Comments