Abstract
We present a simple, deterministic mathematical model for the spread of randomly scanning and bandwidth-saturating Internet worms. Such worms include Slammer and Witty, both of which spread extremely rapidly. Our model, consisting of coupled Kermack-McKendrick (a.k.a. stratified susceptibles-infectives (SI)) equations, captures both the measured scanning activity of the worm and the network limitation of its spread, that is, the effective scan-rate per worm/infective. The Internet is modeled as an ideal core network to which each peripheral (e.g., enterprise) network is connected via a single access link. It is further assumed in this note that as soon as a single end-system in the peripheral network is infected by the worm, the subsequent scanning of the rest of the Internet saturates the access link, that is, there is “instant” saturation. We fit our model to available data for the Slammer worm and demonstrate the model's ability to accurately represent Slammer's total scan-rate to the core.
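The following sketch is an added illustration of the kind of model the abstract describes, not the paper's own equations or fitted parameters. It assumes three constructed access-link classes and a network-level SI state y_j (the number of class-j peripheral networks holding at least one infective, each emitting scans at its full link rate sigma_j because saturation is instant), coupled through the total scan rate S(t) into the core.

```python
# Added illustration (not the paper's equations or fitted parameters).
ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a random scanner draws from

# Constructed strata, one per access-link class:
#   n     = peripheral networks in the class
#   hosts = vulnerable end-systems per network
#   sigma = scans/s a saturated access link passes to the core
CLASSES = [
    {"n": 20000, "hosts": 2, "sigma": 300.0},
    {"n": 4000, "hosts": 5, "sigma": 4000.0},
    {"n": 500, "hosts": 20, "sigma": 40000.0},
]


def total_scan_rate(y, classes=CLASSES):
    """S(t): each infected network contributes its full link rate."""
    return sum(c["sigma"] * yj for c, yj in zip(classes, y))


def derivatives(y, classes=CLASSES):
    """dy_j/dt = (n_j - y_j) * hosts_j * S / 2^32, coupled through S."""
    s = total_scan_rate(y, classes)
    return [(c["n"] - yj) * c["hosts"] * s / ADDRESS_SPACE
            for c, yj in zip(classes, y)]


def simulate(y0, t_end, dt=0.1, classes=CLASSES):
    """Forward-Euler integration; returns a list of (t, y, S) samples."""
    y = [float(v) for v in y0]
    trace = [(0.0, list(y), total_scan_rate(y, classes))]
    for step in range(1, int(round(t_end / dt)) + 1):
        dy = derivatives(y, classes)
        y = [yj + dt * d for yj, d in zip(y, dy)]
        trace.append((step * dt, list(y), total_scan_rate(y, classes)))
    return trace


def time_to_fraction(trace, fraction, classes=CLASSES):
    """First time S(t) reaches the given fraction of its ceiling."""
    ceiling = sum(c["sigma"] * c["n"] for c in classes)
    for t, _, s in trace:
        if s >= fraction * ceiling:
            return t
    return None


if __name__ == "__main__":
    run = simulate([0, 0, 1], 600.0)  # one infected network in the fastest class
    for frac in (0.01, 0.5, 0.99):
        print(f"S(t) reaches {frac:.0%} of ceiling at t = {time_to_fraction(run, frac)} s")
```

Because the scan rate is capped per access link rather than per host, S(t) levels off at the sum of the link rates of all infected networks, which is the quantity a core-side monitor would observe.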
Index Terms
- A model of the spread of randomly scanning Internet worms that saturate access links