Code red worm propagation modeling and analysis

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Code red worm propagation modeling and analysis

Full text

Pdf (197 KB)

Source

Conference on Computer and Communications Security archive
Proceedings of the 9th ACM conference on Computer and communications security table of contents

Washington, DC, USA

SESSION: Network security table of contents

Pages: 138 - 147

Year of Publication: 2002

ISBN:1-58113-612-9

Authors

Cliff Changchun Zou	University of Massachusetts, Amherst, MA
Weibo Gong	University of Massachusetts, Amherst, MA
Don Towsley	University of Massachusetts, Amherst, MA

Sponsors

ACM: Association for Computing Machinery
SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 23, Downloads (12 Months): 209, Citation Count: 45

Additional Information:

abstract references cited by index terms collaborative colleagues peer to peer

Tools and Actions:	Review this Article Save this Article to a Binder Display Formats: BibTex EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/586110.586130 What is a DOI?

ABSTRACT

The Code Red worm incident of July 2001 has stimulated activities to model and analyze Internet worm propagation. In this paper we provide a careful analysis of Code Red propagation by accounting for two factors: one is the dynamic countermeasures taken by ISPs and users; the other is the slowed down worm infection rate because Code Red rampant propagation caused congestion and troubles to some routers. Based on the classical epidemic Kermack-Mckendrick model, we derive a general Internet worm model called the two-factor worm model. Simulations and numerical solutions of the two-factor worm model match the observed data of Code Red worm better than previous models do. This model leads to a better understanding and prediction of the scale and speed of Internet worm spreading.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	R. M. Anderson, R.M. May. Infectious diseases of humans: dynamics and control. Oxford University Press, Oxford, 1991.
	2	H. Andersson, T. Britton. Stochastic Epidemic Models and Their Statistical Analysis. Springer-Verlag, New York, 2000.
	3	N. T. Bailey. The Mathematical Theory of Infectious Diseases and its Applications. Hafner Press, New York, 1975.
	4	CERT Advisory CA-2001-23. Continued Threat of the "Code Red" Worm. http://www.cert.org/advisories/CA-2001-23.html
	5	CERT Advisory CA-2000-04. Love Letter Worm. http://www.cert.org/advisories/CA-2000-04.html
	6	CERT Advisory CA-1999-04. Melissa Macro Virus. http://www.cert.org/advisories/CA-1999-04.html
	7	Cisco Security Advisory: "Code Red" Worm - Customer Impact. http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml
	8	Cisco Tech. notes: Dealing with mallocfail and High CPU Utilization Resulting From the "Code Red" Worm. http://www.cisco.com/warp/public/63/ts\_codred\_worm.shtml
	9	CNN news. "Code Red" worm "minimized" -- for now. http://www.cnn.com/2001/TECH/internet/08/02/code.red.worm/
	10	J. Cowie, A. Ogielski, B. Premore and Y. Yuan. Global Routing Instabilities during Code Red II and Nimda Worm Propagation. http://www.renesys.com/projects/_instability/
	11	eEye Digital Security. .ida "Code Red" Worm. http://www.eeye.com/html/Research/Advisories/AL20010717.html
	12	eEye Digital Security. CodeRedII Worm Analysis. http://www.eeye.com/html/Research/Advisories/AL20010804.html
	13	K. Eichman. Mailist: Re: Possible CodeRed Connection Attempts. http://lists.jammed.com/incidents/2001/07/0159.html
	14	eWeek news. Code Red Lessons, Big and Small. http://www.eweek.com/article2/0,3959,113815,00.asp
	15	J. C. Frauenthal. Mathematical Modeling in Epidemiology. Springer-Verlag, New York, 1980.
	16	D. Goldsmith. Maillist: Possible CodeRed Connection Attempts. http://lists.jammed.com/incidents/2001/07/0149.html
	17	T. Heberlein. Visual simulation of Code Red worm propagation patterns. http://www.incidents.org/archives/intrusions/msg00659.html
	18	Incidents.org diary archive. http://www.incidents.org/diary/july2001.php
	19	S. Junnarkar and R. Konrad. Code Red crawls back into action. http://news.cnet.com/news/0-1003-200-6738969.html
	20	J. O. Kephart and S. R. White. Directed-graph Epidemiological Models of Computer Viruses. Proceedings of the IEEE Symposimum on Security and Privacy, 343--359, 1991.
	21	Jeffrey O. Kephart , Steve R. White , David M. Chess, Computers and epidemiology, IEEE Spectrum, v.30 n.5, p.20-26, May 1993 [doi>10.1109/6.275061 ]
	22	Jeffrey O. Kephart , Steve R. White, Measuring and Modeling Computer Virus Prevalence, Proceedings of the 1993 IEEE Symposium on Security and Privacy, p.2, May 24-26, 1993
	23	R. Lemos. Virulent worm calls into doubt our ability to protect the Net. http://news.com.com/2009-1001-270471.html
	24	R. Lemos. Microsoft reveals Web server hole. http://news.com.com/2100-1001-268608.html
	25	Matlab Simulink. The Mathworks, Inc.
	26	Vishal Misra , Wei-Bo Gong , Don Towsley, Fluid-based analysis of a network of AQM routers supporting TCP flows with an application to RED, Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, p.151-160, August 28-September 01, 2000, Stockholm, Sweden
	27	D. Moore. The Spread of the Code-Red Worm. http://www.caida.org/analysis/security/code-red/_analysis.xml
	28	C. Nachenberg. The Evolving Virus Threat. 23rd NISSC Proceedings, Baltimore, Maryland, 2000.
	29	SilentBlade. Info and Analysis of the 'Code Red'. http://www.securitywriters.org/library/texts/malware/commu/codered.php
	30	Eugene H. Spafford, The Internet Worm Incident, Proceedings of the 2nd European Software Engineering Conference, p.446-468, September 11-15, 1989
	31	Stuart Staniford , Vern Paxson , Nicholas Weaver, How to Own the Internet in Your Spare Time, Proceedings of the 11th USENIX Security Symposium, p.149-167, August 05-09, 2002
	32	Chenxi Wang , J. C. Knight , M. C. Elder, On computer viral infection and the effect of immunization, Proceedings of the 16th Annual Computer Security Applications Conference, p.246, December 11-15, 2000
	33	Lan Wang , Xiaoliang Zhao , Dan Pei , Randy Bush , Daniel Massey , Allison Mankin , S. Felix Wu , Lixia Zhang, Observation and analysis of BGP behavior under stress, Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment, November 06-08, 2002, Marseille, France [doi>10.1145/637201.637231]
	34	34 N. Weaver. Warhol Worms: The Potential for Very Fast Internet Plagues. http://www.cs.berkeley.edu/nweaver/warhol.html

CITED BY 45

	Vasileios Karyotis , Symeon Papavassiliou, Risk-based attack strategies for mobile ad hoc networks under probabilistic attack modeling framework, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.9, p.2397-2410, June, 2007
	Songjie Wei , Jelena Mirkovic, A realistic simulation of internet-scale events, Proceedings of the 1st international conference on Performance evaluation methodolgies and tools, October 11-13, 2006, Pisa, Italy
	Mohamed Abdelhafez , George Riley , Robert G. Cole , Nam Phamdo, Modeling and Simulations of TCP MANET Worms, Proceedings of the 21st International Workshop on Principles of Advanced and Distributed Simulation, p.123-130, June 12-15, 2007
	Fabio Ricciato, Unwanted traffic in 3G networks, ACM SIGCOMM Computer Communication Review, v.36 n.2, April 2006
	Yun-Kai ZHANG , Yun-Kai Zhang , Fang-Wei WANG , Fang-Wei Wang , Yu-Qing Zhang , Yu-Qing ZHANG , Jian-Feng MA , Jian-Feng Ma, Worm propagation modeling and analysis based on quarantine, Proceedings of the 3rd international conference on Information security, November 14-16, 2004, Shanghai, China
	Fabio Ricciato, Some remarks to recent papers on traffic analysis: or the case for public Wiki-like platforms for commenting published papers, ACM SIGCOMM Computer Communication Review, v.36 n.3, July 2006
	Cliff C. Zou , Don Towsley , Weibo Gong , Songlin Cai, Advanced Routing Worm and Its Security Challenges, Simulation, v.82 n.1, p.75-85, January 2006
	Duc T. Ha , Hung Q. Ngo, On the trade-off between speed and resiliency of flashworms and similar malcodes, Proceedings of the 2007 ACM workshop on Recurring malcode, November 02-02, 2007, Alexandria, Virginia, USA
	Fabio Ricciato , Francesco Vacirca , Philipp Svoboda, Diagnosis of capacity bottlenecks via passive monitoring in 3G networks: An empirical analysis, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.4, p.1205-1231, March, 2007
	Kristopher Hall , Randy Marchany , Nathaniel Davis, Identifying, characterizing, and controlling stealth worms in wireless networks through biological epidemiology, Proceedings of the second international workshop on Wireless traffic measurements and modeling, p.1-es, August 05-05, 2006, Boston, Massachusetts
	Qinhua Zheng , Ting Liu , Xiaohong Guan , Yu Qu , Na Wang, A new worm exploiting IPv4-IPv6 dual-stack networks, Proceedings of the 2007 ACM workshop on Recurring malcode, November 02-02, 2007, Alexandria, Virginia, USA
	Dan Ellis, Worm anatomy and model, Proceedings of the 2003 ACM workshop on Rapid malcode, October 27-27, 2003, Washington, DC, USA
	Nicholas Weaver , Ihab Hamadeh , George Kesidis , Vern Paxson, Preliminary results using scale-down to explore worm dynamics, Proceedings of the 2004 ACM workshop on Rapid malcode, October 29-29, 2004, Washington DC, USA
	George Kesidis , Ihab Hamadeh , Youngmi Jin , Soranun Jiwasurat , Milan Vojnović, A model of the spread of randomly scanning Internet worms that saturate access links, ACM Transactions on Modeling and Computer Simulation (TOMACS), v.18 n.2, p.1-14, April 2008
	Srinivas Shakkottai , R. Srikant, Peer to peer networks for defense against internet worms, Proceedings from the 2006 workshop on Interdisciplinary systems approach in performance evaluation and design of computer & communications sytems, October 14-14, 2006, Pisa, Italy
	Songjie Wei , Jelena Mirkovic , Martin Swany, Distributed Worm Simulation with a Realistic Internet Model, Proceedings of the 19th Workshop on Principles of Advanced and Distributed Simulation, p.71-79, June 01-03, 2005
	Sapon Tanachaiwiwat , Ahmed Helmy, On the performance evaluation and prediction of encounter-based worm interactions based on node characteristics, Proceedings of the second workshop on Challenged networks CHANTS, September 14-14, 2007, Montreal, Quebec, Canada
	Cynthia Wong , Stan Bielski , Jonathan M. McCune , Chenxi Wang, A study of mass-mailing worms, Proceedings of the 2004 ACM workshop on Rapid malcode, October 29-29, 2004, Washington DC, USA
	Cliff Changchun Zou , Weibo Gong , Don Towsley, Worm propagation modeling and analysis under dynamic quarantine defense, Proceedings of the 2003 ACM workshop on Rapid malcode, October 27-27, 2003, Washington, DC, USA
	Moheeb Abu Rajab , Fabian Monrose , Andreas Terzis, On the impact of dynamic addressing on malware propagation, Proceedings of the 4th ACM workshop on Recurring malcode, November 03-03, 2006, Alexandria, Virginia, USA
	Francesco Palmieri , Ugo Fiore, Automated detection and containment of worms and viruses into heterogeneous networks: a simple network immune system, International Journal of Wireless and Mobile Computing, v.2 n.1, p.47-58, May 2007
	Arno Wagner , Thomas Dübendorfer , Bernhard Plattner , Roman Hiestand, Experiences with worm propagation simulations, Proceedings of the 2003 ACM workshop on Rapid malcode, October 27-27, 2003, Washington, DC, USA
	David M. Nicol, Efficient simulation of Internet worms, ACM Transactions on Modeling and Computer Simulation (TOMACS), v.18 n.2, p.1-32, April 2008
	Monirul I. Sharif , George F. Riley , Wenke Lee, Comparative Study between Analytical Models and Packet-Level Worm Simulations, Proceedings of the 19th Workshop on Principles of Advanced and Distributed Simulation, p.88-98, June 01-03, 2005
	Yang Wang , Chenxi Wang, Modeling the effects of timing parameters on virus propagation, Proceedings of the 2003 ACM workshop on Rapid malcode, October 27-27, 2003, Washington, DC, USA
	Moheeb Abu Rajab , Fabian Monrose , Andreas Terzis, Worm evolution tracking via timing analysis, Proceedings of the 2005 ACM workshop on Rapid malcode, November 11-11, 2005, Fairfax, VA, USA
	David W. Richardson , Steven D. Gribble , Edward D. Lazowska, The limits of global scanning worm detectors in the presence of background noise, Proceedings of the 2005 ACM workshop on Rapid malcode, November 11-11, 2005, Fairfax, VA, USA
	Insu Park , R. Sharman , H. R. Rao , S. Upadhyaya, Short Term and Total Life Impact analysis of email worms in computer systems, Decision Support Systems, v.43 n.3, p.827-841, April, 2007
	Michael Liljenstam , David M. Nicol , Vincent H. Berk , Robert S. Gray, Simulating realistic network worm traffic for worm warning system design and testing, Proceedings of the 2003 ACM workshop on Rapid malcode, October 27-27, 2003, Washington, DC, USA
	Cliff Changchun Zou , Lixin Gao , Weibo Gong , Don Towsley, Monitoring and early warning for internet worms, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA
	Jianhong Xia , Sarma Vangala , Jiang Wu , Lixin Gao , Kevin Kwiat, Effective worm detection for various scan techniques, Journal of Computer Security, v.14 n.4, p.359-387, July 2006
	Jintao Xiong, ACT: attachment chain tracing scheme for email virus detection and control, Proceedings of the 2004 ACM workshop on Rapid malcode, October 29-29, 2004, Washington DC, USA
	S. Antonatos , P. Akritidis , E. P. Markatos , K. G. Anagnostakis, Defending against hitlist worms using network address space randomization, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.12, p.3471-3490, August, 2007
	Peng Liu , Wanyu Zang, Incentive-based modeling and inference of attacker intent, objectives, and strategies, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA
	Cliff C. Zou , Don Towsley , Weibo Gong, On the performance of internet worm scanning strategies, Performance Evaluation, v.63 n.7, p.700-723, July 2006
	Chris Fleizach , Michael Liljenstam , Per Johansson , Geoffrey M. Voelker , Andras Mehes, Can you infect me now?: malware propagation in mobile phone networks, Proceedings of the 2007 ACM workshop on Recurring malcode, November 02-02, 2007, Alexandria, Virginia, USA
	Surasak Sanguanpong , Urupoj Kanlayasiri, Worm damage minimization in enterprise networks, International Journal of Human-Computer Studies, v.65 n.1, p.3-16, January, 2007
	Peng Liu , Wanyu Zang , Meng Yu, Incentive-based modeling and inference of attacker intent, objectives, and strategies, ACM Transactions on Information and System Security (TISSEC), v.8 n.1, p.78-118, February 2005
	Frank Castaneda , Emre Can Sezer , Jun Xu, WORM vs. WORM: preliminary study of an active counter-attack mechanism, Proceedings of the 2004 ACM workshop on Rapid malcode, October 29-29, 2004, Washington DC, USA
	Seny Kamara , Darren Davis , Lucas Ballard , Ryan Caudy , Fabian Monrose, An Extensible Platform for Evaluating Security Protocols, Proceedings of the 38th annual Symposium on Simulation, p.204-213, April 04-06, 2005
	Cliff C. Zou , Weibo Gong , Don Towsley , Lixin Gao, The monitoring and early detection of internet worms, IEEE/ACM Transactions on Networking (TON), v.13 n.5, p.961-974, October 2005
	V. T. Lam , S. Antonatos , P. Akritidis , K. G. Anagnostakis, Puppetnets: misusing web browsers as a distributed attack infrastructure, Proceedings of the 13th ACM conference on Computer and communications security, October 30-November 03, 2006, Alexandria, Virginia, USA
	Gaurav S. Kc , Angelos D. Keromytis , Vassilis Prevelakis, Countering code-injection attacks with instruction-set randomization, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA
	Angelos D. Keromytis , Janak Parekh , Philip N. Gross , Gail Kaiser , Vishal Misra , Jason Nieh , Dan Rubenstein , Sal Stolfo, A holistic approach to service survivability, Proceedings of the 2003 ACM workshop on Survivable and self-regenerative systems: in association with 10th ACM Conference on Computer and Communications Security, p.11-22, October 31-31, 2003, Fairfax, VA
	David M. Nicol , William H. Sanders , Kishor S. Trivedi, Model-Based Evaluation: From Dependability to Security, IEEE Transactions on Dependable and Secure Computing, v.1 n.1, p.48-65, January 2004

INDEX TERMS

Primary Classification:
H. Information Systems
H.1 MODELS AND PRINCIPLES
H.1.m Miscellaneous

General Terms:
Human Factors, Security

Keywords:
epidemic model, internet worm modeling, two-factor worm model

Collaborative Colleagues:

Cliff Changchun Zou: colleagues

Weibo Gong: colleagues

Don Towsley: colleagues

Peer to Peer - Readers of this Article have also read:

Improving the granularity of access control in Windows NT Proceedings of the sixth ACM symposium on Access control models and technologies
Michael M. Swift , Peter Brundrett , Cliff Van Dyke , Praerit Garg , Anne Hopkins , Shannon Chan , Mario Goertzel , Gregory Jensenworth
Efficient, DoS-resistant, secure key exchange for internet protocols Proceedings of the 9th ACM conference on Computer and communications security
William Aiello , Steven M. Bellovin , Matt Blaze , John Ioannidis , Omer Reingold , Ran Canetti , Angelos D. Keromytis
Data structures for quadtree approximation and compression Communications of the ACM 28, 9
Hanan Samet
A hierarchical single-key-lock access control using the Chinese remainder theorem Proceedings of the 1992 ACM/SIGAPP Symposium on Applied computing
Kim S. Lee , Huizhu Lu , D. D. Fisher
An intelligent component database for behavioral synthesis Proceedings of the 27th ACM/IEEE conference on Design automation
Gwo-Dong Chen , Daniel D. Gajski

Adobe Acrobat

QuickTime

Windows Media Player

Real Player