Email Worm Modeling and Defense

1
Email Worm Modeling and Defense

• Cliff C. Zou, Don Towsley, Weibo Gong
• Univ. Massachusetts, Amherst

2
Internet Worm Introduction

• Scan-based worms
• Example Code Red, Slammer, Blaster, Sasser,
• No human interaction
• Fast (automatic defense)
• Need vulnerability
• Fewer incidents
• Network-based blocking
• Modeling no (week) topological issue
• Epidemic models

• Email worms
• Example Melissa, Love letter, Sircam, SoBig,
  MyDoom,
• Human activation
• Slower
• Need no vulnerability
• More incidents
• Defense on email servers
• Modeling email address logical topology
• No math model yet

Nimda mixed infection MyDoom search engine
3
Email Topology Heavy-tailed Distributed
Complementary cumulative distribution (May 2002
gt 800,000 Yahoo groups)

• Email topology degree distr. Size
  distr. of email address books
• Popular email list one list address corresponds
  to many.
• Email worms find all addresses on compromised
  computers.
• Email address books, Web cache, text documents,
  etc.
• We study email propagation on power law
  topologies.
• Generators available best candidate to
  represent heavy-tailed topology.

4
Email Worm Simulation Model

• Discrete time simulation
• Topology undirected graph
• Power law, small world, random graph
• Modeling behavior of individual user
• Worm email attachment opening prob.
• Email checking time interval
• Following any distribution Exponential, Erlang,
  Constant.
• Modeling the entire user population
• normal distr.
• normal distr.
  

5
Propagation Stochastic Effect

• Power law network 100,000 nodes, average
  degree 8
• Nt the number of infectious at time t.
  N0 2 randomly selected
• 100 simulation runs for each experiment

• Initially infected nodes and initial infection
  are critical.
• It is possible that no one is infected except N0
• When no neighboring nodes open email attachments.

Random effect in simulation
6
Initially infected nodes with different node
degree
Avg. degree 8
Avg. degree 20

• Initially infected nodes are more important in a
  sparsely connected network than a densely
  connected network

7
Effect of email checking time variability

• Random variable
• Exponential
• 3rd-order Erlang
• Constant

• An email worm propagates faster when the email
  checking time is more stochastically variable.
• Snowball effect Before worm copies give birth to
  the next generation in the less variable system,
  worm copies in the more variable system have
  already given birth to several generations.

8
Topology Effect on Email Worm Propagation
Avg. degree of infected nodes (1000 simulation
runs)
Topology effect

• An email worm propagates faster on a power-law
  topology than on the other two.
• Highly connected nodes are infected earlier.
• They amplify worm propagation speed by shooting
  out more copies.

9
Immunization Defense against Email Worms

• Static immunization defense
• A fraction of nodes are immune to an email worm
  before its outbreak.
• No nodes will be immunized during the worms
  outbreak.
• Selective immunization
• Immunizing the mostly connected nodes.
• Effective for a power-law network
• Nodes have very variable node degrees
• 3 2000

10
Selective Immunization Defense
Power law topology
Small world topology

• Selective immunization defense is more effective
  on a power law topology than on the other two.
• Due to the percolation property of a topology.

11
Percolation and Phase Transition

• Selective percolation with p
• Removing top p percent of mostly connected nodes.
• Corresponding to selective immunization.
• Newman et al. studied uniform percolation.
• Selective percolation property
• Connection ratio
• fraction of remained nodes that are connected.
• Remaining link ratio
• fraction of remained links.
• Phase transition ? selective percolation
  threshold
• Disjoint the remaining network when

12
Percolation and Phase Transition
Small world topology
Power law topology

• Why different effect with 5 selective
  immunization?
• Power law topology removing 55.5 links
• Small world (random graph) topology removing lt
  20 links
• Email worm prevention via selective immunization
  (Phase transition)
• 30 for the power law topology
• Around 70 for the small world and random graph
  topologies.

13
Summary

• Email topology is a heavy-tailed distributed
  topology.
• The impact of a power law topology on email worm
  propagation is mixed
• Cons an email worm spreads faster than on a
  small world or a random graph topology.
• Pros static selective immunization defense is
  more effective.

14
Future Work

• Mathematical modeling
• Difficulty considering an arbitrary topology
• Directed graph for email topology
• One-way email address relationship
• Heavy tailed distr. definition? Topology
  generator?
• Dynamic immunization defense
• Short-term focus Enterprise network defense