Code%20Red%20Worm%20Propagation%20Modeling%20and%20Analysis

1
Code Red Worm Propagation Modeling and Analysis

• Cliff Changchun Zou, Weibo Gong, Don Towsley
• Univ. Massachusetts, Amherst

2
Motivation

• Code Red worm incident of July 19th, 2001
• Showed how fast a worm can spread.
• more than 350,000 infected in less than one day.
• A friendly worm?
• No real damage to compromised computers.
• Did not send out flooding traffic.
• A good model can
• Predict worm propagation and damage.
• Understand the worm spreading characteristics.
• Help to find effective mitigation technique.

3
Code Red worm background

• Sent HTTP Get request to buffer overflow Win IIS
  server.
• It generated 100 threads to scan simultaneously
• One reason for its fast spreading.
• Huge scan traffic might have caused congestion.
• Characteristics
• Uniformly picked IP addresses to send scan
  packets.

4
Epidemic modeling introduction

• infectious hosts continuously infect others.
• removed hosts in epidemic area
• Recover and immune to the virus.
• Dead because of the disease.
• removed hosts in computer area
• Patched computers that are clean and immune to
  the worm.
• Computers that are shut down or cut off from
  worms circulation.

5
Epidemic modeling introduction

• Homogeneous assumption
• Any host has the equal probability to contact any
  other hosts in the system.
• Number of contacts ? I ? S
• Code Red propagation has homogeneous property
• Direct connect via IP
• Uniformly IP scan

6
Deterministic epidemic models Simple epidemic
model

• State transition
• N population S(t) susceptible hosts I(t)
  infectious hosts
• dI(t)/dt ? S(t) I(t)
• S(t) I(t) N

• I(t) ? S(t) symmetric
• Problems
• Constant infection rate ?
• No removed state.

7
Deterministic epidemic models Kermack-McKendrick
epidemic model

• State transition
• R(t) removed from infectious ? removal rate
• dI(t)/dt ? S(t) I(t) dR(t)/dt
• dR(t)/dt ?I(t) S(t) I(t) R(t) N

• Epidemic threshold
• No outbreak if S(0) lt ? / ?.
• Problems
• Constant infection rate ?
• No

I(t)
t
8
Code Red modeling Consider human
countermeasures

• Human countermeasures
• Clean and patch download cleaning program,
  patches.
• Filter put filters on firewalls, gateways.
• Disconnect computers.
• Reasons for
• Suppress most new viruses/worms from outbreak.
• Eliminate virulent viruses/worms eventually.
• Removal of both susceptible and infectious hosts.

9
Code Red modeling Consider human
countermeasures

• Model (extended from KM model)
• Q(t) removal from susceptible hosts.
• R(t) removal from infectious hosts.
• I(t) infectious hosts.
• J(t) ? I(t)R(t) Number of infected hosts
• hosts that have ever been infected
• dS(t)/dt -? S(t) I(t) - dQ(t)/dt
• dR(t)/dt ?I(t)
• dQ(t)/dt ?S(t)J(t)
• S(t) I(t) R(t) Q(t) N

10
Code Red modeling Two-factor worm model

• Code Red worm may have caused congestion
• Huge number of scan packets with unused IP
  addresses.
• Routing table cache misses. ( about 30 of IP
  space is used)
• Generation of ICMP (router error) in case of
  invalid IP.
• Possible BGP instability.
• Effect slowing down of worm propagation rate ?
  ? ?(t)
• Two-factor worm model
• dS(t)/dt -?(t)S(t)I(t) - dQ(t)/dt
• dR(t)/dt ?I(t)
• dQ(t)/dt ?S(t)J(t)
• ?(t) ?0 1 - I(t)/N ?
• S(t) I(t) R(t) Q(t) N

11
Validation of observed data on Code Red

• Network monitor
• record Code Red scan traffic into the local
  network.
• Code Red worm uniformly picked IP to scan.
• of scans a cite received ? Size of the IP space
  of the cite.
• of scans a cite received at time t ? Overall
  scans in Internet at t.
• of infectious hosts sent scans to a cite at
  time t ? Overall infectious hosts in Internet at
  t.

• Local observation preserves global worm
  propagation pattern.

12
Observed data on Code Red worm

• Two independent Class B networks x.x.0.0/16
  (1/65536 of IP space)
• Count of Code Red scan packets and source IPs
  for each hour.
• Corresponding to infectious hosts I(t) at each
  hour, not infected hosts J(t)I(t)R(t).
• Uniformly scan IP ? Two networks, same results.

13
Code Red worm modeling Simple epidemic
modeling

• Staniford et al. used simple epidemic model
  approach.
• Conclusion from this model
• At around 2000UTC (1600 EDT), Code Red infected
  almost all susceptible hosts.
• On average, a worm infected 1.8 susceptible hosts
  per hour.

?
EDT hours (July 19)
14
Code Red worm modeling Simple epidemic
modeling

• Possible overestimation?
• Issues on using simple epidemic for Code Red
• Constant infection rate ? No considering of the
  impact of worm traffic
• No recovery removal from infectious hosts
• No patching before infection removal from
  susceptible hosts

15
Code Red modeling numerical analysis
Two-factor model
Two-factor model

• Conclusions
• At 2000UTC (1600 EDT), 60 70 have ever been
  infected.
• Simple epidemic model overestimates worm
  spreading.
• ? 0.14 14 infectious hosts would be removed
  after an hour.

16
Code Red Modeling If no congestion is
considered
If no congestion considered

• The congestion assumption is reasonable.

17
Summary

• We must consider the changing environment when we
  model virus/worm propagation.
• Human countermeasures/changing of behaviors.
• Virus/worm impact on Internet infrastructure.
• Worm modeling limitation
• Modeling worm continuously spreading part.
• Homogeneous systems.
• Future work how to predict before worms
  outbreak?
• Determine parameters of a virus/worm model.