Modeling and analysis of Internet worm propagation


  • Journal: The Journal of China Universities of Posts and Telecommunications (English Edition)
  • File size: 173 KB
  • Authors: SU Fei, LIN Zhao-wen, MA Yan
  • Affiliations: Institute of Networking Technology; Beijing Key Laboratory of Intelligent Telecommunications Software and Multimedia
  • Updated: 2020-11-22
Paper overview

The Journal of China Universities of Posts and Telecommunications, August 2010, 17(4): 63-68
Available online at www.sciencedirect.com (www.sciencedirect.com/science/journal/10058885), http://www.jcupt.com

SU Fei (✉), LIN Zhao-wen¹, MA Yan¹˒²

1. Institute of Networking Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China
2. Beijing Key Laboratory of Intelligent Telecommunications Software and Multimedia, Beijing University of Posts and Telecommunications, Beijing 100876, China

Received date: 21-05-2009
Corresponding author: SU Fei, E-mail: suf@buptnet.edu.cn
DOI: 10.1016/100S- 880960489816

Abstract

Although the frequency of Internet worm outbreaks has decreased during the past ten years, the impact of worms on people's privacy and security and on enterprises' efficiency is still a severe problem, especially with the emergence of botnets. It is urgent to do more research on worm propagation models and security defense. The well-known worm models, such as the simple epidemic model (SEM) and the two-factor model (TFM), treat all the computers on the Internet as the same, which is not accurate because of the existence of network address translation (NAT). In this paper, we first analyze the worm's functional structure, and then we propose a three-layer worm model named three layers worm model (TLWM), which is an extension of SEM and TFM under a NAT environment. We model the TLWM by using the deterministic method, as it is used in the TFM. The simulation results show that the number of NAT used on the Internet has effects on worm propagation, and the more the NAT used, the slower the worm spreads. So, the extensive use of NAT on the Internet can restrain the worm spread to some extent.

Keywords: worm propagation, model, TLWM, NAT

1 Introduction

A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computers on the network), and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program.

The first known worm that appeared in the wild was the Morris worm in 1988. Since then, new worms have appeared frequently [1]. In 2001, the Code Red and Nimda worms quickly infected hundreds of thousands of computers, causing millions of dollars of loss to our society [2]. The Slammer worm appeared on January 25th, 2003, and quickly spread throughout the Internet. Thereby, the security threats caused by network worms have increased dramatically. In 2007, the Storm Worm began infecting thousands of (mostly private) computers in Europe and the United States. In 2008, the worm Conficker was detected. It is now believed to be the largest computer worm infection since the 2003 SQL Slammer.

A functional division of an Internet worm is into mainbody function and auxiliary function [2]. The mainbody function module is composed of four parts: the information collection module, the probe module, the attack module and the self-propagating module. The information collection module decides which algorithm should be adopted by the worm to search for information on the local and remote network. The content of the information includes local system information, user information, mailing lists, border router information and so on. The information can be shared by other individuals, solely. The probe module is responsible for the detection of the host's frangibility, and then decides which attack mode should be taken. The attack module uses the obtained security vulnerability to build a propagation route. Such a module is open and extensible in attack method. The self-propagating module can use different measures to generate different worm copies, and transmit the worm copies to different hosts.

It is necessary to study the worm's spread process from different viewpoints. So, an analytical worm propagation model is needed. The purpose of the worm model is to identify […] spreading chain and provide […] for the epidemiology research. We can study the worm's behavior by an accurate and effective worm model. The large-scale worm infestations that appeared in the last several years have triggered several efforts to model worm spread. A majority of worm propagation models are based on deterministic epidemic models [3]. These can simulate worm propagation in a large-scale network environment well. They derive from the epidemiology area. In the epidemiology area, both stochastic models and deterministic models exist for modeling the spreading of infectious diseases. Stochastic models are suitable for small-scale networks with simple virus dynamics, while deterministic models are suitable for large-scale networks under the assumption of mass action, relying on the law of large numbers. Here, we only consider the deterministic model for worm propagation. And we do not take the network topology into account, although it is an important aspect of research on worm propagation.

2 Related work

In the past years, some excellent and novel worm models have been proposed. Zou et al. analyze two typical worm models, SEM and the Kermack-Mckendrick (KM) model, and propose a new model named the two-factor worm model [3], which takes human countermeasures and network congestion into account. Later, Zou et al. analyze different scan strategies affecting worm propagation [4]. Chen et al. present a new deterministic approximation model, named the analytical active worm propagation (AAWP) model, by probability theory [5]. Su et al. propose a worm model by dividing the Internet into different groups based on TFM [6], and then they analyze the effect of firewalls on the propagation of Internet worms [7-8]. Wang et al. [9] study worm propagation from the eigenvalue viewpoint, and propose a threshold value of worm outbreak. Okamura present a Markovian model method to analyze worm spread [10]. Kamra et al. discuss worm propagation in an IPv6 network, and study the effect of DNS delays on worm propagation [11].

Most of the models considered the worm's spread from the overall point of view. Few models calculate the effects of local factors on worm propagation, such as firewalls, NAT and intrusion detection systems (IDS). With the extensive use of these devices, they more or less affect the worm's propagation. Xing et al. propose a worm model under a NAT environment based on the AAWP worm model [12], which can only reflect the worm propagation trend. We cannot get the effects of NAT on the worm spread from this model.

3 Epidemic model introduction

In epidemiology research, the mathematical theory concerning infectious disease is well understood. Given the similarity of infectious disease and worm propagation, we can use the theory to study the spread of Internet worms. In this section, we briefly introduce three kinds of epidemic models. According to epidemiology modeling, hosts that can be infected by a worm are called susceptible hosts; hosts that have been infected and can infect others are called infectious hosts; hosts that are immune such that they cannot be infected are called removed hosts. In this paper, we will use the same terminology for Internet worm modeling.

We list the notations used in this paper as follows:

1) $S(t)$: the number of susceptible hosts at time $t$.
2) $I(t)$: the number of infectious hosts at time $t$.
3) $R(t)$: the number of removed hosts from infectious hosts at time $t$.
4) $Q(t)$: the number of removed hosts from susceptible […]
5) $N$: the number of hosts in the system.
6) $J(t)$: the number of infectious hosts including removed […]
7) $\beta(t)$: the infection rate.

3.1 Simple epidemic model

In the simple epidemic model, each host stays in one of two states: susceptible or infectious. The model assumes that the system is homogeneous: each host has an equal probability of contacting any other host in the Internet. Once a host is infected by a worm, it remains in the infectious state forever. Thus the number of contacts between infectious hosts and susceptible hosts is proportional to $S(t)I(t)$. Based on these assumptions, the simple epidemic model for a finite population is

$$\frac{dI(t)}{dt} = \beta I(t)[N - I(t)] \qquad (1)$$

where $\beta$ is called the pairwise rate of infection. At $t = 0$, $I(0)$ hosts are infectious and the other $S(0) = N - I(0)$ hosts are all susceptible.

3.2 KM model

The KM model takes the removal process of infectious hosts […]ing an epidemic of a contag[…] either recover or die, and thus they are immune to the disease forever. Therefore, in this model each host stays in one of three states at any time: susceptible, infectious, or removed. Each host either makes the state transition 'susceptible→infectious→removed' or remains in the 'susceptible' state all the time.

Based on the simple epidemic model Eq. (1), the KM model is

$$\begin{aligned}
\frac{dJ(t)}{dt} &= \beta I(t)[N - J(t)] \\
\frac{dR(t)}{dt} &= \gamma I(t) \\
J(t) &= I(t) + R(t) = N - S(t)
\end{aligned} \qquad (2)$$

where $\gamma$ is the removal rate of the infectious hosts.

3.3 Two-factor model

Former worm models neglect dynamic effects, such as human countermeasures on worm behavior and the change of infection rate during infection. The two-factor worm model considers the two factors: human countermeasures and decreased infection rate.

In order to consider the two factors, the change in the number of susceptible hosts $S(t)$ from time $t$ to time $t + \Delta t$ follows the equation:

$$\frac{dS(t)}{dt} = -\beta(t)S(t)I(t) - \frac{dQ(t)}{dt} \qquad (3)$$

and the infectious hosts from $t$ to $t + \Delta t$ are:

$$\frac{dI(t)}{dt} = \beta(t)[N - R(t) - I(t) - Q(t)]I(t) - \frac{dR(t)}{dt} \qquad (4)$$

From the analysis above, we know that the two-factor worm model is more accurate. When the infection rate $\beta(t)$ becomes constant and the removal process from the susceptible population is not considered, i.e., $Q(t) = 0$, the two-factor worm model degenerates to the KM worm model. $\beta(t)$, $Q(t)$ and $R(t)$ are dynamic factors. The equations of $\beta(t)$, $R(t)$, $Q(t)$, $S(t)$ are as follows:

$$\begin{aligned}
\beta(t) &= \beta_0\left[1 - \frac{I(t)}{N}\right]^{\eta} \\
\frac{dR(t)}{dt} &= \gamma I(t) \\
\frac{dS(t)}{dt} &= -\beta(t)S(t)I(t) - \frac{dQ(t)}{dt} \\
\frac{dQ(t)}{dt} &= \mu S(t)J(t)
\end{aligned} \qquad (5)$$

Using the equations above, the complete two-factor worm model is:

$$\begin{aligned}
\frac{dS(t)}{dt} &= -\beta(t)S(t)I(t) - \frac{dQ(t)}{dt} \\
\frac{dR(t)}{dt} &= \gamma I(t) \\
\frac{dQ(t)}{dt} &= \mu S(t)J(t) \\
\beta(t) &= \beta_0\left[1 - \frac{I(t)}{N}\right]^{\eta} \\
N &= S(t) + I(t) + R(t) + Q(t) \\
I(0) &= I_0 \ll N;\quad S(0) = N - I_0;\quad R(0) = Q(0) = 0
\end{aligned} \qquad (6)$$

The dynamic curves of $I(t)$, $J(t)$, $S(t)$ are shown in Fig. 1.

Fig. 1 Two-factor model

4 Effect of NAT on worm propagation

4.1 Influence of NAT on worm propagation

Network address translation is a mechanism of replacing IP address information in packet headers while in transit across a traffic routing device for the purpose of remapping a given address space into another. Nowadays, it is widely used in IPv4 networks. However, most of the worm models do not take NAT into account. They assume that all the hosts on the Internet are the same, so that infected hosts in the system can reach any vulnerable host directly. However, this is not the case at all. Considering the hosts behind the NAT, an infected host cannot infect this kind of host directly, because it cannot get its accurate IP address. The IP address of the hosts behind NAT is private. We call this kind of host an 'inner host'. The hosts except inner hosts and NAT hosts are outer hosts. To compromise the inner hosts, the infected host must infect the NAT host first, and then the NAT hosts can use some scan strategies to infect the inner hosts. Therefore, if we model the behavior […] hosts should be taken into co[…] of the model.

The structure of the propagation model in this case is shown in Fig. 2. The rectangle represents the NAT hosts. The black circle is the inner hosts. Other circles denote the routers and outer hosts.

Fig. 2 The structure of NAT environment

4.2 Worm model under NAT environment

From Fig. 2 we can easily understand the worm propagation with the existence of NAT. In this section, we use differential equations to model the worm propagation under this condition, based on the simple worm model and the two-factor worm model. Here, we make some assumptions about this model. The hosts and routers except the inner hosts are outer hosts. The NAT hosts are also taken as outer hosts. We assume that the NAT hosts are distributed in the propagation system homogeneously. The NAT hosts are infected at discrete times during the worm propagation. We assume that the time at which the NAT hosts are infected is uniformly distributed after the worm's outbreak. The worm propagation in inner hosts follows the simple worm model.

We model the worm propagation under the NAT environment with a model named three layers worm model (TLWM). The model divides the Internet hosts into three layers. The outer hosts belong to the first layer. The NAT hosts and inner hosts compose the second and the third layer respectively. In the first layer, the worm spreads on the Internet without considering NAT hosts and inner hosts. We can model this case by the simple worm model or the two-factor worm model. The notations in this layer are the same as the notations in the two models. The second layer describes the worm propagation in NAT hosts. NAT hosts will be infected during the worm propagation in the first layer at discrete times. The third layer shows worm propagation in inner hosts after the corresponding NAT hosts are infected. The infected hosts in the three layers interact with each other. That is, an infected host in the first layer can infect hosts in the second layer, but it cannot infect hosts in the third layer. The infected hosts in the second layer can infect hosts in the first layer and hosts in the corresponding third layer. The infected hosts in the third layer can infect hosts in the three layers. The interaction of the three layers of TLWM is shown in Fig. 3.

Fig. 3 The three layers of TLWM
  The first layer: the outer hosts can infect NAT hosts and outer hosts.
  The second layer: the NAT hosts can infect the outer hosts, NAT hosts and the certain inner hosts.
  The third layer: the inner hosts can infect the outer hosts and NAT hosts.

We define the notations added in the TLWM model as follows:

1) $\beta$: the infection rate of the hosts in the first layer.
2) $\beta'$: the infection rate of the hosts in the second layer.
3) $\beta''$: the infection rate of the hosts in the third layer.
4) $p$: the probability a NAT host is infected.
5) $I_n(t)$: the number of infected NAT hosts at time $t$.
6) $I_k(t)$: the number of infected inner hosts behind the $k$-th NAT at time $t$.
7) $N_k$: the number of hosts behind each NAT host.

The definitions of each notation are given as follows:

$\beta = $ […] (7)

$\beta' = p$ […] (8)

$\beta'' = p$ […] (9)

$$\frac{dI(t)}{dt} = \Big[\beta I(t) + \beta' I_n(t) + \sum_k \beta'' I_k(t)\Big][N - I(t)] \qquad (10)$$

$$I = I(t) + I_n(t) + \sum_k I_k(t) \qquad (11)$$

We consider the infection process of the worm in NAT hosts as a stochastic process. We model the worm propagation on the inner hosts by the simple worm model. Note that the beginning time of the worm's outbreak behind a NAT depends on whether the NAT host is infected.

[…] (12)

According to the same principle, we can also derive the corresponding equations from the two-factor worm model. We use the same definitions of $\beta$, $\beta'$, $\beta''$. For the worm propagation on outer hosts, the process of modeling is as follows:

$$S(t + \Delta t) - S(t) = -\Big[\beta(t)I(t) + \beta' I_n(t) + \sum_k \beta'' I_k(t)\Big]S(t)\Delta t - \frac{dQ(t)}{dt}\Delta t$$

$$\frac{dS(t)}{dt} = -\Big[\beta(t)I(t) + \beta' I_n(t) + \sum_k \beta'' I_k(t)\Big]S(t) - \frac{dQ(t)}{dt} \qquad (13)$$

Note that $S(t) + I(t) + R(t) + Q(t) = N$ holds for any time $t$. Substituting $S(t) = N - I(t) - R(t) - Q(t)$ into Eq. (13) yields the differential equation describing the behavior of the number of infectious hosts $I(t)$ as

$$\frac{dI(t)}{dt} = \Big[\beta(t)I(t) + \beta' I_n(t) + \sum_k \beta'' I_k(t)\Big][N - I(t) - R(t) - Q(t)] - \frac{dR(t)}{dt} \qquad (14)$$

The model of worm propagation on inner hosts can simply use the TFM. So the TLWM based on TFM is:

$$\begin{aligned}
\frac{dI(t)}{dt} &= \Big[\beta(t)I(t) + \beta' I_n(t) + \sum_k \beta'' I_k(t)\Big][N - I(t) - R(t) - Q(t)] - \frac{dR(t)}{dt} \\
&\text{[…]} \\
\frac{dR(t)}{dt} &= \gamma I(t) \\
\frac{dQ(t)}{dt} &= \mu S(t)J(t) \\
\beta &= \text{[…]} \\
\beta' &= p\,\text{[…]} \\
\beta'' &= p\,\text{[…]} \\
I &= I(t) + I_n(t) + \sum_k I_k(t)
\end{aligned} \qquad (15)$$

5 Simulations

In the simulation, we reflect the effects of NAT on worm propagation based on the model in Eq. (10). The model does not have an analytical solution. We use Matlab Simulink to simulate the model we proposed above.

In order to simplify the TLWM worm model, we assume that the number of hosts behind each NAT is the same. There are $m$ NAT hosts in the system. Then the worm model in Eq. (10) can be written as follows:

$$\frac{dI(t)}{dt} = [\beta I(t) + \beta' I_n(t) + m\beta'' I_k(t)][N - I(t)] \qquad (16)$$

For parameters N=10000, I₀=1, η=350, β=8.149 1x108, β′=8.149 1x10-"3, β″=8.149 1x10~1), m=[…]=1 000, we obtain the numerical solutions for the TLWM model and plot them in Fig. 4.

Fig. 4 Numerical solution of TLWM

In order to understand the effects of NAT on worm propagation well, the impact of the number of NAT is presented in Fig. 6. The dotted line is the worm propagation curve when m is 10. The solid line is the curve when m is 100. So the larger the value of m, the faster the worm propagates. This is consistent with the conclusion in Ref. [13]. The Code Red v2 worm propagation curve is shown in Fig. 5 for comparison. We can see that the TLWM model reflects the worm's propagation trend well, and it can explain the effects of NAT on worm propagation quantitatively. Most importantly, it reflects the worm spread in a more realistic network environment accurately.

Fig. 5 The propagation of Code Red v2 worm (horizontal axis: Time (UTC))

This model can describe the worm propagation under a NAT environment well. By adjusting the value of m, we can […]tion is mainly on the ascend[…] in Ref. [12] can only show […] cannot demonstrate the worm propagation change when different numbers of NAT are used in the network.

Fig. 6 Effect of NAT sizes on worm propagation (curves for m=10 and m=100)

6 Conclusions

In this paper, we analyze the structure of Internet worms, and propose a three-layer worm propagation model named TLWM to characterize the spread of the worm. This model represents the worm propagation under a NAT environment. The first layer represents the hosts and routers on the Internet. The second layer is composed of the NAT hosts. The third layer is the hosts under each NAT. The infection rate between different layers is different. So the worm propagation under this environment is quite different from homogeneous worm propagation.

The purpose of the TLWM is to get useful information about the effects of NAT on worm propagation. We can use the corresponding parameters to simulate other worms. Although previous worm models are more general, they do not take some network devices into account. We model the TLWM with the same method as is used in TFM. In order to analyze the effects of NAT on worm propagation, we simulate it with different numbers of NAT hosts used in the system. The result shows that the use of NAT hosts will affect the beginning time of the worm's outbreak.

With the development of new technologies, a majority of NATs are realized by a NAT box which has a different OS and protocol stack. Therefore, as part of our ongoing work we are working on more complicated NAT environments and the development of effective defense techniques using the knowledge of worm propagation.

Acknowledgements

This work was supported by the Ministry of Education Science and Technology Basic Resource Data Platform (50700), the Ministry of Education Research Project for Returned Talents after Studying Abroad, the Chinese Universities Scientific Fund (2009RC0502), and the International Scientific and Technological Cooperation Program (S2010GR0902).

References

1. Feily M, Shahrestani A, Ramadass S. A survey of botnet and botnet detection. Proceedings of the 3rd International Conference on Emerging Security Information, Systems and Technologies (SECURWARE'09), Jun 18-23, 2009, Athens, Greece. Piscataway, NJ, USA: IEEE, 2009: 268-273
2. Li P, Salour M, Su X. A survey of internet worm detection and containment. IEEE Communications Surveys and Tutorials, 2008, 10(1): 20-35
3. Zou C C, Gong W B, Towsley D, et al. Code Red worm propagation modeling and analysis. Proceedings of the 9th ACM Conference on Computer and Communication Security (CCS'02), Nov 18-22, 2002, Washington DC, USA. New York, NY, USA: ACM, 2002: 138-147
4. Zou C C, Gong W B, Towsley D, et al. The monitoring and early detection of internet worms. IEEE/ACM Transaction on Networking, 2005, 13(5): 961-974
5. Chen Z, Gao L, Kwiat K. Modeling the spread of active worms. Proceedings of the IEEE 22nd Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM'03): Vol 3, Mar 30-Apr 3, 2003, San Francisco, CA, USA. Piscataway, NJ, USA: IEEE, 2003: 1890-1900
6. Su F, Lin Z W, Ma Y. Worm propagation modeling based on two-factor model. Proceedings of the 5th International Conference on Wireless Communications, Networking and Mobile Computing (WiCOM'09), Sep 24-26, 2009, Beijing, China. Piscataway, NJ, USA: IEEE, 2009: 4p
7. Su F, Lin Z W, Ma Y. Effects of firewall on worm propagation. Proceedings of 2009 IEEE International Conference on Communications Technology and Applications (ICCTA'09), Oct 16-18, 2009, Beijing, China. Piscataway, NJ, USA: IEEE Computer Society, 2009: 880-884
8. Su F, Lin Z W, Ma Y. A survey of internet worm propagation models. Proceedings of the 2nd IEEE International Conference on Broadband Network & Multimedia Technology (IC-BNMT'09), Oct 18-20, 2009, Beijing, China. Piscataway, NJ, USA: IEEE, 2009: 453-457
9. Wang Y, Chakrabarti D, Wang C X, et al. Epidemic spreading in real networks: an eigenvalue viewpoint. Proceedings of the 22nd International Symposium on Reliable Distributed Systems (SRDS'03), Oct 6-18, 2003, Florence, Italy. Piscataway, NJ, USA: IEEE, 2003: 25-34
10. Okamura H, Kobayashi H, Dohi T. Markovian modeling and analysis of Internet worm propagation. Proceedings of the 16th IEEE International Symposium on Software Reliability Engineering (ISSRE'05), Nov 8-11, 2005, Chicago, IL, USA. Piscataway, NJ, USA: IEEE, 2005: 149-158
11. Kamra A, Feng H H, Misra V, et al. The effect of DNS delays on worm propagation in an IPv6 Internet. Proceedings of the 24th Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM'05): Vol 4, Mar 13-17, 2005, Miami, FL, USA. Piscataway, NJ, USA: IEEE, 2005: 2405-2414
12. Xing C Y, Yang L, Chen M. Modeling analysis of network worm propagation. Journal of University of Electronic Science and Technology of China, 2006, 36(3): 590-593 (in Chinese)
13. Rajab M A, Monrose F, Terzis A. On the impact of dynamic addressing on malware propagation. Proceedings of the 4th ACM Workshop on Recurring Mal[…], Nov […], VA, USA. New York, NY […]

(Editor: WANG Xu-yin)
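The two-factor model of Eq. (6) in Section 3.3, and its stated reduction to the KM model of Eq. (2) when the infection rate is constant and Q(t)=0, integrated numerically as an added example (this is not code from the paper). The function names and all parameter values are constructed for illustration.

```python
# Added example: two-factor model (Eq. 6) and KM model (Eq. 2), RK4-integrated.
# Parameter values and function names are constructed, not taken from the paper.

def rk4(f, y, dt, steps):
    """Integrate y' = f(y) with the classical 4th-order Runge-Kutta scheme."""
    out = [tuple(y)]
    for _ in range(steps):
        k1 = f(y)
        k2 = f([a + dt / 2 * k for a, k in zip(y, k1)])
        k3 = f([a + dt / 2 * k for a, k in zip(y, k2)])
        k4 = f([a + dt * k for a, k in zip(y, k3)])
        y = [a + dt / 6 * (p + 2 * q + 2 * r + s)
             for a, p, q, r, s in zip(y, k1, k2, k3, k4)]
        out.append(tuple(y))
    return out


def two_factor(N, I0, beta0, gamma, mu, eta, t_end, dt=0.05):
    """Return [(S, I, R, Q), ...] for Eq. (6) with I(0)=I0, R(0)=Q(0)=0."""
    def f(y):
        S, I, R, Q = y
        beta_t = beta0 * max(0.0, 1.0 - I / N) ** eta  # decreased infection rate
        dQ = mu * S * (I + R)                          # J(t) = I(t) + R(t)
        dR = gamma * I
        dS = -beta_t * S * I - dQ                      # Eq. (3)
        dI = beta_t * S * I - dR                       # Eq. (4) with S = N-I-R-Q
        return [dS, dI, dR, dQ]
    return rk4(f, [N - I0, I0, 0.0, 0.0], dt, int(round(t_end / dt)))


def km(N, I0, beta, gamma, t_end, dt=0.05):
    """Return [(J, R), ...] for the KM model of Eq. (2), where I = J - R."""
    def f(y):
        J, R = y
        I = J - R
        return [beta * I * (N - J), gamma * I]
    return rk4(f, [I0, 0.0], dt, int(round(t_end / dt)))


def peak_infectious(traj):
    """Largest I(t) reached along a two_factor() trajectory."""
    return max(state[1] for state in traj)


def max_conservation_error(traj, N):
    """Largest deviation of S+I+R+Q from N along the trajectory."""
    return max(abs(sum(state) - N) for state in traj)


if __name__ == "__main__":
    N = 1_000_000                                      # constructed population
    full = two_factor(N, 1, 0.8 / N, 0.05, 0.06 / N, 3, t_end=80)
    bare = two_factor(N, 1, 0.8 / N, 0.0, 0.0, 0, t_end=80)
    print("peak I(t), both factors on :", round(peak_infectious(full)))
    print("peak I(t), no countermeasures:", round(peak_infectious(bare)))
    print("max |S+I+R+Q-N|:", max_conservation_error(full, N))
```

Setting `mu=0` and `eta=0` in `two_factor` gives the KM case; with `gamma=0` as well it is the simple epidemic model of Eq. (1).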
