18-08-2011, 11:18 AM
Abstract
Self-propagating codes, called worms, such as Code Red, Nimda, and Slammer, have drawn significant attention due to their enormous adverse impact on the Internet. There is a great interest in the research community in modeling the spread of worms and in providing adequate defense mechanisms against them. In this paper, we present a (stochastic) branching process model for characterizing the propagation of Internet worms. This model leads to the development of an automatic worm containment strategy that prevents the spread of worms beyond its early stages. Specifically, using the branching process model, we are able to (1) provide a precise condition that determines whether the worm will eventually die out and (2) provdide the probability that the total number of hosts that the worm infects will be below a certain level. We use these insights to develop a simple automatic worm containment scheme, which is demonstrated, through simulations and real trace data, to be both effective and non-intrusive.
Keywords: Internet scanning worms, stochastic worm modeling, branching process model, early phase propagation, automatic worm containment.
1. Introduction
The Internet has become critically important to the financial viability of the national and global economy. Meanwhile, we are witnessing an upsurge in the incidents of malicious code in the form of computer viruses and worms. One class of such malicious code, known as worms, spreads itself without human intervention by using a scanning strategy to find vulnerable hosts to infect. Code Red, SQL Slammer, and Sasser are some of the more famous examples of worms that have caused considerable damage. Network ∗This work is partially supported by the National Science Foundation grant 0335247-ANI and an NSF Graduate Fellowship. worms have the potential to infect many vulnerable hosts on the Internet before human countermeasures take place. The aggressive scanning traffic generated by the infected hosts have caused network congestion, equipment failure, and blocking of physical facilities such as subway stations, 911 call centers, etc. As a representative example, consider the Code Red worm version 2 that exploited a buffer overflow vulnerability in the Microsoft IIS web servers. It was released on July 19th, 2001 and over a period of less than 14 hours infected more than 359,000 machines. The cost of the epidemic, including subsequent strains of Code Red is estimated by Computer Economics to be $2.6 billion [22]. While Code Red was particularly virulent in its economic impact (e.g., see [2, 11]) it provides an indication of the magnitude of the damage that can be inflicted by such worms. Thus, there is a need to carefully characterize the spread of worms and develop efficient strategies for worm containment. In the current literature, three broad classes of strategies have been identified for mitigating the risks of worms. (i) Prevention: This involves improving the security and heterogeneity of software on the Internet and automatically checking hosts for vulnerabilities worms could exploit, and patching them before a worm incident happens; (ii) Treatment: This involves eliminating the vulnerability exploited by the worm after the incident has become known and removing the worm from the host itself; (iii) Containment: This involves blocking or slowing down the communication between infected and uninfected hosts. These three strategies complement each other and in this paper, our focus will be on developing an effective containment strategy. The goal of our research is to provide a model for the propagation of random scanningworms and the corresponding development of automatic containmentmechanisms that prevent the spread of worms beyond its early stages
Download full report
https://engineering.purdue.edu/dcsl/publ...aready.pdf