Download Code Red Worm Propagation Modeling and Analysis Zou, Gong

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
Document related concepts

Infection control wikipedia , lookup

Transcript 
Code Red Worm Propagation
Modeling and Analysis
Zou, Gong, & Towsley
Michael E. Locasto
March 4, 2003
Paper # 46
Overview
• Code Red incident data & impact
• epidemiology models
– traditional (biological) infection models
– two-factor worm model
• related work & questions
– (Weaver & Sapphire)
Motivation
• Internet great medium for spreading
malicious code
– Code Red & Co. renew interest in worm studies
• Issues:
– How to explain worm propagation curves?
– What factors affect spreading behavior?
– Can we generate a more accurate model?
Epidemic Models
• Deterministic vs. Stochastic
– Simple epidemic model (paper #45)
– general epidemic model (Kermack-Mckendrick
add notion of removed hosts)
• good baseline, need to be adjusted to
explain Internet worm data
• any model must be deterministic (b/c of
scale)
Two-Factor Worm Model
• Two major factors affect worm spread:
– dynamic human countermeasures
•
•
•
•
anti-virus software cleaning
patching
firewall updates
disconnect/shutdown
– interference due to aggressive scanning
• Rate of infection (ß) is not constant
Two-Factor Worm Model (con)
• Two important restrictions:
– consider only “continuously activated” worms
– consider worms that propagate w/ort topology
Infection Statistics
Classic Simple Epidemic Model
• Model presented in
paper 45 (classic
simple epidemic
model, k=1.8, k=BN)
• a(t) = J(t) / N (fraction
of population infected)
• Wrong! (compare to
last slide)
Simple Epidemic Model Math
• Variables:
• infected hosts (had virus at some point) = J(t)
• population size = N
• infection rate = ß(t)
• dJ(t)/dt = βJ(t)[N - J(t)]
Two-Factor Model Math
• dI(t)/dt = β(t)[N - R(t) - I(t) - Q(t)]I(t) dR(t)/dt
–
–
–
–
–
–
–
–
S(t) = susceptible hosts
I(t) = infectious hosts
R(t) = removed hosts from I population
Q(t) = removed hosts from S population
J(t) = I(t) + R(t)
C(t) = R(t) + Q(t)
J(t) = I(t) + R(t)
N = population (I+R+Q+S)
Two-Factor Fit
• Take removed hosts
from both S and I
populations into
account
• non-constant infection
rate (decreases)
• fits well with observed
data
Results
• Two-factor worm model
– accurate model without topology constraints
– explains exponential start & end drop off
– identifies 2 critical factors in worm propagation
• Only 60% of CR targets infected
Related documents
Code Red Worm Propagation Modeling and Analysis Zou, Gong
Code Red Worm Propagation Modeling and Analysis Zou, Gong
File
File
Slow Worm - Scottish Environment LINK
Slow Worm - Scottish Environment LINK
ppt - NOISE
ppt - NOISE
Worms - Latter
Worms - Latter
Influenza epidemic spread simulation for Poland a large
Influenza epidemic spread simulation for Poland a large
Dreaded Diseases - inetTeacher.com
Dreaded Diseases - inetTeacher.com
Infectious Disease
Infectious Disease
Dangerous Computer Worms
Dangerous Computer Worms
Epidemics
Epidemics
CIS3360: Security in Computing (online session, Spring 2012)
CIS3360: Security in Computing (online session, Spring 2012)
Simulating Worms
Simulating Worms
Worm Defenses
Worm Defenses
Introduction CS 239 Security for Networks and System
Introduction CS 239 Security for Networks and System
Slides - University of Virginia, Department of Computer Science
Slides - University of Virginia, Department of Computer Science
Part I: Introduction - Computer Science and Engineering
Part I: Introduction - Computer Science and Engineering
Active Worms - Computer Science and Engineering
Active Worms - Computer Science and Engineering
ppt
ppt
ppt
ppt
OKL4 Microvisor
OKL4 Microvisor
16-worms
16-worms
Ir(t) - IPAM
Ir(t) - IPAM