ModelingandAnalysisofWormInteractions (WaroftheWorms) SaponTanachaiwiwat AhmedHelmy MingHsiehDepartmentofElectricalEngineering ComputerandInformationScienceandEngineering UniversityofSouthernCalifornia,CA UniversityofFlorida,FL [email protected] [email protected]

Abstract —“War of the worms” is a war between opposing 14000 computer worms, creating complex worm interactions as well as .A detrimental impact on infrastructure. For example, in 12000 .A September 2003 the Welchia worms were launched to terminate 10000

the Blaster worms and patch the vulnerable hosts. In this paper, 8000 we try to answer the following questions: How can we explain the dynamic of such phenomena with a simple mathematical Infectives 6000 model? How can one worm win this war? How do other factors 4000

such as locality preference, bandwidth, worm replication size and 2000 reaction time affect the number of infected hosts ? We propose a 0 new Worm Interaction Model (based upon and extending beyond Dec May Oct Mar Aug Jan Jun Time the epidemic model) focusing on random-scan worm Fig.1.Twoyearinfectedhostsoffamousinteractingworms: interactions. We also propose a new set of metrics to quantify Welchia.Aand.A[6] effectiveness of one worm terminating other worm. We validate our worm interaction model using extensive ns-2 simulations. . In September 2003, a network worm Welchia This study provides the first work to characterize and investigate worm interactions of random-scan worms in multi- attempted to terminate another network worm Blaster by hop networks. deleting Blaster’s process and downloading patch from website. Even with good intention, Welchia createdlargeamountoftrafficcausingseverecongestionto I. INTRODUCTION theInternetandMicrosoftwebsite.Wedefineabovescenario Since the Morris worm incident in 1988, worms have as worminteractioninwhichawormterminatesandpatches beenamajorthreattoInternetusers.Inaddition, moreand anotherworm.Moreofworminteractionsareexpectedinthe more worms carry destructive payload enabling them to future [13]. Our preliminary worm interaction concept was perform distributed denialofservice attacks, steal presentedin[14,15]. username/password or hijack victims’ files. Worms can be In this paper, we focus our study on modeling the categorized as network worms and email worms. Network interactions of random scan worms in different network wormssuchasSlammer,Witty,andCodeRedaggressively environmentsusingdifferentscanningstrategies.Wefurther scan and infect vulnerable machines. Massmailing worms’ investigate whether nonmalicious worms generated by propagationsuchasKamasutra,LoveBugs,andrely automatic reverseengineering techniques [2] or automatic onsocialengineeringtechniques.Severalwormpropagation patching [17] can be used to terminate malicious worm modelshavebeenproposed[7,8,9,18,20]toprovidethe effectively. We find that such effectiveness does not only insight into the dynamic of network worm propagations as dependonscanrateofwormsbutalsoonnetworktopologies well as effectiveness of available detection and response andtheirstrategies. mechanisms.However,thosewormpropagationmodelshave Ourcontributionsinthispaperare not considered the interaction among different worm types and,asweshallshow,areinadequatetomodelwar of the • Webuildanew accurateWormInteractionModel .We worms. validate our model through extensive simulations. We alsoproposethenetworkdelayfactor thatisthefunction The war of the worms creates unprecedented of packet size, link latency, queuing delay and dynamic and complex scenarios (fig.1) as well as bandwidth.OurWormInteractionModelcanbeeasily detrimental impact on infrastructure. extended to cover more complex multiple worm interactions. • We propose a new set of metrics to measure the effectiveness of one worm terminating another worm: totalinfectives ( forbrevity,weshallcallinfectedhosts Much of this work was performed at the University of Southern California with support from NSF awards: CAREER 0134650, as“infectives”fromnowon) andindividuallifespan of ACQUIRE0435505andIntel. terminated worm. We show the relationships of such metrics to the worm interaction. Our model can

Authorized licensed use limited to: University of Florida. Downloaded on November 28, 2008 at 22:46 from IEEE Xplore. Restrictions apply. accurately approximate these metrics with properly only on delaylimited worms with different type of chosennetworkdelayfactors. interactions fromoursanddidnotconsidernetworkrelated • We derive the important parameter, Epidemiological factors. Threshold , from worm’s scan rate ratio and initial The study in [7, 8, 20] investigated the propagation of infective ratio to quantify the degree of outbreak and the random scan network worm and local scan preference guidelineforeffective wormcontainment. strategy which were used by Code Red II and . Weaimatusingourproposedworminteractionmodel Extending beyond that study, our work emphasizes the as the foundation of effective security response protocol effect of preferred-local-scanning strategy as well as designthatdeploysbeneficialwormstoterminatemalicious underlying network characteristics such as reaction time, worms [14]. We explain the necessary components of this worm replication size, bandwidth on worm interaction s. protocolinSectionVII. Theimpactofrouter’sbehaviorandbackgroundtraffic Next we discuss the related work in Section II. We onthepropagationdynamicsofsingle worm typehasbeen explain the basic epidemic model and related variables in studied in [11]. This can drastically affect the dynamic of Section III and then in Section IV we explain the basic worm interactions. We discuss more on this issue in definitionsrequiredforunderstandingtheWormInteraction subsectionVI.C.a Model.AfterthatinSectionV,weextendthebasicepidemic III.EPIDEMIC M ODEL model to build the Worm Interaction Model for onesided interaction.InSectionVI,weevaluateaccuracyofourmodel From[3],thebasicsusceptibleinfectedrecovered(SIR) as well as the effectiveness of worm termination based on epidemic model which was developed for the study of proposedmetrics.WeconcludeourworkinSectionVII. biological infectious diseases has been used to explain the behaviorofselfreplicatingnetworkworms[7,9,18,20]. II. RELATED W ORK InSIRmodel,vulnerablehostsfallinoneoffollowing In [2], the authors pointed out that traditional human states in sequence—susceptible, infected and recovered. intervened responses were too slow and the worm Susceptible hostshaveneverhadthediseaseandcancatchit. terminatingworm scheme may be practical, since today’s Infected hosts have the disease and are contagious. defense(prevention,treatment,andcontainment)technology Recovered hosts have already had the disease and are still cannot cope with such spreading speed [3, 9, 18]. immuneorcured. Moore, Shannon, Voelker and Savage [9] evaluate the Let N be the size of vulnerable population, I be the effectivenessofautomatednetworklevelwormcontainment numberofinfectedhostsattimet, R betherecoveredhosts based on IPbased blacklisting and signaturebased filtering at time t, β becontactratei.e.therateofcontactbetween techniques.Interactingworms,however,donotneedtofilter hosts, γ be the removal or recovered rate and S which the opposing worms, because they will remove the replicationsandvulnerabilitiesoftheopposingwormsfrom equals to N − I − R be the number of susceptible hosts at thevulnerablehosts .Ourworkaimstoprovideaframework timet. β and γ areassumedconstant. explaining worm interactions relating to automated worm generationtocounterongoingattackingworm. βSI γI In[2],theauthorssuggestedmodifyingexistingworms such as Code Red, Slammer and Blaster to terminate the original worm types. The modified code will retain portion ofattackingmethodsoitwouldchooseandattackthesame set of susceptible hosts. In this paper, we assume the Fig.2.SIREpidemicModels existence of this technology. Other active defense such as automaticpatchingwasalsoinvestigatedin[17];theirwork The fundamental nonlinear ordinary differential assumedthepatchserverandoverlaynetworkarchitecture. equationsofSIRmodelareshownbelow, We provide the mathematical model that can explain the dS behavior of automaticgenerated beneficial worm and = −βSI (1) automatic patch distribution using onesided worm dt interaction. In [17] authors assumed patch blocking by dI worms after infection, and hence this scenario yields = βSI − γI (2) differenttypeofinteraction[14]fromwhatweemphasizein dt this paper. Our work limits only to understanding and evaluating automated worm (with patch) generation but we dR = γI .(3) do not touch upon details of vulnerabilities nor related dt software engineering techniques to generate patches or worms. Active defense using beneficial worms was also The transitions of states are shown in fig.2. An arrow mathematicallymodeledin[12];however,theauthorfocused representsaflowfromonestatetoanother.Thismodeldoes

Authorized licensed use limited to: University of Florida. Downloaded on November 28, 2008 at 22:46 from IEEE Xplore. Restrictions apply. not consider the birth/death of population as well as the Start spatialdistributionofsusceptiblehosts. Infected with Yes Exit From (2), the epidemic is sustainable only if predator? dI βS No > 0 whichrequires > 1;suchimportantratioiscalled Yes Infect host Remove dt γ Infected with with prey from prey? EpidemiologicalThreshold , predator host

No βS No E ≡ .(4) No 0 Scan other Patch Time out? γ hosts available?

Yes Yes We would use SIR model as the foundation of our Apply patch (to proposed Worm Interaction Model which we will discuss Exit prevent in Section V. No prey re- infection) IV.DEFINITIONS (a) In previous section, we have discussed general definitions of SIR model. However we need additional elementary definitions and concepts that we use in Worm Interaction Model. We start by examining the important conceptofthe predatorprey relationships. A. PredatorPreyRelationships For every worm interaction type, there are two basic characters: Predator and Prey .The Predator ,inourcasethe beneficial worm, is a worm that terminates and patches (b) againstanother worm.The Prey , in our case the malicious worm,isa wormthatis terminatedorbyanother Fig.3.Lifecyclesof(a)Predator(b)Prey worm. Only predator (fig.3(a)) needs to check whether prey Apredatorcanalsobeapreyatthesametimeforsome resides in the same host before it can terminate prey other type of worm. Predator can vaccinate a susceptible (fig.3(b))andpatchthehosttopreventreinfectionfromprey node, i.e., infect the susceptible node (vaccinated nodes (if patch available). Both types terminate itself after become predatorinfected nodes) and apply a patch predefinedtimeoutunlessithasbeenterminatedbyopposing afterwardstopreventthenodesfrompreyinfection.Manual wormormanualremovalprocess.Forexample,Welchiahas vaccination, however, is performed by a user or an embeddedtimeoutwhichitwilldisableandterminateitselfif administratorbyapplyingpatchestosusceptiblenodes. the year from computer system’s date is 2004 [16]. The A termination refers to the removal of prey from reason for selftermination is for reducing unnecessary infected nodes by predator; and such action causes prey workload and traffic on the host infected by Welchia. For infected nodes to become predatorinfected nodes. The simplicity, in our Worm Interaction Model (Section V), we removalbyauseroranadministrator,however,isreferredto assumethatthepatchiscontainedwithinpredator’spayload asmanualremoval. andthetimeoutperiodsforbothwormsareindefinite.Our We choose to use two generic types of interacting modelalsoassumesthatpredatoralwaysdetectspreyifprey worms,AandB,asourbasisthroughoutthepaper.AandB alreadyinfectsthevulnerablehost.Bothpredatorandprey can assume the role of predator or prey depending on the aresubjecttovaccinationandmanualremoval. typeofinteractions. C. Contactrate B. WormLifecycle AsexplainedinsubsectionIV .B,eachwormconstantly Fig.3illustratesthebasiclifecycleofpredatorandprey. scansthevulnerablehostsbyissuingnewwormreplication Predatorandpreysearchforsusceptiblehostsbyusingeither torandomlychosenaddresses.Let Pv betheprobabilityof TCP(suchasCodeRedandCodeRedII)orUDPexhaustive worm replication having a contact with a vulnerable host scan(suchasSlammerandWitty).UnlikeUDPscanworm, fromthetotaladdressspace υ i.e.forIPv4is2 32 .Wedefine TCPscan worms need to wait for its responses from valid a contact as a worm replication reaching a destined destinations. The waiting time makes its scan rate much slowerthanthescanrateofUDPscanworms. vulnerablehost.Let Ps bethefractionofavulnerablehosts reachedbyawormreplication, N P ≡ (5) v υ

Authorized licensed use limited to: University of Florida. Downloaded on November 28, 2008 at 22:46 from IEEE Xplore. Restrictions apply. 1 D. WormInteractionRatios P ≡ (6) s N To estimate how much relative characteristics of predatorandpreyimpactontheirpropagations,wepropose where 0 ≤ Pv ≤ 1and 0 ≤ Ps ≤1.following worm interaction ratios: scan rate ratio , initial Awormreplicationcanbesignificantlysloweddownby infectiveratio .Wefurtherdeveloptheconceptof similarity networkdelay( D)including transmissiondelay,linkdelay, and difference togaininsightintorelationshipsbetweenscan processingdelayandqueuingdelay.Let ρ and ρ bethe rate ratios, and between initial infective ratios. We also A B systemically derive minimum scan rate ratio and minimum networkdelay factor which attenuates contact rate of prey initialinfectiveratiofor effectivetermination inSectionV. andpredator. a.Scanrateratio Let υ and υ betherespectivescannedaddressspace A B Scanrateratioistheratioofscanratesofonewormtype of prey and predator, and let rA and rB be the respective tothatofanotherwormtype.Let X beascanrateratioof scan rate of prey and predator where a scan rate is a predatortoprey, frequency of a worm issuing its replication to chosen rB destinations.Thusthecontactrateofprey β A andthecontact X ≡ (8) rA rateofpredator β B are If we assume that DA = DB = D ≈ 0 and υ A = υB then ρArA βA ≡ ρArAPv Ps = (7a)contact rate ratio of predator to prey can be derived υA approximatelyas ρ r r r 1( + r D) β β ≡ ρ r P P = B B (7b)B ≈ B A = B .(9) B B B v s υ B rA rA 1( + rB D) β A where 0 ≤ ρ A ,ρB ≤ 1 . r r Bi B j Xiissimilar to Xjonly when = ,otherwiseitis Let D and D be respective network delay for prey r r A B Ai Aj andpredator.Wecanderive ρ and ρ asfollows: A B saidtobedifferent from Xjwhere iand jrepresentinteracting pairs. /1 rA −1 ρ A = = 1( + rA DA ) (7c) Forexample, X1=1:2issimilarto X2=2:4butthefirst /1 rA + DA ratio has rA =1/sec, rB = 2/sec and the latter has rA =2/sec, /1 rB −1 ρ B = = 1( + rB DB ) (7d) rB =4/sec.Todifferentiatebetween X1and X2,weusescan /1 rB + DB rateratio multiplicative factor ki, from above example we The contact rate can be dynamic according to the havek1=1.0for X1and k2=2.0forX2.Weuse X=1:1asthe networkcongestion(networkdelay),adaptivescanrate[14] absolutereference.Theimportanceofthisconceptisshown andchangeofscannedaddressrange. inSectionV. Let e be number of targeted sub networks. For sub b.InitialInfectiveratio network j,let hAj and hBjbetheprobabilityofnetwork jbeing Initial infective ratio is the ratio of infective of one scanned for prey and predator , gA and gB be the worm wormtypetothatofanotherwormtypeatinitialreleasetime replicationsizeforpreyandpredator, qAj and qBjbeaverage ofbothworms.Let Y beaninitialinfectiveratioofpredator queuelengthofoutgoinglinksforpreyandpredator, bAj and toprey, bBj be average bandwidth of outgoing links for prey and I B )0( predator, cAj and cBjbeaveragepacketdroprateforpreyand Y ≡ (10) predatorand uAj and uBjbeaveragelinkdelaysforpreyand I A )0( predator.Wecanderive DA and DB asfollows: where I A )0( and IB )0( = number of initial infectives of prey e g A (q Aj + )1 andpredatorrespectivelyattheirreleasedtimes. D = (h 1( − c )(u + )) (7e) A ∑ Aj Aj Ai j=1 bAj This ratio is only valid when there is no difference in launching time of prey and predator . We can also consider e g B (q Bj + )1 the ratio of infected hosts for any t; however, we shall D = (h 1( − c )(u + )) (7f) B ∑ Bj Bj Bi consider the delay of launching the opposing worm i.e. j=1 bBj reactiontimeinthenextsubsection. Hence,accordingtotheirstrategies, and canbe DA DB I I B )0( i B )0( j drasticallydifferentbetweenpreyandpredator.Notethat qAj , Again Yi is similar to Yj only when = , I A )0( I A )0( qBj, cAj and cBjare subjecttobackgroundtrafficsalso . i j otherwiseitissaidtobe differentfrom Yj.

Authorized licensed use limited to: University of Florida. Downloaded on November 28, 2008 at 22:46 from IEEE Xplore. Restrictions apply. β SI For example Y1= 1:1 is similar to Y2= 2:2 but the first B B ratiohas I = I =1andthelatterhas I = I =2.To 0(A ) 0(B ) 0(A ) 0(B ) γ I β ASI A β B I AI B B B differentiate between Y1 and Y2, we use initialhost ratio multiplicativefactor liwhich l1=1.0for Y1and l2=2.0for Y2. Weuse Y=1:1astheabsolutereference.Theimportanceof thisconceptisshowninSectionV. γ AI A V.WORM I NTERACTION M ODEL γ S S As discussed in subsection IV. B, basic operation of a Fig.4.Aggressiveonesidedinteractions wormistofindsusceptiblenodestoinfectandthemaingoal ofattackersistohavetheirwormsinfectthelargestamount Weassumethattimeoutperiodinthemodelisindefinite ofhostsintheleastamountoftime,andifpossible,remain forbothpreyandpredator.Let γ S bethemanualvaccination undetectedbyantivirusorintrusiondetectionsystems. rate and let γ A and γ B be the removal rate for prey and However, recently the goal of attackers has been predator.Hence,thesusceptiblerateis expanded to eliminate opposing worms. Thus we want to investigate the worm propagation behavior caused by this dS = −β ASI A − βBSI B − γ S S .(11) andothertypesofinteractions.Todescribetheinteraction, dt wedevelopanovelWormInteractionModelextendingthe Since prey relies on susceptible hosts to expand its epidemicmodel[5]. population,theincreaseofpreyinfectionrateisdetermined AstheconstantremovalrateinbasicSIRmodelcannot bythecontactsofthesusceptiblehostsandpreyinfectives. directlyportraysuchinteractions,ourmodelbuildsuponand Thedecreaseofpreyinfectionrateisdeterminedbymanual extends beyond the conventional epidemic model to removalandpreyterminationcausedbythecontactsofprey accommodatethenotionofinteraction.LikeSIRmodel,our infectivesandpredatorinfectiveswhosecontactsareinitiated modelassumesnochangeoftotalhostpopulation. bypredator.Hencethepreyinfectionrateis Weaimtobuildafundamentalwormpropagationmodel dI A = β SI − β I I − γ I .(12) thatcapturesworminteractionasakeyfactor.Ourproposed dt A A B A B A A model should determine what happen to susceptible hosts, preyandpredatoroverthecourseoftime. Becausepredatorcanterminatepreyaswellasvaccinate susceptible hosts, the increase of predator infection rate is Worm interaction can be categorized as onesided or determined by the contacts of predator with either the twosided interaction. Onesided interaction means one susceptible hosts or prey infectives whose contacts are wormtypeterminatingandpatchingotherwormtype.Two initiatedbypredator.Thedecreaseofpredatorinfection is, sided interaction means two worm types terminating and however,determinedonlybymanualremoval.Thus patching each other. In this paper, we only focus on dI aggressiveonesidedinteractioninwhichpredatorterminates B = β SI + β I I − γ I .(13) prey and also vaccinates vulnerable hosts. Interaction dt B B B A B B B between Welchia and Blaster can be represented as The removal rate is simply the sum of vaccination of aggressiveonesidedinteraction. susceptiblehosts,manualremovalofbothpreyandpredator. Whenthereisaprey(A)andapredator(B),weconsider dR this as onesided interaction. For ideal scenario, predator = γ S S + γ A I A + γ B I B .(14) wants to terminate prey as much as possible as well as dt preventpreyfrominfectionandreinfection.Tosatisfythat From(12),theepidemiologicalthresholdforpreyis requirement, predator requires patch or false signature of β ASI A β AS prey.Inthispaper,weonlyfocusoninteractionsofrandom EA = = .(15) scan network worms that can carry patch within their βBI AI B + γ AI A βBIB + γ A payload.Otherwise,predatorcansurelycauseanunwanted Ifwewantpreytobecontainedbypredatori.e. EA <1 distributed denialofservice attack to the patch server, and at t= 0, and we assume γ = γ = 0 (because of user’s henceslowdownitsowninfection. A B unawareness of worms’ presence at the early stage of Detailsofotheronesidedworminteractionthatdoesnot propagation) and β , β , I )0( , I )0( > 0, werequiresthat incorporate patch or false signature, including conservative A B A B interaction,friendlyinteraction,canbefoundin[14]. theminimumscanrateratiotobe In aggressive onesided interaction, as shown in fig.4, β S )0( S )0( B = X > = (16) susceptible hosts’ decrease rate is determined by manual β A IB )0( YIA )0( vaccination and the contact of susceptible hosts with prey causing prey infection or with predator causing predator orminimuminfectiveratiotobe vaccination.

Authorized licensed use limited to: University of Florida. Downloaded on November 28, 2008 at 22:46 from IEEE Xplore. Restrictions apply. S )0( Otherimportantfindinghereinfig.5(b)isthat similar Y > .(17) XI )0( scan rate ratios with different ki in fixed population yields A equal maximum of prey infectives ; however, times that From(13),theepidemiologicalthresholdforpredatoris take to reach the exact number of infectives between similar scan rate ratios decrease proportionally with the βBSIB + βBI AIB βB (S + I A) EB = = .(18) increase of ki. Tobespecific,weshallexplainanexample γ BIB γ B fromfig.5(b)whereX1=1:1, X2=2:2,…, X5=5:5. Wecan With the same assumption as for (16), predator can observe that the time required to reach maximum of prey always spread with γ B = 0 ( EB = ∞). Note that after infectivesforX1is1.3185 secondswhichis 0.2 (or k1/k 5)of predator or prey terminate themselves because of the time time required to reach maximum of prey infectives for X5 whichis6.5927seconds.Thisobservationisalsoappliedto out(asshowninSection IV .B), I B and I A becomezero. anyother Xi. Thisalsohintsthat automatedgeneratingworm Toseetheimportanceofscanrateratioandinitialhost that preserve the characteristic of original worm i.e. same ratio, weplotnumerical solutions fromouraggressiveone scanratewilloptimallylimitthemaximumpreyinfectivesto sided interaction model using four sets of variables in this 20%ofvulnerablepopulationsnomatterwhatoriginalscan model: (1) similar scan rate ratios with a fixed initial host rateis . ratio where k1 = ,1 k 2 = ,2 …, k5 = 5 . (fig. 5(b)), (2) Furthermore, this observation also applies to sets of similar initialhostratios withafixed scanrateratio where similar initial infective ratio for equal maximum of prey l1 = ,1 l2 = ,2 …, l5 = 5 .(fig.5(d)),(3) different scanrate infectivesasshowninfig.5(d).However,inthisfigure,we ratios with a fixed initial host ratio (fig.5(a)), and (4) keep the ratio of susceptible hosts to initial predator different initial host ratios with a fixed scan rate ratio infectives to initial prey infectives similar, e.g. Y1=1:1 with (fig.5(c)). S1=998, Y2=2:2with S2=1996,…,Y5=5:5 with S5=4990.We canobservethatallinfectivefractionsofpreyfordifferent l This can be observed from fig.5 that the change of i overlapping exactly at the same positions for all t. This predator scan rate causes multiplicative change in prey means that the number of total vulnerable hosts does not infection rate while the change of predator initial infected affect the relative fraction of infections as long as the host ratio only causes additive changes in prey infection ratio of susceptible hosts to predator infectives to prey rate. In other words, change of predator scan rate is infectives are similar . repetitively applied to prey infection rate while change of initial predator infected hosts is only applied once to prey To understand the unique characteristics of the worm interactions better, in fig.6, we compare the instantaneous infectionrate(atinitialrelease). Notethatextremelylarge Xi cancauseadverseeffectonthepredatorcontactratebecause preyinfectivesoftheSIRmodelusing6different removal of excessive network congestion (with large D and hence rates with those of the aggressive onesided interaction B model ( γ = 0.004, 0.002, 0.04, 0.02, 0.4 and 0.2 and low β )andpossiblyarouteroutage[11]. B β = 0.004). For the aggressive onesided interaction model 1 1 X=2:3 X=1:1 ( β A = βB = 0.004), we assume that manual removal is 0.8 X=3:3 0.8 X=2:2 negligible ( γ = γ = 0).Wecansee muchshaperdropof X=4:3 X=3:3 A B 0.6 X=5:3 0.6 X=4:4 instantaneous prey infectives in aggressive onesided X=6:3 X=5:5 0.4 0.4 interaction model than those of SIR model. Those chosen removalratesintheSIRmodelare constantmultipliers with 0.2 0.2 Infective Fraction (A) Infective Fraction (A) the prey infectives; while the aggressive onesided 0 0 0 5 10 15 0 5 10 15 interaction model has an increasing multiplier which is the Time Time (a)(b) product of the predator infectives and the predator contact 1 1 rate. Y=2:3 Y=1:1 1.0 0.8 Y=3:3 0.8 Y=2:2 Y=4:3 Y=3:3 0.8 0.6 Y=5:3 0.6 Y=4:4 SIR Gamma=4E-3 Y=6:3 Y=5:5 0.4 0.6 SIR Gamma=2E-3 0.4 SIR Gamma=4E-2 SIR Gamma=2E-2 0.2 0.2 0.4 SIR Gamma=4E-1 Infective Fraction (A)

Infective Fraction (A) SIR Gamma=2E-1 0 WIM Beta=4E-3 0 0 5 10 15 0.2 0 5 10 15 Infectives Fraction Time Time (c)(d) 0 0 10 20 30 Fig.5.Preyinfectivesofaggressiveonesidedinteractionwith(a)different Time (Sec) scanrateratio(b)similarscanrateratio( Y=1:1for(a)and(b))(c)different initialinfectiveratio(d)similarinitialinfectiveratio( X=1:1for(c)and(d)) Fig.6.NumberofinfectedhostsbetweentheSIRmodelandtheWorm InteractionModelarecompared.

Authorized licensed use limited to: University of Florida. Downloaded on November 28, 2008 at 22:46 from IEEE Xplore. Restrictions apply. Earlier we make implicit assumption that predator is EachwormuseUDPscantotransferwormreplicationto launched at the same time as prey is (reaction time =0). randomchosenvulnerablehostsofthenetwork.Thedefault However, the realistic reaction time which is the time after packet size is 404 bytes which similar to Slammer worms. preyislaunchedcanbesignificantbasedonhowpredatoris Theresultsarebasedontheaverageofatleast10simulation generatedi.e.manuallyorautomatically.Automatedpredator runs. generation should be several orders faster than the manual A.ModelAccuracy predator generation is. Hence reaction time depends significantly on how soon prey is detected and how early In this section, we compare the simulation results with predatorisgenerated. our proposed model. We use the X = 2:2 for every model Fornonzeroreactiontime,whenpredatorhasnotbeen evaluation. We assume Pv =1.0 (the perfect probability of dI worm replication having a contact with a vulnerable host generatedyetattimet,thepreyinfectionrate A = β SI dt A A fromthetotaladdressspace υ i.e.thevulnerablehostaddress (weassumethatmanualremovalrateisnegligibleduringthis range is exactly the same as scan address range) for both period).Afterafirstpredatorgeneratedattime t+∆t(given prey and predator. This assumption makes the worm propagatemuchfasterthantherealwormpropagationinthe dI A reactiontime= ∆t)then = β A SI A − β B I A .Beyondthis Internet. We will investigate the scenario that P is much dt v pointandbeforethetimeoutofbothpreyandpredator,the lessthan1.0insubsectionVI. C. preyinfectionrateshouldsimplyfollow(12).Theimpactof Fig.7 shows that our numerical solution of our reactiontimeisinvestigatedindepthinVI. C.a. aggressive onesided interaction mathematical model with ρ A =0.65 and ρB =0.65 closely matches with simulation VI.SIMULATION R ESULTS results,especiallytotheresultsofworminteractionintransit TovalidateourWormInteractionModel,weinvestigate stubtopology.Although,fromoursimulation,usingequation network worm propagation using ns2 simulation [10]. 7(c)and7(d),ourestimationfor ρ A and ρ B oftransitstub Instead of using highlevel simulation, we choose ns2 topologyaround0.64basedon D and D =0.284second because we want to investigate the impact of network A B congestion caused by worm propagations on the worm derivedfrom90%ofscanningtrafficsgoingoutsidethelocal interactions. networkandaveragequeuesizeis49foroutboundlink. Our main goal is to verify the accuracy of our Hence,thisfiguresuggeststhatdifferenttopologiescan mathematicalmodelandhavebetterunderstandingofworm yield different interaction characteristics. The reason that interaction in a rich set of environments. We choose the simulatedpropagationintransitstubtopologyisslowerthan Slammerlike worm characteristic as basic behavior of a that of star topology (estimated from simulation, ρ A =0.98 worminthissimulation.Slammerischosenbecause,despite and ρB =0.98, DA and DB = 0.0084 second) because of itssimplicity,itstillholdstheworldrecordoffastestspread higher average number of packets in queues and higher wormyet[6]. average number of hops; even local network bandwidth in We simulate prey (A) and predator (B) which may have the transit stub topology is much higher than bandwidth of different scan rates and initial infectives. Even weconsider star topology but, based on address range, local network the manual removal earlier in the model; we do not model trafficonlyaccountsfor10%ofalltraffic. When compared humaninteractionbecause weonly wanttofocuson worm with simulation results in the transit-stub topology, our interaction. model estimation for prey infectives are almost perfect We simulate 1000 vulnerable hosts in following (<1% error) for aggressive one-sided interaction. topologies: Such congestion of outbound scan can be significantly 1. Starshaped topology: we want to test our model with reduced if prey and predator scan localnetwork addresses network having small number of hops (12 hops) that has more than outsidenetwork addresses [10]. To see the moderateconstantbandwidth(512kbps)andconstantdelay advantageofchoosinglocalnetworkpreferenceeffectively, (1ms)betweenhosts. wewillinvestigatetheeffectoflocalnetworkpreferenceon worminteractioninsubsectionVI. C. 2.Transitstubtopology:thistwoleveltopologywillhelp 1 us test our model with bottleneck network having large Model A 0.8 Model B numberofhops(14hops)thathasmoderatebandwidth(512 Star A 0.6 Star B kbpsaccesslink,10Mbpslocalnetwork)anddelaybetween Trans A Trans B hosts(average1ms).Thereare10localnetworks;eachlocal 0.4 network has100hosts with oneofthemactingasarouter. 0.2 One AS can have one or two local networks. The links InfectivesFraction 0 0 5 10 15 20 between routers in this topology are generated by BRITE Time Internettopologygenerator[1]. Fig.7.Comparisonbetweenmathematicalmodelandsimulationresults fromns2star,andtransitstubtopologies

Authorized licensed use limited to: University of Florida. Downloaded on November 28, 2008 at 22:46 from IEEE Xplore. Restrictions apply. B.EffectivenessofTermination InsubsectionVI.Awehaveshownthatourmodelshows goodapproximationifwecanestimatenetworkdelayfactor Theeffectivenessofterminationisdefinedasameasure properly. of how efficient predator can terminate prey in aggressive onesided interaction. In other words, how much damage Here, we focus on the imperfection caused by doespreycausestothenetworkafterpredatorislaunchedto deployment scenarios that affect the aggressive onesided terminateprey. interaction. Effect of following factors on our proposed

We quantify such effectiveness as two important metrics T and L are investigated. We still assume Pv =1.0 characteristicsofprey: (thevulnerablehostaddressrangeisexactlythesameasscan addressrange)forpreyandpredatorinsubsectionVI. C.aand  Totalinfectives( T):thenumberofhostseverinfectedby VI. C.b. preyincludingpreyinfectivesthathavebeenremoved. Totalinfectivesofpreycanbederivedfrom a. Reactiontime Thereactiontimeisthetimerequiredbeforelaunching ∞ predator by automated wormgeneration or programmer. T = ∫ β ASI Adt .(19) Automated worm [2] or patch generation [9] should take t=0 much less time compared to manual process. Our model assumesthatpredatorstartsscanningimmediatelyassoonas Wehavementionedmaximuminfectivesearlierbut T it vaccinate susceptible hosts or terminate prey; hence the isthe real damagewhilethemaximuminfectivesisonly delayofpatchapplyingwillnotbeconsideredinourmodel. the maximum of instantaneous number of prey Furthermore,wealsoassumethatpatchtakeseffectinstantly infectives at that time. From (12), we can see that withoutneedofrebootingthemachineandbothpredatorand T ≥ maximuminfectives. preyhavethesamescanningrate.  Individual life span ( L): the time between the start of Asshownin fig.8(a),prey individuallifespangrows infection and the end of infection i.e. infectious period exponentially with reaction time. In addition, the lower for individual replication of prey caused by prey outboundbandwidthcausesdropsincontactrateofbothprey termination. Individual life span is derived from and predator. Hence the slow down of worm interaction weightedaverageofinstantaneouslifespanthatweighs causespreytosurvivelonger. on number of terminated node Wt by predator at that 6 1000 timeinstant. Individual Life Span 2 Mbps 5 900 Individual Life Span 1 Mbps 800 From(13),wecanderivetheinstantaneouslifespanat 4 Individual Life Span 512 Kbps Model 700 time t of each terminated prey from the inverse of 3 Total Infectives 2 Mbps 600 c 2 Total Infectives 1 Mbps productofpredatorcontactrateandpredatorinfectives 500

Total Infectives Total Infectives 512 Kbps 1 400 attime t,i.e. (1/(β B I B ))t .Thesumofproductofthat Individual Life Span (Sec) Model 0 300 termandnumberofterminatedpreygivesthetotallife 0 1 2 3 4 5 0 1 2 3 4 5 Reaction Time (Sec) Reaction Time (Sec) span for all prey infectives, and hence we divide that (a) (b) term by total infectives to get average individual life Fig.8.Effectofreactiontimeon(a)preyindividuallifespanand(b)total span. infectives Infig.8(b),thereactiontimecausessignificantincrease 1 ∞ L = W (1/(β I )) (20) oftotalinfectionsonlyinlowreactiontimerange.Weknow ∑ t B B t that three outbound bandwidth links have the same T t=o maximum infective (because of same scan rate ratios)

where Wt = (β BI A I B ) − I A implyingequaloftotalpreyinfectives. Furthermore because the total infectives is the non We will investigate the effect of deployment scenarios decreasing function of time, for slower reaction time, such onthesemetricsaswellasverifytheaccuracyofthemodel number can be extremely high; but since it cannot grow withmetricsobservedfromthesimulationnext. beyondthenumberofvulnerablehostsandhence,itcauses C.DeploymentScenarios thegraduallydropinthegrowthrateoftotalinfectivesand Wesimulatetheaggressiveonesidedworminteraction finallysaturateatlevelofpopulationsize. in different deployment scenarios which we shall discuss Surprisingly, even reaction time is zero with equal next. We deploy two worms in transitstub topology as scan rate ( X=1.0); the prey’s total infectives can be as shown earlier. In addition, now we have 3 outbound high as 35% of total population (if X=2.0, prey’s total bandwidths for the same transitstub topology: 512 kbps, 1 infectivesisonly2%oftotalpopulation ) andindividuallife Mbpsand2Mbps. spanis1.5second .To contain the prey within 50% total

Authorized licensed use limited to: University of Florida. Downloaded on November 28, 2008 at 22:46 from IEEE Xplore. Restrictions apply. infectives, the predator’s reaction time needs to be less Pv and hence on β A and β B . If a worm uses i different than 0.5 second. strategies to scan vulnerable hosts, we can derive Pv , the Fromthemodelwithreactiontime=0,using ρ =0.65 A probability of worm replication having a contact with a and ρ B =0.65, ourestimationsinworminteractionmodelare vulnerablehost,basedonlocalpreferenceasfollows. onlyoffby4%forsimulatedtotalinfectedhostsand9%for thesimulatedinfectiousperiodwhenvaryingreactiontimes . Pv = ∑ fi pi (21) Wecanobservethatourmodelhasbetterapproximationfor i total infectives in the slow reaction time range. We expect where fi is the fraction of strategy i being used, pi is the thecloserestimationifweconsiderthedropofcontactrate probability of worm replication having a contact with a modelingcausedbycongestedoutboundlink[19].Notethat withlargereactiontime,prey’srandomscancancause the vulnerablehostaddressfromthechosenaddressspace υi of router outage [11]. Thus it may prevent predator from strategy i which has ni vulnerable hosts in such address reaching majority of hosts and significantly slow down the range.Forexample, υ ofwormpreferringvulnerablehosts predatorinfection. i 16 32 b. Wormreplicationsize inthesame/16addresshasaddresssize= 2 insteadof 2 , 14 This factor is a transmission overhead reflecting the furthermore, if in that address range, there are only 2 efficiency of coding and compression technique that vulnerablehoststhen pi =0.25. automaticgenerationorprogrammeruses.Someexamplesof Inoursimulation,eachwormuses2strategiesand the wormreplicationsizesandcompressionmechanismscanbe valid addresses only occupy 10% of its scanned address found[13,16].Weassumethatthepredator’sreactiontime range(earlierweassumethatallthescannedaddresses are iszeroforthispartofexperiment. valid).Twostrategiesareassignedasfollowing: Theincreaseofwormreplicationsizeinfig.9(a)causes (1)randomscan( p = 0.099with f ) thelinearincreaseofprey’sindividuallifespan;theeffectis 1 1 clearlyseeninhighlycongestedaccesslinkednetworksi.e. (2)preferredlocalscan( p2 = 0.99with f2 ). 512kbpslink(50%individuallifespanincreasewith200% Weassumethatallofreactiontimeiszeroandtheworm increase of predator replication size). The increase of replicationsizeofbothwormsis404bytes. replication size slightly increases total infectives(fig.9(b)) even in the highly congested accesslinked networks. It InFig.10(a)and(b),wevary f1 and f2 ofbothwormsto suggests that the delay caused by any size of packet slows see how this factor affects the interaction between two downonbothpreyreplicationandpredatorreplication. worms.Givenpreylocalpreference=0(withpurelyrandom Fromthemodel,ifpatchsizeis1212bytesin512kbps scanningstrategy), predator can terminate prey effectively according to individual life span if its local preference is accesslink,with ρ =0.6and ρ =0.575, ourestimationsin A B between 0.6 and 0.8. worm interaction model are only off by 8% for simulated 6 1200 total infected hosts and 9% for the simulated infectious Model X=15:30 f2=0 5 1000 periodwhenvaryingwormreplicationsize . Sim X=15:30 f2=0 4 800 2.6 1000 Model X=15:30 f2=0.5 3 600 Model X=15:30 f2=0 2.4 Individual Life Span 2 Mbps 900 Total Infectives 2 Mbps (Sec) Sim X=15:30 f2=0.5 Sim X=15:30 f2=0 800 2.2 Individual Life Span 1 Mbps 2 400 700 Total Infectives 1 Mbps Model X=15:30 f2=0.5 Individual Life Span 512 Kbps 2 Total Infectives 512 Kbps 1 Infectives Total Prey 200 600 Sim X=15:30 f2=0.5

1.8 Model 500 Model Span Life Individual Prey 0 0 1.6 400 0 0.2 0.4 0.6 0.8 1 0 0.2 0.4 0.6 0.8 1 300 Predator Local Preference Predator Local Preference 1.4 Infectives Total 200 1.2Individual Life Span (Sec) 100 (a) (b) 1 0 404 606 808 1010 1212 404 606 808 1010 1212 Fig.10.Effectoflocalpreferenceon(a)preyindividuallifespanand(b)on Worm Replication Size (Bytes) Worm Replication Size(Bytes) totalinfectives (a) (b) Thetotalinfectivesofthepreycanbelimitedtoaslow Fig.9.Effectofwormreplicationsizeon(a)preyindividuallifespan as2.2%ofthetotalpopulationwithpredatorlocalpreference and(b)totalinfectives =0.6.Howeverifpreylocalpreferenceis0.5,predatorcan c. Localpreference merely,atbest,containpreyat80%ofthetotalpopulation. By focusing on scanning the hosts in the same subnet Hence predator should always utilize the local addresses, worm can avoid scanning invalid addresses and preference appropriately since majority of worms in the reducingthepacketdropscausedbybottleneckofoutbound Internetexploitlocalpreferencescanningaswell. access of local network to the Internet. Since majority of addresses in IPv4 are not fully utilized, appropriate local Our estimations in worm interaction model are off by preference must be an important factor. Many network 36% for simulated total infected hosts and 33% for the worms already try to minimize the probability of scanning simulatedindividuallifespanwhenvaryinglocalpreference . invalid addresses by using this technique [8, 16]. In We expect these errors occur because we have not particular, the local preference has significant impact on incorporatedthereductionofscannedaddressspacecaused

Authorized licensed use limited to: University of Florida. Downloaded on November 28, 2008 at 22:46 from IEEE Xplore. Restrictions apply. byexcessivepredator’slocalscanningstrategy.Predatorcan integrated. After predator is launched, predator infectives alsofurtherenhancethecontactratebyusingtheknowledge maycollaborateamongotherstoreduceoverlappedscanning ofdomainsuchasthecurrentlyusedaddressspace[8]and addressspaceusinginterpredatorprotocol.Distributednon the topology of networks [7]. This is subject to future overlappedsequentialscancanbedeployedifknowledgeof investigation. ASisknowntopredator.Otherinfrastructurebaseddefenses suchas[3,9]mustalsobeawareofandadapttopredator’s VII.SUMMARY AND F UTURE W ORK characteristics. Our future work will focus on such Basedonourworminteractionstudy,wefindthatworm architecture and protocol design and evaluation to support interaction causes drastic change in the worm propagation thisnewsecurityparadigm. model.Suchinteractioncannotbeexplainedbyearlierworks basedontheepidemicmodelevenwhentheremovalprocess REFERENCES is used. We mathematically model and explain aggressive [1]BRITE:BostonRepresentativeInternetTopologyGenerator onesidedinteraction.Inaddition,weproposetheimportant [2]F.Castaneda,E.C.Sezer,J.Xu,“WORMvs.WORM:preliminarystudy of an active counterattack mechanism,” ACM WORM 2004 The 2 nd metricstoquantifytheeffectivenessofthewormtermination WorkshoponRapidMalcode,2004 which can also be used as a guideline for other security [3] R. Dantu, J. Cangussu, and A. Yelimeli, "Dynamic Control of Worm responses. The predator reaction time reduction and the Propagation," ProceedingsoftheInternationalConferenceonInformation effective local preference utilization are the key factors to Technology:CodingandComputing(ITCC'04) Volume2Volume22004 [4] C. Douligeris, and A. Mitrokotsa, "DDoS attacks and defense containthenumberofpreytotalinfectives. mechanisms: classification and stateoftheart," Computer Networks : The Our new worm interaction model is validated through International Journal of Computer and Telecommunications Networking extensivesimulations.Wefindthatscanrateratiohasmuch 2004 [5] J. C. Frauenthal. Mathematical Modeling in Epidemiology . Springer more impact on worm propagation pattern than initial Verlag,NewYork,1988 infected host ratio does. With similar scan rate ratios, it [6]AnalysisoftheSapphireWormAjointeffortofCAIDA,ICSI,Silicon always results in the same maximum prey infectives. Our Defense, UC Berkeley EECS and UC San Diego CSE model shows promising accuracy in estimating individual (http://www.caida.org/analysis/security/sapphire [7] A. Ganesh, L. Massoulie and D. Towsley, “The Effect of Network lifespanandtotalinfectivesfordifferentscenarios. TopologyontheSpreadofEpidemics ,”in IEEEINFOCOM 2005 . Our worm interaction models can be used as a major [8]Z.Chen,L.Gao,andK.Kwiat,“ModelingtheSpreadofActiveWorms,” ,IEEEINFOCOM 2003 component in designing an effective protocol of [9] D. Moore, C. Shannon, G. M. Voelker, and S. Savage, "Internet controlled worm deployment to counter ongoing worm Quarantine:RequirementsforContainingSelfPropagatingCode,"in IEEE attacks.Forexample,ifthereare50,000vulnerablehosts, INFOCOM 2003. and p = 1E2, p = 1E6, f = f =0.5andpreyscanrate [10]NS2:thenetworksimulator(http://www.isi.edu/nsnam/ns/) 1 2 1 2 [11] D. M. Nicol, M Lijenstam, and J. Liu, “Multiscale Modeling and is100/secwithsamenetworkdelayasoursimulatedtransit Simulation of Worm Effects on the Internet Routing Infrastructure,” stub networks with reaction time = 30 seconds, to contain Proceedings of the Performance Tools 2003 Conference Urbana, IL, prey total infectives within 70%, 50% or 20% of total September2003 [12] D. M. Nicol, “Models and Analysis of Active Worm Defense,” vulnerablehosts,predatorrequiresscanrateatleast500/sec, Proceeding of Mathematical Methods, Models and Architecture for 1000/sec,or1500/sec,respectively. ComputerNetworksSecurityWorkshop 2005. [13]P.Szor, TheArtofComputerVirusResearchandDefense (Symantec Using our model can avoid deploying underestimated Press)2005 predator’s scan rate which causes predator to lose to prey [14]S.Tanachaiwiwat,A.Helmy,"VACCINE:WaroftheWormsinWired (hightotalinfectivesandlongindividuallifespanofprey), and Wireless Networks," Technical Report CS 05859, Computer Science oroverestimatedpredator’sscanratewhichcausesexcessive Department,USC [15] S. Tanachaiwiwat, A. Helmy, "Analyzing the Interactions of Self congested networks deteriorating both regular traffic and Propagating Codes in Multihop Networks," Eighth International predator contact rate. Our model, however, does not Symposium on Stabilization, Safety, and Security of Distributed Systems incorporate the router misbehavior when experiencing (SSS)acceptedasBriefAnnouncement,November2006,Dallas,Texas excessive scan frompreyas wellasthebackground traffic [16]TrendMicroAnnualVirusReport2004http://www.trendmicro.com [17] M. Vojnovic and A. J. Ganesh, “On the Effectiveness of Automatic which affects network delay factor. We also have not Patching ,” ACM WORM 2005, The 3rd Workshop on Rapid Malcode , modeledotherinplacesecuritydefenses. GeorgeMasonUniversity,Fairfax,VA,USA,Nov11,2005. Thebasicarchitecturesupportingourapproachshouldat [18] N. Weaver, S. Staniford, V. Paxson, “Very Fast Containment of ScanningWorms,”13th USENIXSecuritySymposium ,Aug2004 least contain prey detection, predator generation, predator [19] N. Weaver, I. Hamadeh, G. Kesidis, and V. Paxson. “Preliminary updates, interpredator communication protocol and Results Using ScaleDown to Explore Worm Dynamics,” ACM WORM prey/predator network access control. Prey detection is the 2004,WorkshoponRapidMalcode(WORM),Fairfax,VA,Oct.2004 firstnecessarycomponenttoactivatethepredatorgeneration. [20] C. C. Zou, W. Gong and D. Towsley, "Code red worm propagation modelingandanalysis,"Proceedingsofthe9th ACMCCS 2002 Hencepreydetectionneedstohavelowfalsenegative.Host level [13] and networklevel detection [8] can be tightly

Authorized licensed use limited to: University of Florida. Downloaded on November 28, 2008 at 22:46 from IEEE Xplore. Restrictions apply.