Sarah Sellke, Ness B. Shroff, and Saurabh BagchiSchool of Electrical and Computer EngineeringPurdue University
Self-propagating codes, called worms, such as CodeRed, Nimda, and Slammer, have drawn significant attentiondue to their enormous adverse impact on the Internet. Thereis a great interest in the research community in modeling thespread of worms and in providing adequate defense mecha-nisms against them.In this paper, we present a (stochastic) branching pro-cess model for characterizing the propagation of Internetworms. This model leads to the development of an auto-matic worm containment strategy that prevents the spreadof worms beyond its early stages. Specifically, using thebranching process model, we are able to (1) provide a pre-cise condition that determines whether the worm will even-tually die out and (2) provdide the probability that the to-tal number of hosts that the worm infects will be below acertain level. We use these insights to develop a simple au-tomatic worm containment scheme, which is demonstrated,through simulations and real trace data, to be both effectiveand non-intrusive.Keywords: Internet scanning worms, stochastic wormmodeling, branching process model, early phase propaga-tion, automatic worm containment.
The Internet has become critically important to the finan-cial viability of the national and global economy. Mean-while, we are witnessing an upsurge in the incidents of ma-licious code in the form of computer viruses and worms.One class of such malicious code, known as worms, spreadsitself without human intervention by using a scanning strat-egy to find vulnerable hosts to infect. Code Red, SQL Slam-mer, and Sasser are some of the more famous examplesof worms that have caused considerable damage. Networkworms have the potential to infect many vulnerable hostson the Internet before human countermeasures take place.The aggressive scanning traffic generated by the infectedhosts have caused network congestion, equipment failure,and blocking of physical facilities such as subway stations,911 call centers, etc. As a representative example, con-sider the Code Red worm version 2 that exploited a bufferoverflow vulnerability in the Microsoft IIS web servers. Itwas released on July 19th, 2001 and over a period of lessthan 14 hours infected more than 359,000 machines. Thecost of the epidemic, including subsequent strains of CodeRed is estimated by Computer Economics to be $2.6 billion. While Code Red was particularly virulent in its eco-nomic impact it provides an indication ofthe magnitude of the damage that can be inflicted by suchworms. Thus, there is a need to carefully characterize thespread of worms and develop efficient strategies for worm containment.
In the current literature, three broad classes of strategieshave been identified for mitigating the risks of worms.(i) Prevention: This involves improving the security andheterogeneity of software on the Internet and automaticallychecking hosts for vulnerabilities worms could exploit, andpatching them before a worm incident happens; (ii) Treat-ment: This involves eliminating the vulnerability exploitedby the worm after the incident has become known and re-moving the worm from the host itself; (iii) Containment:This involves blocking or slowing down the communicationbetween infected and uninfected hosts. These three strate-gies complement each other and in this paper, our focus willbe on developing an effective containment strategy.The goal of our research is to provide a model for thepropagation of random scanning worms and the correspond-ing development of automatic containment mechanisms thatprevent the spread of worms beyond its early stages.Several early worm warning and detection systems havebeen proposed [10, 20, 21]. Most models of worm propaga-tion are based on deterministic epidemic models.They are acceptable for modeling worm propagation whenthe number of infected hosts is large. However, it is generally accepted that they are inadequate to model the earlyphase of worm propagation accurately because the numberof infected hosts earlier on is very small . The reason isthat epidemic models capture only expected or mean behav-ior, while not being able to capture the variability aroundthis mean, which could be especially dramatic during theearly phase of worm propagation. While stochastic epi-demic models can be used to model this early phase, theyare generally too complex to provide useful analytical solu-tions.