Performance Evaluation
Volume 63, Issue 7, July 2006, Pages 700-723
 
doi:10.1016/j.peva.2005.07.032    

Copyright © 2005 Elsevier B.V. All rights reserved.

On the performance of Internet worm scanning strategies


Cliff C. Zou (a, corresponding author), Don Towsley (b) and Weibo Gong (c)

(a) School of Computer Science, University of Central Florida, FL, United States

(b) Department of Computer Science, University of Massachusetts, Amherst, MA, United States

(c) Department of Electrical & Computer Engineering, University of Massachusetts, Amherst, MA, United States


Received 6 September 2004; revised 25 July 2005. Available online 8 September 2005.

Abstract

In recent years, fast spreading worms, such as Code Red, Slammer, Blaster and Sasser, have become one of the major threats to the security of the Internet. In order to defend against future worms, it is important to first understand how worms propagate and how different scanning strategies affect worm propagation dynamics. In this paper, we systematically model and analyze worm propagation under various scanning strategies, such as uniform scan, routing scan, hit-list scan, cooperative scan, local preference scan, sequential scan, divide-and-conquer scan, target scan, etc. We also provide an analytical model to accurately model Witty worm’s destructive behavior. By using the same modeling framework, we reveal the underlying similarity and relationship between different worm scanning strategies. In addition, based on our simulation and analysis of Blaster worm propagation and monitoring, we provide a guideline for building a better worm monitoring infrastructure.

Keywords: Worm modeling; Worm scanning strategy; Network security; Network monitoring

Nomenclature

$c_1, c_2$: $c_1 = \Omega_e/\Omega$, $c_2 = N_e/N$
$C(t)$: cumulative number of infected hosts observed by a monitoring system at time $t$
$d(t)$: density of vulnerable hosts in the unscanned IP space for a cooperative scan worm
$D(t)$: number of infected hosts that are destroyed by Witty worm by time $t$
$I(t)$: number of infected hosts at time $t$
$I_e(t), I_o(t)$: number of infected hosts in the target (other) domain(s) at time $t$, $I(t) = I_o(t) + I_e(t)$
$I_k(t)$: number of infectious hosts in the $k$-th “/n” prefix network at time $t$, $k = 1, 2, \ldots, K$
$K$: number of “/n” prefix networks in the worm scanning space $\Omega$, $\Omega = K \cdot 2^{32-n}$
$m$: number of “/n” prefix networks that contain vulnerable hosts (mK)
$N$: total number of vulnerable hosts in the Internet before worm infection
$N_e, N_o$: number of initially vulnerable hosts in the target (other) domain(s), $N = N_e + N_o$
$N_k$: number of initially vulnerable hosts in the $k$-th “/n” prefix network, $k = 1, 2, \ldots, K$
$p$: probability of a local preference scan worm to scan locally
$q$: probability of a worm scanning a specific address in a time interval $\delta$, $q = \eta\delta/\Omega$
$Z(t)$: number of worm scans observed by a monitoring system in a unit time at time $t$

Greek letters

$\beta$: pairwise rate of infection in worm propagation model, $\beta = \eta/\Omega$
$\beta$, $\beta$: pairwise rate of infection in local (remote) scan for a local preference scan worm
$\delta$: the small time interval used in infinitesimal analysis
$\varepsilon$: time delay in worm propagation (considered in idealized worms)
$\eta$: a worm’s average scan rate
$\Omega$: number of IP addresses contained in a worm’s scanning space
$\Omega_e, \Omega_o$: size of worm scanning space in the target (other) domain(s) for a selective attack worm, $\Omega = \Omega_e + \Omega_o$
$\lambda$: average destruction rate of Witty worm

Article Outline

Nomenclature
1. Introduction
2. Related work
3. Modeling basis: uniform scan worm model
3.1. Uniform scan worm model
3.2. Modeling assumption and justification
4. Modeling and analysis of worm scanning strategies
4.1. Uniform scan worm and its variants
4.1.1. Uniform scan worms that scan the entire IPv4 space
4.1.2. Hit-list worm
4.1.3. Routing worm
4.1.4. Comparison of Code Red, a hit-list worm and routing worms
4.1.5. Divide-and-conquer scan worm
4.2. Idealized worm
4.2.1. Cooperative scan worm
4.2.2. Flash worm
4.3. Local preference scan worm
4.4. Sequential scan worm
4.5. Selective attack worm
5. Modeling destructive worm: Witty
6. Worm monitoring system design
7. Conclusion
Acknowledgements
References
Vitae








