ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Code red worm propagation modeling and analysis
Full text PdfPdf (197 KB)
Source Conference on Computer and Communications Security archive
Proceedings of the 9th ACM conference on Computer and communications security table of contents
Washington, DC, USA
SESSION: Network security table of contents
Pages: 138 - 147  
Year of Publication: 2002
ISBN:1-58113-612-9
Authors
Cliff Changchun Zou  University of Massachusetts, Amherst, MA
Weibo Gong  University of Massachusetts, Amherst, MA
Don Towsley  University of Massachusetts, Amherst, MA
Sponsors
ACM: Association for Computing Machinery
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 20,   Downloads (12 Months): 165,   Citation Count: 63
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/586110.586130
What is a DOI?

ABSTRACT

The Code Red worm incident of July 2001 has stimulated activities to model and analyze Internet worm propagation. In this paper we provide a careful analysis of Code Red propagation by accounting for two factors: one is the dynamic countermeasures taken by ISPs and users; the other is the slowed down worm infection rate because Code Red rampant propagation caused congestion and troubles to some routers. Based on the classical epidemic Kermack-Mckendrick model, we derive a general Internet worm model called the two-factor worm model. Simulations and numerical solutions of the two-factor worm model match the observed data of Code Red worm better than previous models do. This model leads to a better understanding and prediction of the scale and speed of Internet worm spreading.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
R. M. Anderson, R.M. May. Infectious diseases of humans: dynamics and control. Oxford University Press, Oxford, 1991.
 
2
H. Andersson, T. Britton. Stochastic Epidemic Models and Their Statistical Analysis. Springer-Verlag, New York, 2000.
 
3
N. T. Bailey. The Mathematical Theory of Infectious Diseases and its Applications. Hafner Press, New York, 1975.
 
4
CERT Advisory CA-2001-23. Continued Threat of the "Code Red" Worm. http://www.cert.org/advisories/CA-2001-23.html
 
5
CERT Advisory CA-2000-04. Love Letter Worm. http://www.cert.org/advisories/CA-2000-04.html
 
6
CERT Advisory CA-1999-04. Melissa Macro Virus. http://www.cert.org/advisories/CA-1999-04.html
 
7
Cisco Security Advisory: "Code Red" Worm - Customer Impact. http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml
 
8
Cisco Tech. notes: Dealing with mallocfail and High CPU Utilization Resulting From the "Code Red" Worm. http://www.cisco.com/warp/public/63/ts\_codred\_worm.shtml
 
9
CNN news. "Code Red" worm "minimized" -- for now. http://www.cnn.com/2001/TECH/internet/08/02/code.red.worm/
 
10
J. Cowie, A. Ogielski, B. Premore and Y. Yuan. Global Routing Instabilities during Code Red II and Nimda Worm Propagation. http://www.renesys.com/projects/_instability/
 
11
eEye Digital Security. .ida "Code Red" Worm. http://www.eeye.com/html/Research/Advisories/AL20010717.html
 
12
eEye Digital Security. CodeRedII Worm Analysis. http://www.eeye.com/html/Research/Advisories/AL20010804.html
 
13
K. Eichman. Mailist: Re: Possible CodeRed Connection Attempts. http://lists.jammed.com/incidents/2001/07/0159.html
 
14
eWeek news. Code Red Lessons, Big and Small. http://www.eweek.com/article2/0,3959,113815,00.asp
 
15
J. C. Frauenthal. Mathematical Modeling in Epidemiology. Springer-Verlag, New York, 1980.
 
16
D. Goldsmith. Maillist: Possible CodeRed Connection Attempts. http://lists.jammed.com/incidents/2001/07/0149.html
 
17
T. Heberlein. Visual simulation of Code Red worm propagation patterns. http://www.incidents.org/archives/intrusions/msg00659.html
 
18
Incidents.org diary archive. http://www.incidents.org/diary/july2001.php
 
19
S. Junnarkar and R. Konrad. Code Red crawls back into action. http://news.cnet.com/news/0-1003-200-6738969.html
 
20
J. O. Kephart and S. R. White. Directed-graph Epidemiological Models of Computer Viruses. Proceedings of the IEEE Symposimum on Security and Privacy, 343--359, 1991.
 
21
Jeffrey O. Kephart , Steve R. White , David M. Chess, Computers and epidemiology, IEEE Spectrum, v.30 n.5, p.20-26, May 1993  [doi>10.1109/6.275061]
 
22
Jeffrey O. Kephart , Steve R. White, Measuring and Modeling Computer Virus Prevalence, Proceedings of the 1993 IEEE Symposium on Security and Privacy, p.2, May 24-26, 1993
 
23
R. Lemos. Virulent worm calls into doubt our ability to protect the Net. http://news.com.com/2009-1001-270471.html
 
24
R. Lemos. Microsoft reveals Web server hole. http://news.com.com/2100-1001-268608.html
 
25
Matlab Simulink. The Mathworks, Inc.
26
Vishal Misra , Wei-Bo Gong , Don Towsley, Fluid-based analysis of a network of AQM routers supporting TCP flows with an application to RED, Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, p.151-160, August 28-September 01, 2000, Stockholm, Sweden
 
27
D. Moore. The Spread of the Code-Red Worm. http://www.caida.org/analysis/security/code-red/_analysis.xml
 
28
C. Nachenberg. The Evolving Virus Threat. 23rd NISSC Proceedings, Baltimore, Maryland, 2000.
 
29
SilentBlade. Info and Analysis of the 'Code Red'. http://www.securitywriters.org/library/texts/malware/commu/codered.php
 
30
Eugene H. Spafford, The Internet Worm Incident, Proceedings of the 2nd European Software Engineering Conference, p.446-468, September 11-15, 1989
 
31
Stuart Staniford , Vern Paxson , Nicholas Weaver, How to Own the Internet in Your Spare Time, Proceedings of the 11th USENIX Security Symposium, p.149-167, August 05-09, 2002
 
32
Chenxi Wang , J. C. Knight , M. C. Elder, On computer viral infection and the effect of immunization, Proceedings of the 16th Annual Computer Security Applications Conference, p.246, December 11-15, 2000
33
Lan Wang , Xiaoliang Zhao , Dan Pei , Randy Bush , Daniel Massey , Allison Mankin , S. Felix Wu , Lixia Zhang, Observation and analysis of BGP behavior under stress, Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment, November 06-08, 2002, Marseille, France  [doi>10.1145/637201.637231]
 
34
34 N. Weaver. Warhol Worms: The Potential for Very Fast Internet Plagues. http://www.cs.berkeley.edu/nweaver/warhol.html

CITED BY  64
Chris Fleizach , Michael Liljenstam , Per Johansson , Geoffrey M. Voelker , Andras Mehes, Can you infect me now?: malware propagation in mobile phone networks, Proceedings of the 2007 ACM workshop on Recurring malcode, November 02-02, 2007, Alexandria, Virginia, USA
Gaurav S. Kc , Angelos D. Keromytis , Vassilis Prevelakis, Countering code-injection attacks with instruction-set randomization, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA
Yang Wang , Chenxi Wang, Modeling the effects of timing parameters on virus propagation, Proceedings of the 2003 ACM workshop on Rapid malcode, October 27-27, 2003, Washington, DC, USA
Cliff Changchun Zou , Weibo Gong , Don Towsley, Worm propagation modeling and analysis under dynamic quarantine defense, Proceedings of the 2003 ACM workshop on Rapid malcode, October 27-27, 2003, Washington, DC, USA
Michael Liljenstam , David M. Nicol , Vincent H. Berk , Robert S. Gray, Simulating realistic network worm traffic for worm warning system design and testing, Proceedings of the 2003 ACM workshop on Rapid malcode, October 27-27, 2003, Washington, DC, USA
Dan Ellis, Worm anatomy and model, Proceedings of the 2003 ACM workshop on Rapid malcode, October 27-27, 2003, Washington, DC, USA
Cliff Changchun Zou , Lixin Gao , Weibo Gong , Don Towsley, Monitoring and early warning for internet worms, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA
Nicholas Weaver , Ihab Hamadeh , George Kesidis , Vern Paxson, Preliminary results using scale-down to explore worm dynamics, Proceedings of the 2004 ACM workshop on Rapid malcode, October 29-29, 2004, Washington DC, USA
Jintao Xiong, ACT: attachment chain tracing scheme for email virus detection and control, Proceedings of the 2004 ACM workshop on Rapid malcode, October 29-29, 2004, Washington DC, USA
Yun-Kai ZHANG , Yun-Kai Zhang , Fang-Wei WANG , Fang-Wei Wang , Yu-Qing Zhang , Yu-Qing ZHANG , Jian-Feng MA , Jian-Feng Ma, Worm propagation modeling and analysis based on quarantine, Proceedings of the 3rd international conference on Information security, November 14-16, 2004, Shanghai, China
Peng Liu , Wanyu Zang , Meng Yu, Incentive-based modeling and inference of attacker intent, objectives, and strategies, ACM Transactions on Information and System Security (TISSEC), v.8 n.1, p.78-118, February 2005
Angelos D. Keromytis , Janak Parekh , Philip N. Gross , Gail Kaiser , Vishal Misra , Jason Nieh , Dan Rubenstein , Sal Stolfo, A holistic approach to service survivability, Proceedings of the 2003 ACM workshop on Survivable and self-regenerative systems: in association with 10th ACM Conference on Computer and Communications Security, p.11-22, October 31-31, 2003, Fairfax, VA
Cynthia Wong , Stan Bielski , Jonathan M. McCune , Chenxi Wang, A study of mass-mailing worms, Proceedings of the 2004 ACM workshop on Rapid malcode, October 29-29, 2004, Washington DC, USA
Arno Wagner , Thomas Dübendorfer , Bernhard Plattner , Roman Hiestand, Experiences with worm propagation simulations, Proceedings of the 2003 ACM workshop on Rapid malcode, October 27-27, 2003, Washington, DC, USA
Moheeb Abu Rajab , Fabian Monrose , Andreas Terzis, Worm evolution tracking via timing analysis, Proceedings of the 2005 ACM workshop on Rapid malcode, November 11-11, 2005, Fairfax, VA, USA
Frank Castaneda , Emre Can Sezer , Jun Xu, WORM vs. WORM: preliminary study of an active counter-attack mechanism, Proceedings of the 2004 ACM workshop on Rapid malcode, October 29-29, 2004, Washington DC, USA
Cliff C. Zou , Weibo Gong , Don Towsley , Lixin Gao, The monitoring and early detection of internet worms, IEEE/ACM Transactions on Networking (TON), v.13 n.5, p.961-974, October 2005
David W. Richardson , Steven D. Gribble , Edward D. Lazowska, The limits of global scanning worm detectors in the presence of background noise, Proceedings of the 2005 ACM workshop on Rapid malcode, November 11-11, 2005, Fairfax, VA, USA
David M. Nicol , William H. Sanders , Kishor S. Trivedi, Model-Based Evaluation: From Dependability to Security, IEEE Transactions on Dependable and Secure Computing, v.1 n.1, p.48-65, January 2004
Peng Liu , Wanyu Zang, Incentive-based modeling and inference of attacker intent, objectives, and strategies, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA
Cliff C. Zou , Don Towsley , Weibo Gong, On the performance of internet worm scanning strategies, Performance Evaluation, v.63 n.7, p.700-723, July 2006
Francesco Palmieri , Ugo Fiore, Automated detection and containment of worms and viruses into heterogeneous networks: a simple network immune system, International Journal of Wireless and Mobile Computing, v.2 n.1, p.47-58, May 2007
Marc Lelarge , Jean Bolot, Network externalities and the deployment of security features and protocols in the internet, ACM SIGMETRICS Performance Evaluation Review, v.36 n.1, June 2008
Duc T. Ha , Hung Q. Ngo, On the trade-off between speed and resiliency of flashworms and similar malcodes, Proceedings of the 2007 ACM workshop on Recurring malcode, November 02-02, 2007, Alexandria, Virginia, USA
Fabio Ricciato, Unwanted traffic in 3G networks, ACM SIGCOMM Computer Communication Review, v.36 n.2, April 2006
Fabio Ricciato, Some remarks to recent papers on traffic analysis: or the case for public Wiki-like platforms for commenting published papers, ACM SIGCOMM Computer Communication Review, v.36 n.3, July 2006
V. T. Lam , S. Antonatos , P. Akritidis , K. G. Anagnostakis, Puppetnets: misusing web browsers as a distributed attack infrastructure, Proceedings of the 13th ACM conference on Computer and communications security, October 30-November 03, 2006, Alexandria, Virginia, USA
Moheeb Abu Rajab , Fabian Monrose , Andreas Terzis, On the impact of dynamic addressing on malware propagation, Proceedings of the 4th ACM workshop on Recurring malcode, November 03-03, 2006, Alexandria, Virginia, USA
Srinivas Shakkottai , R. Srikant, Peer to peer networks for defense against internet worms, Proceedings from the 2006 workshop on Interdisciplinary systems approach in performance evaluation and design of computer & communications sytems, October 14-14, 2006, Pisa, Italy
Cliff C. Zou , Don Towsley , Weibo Gong , Songlin Cai, Advanced Routing Worm and Its Security Challenges, Simulation, v.82 n.1, p.75-85, January 2006
S. Antonatos , P. Akritidis , E. P. Markatos , K. G. Anagnostakis, Defending against hitlist worms using network address space randomization, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.12, p.3471-3490, August, 2007
Songjie Wei , Jelena Mirkovic, A realistic simulation of internet-scale events, Proceedings of the 1st international conference on Performance evaluation methodolgies and tools, October 11-13, 2006, Pisa, Italy
Surasak Sanguanpong , Urupoj Kanlayasiri, Worm damage minimization in enterprise networks, International Journal of Human-Computer Studies, v.65 n.1, p.3-16, January, 2007
Fabio Ricciato , Francesco Vacirca , Philipp Svoboda, Diagnosis of capacity bottlenecks via passive monitoring in 3G networks: An empirical analysis, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.4, p.1205-1231, March, 2007
Kristopher Hall , Randy Marchany , Nathaniel Davis, Identifying, characterizing, and controlling stealth worms in wireless networks through biological epidemiology, Proceedings of the second international workshop on Wireless traffic measurements and modeling, p.1-es, August 05-05, 2006, Boston, Massachusetts
Vasileios Karyotis , Symeon Papavassiliou, Risk-based attack strategies for mobile ad hoc networks under probabilistic attack modeling framework, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.9, p.2397-2410, June, 2007
Jianhong Xia , Sarma Vangala , Jiang Wu , Lixin Gao , Kevin Kwiat, Effective worm detection for various scan techniques, Journal of Computer Security, v.14 n.4, p.359-387, July 2006
Mohamed Abdelhafez , George Riley , Robert G. Cole , Nam Phamdo, Modeling and Simulations of TCP MANET Worms, Proceedings of the 21st International Workshop on Principles of Advanced and Distributed Simulation, p.123-130, June 12-15, 2007
Songjie Wei , Jelena Mirkovic , Martin Swany, Distributed Worm Simulation with a Realistic Internet Model, Proceedings of the 19th Workshop on Principles of Advanced and Distributed Simulation, p.71-79, June 01-03, 2005
Monirul I. Sharif , George F. Riley , Wenke Lee, Comparative Study between Analytical Models and Packet-Level Worm Simulations, Proceedings of the 19th Workshop on Principles of Advanced and Distributed Simulation, p.88-98, June 01-03, 2005
Seny Kamara , Darren Davis , Lucas Ballard , Ryan Caudy , Fabian Monrose, An Extensible Platform for Evaluating Security Protocols, Proceedings of the 38th annual Symposium on Simulation, p.204-213, April 04-06, 2005
Shigang Chen , Yong Tang, DAW: A Distributed Antiworm System, IEEE Transactions on Parallel and Distributed Systems, v.18 n.7, p.893-906, July 2007
Qinhua Zheng , Ting Liu , Xiaohong Guan , Yu Qu , Na Wang, A new worm exploiting IPv4-IPv6 dual-stack networks, Proceedings of the 2007 ACM workshop on Recurring malcode, November 02-02, 2007, Alexandria, Virginia, USA
David M. Nicol, Efficient simulation of Internet worms, ACM Transactions on Modeling and Computer Simulation (TOMACS), v.18 n.2, p.1-32, April 2008
George Kesidis , Ihab Hamadeh , Youngmi Jin , Soranun Jiwasurat , Milan Vojnović, A model of the spread of randomly scanning Internet worms that saturate access links, ACM Transactions on Modeling and Computer Simulation (TOMACS), v.18 n.2, p.1-14, April 2008
Sapon Tanachaiwiwat , Ahmed Helmy, On the performance evaluation and prediction of encounter-based worm interactions based on node characteristics, Proceedings of the second workshop on Challenged networks CHANTS, September 14-14, 2007, Montreal, Quebec, Canada
Vasileios Karyotis , Symeon Papavassiliou , Mary Grammatikou , Vasilis Maglaris, A novel framework for mobile attack strategy modelling and vulnerability analysis in wireless ad hoc networks, International Journal of Security and Networks, v.1 n.3/4, p.255-265, December 2006
Cliff C. Zou , Don Towsley , Weibo Gong, Modeling and Simulation Study of the Propagation and Defense of Internet E-mail Worms, IEEE Transactions on Dependable and Secure Computing, v.4 n.2, p.105-118, April 2007
Wei Yu , Sriram Chellappan , Xun Wang , Dong Xuan, Peer-to-peer system-based active worm attacks: Modeling, analysis and defense, Computer Communications, v.31 n.17, p.4005-4017, November, 2008
Ram Dantu , Joao W. Cangussu , Sudeep Patwardhan, Fast Worm Containment Using Feedback Control, IEEE Transactions on Dependable and Secure Computing, v.4 n.2, p.119-136, April 2007
Marc Lelarge , Jean Bolot, A local mean field analysis of security investments in networks, Proceedings of the 3rd international workshop on Economics of networked systems, August 22-22, 2008, Seattle, WA, USA
Yong Tang , Shigang Chen, An Automated Signature-Based Approach against Polymorphic Internet Worms, IEEE Transactions on Parallel and Distributed Systems, v.18 n.7, p.879-892, July 2007
Xiaohong Guan , Wei Wang , Xiangliang Zhang, Fast intrusion detection based on a non-negative matrix factorization model, Journal of Network and Computer Applications, v.32 n.1, p.31-44, January, 2009
Frank Akujobi , Ioannis Lambadaris , Evangelos Kranakis, Modeling host-based detection and active worm containment, Proceedings of the 11th communications and networking simulation symposium, April 14-17, 2008, Ottawa, Canada
Thomas Gamer , Michael Scharf, Realistic simulation environments for IP-based networks, Proceedings of the 1st international conference on Simulation tools and techniques for communications, networks and systems & workshops, March 03-07, 2008, Marseille, France
Spiros Antonatos , Periklis Akritidis , Vinh The Lam , Kostas G. Anagnostakis, Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure, ACM Transactions on Information and System Security (TISSEC), v.12 n.2, p.1-38, December 2008
Tao Gong, Anti-virus security and robustness of heterogeneous immune static network, Proceedings of the 5th International ICST Conference on Heterogeneous Networking for Quality, Reliability, Security and Robustness, July 28-31, 2008, Hong Kong
Tao Gong, Anti-virus security and robustness of heterogeneous immune static network, Proceedings of the 5th International ICST Conference on Heterogeneous Networking for Quality, Reliability, Security and Robustness, July 28-31, 2008, Hong Kong
Sapon Tanachaiwiwat , Ahmed Helmy, Encounter-based worms: Analysis and defense, Ad Hoc Networks, v.7 n.7, p.1414-1430, September, 2009
H. B. Kekre , Sudeep D. Thepade , Anant Shah , Prathamesh Verlekar , Suraj Shirke, Network vaccination architecture, Proceedings of the International Conference on Advances in Computing, Communication and Control, January 23-24, 2009, Mumbai, India
Thomas Gamer , Christoph P. Mayer, Large-scale evaluation of distributed attack detection, Proceedings of the 2nd International Conference on Simulation Tools and Techniques, March 02-06, 2009, Rome, Italy
Karthik Channakeshava , Deepti Chafekar , Keith Bisset , V. S. Anil Kumar , Madhav Marathe, EpiNet: a simulation framework to study the spread of malware in wireless networks, Proceedings of the 2nd International Conference on Simulation Tools and Techniques, March 02-06, 2009, Rome, Italy
Insu Park , R. Sharman , H. R. Rao , S. Upadhyaya, Short Term and Total Life Impact analysis of email worms in computer systems, Decision Support Systems, v.43 n.3, p.827-841, April, 2007
Xiaohu Li , T. Paul Parker , Shouhuai Xu, Towards an analytic model of epidemic spreading in heterogeneous systems, The Fourth International Conference on Heterogeneous Networking for Quality, Reliability, Security and Robustness & Workshops, August 14-17, 2007, Vancouver, Canada

INDEX TERMS

Primary Classification:
  H. Information Systems
  H.1 MODELS AND PRINCIPLES
      H.1.m Miscellaneous


General Terms:
Human Factors, Security


Keywords:
epidemic model, internet worm modeling, two-factor worm model

Collaborative Colleagues:
Cliff Changchun Zou: colleagues
Weibo Gong: colleagues
Don Towsley: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player