A model of the spread of randomly scanning Internet worms that saturate access links

Authors:
George Kesidis;Ihab Hamadeh;Youngmi Jin;Soranun Jiwasurat;Milan Vojnović
Affiliations:
Pennsylvania State University, University Park, PA;Pennsylvania State University, University Park, PA;Pennsylvania State University, University Park, PA;Pennsylvania State University, University Park, PA;Microsoft Research, Cambridge, U.K
Venue:
ACM Transactions on Modeling and Computer Simulation (TOMACS)
Year:
2008

Citing 9
Cited 5

Code red worm propagation modeling and analysis

Proceedings of the 9th ACM conference on Computer and communications security
How to Own the Internet in Your Spare Time

Proceedings of the 11th USENIX Security Symposium
Inside the Slammer Worm

IEEE Security and Privacy
Simulating realistic network worm traffic for worm warning system design and testing

Proceedings of the 2003 ACM workshop on Rapid malcode
Worm propagation modeling and analysis under dynamic quarantine defense

Proceedings of the 2003 ACM workshop on Rapid malcode
Toward understanding distributed blackhole placement

Proceedings of the 2004 ACM workshop on Rapid malcode
Preliminary results using scale-down to explore worm dynamics

Proceedings of the 2004 ACM workshop on Rapid malcode
Very fast containment of scanning worms

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Coupled kermack-mckendrick models for randomly scanning and bandwidth-saturating internet worms

QoS-IP'05 Proceedings of the Third international conference on Quality of Service in Multiservice IP Networks

A Stochastic Epidemiological Model and a Deterministic Limit for BitTorrent-Like Peer-to-Peer File-Sharing Networks

Network Control and Optimization
A simple reputation model for BitTorrent-like incentives

GameNets'09 Proceedings of the First ICST international conference on Game Theory for Networks
A taxonomy of biologically inspired research in computer networking

Computer Networks: The International Journal of Computer and Telecommunications Networking
A survey on bio-inspired networking

Computer Networks: The International Journal of Computer and Telecommunications Networking
Toward early warning against Internet worms based on critical-sized networks

Security and Communication Networks

Quantified Score

Hi-index	0.00

Visualization

Abstract

We present a simple, deterministic mathematical model for the spread of randomly scanning and bandwidth-saturating Internet worms. Such worms include Slammer and Witty, both of which spread extremely rapidly. Our model, consisting of coupled Kermack-McKendrick (a.k.a. stratified susceptibles-infectives (SI)) equations, captures both the measured scanning activity of the worm and the network limitation of its spread, that is, the effective scan-rate per worm/infective. The Internet is modeled as an ideal core network to which each peripheral (e.g., enterprise) network is connected via a single access link. It is further assumed in this note that as soon as a single end-system in the peripheral network is infected by the worm, the subsequent scanning of the rest of the Internet saturates the access link, that is, there is “instant” saturation. We fit our model to available data for the Slammer worm and demonstrate the model's ability to accurately represent Slammer's total scan-rate to the core.