2014-2-4 The Analysis of Internet Worm Modeling in IPv4 and IPv6 Networks SU Fei suf@buptnet.edu.cn


The Analysis of Internet Worm Modeling in IPv4 and IPv6 Networks

SU Fei suf@buptnet.edu.cn

Outline

1. Introduction to the development of Internet Worm Modeling

2. Worm Model in IPv4 Network

3. Worm Model in IPv6 Network


Introduction to the development of Internet Worm Modeling

• An accurate and effective worm propagation model can describe the worm’s behavior well.

• The purpose of modeling is to identify the weaknesses in the worm spreading chain and to provide accurate defensive measures for epidemiology research.

• A majority of worm propagation models are based on deterministic epidemic models in IPv4 networks:

– Classical epidemic model
– Kermack-McKendrick model
– Two-Factor worm model

• Due to the huge address space of an IPv6 network, it is really hard to scan for active hosts in a short time with a random scan strategy.

• Even so, IPv6 networks are not totally safe from Internet worms.


Worm Model in IPv4 Network

1. Classical Internet worm propagation model

• each host stays in one of two states: susceptible or infectious

• the system is homogeneous

• the classical simple epidemic model is:

$$\frac{dI(t)}{dt} = \beta I(t)\,[N - I(t)]$$


Worm Model in IPv4 Network

2. KM Internet worm propagation model

• takes the removal process of infectious hosts into consideration

• Each host either makes the state transition “susceptible → infectious → removed” or remains in “susceptible” state all the time.

• The KM model is:

$$\begin{cases}
\dfrac{dI(t)}{dt} = \beta I(t)\,[N - J(t)] \\[4pt]
\dfrac{dR(t)}{dt} = \gamma I(t) \\[4pt]
J(t) = I(t) + R(t) = N - S(t)
\end{cases}$$


Worm Model in IPv4 Network

3. Two-Factor Model

• Considers two factors: Human countermeasures and Decreased infection rate

$$\begin{cases}
\dfrac{dS(t)}{dt} = -\beta(t) S(t) I(t) - \dfrac{dQ(t)}{dt} \\[4pt]
\dfrac{dR(t)}{dt} = \gamma I(t) \\[4pt]
\dfrac{dQ(t)}{dt} = \mu S(t) J(t) \\[4pt]
\beta(t) = \beta_0\,[1 - I(t)/N]^{\eta} \\[4pt]
N = S(t) + I(t) + R(t) + Q(t)
\end{cases}$$
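The three IPv4 models can be compared numerically, which is how a defender would estimate how much removal and countermeasures lower the peak number of infectious hosts. The following is an added example, not code from the original slides: it integrates the Two-Factor equations with a forward-Euler step and obtains the simpler models by zeroing coefficients. The coefficient names `beta0`, `gamma`, `mu`, `eta` and all parameter values are assumptions constructed for illustration.

```python
def simulate(N, I0, beta0, gamma=0.0, mu=0.0, eta=0.0, T=100.0, dt=0.05):
    """Forward-Euler integration; returns a list of (t, S, I, R, Q) rows.

    gamma = mu = eta = 0 is the classical simple epidemic model; gamma > 0
    alone adds the removal process; all three give the Two-Factor model.
    """
    S, I, R, Q = float(N - I0), float(I0), 0.0, 0.0
    rows = [(0.0, S, I, R, Q)]
    for step in range(1, int(round(T / dt)) + 1):
        beta = beta0 * (1.0 - I / N) ** eta   # decreased infection rate
        J = I + R                             # hosts infected so far
        new_inf = beta * S * I                # susceptible -> infectious
        dQ = mu * S * J                       # susceptible hosts immunized
        dR = gamma * I                        # infectious hosts removed
        # dI/dt = new_inf - dR follows from N = S + I + R + Q being constant.
        S += (-new_inf - dQ) * dt
        I += (new_inf - dR) * dt
        R += dR * dt
        Q += dQ * dt
        rows.append((step * dt, S, I, R, Q))
    return rows


def peak_infectious(rows):
    """Largest number of simultaneously infectious hosts in a trajectory."""
    return max(r[2] for r in rows)


# Constructed sample parameters (not taken from the slides).
N = 1_000_000
BETA0 = 0.8 / N
SCENARIOS = {
    "classical": {},
    "removal_only": {"gamma": 0.05},
    "two_factor": {"gamma": 0.05, "mu": 0.06 / N, "eta": 3.0},
}


def run_all():
    """Run every scenario from one initially infected host."""
    return {name: simulate(N, 1, BETA0, **kw) for name, kw in SCENARIOS.items()}


if __name__ == "__main__":
    for name, rows in run_all().items():
        print(f"{name:13s} peak I = {peak_infectious(rows):9.0f}  "
              f"final I = {rows[-1][2]:9.0f}")
```

With these sample values the classical model saturates at N, removal alone caps the peak at roughly three quarters of N, and the Two-Factor model keeps it at or below about half of N.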


Worm Model in IPv6 Network

• We use a three-layer worm model named Worm6 to analyze worm propagation in IPv6 networks.

– The first layer is used by the worm when scanning across subnets.

– In the second layer, once a domain name host is infected, it scans for more susceptible hosts in its own subnet using the corresponding local-area scanning strategies.

– The third layer lets the worm avoid repeated infection.


Worm Model in IPv6 Network

• The model of Worm6 is shown in the picture below.

• In the first layer, it uses a DNS scanning strategy to find vulnerable hosts across different subnets.

• In the second layer, the infected host probes active susceptible hosts using adaptive scanning strategies suited to a local area network.

• The third layer is used to decrease the number of repetitive infections. All the infected hosts form a P2P network to share the IP addresses of all infected hosts.

[Figure: the Worm6 model, showing subnet1 through subnet9]


Worm Model in IPv6 Network

• Fig.4 illustrates the comparison of Worm6 and the CodeRed worm. CodeRed is an IPv4 worm that adopts random scanning. From Fig.4, we can conclude that Worm6 can spread faster than CodeRed even though Worm6 is in an IPv6 network.

• Fig.5 compares the effect of different hit-rates of the domain name generator on Worm6 propagation. The blue curve represents the worm propagation when the value of hit-rate is 0.00005. The largest hit-rate is 0.00001 which is denoted by the write green line. It is easy to see that Worm6 spreads faster with a higher hit-rate.

Fig.4

Fig.5


Worm Model in IPv6 Network

• The effect of the size of the hit-list on Worm6 propagation is shown in Fig.6. The brown line represents the Worm6 propagation when the size of the hit-list is 50, and the red line shows the Worm6 propagation when the size of the hit-list is 10. We find that a larger initial number of infected hosts greatly accelerates worm propagation. Therefore, the initial number of infected hosts determines the infection rate in the subsequent spread.

• Fig.7 illustrates the effect of repeated infection on Worm6 propagation. The result clearly shows that Worm6 has a higher rate of propagation without repetition. Repetition has a great impact on the propagation trend of Worm6. Hence, a worm needs to reduce duplicated infection as much as possible in order to form large-scale propagation.

Fig.6

Fig.7


Conclusions

• In this paper, we analyze typical worm models in IPv4 networks, and use a three-layer worm model named Worm6 to study worm propagation in IPv6 networks.

• The result shows that worms in IPv6 networks must use new scanning strategies in order to form large-scale propagation.

• By comparing Worm6 with the IPv4 worm CodeRed, we conclude that the propagation of Worm6 is faster than that of CodeRed with the same group of parameters.

• We use simulations to study Worm6, and demonstrate how the model can be used to study the impact of various worm/network parameters on the propagation.

• In the future, we plan to extend the present work by adding more parameters that affect worm propagation and by taking network topology into consideration.
