PowerPoint Presentation

1

Email Worm Modelingand Defense

Cliff C. Zou, Don Towsley, Weibo Gong

Univ. Massachusetts, Amherst

2

Internet Worm Introduction

Scan-based worms:

Example: Code Red, Slammer,Blaster, Sasser, …

No human interaction

Fast (automatic defense)

Need vulnerability

Fewer incidents

Network-based blocking

Modeling: no (week)topological issue

Epidemic models

Email worms:

Example: Melissa, Love letter,Sircam, SoBig, MyDoom, …

Human activation

Slower

Need no vulnerability

More incidents

Defense on email servers

Modeling: email addresslogical topology

No math model yet

Nimda: mixed infection

MyDoom: search engine

3

Email Topology —Heavy-tailed Distributed

Email topology degree distr. Size distr. of email address books

Popular email list: one list address corresponds to many.

Email worms find all addresses on compromised computers.

Email address books, Web cache, text documents, etc.

We study email propagation on power law topologies.

Generators available ; best candidate to represent heavy-tailed topology.

Complementary cumulativedistribution

(May 2002: > 800,000 Yahoo groups)

4

Email Worm Simulation Model

Discrete time simulation

Topology: undirected graph

Power law, small world, random graph

Modeling behavior of individual user

Worm email attachment opening prob.

Email checking time interval

Following any distribution: Exponential, Erlang, Constant.

Modeling the entire user population

 normal distr.

 normal distr.

$D:\paper\presentation\txp_fig.png$

$D:\paper\presentation\txp_fig.png$

$D:\paper\presentation\txp_fig.png$

5

Propagation Stochastic Effect

Power law network: 100,000 nodes, average degree = 8

Nt : the number of infectious at time t. N0 = 2 randomly selected

100 simulation runs for each experiment

Random effect in simulation

Initially infected nodes and initialinfection are critical.

It is possible that no one isinfected except N0

•When no neighboring nodesopen email attachments.

6

Initially infected nodeswith different node degree

Initially infected nodes are more important in asparsely connected network than a densely connectednetwork

Avg. degree = 8

Avg. degree = 20

7

Effect of emailcheckingtime variability

An email worm propagates faster when the email checkingtime is more stochastically variable.

Snowball effect: Before worm copies give birth to the nextgeneration in the less variable system, worm copies in the morevariable system have already given birth to several generations.

$D:\paper\presentation\txp_fig.png$

Random variable

Exponential

3rd-order Erlang

Constant

$D:\paper\presentation\txp_fig.png$

8

Topology Effect onEmail Worm Propagation

An email worm propagates faster on a power-law topologythan on the other two.

Highly connected nodes are infected earlier.

They amplify worm propagation speed by shooting out more copies.

Topology effect

Avg. degree of infected nodes

(1000 simulation runs)

9

Immunization Defenseagainst Email Worms

Static immunization defense:

A fraction of nodes are immune to an email worm before itsoutbreak.

No nodes will be immunized during the worm’s outbreak.

Selective immunization:

Immunizing the mostly connected nodes.

Effective for a power-law network

Nodes have very variable node degrees

3 ~ 2000+

10

Selective Immunization Defense

Selective immunization defense is more effectiveon a power law topology than on the other two.

Due to the percolation property of a topology.

Power law topology

Small world topology

11

Percolation and Phase Transition

Selective percolation with p:

Removing top p percent of mostly connected nodes.

Corresponding to selective immunization.

Newman et al. studied uniform percolation.

Selective percolation property:

Connection ratio:

fraction of remained nodes that are connected.

Remaining link ratio:

fraction of remained links.

Phase transition  selective percolation threshold

Disjoint the remaining network when

$D:\paper\presentation\txp_fig.png$

$D:\paper\presentation\txp_fig.png$

12

Why different effect with 5% selective immunization?

Power law topology: removing 55.5% links

Small world (random graph) topology: removing < 20% links

Email worm prevention via selective immunization (Phase transition) :

30% for the power law topology

Around 70% for the small world and random graph topologies.

Power law topology

Small world topology

Percolation and Phase Transition

13

Summary

Email topology is a heavy-tailed distributedtopology.

The impact of a power law topology on emailworm propagation is mixed:

Cons: an email worm spreads faster than on a smallworld or a random graph topology.

Pros: static selective immunization defense is moreeffective.

14

Future Work

Mathematical modeling

Difficulty: considering an arbitrary topology

Directed graph for email topology

One-way email address relationship

Heavy tailed distr. definition? Topology generator?

Dynamic immunization defense

Short-term focus: Enterprise network defense