ANALYSIS AND COUNTERMEASURES OF WORM PROPAGATIONS AND
INTERACTIONS IN WIRED AND WIRELESS NETWORKS
by
Sapon Tanachaiwiwat
A Dissertation Presented to the
FACULTY OF THE GRADUATE SCHOOL
UNIVERSITY OF SOUTHERN CALIFORNIA
In Partial Fulfillment of the
Requirements for the Degree
DOCTOR OF PHILOSOPHY
(COMPUTER ENGINEERING)
December 2007
Copyright 2007 Sapon Tanachaiwiwat
Dedication
To my lovely family Primrose, Patima and my parents
for their everlasting love and support
Acknowledgements
I would like to express my deepest appreciation and gratitude to my advisor, Ahmed
Helmy. Not a single accomplishment in this dissertation would have been possible
without Dr. Helmy’s advice. He has encouraged me not only in research, but also in life and
career, which made me overcome many obstacles during my PhD program.
My wife Patima supported me in every aspect of life with her everlasting love. I want to
thank my daughter, Primrose, for her lovable support in my life. My daughter, who was
born during my PhD program, is another great accomplishment during my PhD program.
I also would like to thank the members of my defense and qualifying exam committee,
including Prof. Bhaskar Krishnamachari, Prof. Ramesh Govindan, Prof. C.-C. Jay Kuo, and
Prof. Christos Papadopoulos. They have offered much useful feedback that finally brought about the
completion of this dissertation.
I feel so lucky because I could meet very good and considerate colleagues at NOMADS
Lab, at USC. They stimulated my research and also made my PhD student life much more
enjoyable.
My dissertation is supported in part by grants from the National Science Foundation (NSF)
Career Award, and the NSF ACQUIRE project.
Table of Contents
Dedication ii
Acknowledgements iii
List of Tables vii
List of Figures viii
Abstract xii
Chapter 1: Introduction 1
1.1. Worm taxonomy 5
1.2. Contributions of the Dissertation 7
1.3. Organization of the Dissertation 9
Chapter 2: Related Work 10
2.1. Overview 10
2.2. SIR model and its variation for contagious disease modeling 10
2.3. Worm propagation models extended from the basic SIR model 12
2.4. Worm interactions and war of the worms 16
2.5. Security mechanism taxonomy 18
2.6. Worm propagation in wireless ad-hoc networks 21
2.7. Epidemic routing and analysis in delay-tolerant networks 25
2.8. Our work and related work 26
Chapter 3:Basic Definitions 28
3.1. Overview 28
3.2. Definitions 28
Chapter 4: Worm Ecology 37
4.1 Overview 37
4.2 Aggressive one-sided interaction 37
4.3 Conservative one-sided interaction 42
4.4 Two-sided interaction 45
4.5 Metric Analysis 49
Chapter 5: Network Characteristics 53
5.1 Overview 53
5.2 Random-scan network worms 53
5.3 Encounter-based worms 58
Chapter 6: Node Characteristics 74
6.1 Overview 74
6.2 Cooperation 74
6.3 Immunization 75
6.4 On-off behavior 75
6.5 Delay 75
6.6 Aggressive one-sided interaction based on node characteristics 76
6.7 Evaluation 78
Chapter 7: General Worm Interaction Models 85
7.1. Overview 85
7.2. General Worm Interaction Models 85
7.3. Model Analysis 93
Chapter 8: VACCINE Architecture 95
8.1 Overview 95
8.2 Random-scan network worms 95
8.3 Encounter-based worms 105
Chapter 9: Experiments on Worm Interactions in Encounter-based
Networks 128
9.1 Overview 128
9.2 Experiment set up and devices 128
9.3 Population of exposed Bluetooth devices 129
9.4 Encounter characteristics 130
9.5 File exchange capability 132
9.6 Proof-of-concept Worm Interactions 133
9.7 Summary and future experiments 145
Chapter 10: Conclusion and Future Research Direction 147
10.1 Conclusion 147
10.2 Future Research Direction 150
References 152
Appendix A 157
Appendix B 159
Appendix C 164
Appendix D 167
List of Tables
Table 7.1: Parameters and Definition Summary 92
Table 8.1: Distributed Dynamic Incremental Scan Rate Protocol (DDIS) 99
Table 9.1: Spatial and Time distribution of exposed Bluetooth devices 130
Table 9.2: Pair-wised Contact Rate and Encounter rate (per day) 131
Table 9.3: Pair-wised Contact Duration (hours) 132
Table 9.4: Relationships of file sizes and distance between users 133
Table 9.5: Relationships of file sizes and velocity between users 133
Table 9.6: Metrics for Aggressive One-sided Interactions with static topologies
(TI and MI as a fraction of total population, TL, AL, TA and TR in seconds) 140
Table 9.7: Metrics for Aggressive One-sided Interactions with human encounters
(TI and MI as a fraction of total population, TL, AL, TA and TR in seconds) 140
Table 9.8: Metrics for Conservative One-sided Interactions and Aggressive
Two-sided Interactions 141
Table 9.9: Encounter-Then-Generate-Seed Architecture 141
Table 9.10: Metrics for one static node and one super node for one worm
type propagation 143
Table 9.11: Metrics for four static nodes with one super node for one
worm type propagation 144
Table 9.12: Metrics for aggressive one-sided interactions with two super nodes 145
List of Figures
[Figure 1.1] Two-year infected hosts of famous interacting worms: 2
[Figure 1.2] Worm Taxonomy 5
[Figure 2.1] The basic SIR Epidemic Model 11
[Figure 3.1] Life cycles of (a) Predator (b) Prey 30
[Figure 4.1] Aggressive one-sided interactions 38
[Figure 4.2] Prey infected nodes of aggressive one-sided interaction
(random-scan network worms) 40
[Figure 4.3] Prey infected nodes of aggressive one-sided interaction
(encounter-based worms) 41
[Figure 4.4] Conservative one-sided interactions 42
[Figure 4.5] Prey infected nodes of conservative one-sided interaction
(random-scan network worms) 44
[Figure 4.6] Prey infected nodes of conservative one-sided interaction
(encounter-based worms) 45
[Figure 4.7] Two-sided Interaction 46
[Figure 4.8] Prey infected nodes of two-sided interaction (random-scan network worms) 48
[Figure 4.9] Prey infected nodes of two-sided interaction (encounter-based worms) 49
[Figure 4.10] Relationships of worm characteristics with X (random-scan network worm) 50
[Figure 4.11] Relationships of worm characteristics with Y (encounter-based worms) 51
[Figure 4.12] Relationships of aggressive one-sided interaction with Y 52
[Figure 5.1] Effect of worm replication size 54
[Figure 5.2] Effect of local preference 58
[Figure 5.3] Relationships of β with metrics 60
[Figure 5.4] Relationships of N with metrics 61
[Figure 5.5] One-worm-type Multi-group Propagation 62
[Figure 5.6] Two-group, aggressive one-sided Interaction 63
[Figure 5.7] Two groups of population: slow and fast encountered groups 65
[Figure 5.8] Two groups of population: slow and fast encountered groups 68
[Figure 5.9] Two-group, one-sided Interaction with group transition 70
[Figure 5.10] Effects of group size in two-group population: slow group and fast groups 71
[Figure 5.11] Effects of initial-prey-infected-node group’s contact rate
in two group population 72
[Figure 5.12] Effects of contact rate between groups of two-group population:
slow group and fast encountered groups 73
[Figure 6.1] Aggressive one-sided interaction with node characteristics 76
[Figure 6.2] Effects of cooperation (c), immunization (i), on-off behavior (p)
and delay (d) on uniform-encounter worm interactions 80
[Figure 6.3] Trace-based encounter characteristics (a) Total encounters
(b) Unique encounters and (c) Batch arrival pattern 81
[Figure 6.4] Trace-based simulation results: effects on cooperation (c),
and immunization (i) 84
[Figure 7.1] General worm interaction model state diagram 91
[Figure 8.1] VACCINE Architecture 98
[Figure 8.2] DDIS Flowchart 100
[Figure 8.3] DDIS model with feedback controls for 2 adaptable predator scan rates 101
[Figure 8.4] Effects of distributed dynamic incremental scan rate (DDIS) on
aggressive one-sided patch with non-zero reaction time 103
[Figure 8.5] Effects of distributed dynamic incremental scan rate (DDIS)
on aggressive one-sided patch with non-zero reaction time from k = 2 to 6 104
[Figure 8.6] Effect of prey high scan rate on total infected nodes (TI) 105
[Figure 8.7] VACCINE architecture for encounter-based networks
(a) off-line-seed (b) encounter-then-generate-seed 108
[Figure 8.8] Characteristics of ETGS architecture 109
[Figure 8.9] Super node architecture 110
[Figure 8.10] One-sided Interaction with π super nodes 111
[Figure 8.11] Aggressive one-sided interaction model with super nodes 112
[Figure 8.12] Effect of number of super node on aggressive one-sided interaction 113
[Figure 8.13] Batch arrival pattern and one-type worm infection for USC and Dartmouth 115
[Figure 8.14] Evolution of encounter graph over time 116
[Figure 8.15] Average (a) cluster coefficient (b) distance from reachable nodes
(one-month period) 117
[Figure 8.16] Histogram of total encounters in USC and Dartmouth Wireless LAN traces 118
[Figure 8.17] Histogram of unique encounters in USC and Dartmouth Wireless
LAN traces 119
[Figure 8.18] Histogram of visited locations in USC and Dartmouth Wireless LAN traces 120
[Figure 8.19] Subset of graph that shows the strong edges (>100 encounters) between
top-10-encountered nodes themselves and them with other nodes which are
connecting them together 120
[Figure 8.20] CCDF of nodes based on ranking systems 124
[Figure 8.21] Comparison of effect of increasing number of initial predators 126
[Figure 8.22] Immunization effect on timing strength and encounter strength in
USC trace 127
[Figure 8.23] Non-cooperative effect on timing strength and encounter strength in
USC trace 127
[Figure 9.1] Encounter characteristics between graduate students in one week period 131
[Figure 9.2] The block diagram of proof-of-concept worms. 136
[Figure 9.3] One worm type scenario (a) the line topology (b) human encounters 137
[Figure 9.4] One worm type propagation with (a) static line topology
(b) human encounter 138
[Figure 9.5] Scenarios for aggressive one-sided interaction: static topologies with
5 nodes (a) line (b) star (c) random topology with 5 nodes, and mobile networks
with 3 nodes (d) human encounters 139
[Figure 9.6] Aggressive One-sided Interaction where R1, R2 and R3 are the
sample run number 1, 2 and 3 respectively (total number of runs = 10) for
(a) straight line topology (b) star, and (c) random topology 139
[Figure 9.7] Devices for the experiments (a) iPAQ PDA and Smartphone
(b) radio-controlled trucks (super nodes), each carrying an iPAQ PDA on top 142
[Figure 9.8] One static node and one super node for one worm type propagation 143
[Figure 9.9] Four static nodes with one super node for one worm type propagation 144
[Figure 9.10] One static node with two super nodes for aggressive one-sided interaction 144
Abstract
“War of the worms” is a war between opposing computer worms, creating complex
worm interactions as well as a detrimental impact on infrastructure. For example, in
September 2003 the Welchia worm was launched to terminate the Blaster worm and patch
the vulnerable hosts. We propose a new Worm Interaction Model (based upon and extending
the epidemic model) focusing on random-scan network worm interactions and
encounter-based worm interactions.
Motivated by the “war of the worms”, we propose a worm interaction approach that relies
upon automated beneficial worm generation, aiming to alleviate the problems of worm
propagation in such networks. We also propose a new set of metrics to quantify the
effectiveness of one worm terminating another worm. To understand the dynamics of worm
interactions and their performance, we mathematically model worm interactions based on the
major worm interaction factors, including worm interaction types, network characteristics,
and node characteristics, using ordinary differential equations, and analyze their effects on our
proposed metrics. Our study provides the first work to characterize and investigate worm
interactions of random-scan worms in multi-hop networks.
For encounter-based worms, we validate our proposed model using extensive synthetic
and trace-driven simulations. We find that all of the above worm interaction factors
significantly affect the pattern of worm propagation. For example, immunization linearly
decreases the infection of susceptible nodes, while on-off behavior only impacts the duration
of infection. Using realistic mobile network measurements, we find that encounters are
“bursty”, multi-group and non-uniform. The trends from the trace-driven simulations are,
in general, consistent with the model. Immunization and timely deployment seem to be the
most effective counters to worm attacks in such scenarios, while cooperation may help in a
specific case. These findings provide insights that we hope will aid in developing counter-worm
protocols in future encounter-based networks.
Chapter 1: Introduction
Since the Morris worm incident in 1988, worms have been a major threat to Internet
users. As more vulnerabilities in operating systems are exposed to malicious attackers,
new types of worms as well as other malware are launched at an alarming rate. In addition,
more and more worms carry destructive payloads enabling them to perform distributed
denial-of-service (DDoS) attacks, steal usernames/passwords or hijack victims’ files. Internet
worms can be categorized as network worms and email worms. Network worms such as
Slammer, Witty, and Code Red aggressively scan for and infect vulnerable machines. Mass-mailing
worms such as Kamasutra, Love Bug, and NetSky rely on social engineering techniques
for their propagation.
Because of the serious nature of worm behavior as well as its impact on
networks, several worm propagation models have been previously proposed [20, 31, 36, 37,
39, 60]. Their main goal was to provide insight into the dynamics of network worm
propagation and to support effective worm detection and response mechanisms. However,
those worm propagation models have not considered the interaction among different worm
types and, as we shall show, are inadequate to model the “war of the worms”. The war of the
worms creates unprecedented dynamic and complex scenarios (Fig.1.1) as well as a
detrimental impact on infrastructure. In September 2003, the network worm Welchia
attempted to terminate another network worm, Blaster, by deleting Blaster’s process and
downloading the corresponding patch from the Microsoft website. Even with good intentions,
Welchia created a large amount of traffic, causing severe congestion on the Internet and at the
Microsoft website. We define the above scenario as a worm interaction in which a worm
terminates and patches another worm. More worm interactions are expected in the future
[36].
[Figure 1.1] Two-year infected hosts of famous interacting worms: Welchia.A and
Blaster.A [47]
In addition, many worms are shifting their attack targets to wireless mobile phones.
The characteristics of worms in mobile networks are different from those of random-scan network
worms, which randomly scan (probe) for susceptible hosts (on the Internet) whose IP addresses
fall within the worms’ targeted IP address ranges. Unlike random-scan network worms,
which are limited by network bandwidth or link delay, worms in mobile networks are limited
by encounter patterns (an encounter being a scenario where a device moves within radio range of
another device), which are in turn influenced by human mobility patterns. Many of those worms rely on Bluetooth to
broadcast their replicas to vulnerable phones, e.g. Cabir and ComWar.M [39, 47, 51].
Since Bluetooth radios have a very short range, e.g. 10-100 meters, the worms need neighbors
in close proximity to spread their replicas. Hence, we call these “encounter-based
worms”. This spreading pattern is very similar to the spread of packet replicas in encounter-based
networks [26, 49, 58], i.e., flooding copies of messages to all close neighbors. An
earlier study of encounter-based networks actually used the term “epidemic routing” [49] to
describe the similarity of this routing protocol to disease spreading.
Unlike the Internet, an encounter-based network is a frequently-disconnected wireless
ad-hoc network that requires immediate neighbors to store and forward aggregated data for
information dissemination. Using traditional approaches such as gateways or firewalls to contain
worm propagation in encounter-based networks is inappropriate. Because this type of
network is highly dynamic and has no specific boundary, we need a fully distributed security
response mechanism. We propose a worm interaction approach that relies upon automated
beneficial worm generation [8]. This approach uses an automatically generated beneficial
worm to terminate malicious worms and patch the vulnerable hosts to prevent re-infection by
malicious worms. We define this type of worm interaction as an aggressive one-sided
interaction [40-46]. Before we can use this approach to its full potential, we need to understand
worm interaction in this environment. To achieve this goal, we choose to model such
worm behavior mathematically.
Our goal in this dissertation is to provide a framework for understanding worm
interaction in the Internet and in encounter-based networks. We want to be able to model
worm interactions mathematically and identify the key components that affect worm
interaction the most. We want to define metrics that measure the effectiveness of worm
containment caused by worm interactions, and to be able to enhance that effectiveness
based on our understanding of worm interactions. In addition to worm interaction types and
node characteristics, this dissertation focuses on modeling the interactions of random-scan
network worms in different wired-network environments using different scanning
strategies, as well as encounter-based worms with different encounter characteristics. We
further investigate whether non-malicious worms generated by automatic reverse-engineering
techniques [8] or automatic patching [50] can be used to terminate malicious
worms effectively.
We find that, in wired networks, such effectiveness depends not only on the scan rates of the
worms but also on network topologies and scanning strategies.
In encounter-based networks, however, the effectiveness depends greatly on the selection of
initial nodes based on their encounter characteristics. There are many important node
characteristics to be considered, but we focus only on a fundamental subset including
cooperation, immunization, on-off behavior and delay. We shall show that these are key
node characteristics for worm propagation in encounter-based networks. Other
characteristics such as energy consumption and buffer capacity are modeled for anti-packet
schemes for epidemic routing in [58]. Trust and other social implications between users are
subject to further study.
The majority of routing studies in encounter-based networks assume ideal node
characteristics, including full node cooperation and always-on behavior. However, in realistic
scenarios, nodes do not always cooperate with others and may be off most of the time [25].
Many worm propagation studies also assume all nodes to be susceptible (i.e., not
immune) to worm infection. An immune node does not cooperate with infected nodes and is
not infected. To investigate more realistic scenarios, we propose to study the mobile node
characteristics and analyze the impact of cooperation, immunization and on-off behavior on
worm interactions. Cooperation and on-off behavior are expected to have an impact on the
timing of infection. Intuitively, cooperation makes the network more susceptible to worm
attacks. Immunization, however, may help reduce the overall infection level. This dissertation
examines the validity of these expectations, using the overall infection level and timing of
infection as metrics.
We consider several important network characteristics for encounter-based networks
such as network size, contact rate, group behavior and batch arrival. Using realistic mobile
network measurements, we find that encounters are “bursty”, multi-group and non-uniform.
We have explained the motivation for, and given an overview of, worm interactions in the Internet
and encounter-based networks. Next, we discuss fundamental concepts and characteristics of
worms.
[Figure 1.2] Worm Taxonomy
1.1. Worm taxonomy
A worm is self-replicating code that can transport its own copy to a new location via
networks. By definition, it usually does not require user activation unless it is a mass-mailing
worm. Unlike a virus, a worm is a complete program and does not need to infect a
specific file or program to be functional. Worms can be classified based on propagation
type (vector), type of payload, type of network and type of interaction.
According to propagation type, a worm can be mass-mailing, network (multi-hop) or
encounter (single-hop) based (Fig.1.2). A mass-mailing worm relies on the user’s action to open
the attachment, which is usually disguised as a picture or video file, to install the worm, which
is activated at a later time. Mass-mailing worms are the most prevalent worms in the wild
(active in the Internet) right now, but their speed of propagation is not as high as that of
network worms (days or months to infect most of the susceptible hosts). Network
worms, or multi-hop connected network worms, can propagate at a speed limited by network delay
(delay-limited) or bandwidth (bandwidth-limited), depending on the nature of their transport layer:
a worm that must complete a TCP handshake before delivering its exploit waits on the round-trip
time to each target, whereas a single-packet UDP worm is limited only by how fast it can push
packets onto the link. Code Red and Code Red II are delay-limited worms whose infections saturate most of the
susceptible hosts in hours [59, 60]. Bandwidth-limited worms such as Slammer [7] and Witty can
infect most of the susceptible hosts in a matter of minutes. The propagation speed
of a bandwidth-limited worm can be increased several fold if each worm copy avoids
scanning overlapping network address space; such a worm, called a “flash
worm”, can infect all susceptible hosts in just seconds [38]. In our study, we show the impact
of scanning strategy in Chapter 5.
Worms can also propagate through wireless connections such as multi-hop ad hoc
networks or encounter-based (single-hop) networks. The major determining factors of worm
propagation in those networks are mobility patterns. We assume that a worm that propagates
in multi-hop ad-hoc networks [1, 11, 12] still uses the random scanning strategy to find
possible susceptible hosts. In encounter-based networks, however, the worm
aggressively assumes that every encountered node is susceptible and tries to transfer a copy
of itself to each node it encounters [43-46]. More details of the basic assumptions for worms
that propagate in those networks are given in Chapter 5.
A worm’s payload can be destructive or non-destructive. A non-destructive worm is
sometimes defined as Bacteria [39]. Even with a non-destructive payload, the worm’s own
replication mechanism can cause serious side effects on the systems it infects. A destructive payload can
range from removing/modifying/hijacking user or system files, to embedding remote
control to perform DDoS attacks on websites, to attacking other types of worms
residing on the same host.
Worms can have different kinds of interaction among themselves. One worm can exploit
another worm’s weakness to gain possession of the other worm’s infected hosts, or even use the
other worm to help download its own code. This type of interaction is denoted a “friendly”
interaction. On the other hand, if one worm tries to terminate other worms, we call this
a “competitive” interaction, in which the owner of the worm infecting more hosts is the
winner. More details of worm interaction types are explained in Chapter 4.
Fundamental concepts of worms have been explained in this section. The contributions
of this dissertation are explained next.
1.2 Contributions of the Dissertation
The contributions of this dissertation are listed below:
• We build a new, accurate general Worm Interaction Model based on worm interaction
types, network characteristics and node characteristics for both random-scan network
worms and encounter-based worms. We validate our model through extensive
simulations (network simulation, uniform-encounter-based simulation, trace-driven
simulation). For random-scan network worm interaction, we propose the network-delay
factor, which is a function of packet size, link latency, queuing delay and
bandwidth. For encounter-based networks, we model the worm interaction based on
contact rate, group behavior and batch arrival. Our Worm Interaction Model can be
easily extended to cover more complex multiple-worm interactions.
• We propose a new set of metrics to measure the effectiveness of one worm terminating
another worm: total prey infected hosts, maximum prey infected hosts, total prey
lifespan, average individual prey lifespan, time to secure all, and time to remove all preys.
We show the relationships of such metrics to the worm interaction. Our model can
accurately approximate these metrics for random-scan network worm interaction
(with properly chosen network-delay factors) and for encounter-based worm interaction.
Our proposed metrics are applicable to the study of any worm-response mechanism. We also
provide the first study of worm propagation and interaction based on real mobile
measurements.
• We derive an important parameter, the Epidemiological Threshold, from the worms’ scan rate
ratio and initial infected host ratio to quantify the degree of outbreak and to provide a guideline for
effective worm containment.
• We propose the preliminary design and analysis of the VACCINE architecture for
random-scan network worms and encounter-based worms based on the understanding of
their characteristics. The novel concepts of super node and power node are presented as
part of the VACCINE architecture for encounter-based networks.
This dissertation provides a framework that is necessary for building an understanding of
worm interactions in different types of network environments, node characteristics and
worm interaction types. We aim to distinguish the intrinsic differences of worm propagation
and interaction in the Internet and in encounter-based networks. The findings in this
dissertation can provide insight that we hope will aid in developing counter-worm protocols
in future encounter-based networks; the necessary components of such a protocol, and an analysis of the
protocol and its supporting architecture, are discussed. Our proposed metrics can serve as
effectiveness indicators of any worm countermeasure. In addition, our Worm Interaction
Model can accommodate current and future types of worm interactions. This work is also
applicable to information propagation applications that have multiple types of messages
that may interact among themselves. Our study of worm interactions in encounter-based
networks considered both uniform and realistic encounter mobility patterns, and our
understanding of their differences can help model realistic mobility or routing in any
mobile ad hoc network.
1.3 Organization of the Dissertation
The dissertation is organized as follows: we discuss related work in Chapter 2. In
Chapter 3, we explain the basic definitions, including the proposed metrics required for
understanding the Worm Interaction Model. In Chapter 4, we extend the basic
epidemic model to build the Worm Interaction Model based on worm interaction types. In
Chapter 5, we explain the network characteristics of random-scan network worms and
of encounter-based worms, and how network characteristics are applied to the Worm
Interaction Model. We discuss node characteristics and the Worm Interaction Model based on
node characteristics in Chapter 6. In Chapter 7, we build the general Worm Interaction
Model to address worm interaction types, network characteristics and node characteristics.
We design and evaluate the preliminary VACCINE architecture and protocols in Chapter 8.
In Chapter 9, we explain our experiments and implementation of proof-of-concept worm
interaction on mobile devices. We conclude our work and discuss future work in Chapter 10.
Chapter 2: Related Work
2.1 Overview
Worm interaction is a phenomenon in which two or more worms terminate and/or
patch each other. Related studies of worm interactions include:
• The basic Susceptible-Infected-Recovered (SIR) model [28] and its variations for
contagious disease modeling
• Worm propagation models extended from the basic SIR model
• Worm interaction incidents in the Internet
• Worm defense mechanisms
• Worm propagation in wireless networks
• Epidemic routing in encounter-based networks
• Simulations of worm propagation based on traces
Let us start with the SIR model and its variations.
2.2 SIR model and its variation for contagious disease modeling
Epidemic models, sets of ordinary differential equations (ODEs), have been used to describe
the spread of contagious disease; they include the SI, SIS, SIR, SIRS, SEIR, MSIR, SEIRS and carrier
models [18, 28, 48], in which S, I, E, R and M stand for the Susceptible, Infectious, Exposed,
Recovered and Maternally-derived Immune states, respectively. A carrier model means that some
of the infected patients may never fully recover (as in tuberculosis) and continue to carry the
infection. In maternally-derived immunity, newborn babies have temporary immunity
for several months due to maternal antibodies.
There is an analogy between computer worm infection and disease spread in that both
depend on node state and encounter pattern (as when one node is physically close to another
node).
The SIR model is used as a simple model to predict epidemics of measles, mumps, and
rubella (MMR). This model explains the infection dynamics of populations that are born
susceptible and, on becoming infected, are infectious immediately. In the Susceptible-Exposed-Infectious-Recovered
(SEIR) model, after a susceptible subject becomes infected
(exposed), the infected subject (patient) only becomes infectious after an incubation period.
In the SIR model, vulnerable hosts fall into one of the following states in sequence:
susceptible, infected and recovered. Susceptible hosts have never had the disease and can
catch it. Infected hosts have the disease and are contagious (infectious). Recovered hosts
have already had the disease and are immune or cured, and cannot catch the disease again.
The definitions of the basic SIR model follow.
Let $N$ be the size of the vulnerable population, $I$ be the number of infected hosts at time $t$,
$R$ be the number of recovered hosts at time $t$, $\beta$ be the contact rate, i.e. the rate of pair-wise contact between
hosts, $\gamma$ be the removal or recovery rate, and $S = N - I - R$ be the number of
susceptible hosts at time $t$. $\beta$ and $\gamma$ are assumed constant.
[Figure 2.1] The basic SIR Epidemic Model (transitions $S \to I$ at rate $\beta S I$ and $I \to R$ at rate $\gamma I$)
The fundamental nonlinear ordinary differential equations of the SIR model are:
$$\frac{dS}{dt} = -\beta S I, \quad \text{(Eq.2-1)}$$
$$\frac{dI}{dt} = \beta S I - \gamma I, \quad \text{(Eq.2-2)}$$
$$\frac{dR}{dt} = \gamma I. \quad \text{(Eq.2-3)}$$
The transitions between states are shown in Fig.2.1. An arrow represents a transition from one
state to another. This model does not consider the birth/death of the population or the
spatial distribution of susceptible hosts.
From (Eq.2-2), the epidemic is sustainable only if $\frac{dI}{dt} > 0$, which requires $\frac{\beta S}{\gamma} > 1$; this
important ratio is called the Epidemiological Threshold,
$$E_0 \equiv \frac{\beta S}{\gamma}. \quad \text{(Eq.2-4)}$$
We use the basic SIR model as the foundation of our proposed Worm Interaction
Model, which we discuss in Chapter 4.
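The SIR equations and the threshold in (Eq.2-4) can be checked numerically. The following Python block is an added example, not code from the dissertation: it integrates (Eq.2-1) to (Eq.2-3) with a fixed-step RK4 scheme and evaluates $E_0$ at the initial state. The population size, contact rate and removal rate are assumed values chosen for illustration; the same contact rate is run with two removal rates, one giving $E_0 > 1$ (the infected count rises before falling) and one giving $E_0 < 1$ (the infection dies out from the first step).

```python
"""Basic SIR model (Eq.2-1 to Eq.2-3) integrated with classical RK4, plus the
epidemiological threshold E_0 = beta*S/gamma of (Eq.2-4).

Added example, not code from the dissertation. All parameter values in the
demo at the bottom are assumed for illustration.
"""
from typing import List, Tuple

State = Tuple[float, float, float]          # (S, I, R)
Sample = Tuple[float, float, float, float]  # (t, S, I, R)


def sir_derivatives(state: State, beta: float, gamma: float) -> State:
    """Right-hand side of the SIR system:
    dS/dt = -beta*S*I,  dI/dt = beta*S*I - gamma*I,  dR/dt = gamma*I."""
    s, i, _ = state
    return (-beta * s * i, beta * s * i - gamma * i, gamma * i)


def epidemiological_threshold(beta: float, s: float, gamma: float) -> float:
    """E_0 = beta*S/gamma (Eq.2-4): dI/dt > 0 exactly when E_0 > 1."""
    return beta * s / gamma


def simulate_sir(n: int, i0: int, beta: float, gamma: float,
                 t_end: float, dt: float = 0.01) -> List[Sample]:
    """Integrate SIR from S(0)=N-i0, I(0)=i0, R(0)=0 with fixed-step RK4.
    Returns the trajectory as (t, S, I, R) samples, one per step."""
    state: State = (float(n - i0), float(i0), 0.0)
    t = 0.0
    traj: List[Sample] = [(t, *state)]
    for _ in range(int(round(t_end / dt))):
        k1 = sir_derivatives(state, beta, gamma)
        k2 = sir_derivatives(tuple(x + dt / 2 * k for x, k in zip(state, k1)), beta, gamma)
        k3 = sir_derivatives(tuple(x + dt / 2 * k for x, k in zip(state, k2)), beta, gamma)
        k4 = sir_derivatives(tuple(x + dt * k for x, k in zip(state, k3)), beta, gamma)
        state = tuple(x + dt / 6 * (a + 2 * b + 2 * c + d)
                      for x, a, b, c, d in zip(state, k1, k2, k3, k4))
        t += dt
        traj.append((t, *state))
    return traj


def peak_infected(traj: List[Sample]) -> float:
    """Maximum number of simultaneously infected hosts along the trajectory."""
    return max(sample[2] for sample in traj)


def final_state(traj: List[Sample]) -> State:
    """(S, I, R) at the end of the run."""
    return traj[-1][1:]


if __name__ == "__main__":
    # Assumed values: 1000 vulnerable hosts, 10 initially infected,
    # pair-wise contact rate 0.001 per unit time.
    N, I0, BETA = 1000, 10, 0.001
    for gamma in (0.5, 2.0):
        e0 = epidemiological_threshold(BETA, N - I0, gamma)
        traj = simulate_sir(N, I0, BETA, gamma, t_end=60.0)
        s, i, r = final_state(traj)
        print(f"gamma={gamma}: E_0={e0:.2f} peak I={peak_infected(traj):.1f} "
              f"final R={r:.1f} (outbreak {'grows' if e0 > 1 else 'dies out'})")
```

Because the three right-hand sides sum to zero, $S + I + R$ stays equal to $N$ throughout the run, which is a cheap sanity check on any integrator used with these equations. Note that $E_0$ is evaluated with the current $S$, so it falls as hosts leave the susceptible pool; the epidemic turns over at the moment $\beta S$ drops below $\gamma$.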
2.3. Worm propagation models extended from the basic SIR model and its variants
Because of the similarity to disease epidemics, a number of network worm propagation
models have been built on the SI, SIS, and SIR models as well as variations such as SIDR
(where D stands for Detected). In addition to assuming a constant contact rate (discussed in detail in
Chapter 3), most of the models simply ignore differences in processor speed, network
bandwidth and the location of infected nodes [35].
2.3.1 Susceptible-Infected (SI) model
This model is used to describe either the initial phase of worm propagation or the worst-case
scenario in which no worm countermeasure is available. Example studies that use this
model include [38], [52], [53] and [60].
In [38], the authors analyze the propagation of the Code Red I worm. They start by defining a
global constant $\beta$ as the initial compromise rate (the number of vulnerable hosts that can be
found and compromised per hour), estimated from the trace collected during the incident at
Chemical Abstracts Service during the initial outbreak of Code Red I on July 19, 2001:
$$\frac{di}{dt} = \beta (N-1)(1-i)\, i, \qquad \text{(Eq.2-5)}$$
where $i = I/N$ and $i(0) > 0$ is the fraction of infected nodes at time $t = 0$. The solution
for $i$ at any given time $t$ (the logistic equation) is
$$i(t) = \frac{i(0)\, e^{\beta (N-1) t}}{1 - i(0) + i(0)\, e^{\beta (N-1) t}}. \qquad \text{(Eq.2-5)}$$
Rather than fitting the number of infected nodes (which is harder to obtain) to their model
prediction, the authors fit the number of scans per hour. The observed maximum scan rate is
510,000 scans/hour and the estimated $\beta(N-1)$ is 1.8. Because Code Red I uses TCP scanning
(as opposed to UDP scanning), the source IP addresses recorded from its scan attempts are
likely to be valid, since a TCP connection cannot be completed from a spoofed source.
In [35], the authors propose using the average node degree $D$ to create a general case in
which a node is not treated as a vertex of a complete graph that can reach every other node in
the network. We believe such a case can occur if firewalls or a worm's scanning strategy
(which we also address in Chapter 5) confine infected nodes to scanning only a limited IP
address range of size $D$. The general case with node degree $D$ is:
$$\frac{di}{dt} = \beta D (1-i)\, i. \qquad \text{(Eq.2-6)}$$
Hence the solution of (Eq.2-6) is
$$i(t) = \frac{i(0)\, e^{\beta D t}}{1 - i(0) + i(0)\, e^{\beta D t}}. \qquad \text{(Eq.2-7)}$$
Note that in an Erdős-Rényi random graph with edge density $e$, $D = e(N-1)$.
2.3.2 Susceptible-Infected-Susceptible (SIS) model
This model describes an infection process in which an infected node can recover and become
susceptible again. This happens, for example, when a worm resides only in memory and the
infected host becomes susceptible again after a reboot without patching [35, 54]. Let $\alpha$ be
the re-susceptible rate; hence
$$\frac{di}{dt} = \beta D (1-i)\, i - \alpha i. \qquad \text{(Eq.2-8)}$$
Then the necessary condition for the epidemic to be sustainable is
$$s > \frac{\alpha}{\beta D} = E_0, \qquad \text{(Eq.2-9)}$$
where $s = 1 - i$ is the susceptible fraction and we define $E_0$ as the epidemiological
threshold, which we also use in our model in Chapter 4. Note that here the threshold is a
lower bound on the susceptible fraction, i.e. the reciprocal form of the ratio in (Eq.2-4).
The solution for this model is
$$i(t) = \frac{(1 - E_0)\, i(0)}{i(0) + \big(1 - E_0 - i(0)\big)\, e^{-(\beta D - \alpha) t}}. \qquad \text{(Eq.2-10)}$$
The effect of an incubation time $\varepsilon$ [53] between a node becoming infected and becoming
infectious can be added as follows:
$$\frac{di}{dt} = \beta D (1-i)\, i(t-\varepsilon) - \alpha i, \qquad \text{(Eq.2-11)}$$
where $i(t-\varepsilon)$ is the fraction of nodes that were infected at time $t-\varepsilon$ and only become
infectious at time $t$, with $i(t-\varepsilon) = 0$ for $t < \varepsilon$ (this can also be called the SEIS model).
For scale-free networks with $\alpha = 1$, the authors of [36] argue that, because a scale-free
degree distribution is not concentrated around its mean, it is better to model each group of
nodes separately by its degree $k$; the model becomes
$$\frac{di_k}{dt} = \beta k (1 - i_k) \left( \frac{1}{D} \sum_{k'=D_{\min}}^{D_{\max}} k' P(k')\, i_{k'} \right) - i_k, \qquad \text{(Eq.2-12)}$$
where $kP(k)/D$ is the probability that an edge is incident on a node with degree $k$ and
$\frac{1}{D}\sum_{k'=D_{\min}}^{D_{\max}} k' P(k')\, i_{k'}$ is the probability that a susceptible node with degree $k$ is
adjacent to an infected node.
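As an added worked example (not part of the thesis), the Python script below integrates (Eq.2-12) for every degree class on a synthetic scale-free degree distribution and compares the outcome above and below the epidemic threshold. Linearizing (Eq.2-12) around $i_k = 0$ shows that a small seed grows only if $\beta \langle k^2 \rangle / \langle k \rangle > 1$, so the critical contact rate is $\beta_c = \langle k \rangle / \langle k^2 \rangle$; the truncated power law $P(k) \propto k^{-2.5}$ on $[2, 100]$, the initial fraction and the rates are constructed assumptions, and the integrator is plain forward Euler.

```python
"""Degree-class SIS model of (Eq.2-12) with alpha = 1 on a synthetic scale-free
degree distribution. Added example; the truncated power law P(k) ~ k^-2.5 on
[2, 100] and all rates are constructed for illustration."""


def power_law_degrees(k_min, k_max, exponent):
    """P(k) proportional to k^-exponent on the integer range [k_min, k_max]."""
    weights = {k: k ** (-exponent) for k in range(k_min, k_max + 1)}
    total = sum(weights.values())
    return {k: w / total for k, w in weights.items()}


def mean_degree(P):
    """D = <k>, the average degree that normalises the edge probability kP(k)/D."""
    return sum(k * p for k, p in P.items())


def epidemic_threshold(P):
    """Linearising (Eq.2-12) around i_k = 0 gives growth iff beta * <k^2>/<k> > 1,
    so the critical contact rate is beta_c = <k> / <k^2>."""
    k2 = sum(k * k * p for k, p in P.items())
    return mean_degree(P) / k2


def edge_infection_prob(P, i, D):
    """(1/D) * sum_k k P(k) i_k: probability that a randomly chosen edge leads to
    an infected node (the bracketed factor of Eq.2-12)."""
    return sum(k * P[k] * i[k] for k in P) / D


def simulate_degree_sis(P, beta, i0, t_end, dt=0.01):
    """Forward-Euler integration of di_k/dt = beta k (1 - i_k) Theta - i_k for every
    degree class k, starting from i_k = i0.  Returns the overall prevalence
    sum_k P(k) i_k at time t_end."""
    D = mean_degree(P)
    i = {k: i0 for k in P}
    for _ in range(int(round(t_end / dt))):
        theta = edge_infection_prob(P, i, D)
        i = {k: ik + dt * (beta * k * (1 - ik) * theta - ik) for k, ik in i.items()}
    return sum(P[k] * i[k] for k in P)


if __name__ == "__main__":
    P = power_law_degrees(2, 100, 2.5)
    beta_c = epidemic_threshold(P)
    print(f"<k> = {mean_degree(P):.3f}, beta_c = {beta_c:.4f}")
    for beta in (beta_c / 2, 2.5 * beta_c):
        print(f"beta = {beta:.4f}: prevalence at t=40 is "
              f"{simulate_degree_sis(P, beta, 0.01, 40.0):.4g}")
```

Below $\beta_c$ the prevalence decays to zero for every degree class; above it the system settles at an endemic level in which high-degree nodes are infected far more often than low-degree ones, which is the reason [36] models each degree class separately.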
2.3.3 Susceptible-Infected-Recovered (SIR) and its variations
This model extends the SI model with the scenario in which infected nodes are permanently
removed (patched, or permanently damaged after infection) and cannot become susceptible
again:
$$\frac{di}{dt} = \beta D (1-i)\, i - \gamma i, \qquad \text{(Eq.2-13)}$$
$$\frac{dr}{dt} = \gamma i. \qquad \text{(Eq.2-14)}$$
This model has been extended in [59] to support a dynamic $\beta$ that is affected by network
traffic. In addition, the authors add the removal of susceptible nodes (which we also address
in this dissertation). Their model is
$$\frac{di}{dt} = \beta D (1 - r - i)\, i - \frac{dr}{dt}, \qquad \text{(Eq.2-15)}$$
$$\frac{dr}{dt} = \gamma i, \qquad \text{(Eq.2-16)}$$
$$\frac{dr_s}{dt} = \gamma_s (1 - i - r - r_s)(i + r), \qquad \text{(Eq.2-17)}$$
$$\beta(t) = \beta(0)\,(1 - i)^{\eta}, \qquad \text{(Eq.2-18)}$$
where $\eta$ is a congestion factor caused by the network, $r$ is the fraction of once-infected
nodes removed from the network, $r_s$ is the fraction of susceptible nodes that have been
vaccinated, $\gamma$ is the removal rate of once-infected nodes, and $\gamma_s$ is the vaccination rate
of susceptible nodes. Interestingly, as (Eq.2-17) shows, their model assumes that the more
infected nodes there are, the faster vaccination proceeds. In our work, we approximate the
network delay factor from the topology and the scanning strategy only.
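As an added worked example (not code from the thesis), the following Python script integrates the SI, SIS, SIR and two-factor models of this section with a fixed-step Runge-Kutta integrator and checks the numerical solutions against the closed forms (Eq.2-7) and (Eq.2-10) and the threshold (Eq.2-9). The parameter values ($\beta D = 5$, $\alpha$, $\gamma$, $\gamma_s$, $\eta$, $i(0) = 0.01$) are constructed for illustration. The two-factor function assumes that vaccinated nodes $r_s$ leave the susceptible pool, as the text's description of [59] implies; that assumption is not spelled out in the thesis.

```python
"""Numerical check of the SI, SIS, SIR and two-factor epidemic ODEs of Section 2.3.
State variables are fractions: i = I/N infected, r = R/N removed, r_s vaccinated.
Added example with constructed parameter values (beta*D = 5 and so on)."""
import math


def integrate(f, y0, t_end, dt=0.001):
    """Fixed-step fourth-order Runge-Kutta. f(t, y) returns dy/dt as a list.
    Returns the state at t_end."""
    y = list(y0)
    t = 0.0
    for _ in range(int(round(t_end / dt))):
        k1 = f(t, y)
        k2 = f(t + dt / 2, [a + dt / 2 * b for a, b in zip(y, k1)])
        k3 = f(t + dt / 2, [a + dt / 2 * b for a, b in zip(y, k2)])
        k4 = f(t + dt, [a + dt * b for a, b in zip(y, k3)])
        y = [a + dt / 6 * (b + 2 * c + 2 * d + e)
             for a, b, c, d, e in zip(y, k1, k2, k3, k4)]
        t += dt
    return y


def si_closed_form(i0, beta, D, t):
    """Eq.2-7: logistic solution of di/dt = beta D (1 - i) i."""
    g = math.exp(beta * D * t)
    return i0 * g / (1 - i0 + i0 * g)


def sis_closed_form(i0, beta, D, alpha, t):
    """Eq.2-10 with E0 = alpha / (beta D); the endemic level is 1 - E0 when E0 < 1."""
    E0 = alpha / (beta * D)
    return (1 - E0) * i0 / (i0 + (1 - E0 - i0) * math.exp(-(beta * D - alpha) * t))


def sis_sustainable(beta, D, alpha):
    """Eq.2-9 evaluated at s = 1: a small seed can grow only if beta D > alpha."""
    return beta * D > alpha


def simulate_si(i0, beta, D, t_end):
    """Eq.2-6 integrated numerically; returns i(t_end)."""
    return integrate(lambda t, y: [beta * D * (1 - y[0]) * y[0]], [i0], t_end)[0]


def simulate_sis(i0, beta, D, alpha, t_end):
    """Eq.2-8 integrated numerically; returns i(t_end)."""
    return integrate(lambda t, y: [beta * D * (1 - y[0]) * y[0] - alpha * y[0]],
                     [i0], t_end)[0]


def simulate_sir(i0, beta, D, gamma, t_end):
    """Eq.2-13/2-14 with susceptible fraction s = 1 - i - r; returns (i, r)."""
    def f(t, y):
        i, r = y
        return [beta * D * (1 - i - r) * i - gamma * i, gamma * i]
    return tuple(integrate(f, [i0, 0.0], t_end))


def simulate_two_factor(i0, beta0, D, gamma, gamma_s, eta, t_end):
    """Eq.2-15 to Eq.2-18 of [59]: beta(t) = beta(0) (1 - i)^eta, removal of
    infected nodes at rate gamma and vaccination of susceptibles at rate
    gamma_s (i + r).  Assumption (not stated in the thesis text): vaccinated nodes
    r_s leave the susceptible pool, so s = 1 - i - r - r_s.  Returns (i, r, r_s)."""
    def f(t, y):
        i, r, r_s = y
        s = 1 - i - r - r_s
        beta = beta0 * (1 - i) ** eta
        dr = gamma * i
        dr_s = gamma_s * s * (i + r)
        di = beta * D * s * i - dr
        return [di, dr, dr_s]
    return tuple(integrate(f, [i0, 0.0, 0.0], t_end))


if __name__ == "__main__":
    beta, D, i0 = 0.5, 10, 0.01            # beta*D = 5 contacts per unit time
    print("SI  t=2 :", simulate_si(i0, beta, D, 2.0), si_closed_form(i0, beta, D, 2.0))
    print("SIS t=20:", simulate_sis(i0, beta, D, 2.0, 20.0), "endemic level", 1 - 2.0 / 5)
    print("SIR t=30:", simulate_sir(i0, beta, D, 1.0, 30.0))
    print("two-factor, eta=4, gamma_s=0.5:",
          simulate_two_factor(i0, beta, D, 1.0, 0.5, 4, 30.0))
```

With $\gamma_s = 0$ and $\eta = 0$ the two-factor model collapses to (Eq.2-13)/(Eq.2-14), which makes a useful regression check; raising $\eta$ (congestion) or $\gamma_s$ (vaccination) lowers the final fraction of once-infected nodes.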
2.4 Worm interactions and war of the worms
In July 2001, a German programmer released the Code Green worm [6], which patched
vulnerable systems and removed the backdoors left by Code Red II. Code Green randomly scans
the Internet for NT servers infected with the Code Red variant; after infecting a machine, it
downloads the patch from the Microsoft website. At the same time, CRClean, another
anti-worm, spread reactively: it propagated only to systems that attacked machines running
CRClean.
In August 2003, the Welchia worm attempted to terminate the Blaster worm by killing
Blaster's process and downloading the patch from the Microsoft website. Despite its good
intention, Welchia generated a large amount of traffic, causing severe congestion on the
Internet and at the Microsoft website [39].
A similar scenario occurred in 2001 between the Linux-based Li0n and Cheese worms, where
Cheese patched the compromise left by Li0n [20]. Cheese scans for machines with a root shell
listening on TCP port 10008, as set up by a variant of the Li0n worm (which exploits a BIND
vulnerability). If the shell exists, Cheese infects the machine through it and rewrites
inetd.conf. It keeps scanning class B networks until its process is terminated. It was the
first worm to exploit an existing compromise rather than the underlying vulnerability. We
define this as a conservative one-sided worm interaction and model this scenario in Chapter 3.
In 2004, the majority of worm outbreaks were caused by the “War of the Worms” between the
mass-mailing worms NetSky, Bagle and MyDoom. The Bagle worms caused 15 outbreaks,
NetSky 7 and MyDoom 3 [47]. This war produced the highest number of outbreaks in a single
quarter, 12. Between February and April 2004, the authors of the Bagle worms released nine
separate variants (Worm/Bagle.C-K). Over the same period, the author(s) of the NetSky worms
released three versions of their own (Worm/NetSky.D-F). NetSky's goal was to disable the
Bagle and MyDoom worms. The author(s) of MyDoom responded by releasing MyDoom.G,
which is immune to NetSky.
We define the above scenario as a worm interaction in which one worm terminates and
patches another. More worm interactions are expected in the future [39]. We discuss the
security mechanisms for fighting worms next.
2.5 Security mechanism taxonomy
A “security mechanism is a tool, method, or procedure to enforce security policy”, where a
security policy is a statement of what is “allowed” and “not allowed” [4]. We focus only on
security mechanisms against worm attacks, which can be classified as detection, protection
and response.
• Detection: Detection is a security mechanism that detects attempts to break into a system
or the presence of an ongoing attack. Detection is the first step towards a proper response
(described later); accuracy and promptness are the keys to this mechanism. Worm detection
is usually performed by anti-virus software in the host-based approach, or by intrusion
detection systems in the network-based approach. Both host-based and network-based worm
detection can be built to catch known and unknown worms. To catch unknown worms
(anomaly detection), the mechanism needs to learn the behavior of the systems and the
users' usage patterns. Unknown attacks can cause more damage because they are more
difficult to detect, especially “zero-day” attacks in which the vulnerability is unknown or has
never been disclosed to the public. The inaccuracy of this approach is higher than that of
detecting known attacks: a high false positive rate (benign actions identified as attacks) and
possibly a high false negative rate (ongoing attacks not detected). Some types of attacks,
such as DoS (Denial-of-Service) and DDoS attacks, are not designed to be hidden; it is
usually trivial to detect them but difficult to trace them back to their origin. DDoS attacks
are usually generated by worm-infected hosts. To detect known worms, network intrusion
detection systems such as Snort and host-based anti-virus software rely on known
characteristics of worms, i.e., signatures, which are periodically updated from centralized
servers. Although the accuracy of this approach is usually much higher than that of anomaly
detection, the delay before signatures become available is usually significant. Most worm
detection systems fall within this category.
• Protection: Protection is a security mechanism that prevents systems from being attacked.
It can be classified as host-level or network-level protection. For network-level protection,
the mechanism must only allow packets destined for appropriate services. An example of
network-level protection is a firewall, which controls the flow of incoming and outgoing
packets towards specific domains. It can be positioned to protect an individual system or a
whole network, and is commonly regarded as the first line of defense and a necessary
mechanism at all levels of a system. However, it is certainly not an absolute defense: worms
can ride on well-known ports, such as incoming web traffic or email services, to evade
firewall filtering. For the host level, the common mechanism is the operating system's
authorization, which prevents unauthorized attempts to modify or execute particular files
such as kernel-level files. However, by exploiting a vulnerability in the system, worms can
bypass such a mechanism. The best practice is to keep operating systems and applications
up to date with patches. Patches are usually accumulated before being released to users as a
batch; hence, sometimes patches cannot be applied in a timely fashion. Automated and
customized patch distribution can be used to solve this problem. Our approach in this
dissertation focuses on patch distribution via the propagation of benign worms.
• Response: After an attack is detected, users or system administrators respond to it by
trying to remove or contain it, and to recover from it. Responses can be manual or automatic;
most responses today are still executed manually. Our work focuses on the analysis of an
automated response mechanism that deploys a benign worm to counter a detected malicious
worm.
An Internet-scale mechanism, the Cyber-Center for Disease Control (CDC) [38], has been
proposed to counter rapid worm propagation that is beyond human capability to respond to.
It is envisioned to perform the following tasks: identifying outbreaks (detection), rapidly
analyzing pathogens, fighting infections (response), anticipating new vectors, proactively
devising detectors for new vectors and resisting future threats (protection). The CDC
response mechanism propagates worm signatures, including their traffic patterns, using
“agents” across the entire backbone of the infrastructure to detect, terminate and isolate
infected hosts. Their mechanism requires coordination, authentication, and resilience in the
presence of targeted attacks. The authors also raise the question of how to manage such
“agents” and how to ensure their integrity and security. Our work focuses on fighting
infections at the scale of an intranet, based on automated worm/outbreak detection and
using worm interaction to suppress ongoing attacks.
The Digital Immune System [27] is another advanced approach to countering ongoing worm
attacks. Its goal is a rapid response as soon as a new worm enters the protected systems. It
relies heavily on the ability of an automated worm analysis machine to discover new worm
strains. In Chapter 8, we propose and discuss the VACCINE architecture, which can serve as
one mechanism within a CDC infrastructure or a Digital Immune System.
In [8], the authors suggest modifying existing worms such as Code Red, Slammer and
Blaster to terminate the original worms. In our work, we model this as an aggressive
one-sided worm interaction. Other active defenses, such as automatic patching, are
investigated in [50]; that work assumes a patch server and an overlay network architecture
for Internet defense. We provide a mathematical model that explains the behavior of
automatically generated beneficial worms and automatic patch distribution using one-sided
worm interaction in encounter-based networks. The effect of immunization on Internet worms
was modeled in [28] based on the SIR model.
Active defense using beneficial worms was also modeled mathematically in [34]; however,
that study focuses only on delay-limited worms with a single type of interaction (which can
be derived from our model) and does not consider network-related factors.
2.6 Worm propagation in wireless ad-hoc networks
In June 2004, Cabir [47], the first wireless worm running on Symbian mobile phones (see
www.symbian.com), was discovered. Cabir can only reach Bluetooth phones in discoverable
mode. It was created as a “proof of concept” and poses no real threat, but it can drain the
phone battery quickly because of its aggressive scanning for other vulnerable Bluetooth
devices. It still needs the user to accept the “worm” before the phone can be infected, and it
can only infect one device per activation (after the phone is powered off and on again). The
Lasco worm [51] (discovered in January 2005) is a variant of Cabir; in addition to Cabir's
normal vector, it also infects every .sis file on the infected device, but those files are not
automatically sent to other devices.
Unlike Cabir, Skulls, another malicious Symbian program, once downloaded and installed on
the phone, disables all of the phone's built-in programs such as the calendar, clock and
notepad and replaces their icons with images of skulls. Skulls was discovered in November
2004.
In March 2005, Commwarrior [47], another worm replicating on Symbian phones, was
discovered. It spreads via the Multimedia Messaging Service (MMS) and Bluetooth as a
randomly named .sis file. Hence, unlike Cabir, it can infect phones by sending an MMS
message with the .sis file as an attachment to phone numbers taken from the device's
phonebook. It resets the device during the first hour of the 14th of any month. Other
Symbian-based worms include Locknut, Dampig and Qdial [51].
In addition to the above Symbian-based worms, Duts and Brador [31, 51], discovered in
2004, are Windows CE-based viruses targeting PDAs. Duts is the first virus for devices
running Windows CE .NET, including Pocket PC 2000, 2002 and 2003. It infects executable
files larger than 4 KB (the virus itself is 1.5 KB). Unlike Duts, Brador is a full-scale malicious
program: once installed from an email attachment or from the Internet, it installs itself as a
5 KB program on the device and then opens TCP port 2989 to wait for further instructions.
Many studies have attempted to foresee how worms may propagate in mobile ad-hoc
networks (MANETs). The study in [11] models worm propagation in MANETs based on the
SI model, similar to a random-scan network worm in which each node is identified by an IP
address. Furthermore, the study incorporates network congestion, first introduced in [59],
into the model. The propagation model is validated with ns-2 simulations using the AODV
routing protocol and random-waypoint mobility. The results show that even with a reaction
time to counter the attack as low as 12 s, the probability of infection is still as high as 0.3.
Later, [12] also shows the effects of mitigation on worm propagation under varying mobility
(speed), congestion and network delay. In [1], MANET TCP worms are modeled and
simulated based on the SI model, and the relationship of worm propagation to various
payload sizes and transmission rates is studied. The main differences between worms in
MANETs and in the Internet are that a MANET is smaller and can easily become congested;
the packet loss caused by congestion, channel conditions and mobility slightly delays
propagation. In addition to AODV, we also study worm propagation and interaction under
DSDV and DSR. Our results show that worms propagate fastest under DSR (see Appendix C).
Trace-based worm propagation simulations using Dartmouth syslog traces of more than
6,000 users are presented in [2]. The authors focus on realistic worm propagation and
containment effectiveness in Wi-Fi environments. They propose several access-point-based
defense schemes applied when users join the network: Unpatched User Shunning (vulnerable
users are warned before being globally blocked from the network), Infected/Unpatched User
Shunning (infected users, in addition to vulnerable ones, are warned before being globally
blocked), Active Disinfect/Patch (infected users are disinfected and vulnerable nodes are
patched), and Proactive Patching (patching scheduled for users in advance). Only Active
Disinfect/Patch combined with Proactive Patching is effective. By deploying active
disinfection and patching via a beneficial worm, our schemes are expected to be more
effective than these location-based access schemes.
Large-scale simulations based on EpiSim were carried out to study disease spread [17]. The
authors estimate mobility patterns from census and land-use data. They find that the contact
graph between people is a strongly connected small-world-like graph, while the graph
between locations shows hierarchical scale-free properties, suggesting that outbreak detection
could be deployed effectively at the hubs of the location network. They conclude that early
mass vaccination is the key to suppressing an outbreak; removing or containing only
high-degree people is not sufficient because of the strong connectivity of the contact graph.
These findings are consistent with our study at a much smaller scale, i.e., 5,000 nodes and
130 buildings in our case versus more than 1,500,000 nodes and 1,800 locations in theirs
(Portland, Oregon). Hence small targeted vaccination is not efficient in either case.
In [37], the authors investigate the possibility of a city-scale Bluetooth worm infection (in
the city of Toronto). From their experiments, they find that the population of Bluetooth
devices is rather homogeneous (by manufacturer) and that many devices are discoverable,
giving a high probability of major outbreaks. In addition, small files (< 256 KB) can easily be
transferred at walking speed (1-2 m/s). Our experiments also indicate that even a large file
(1 MB) is transferred successfully in most cases (close to 100%) at walking speed (see
Chapter 9). They also simulate worm propagation using the Reality Mining project trace [16],
in which 100 students carried Bluetooth-enabled cell phones that discovered all nearby
Bluetooth devices over 18 months during 2004-2005. Their experiments show that the number
of initially infected nodes is not as important as the time at which the worm is launched: for
example, a worm released on a weekday during the daytime spreads more rapidly than one
launched on a weekend or at night. Our findings are consistent with their conclusion: the
weekly dynamics of the clustering coefficient and of the distance between nodes (see Chapter
8) show that worms are likely to spread faster only on specific days of the week. In addition,
the speed of worm propagation is significantly influenced by the batch arrival pattern.
In addition to the effect of mobility speed on worm propagation in realistic traces, the study
in [57] focuses on the effect of synthetic mobility models (random walk, random waypoint,
random direction and random landmarks) on Bluetooth worm propagation, using ns-2
simulations with a Bluetooth extension. A worm propagates four times faster under
random-landmark mobility than under random-walk mobility. Similar to IMPORTANT [3],
the authors conclude that this effect is caused by the node spatial distribution, the link
duration distribution and the burstiness of successive link durations during each encounter,
and they incorporate these into their worm propagation model. Our work focuses on the
uniform encounter pattern that results from a specific synthetic mobility pattern. For realistic
encounter patterns, we also show the burstiness of new node arrivals into the network and its
effect on worm interactions.
2.7 Epidemic routing and analysis in delay-tolerant networks
Worm-like message propagation, or epidemic routing, has been studied for delay-tolerant
network applications [26, 49, 58]. As in worm propagation, a sender in this routing protocol
spreads messages to all nodes in close proximity, and those nodes repeatedly spread copies of
the messages until they reach the destination, similar to flooding. This “store-carry-forward”
approach minimizes the time to deliver packets from a source to a destination in dynamic,
sparse networks with no complete end-to-end path [56], at the expense of increased buffer
space, bandwidth, delay and transmission energy.
Performance modeling of epidemic routing in delay-tolerant networks based on ordinary
differential equations (ODEs) is proposed in [56] to evaluate the delivery delay, buffer
occupancy, number of nodes holding buffered packets, loss probability and power
consumption. Epidemic routing is modeled as an SI model with $\beta = 2 w R\, E[V^*] / A$ [21] for
the random-waypoint and random-direction mobility models, where $w$ is a constant for each
mobility model, $R$ the radio range, $V^*$ the relative speed between two nodes and $A$ the
area over which nodes move. The average delivery delay from a source to a destination is
$\ln N / (\beta (N-1))$. In our case, however, we are more interested in the delay from the source(s)
to all vulnerable and infected nodes (our metrics are explained in Chapter 3).
The concept of an anti-packet is also proposed to stop the overhead of forwarding extra
copies after the destination has received the packet. In their IMMUNE scheme, nodes that
carry the buffered packet drop it after they encounter the destination. The IMMUNE_TX
scheme additionally relies on anti-packets transferred during encounters with the
destination, which are then spread to the other nodes carrying the buffered packet. Their
VACCINE scheme is similar to IMMUNE_TX, but anti-packets are generated by encounters
between the destination and any node in the network.
These can be considered special cases of our model: a single-group conservative one-sided
interaction with fixed predators for IMMUNE, a single-group conservative one-sided
interaction for IMMUNE_TX, and a single-group aggressive one-sided interaction for
VACCINE. Note that their ODEs describe the behavior after the packet reaches its
destination. Extended models for 2-hop forwarding, probabilistic forwarding and limited-time
forwarding are also presented in their study.
The study in [26] focuses on the performance analysis of epidemic routing under contention,
including “finite bandwidth” (which limits the number of packets exchanged between
encountering nodes), the “scheduling of transmissions” between encountering nodes to avoid
interference, and “interference” itself. Their model is based on random-walk mobility, and
the delay of a packet from source to destination is derived from a Markov model.
2.8 Our work and related work
Our study proposes a framework for the interactions of random-scan network worms and
encounter-based worms. Unlike other studies of worm modeling, we focus on worm
interactions and analyze them in depth. For random-scan network worms, to our knowledge,
we provide the first model of bandwidth-limited random-scan worm interactions in which the
contact rate is derived from network conditions. For encounter-based worms, we start by
modeling worm interactions under uniform encounters between nodes and extend the model
towards realistic encounter patterns, including batch arrivals. Our theoretical analysis is
validated through extensive systematic simulations based on realistic (trace-based) mobility
and encounter patterns, and is complemented by an implementation. We also provide
guidelines and initial protocol designs for the VACCINE architecture to support effective
worm countermeasures for both worm types.
3 Chapter 3: Basic Definitions
3.1 Overview
We aim to build a fundamental worm propagation model that captures worm interaction as
a key factor in both the Internet and uniform encounter-based networks. This chapter
presents the definitions required to understand the worm interaction model.
We start by explaining the fundamental elements of worm interaction, including the basic
predator-prey relationship and the worm life cycle. We then discuss and model the contact
rate, showing the derivation of the contact rate for random-scan network worms in detail.
After that, we explain the concept of worm interaction ratios, including the scan rate ratio
and the initial infected node ratio, and define our proposed metrics and their importance for
measuring worm interaction. We conclude the chapter by discussing the worm interaction
factors that are modeled and investigated in Chapters 4 to 7.
3.2 Definitions
3.2.1 Predator-prey relationships
For every worm interaction type, there are two basic characters: predator and prey. The
predator, in our case the beneficial worm, is a worm that terminates and patches against
another worm. The prey, in our case the malicious worm, is a worm that is terminated or
patched by another worm.
A predator can at the same time be prey to some other type of worm. A predator can
vaccinate a susceptible node, i.e., infect it (vaccinated nodes become predator-infected
nodes) and apply a patch afterwards to prevent prey infection. Manual vaccination, in
contrast, is performed by a user or administrator applying patches to susceptible nodes.
A termination is the removal of prey from an infected node by the predator; it turns a
prey-infected node into a predator-infected node that is immune to future infection by the
prey. Removal by a user or administrator is referred to as manual removal. We use two
generic types of interacting worms, A and B, as our basis throughout this dissertation. A and
B can assume the role of predator or prey depending on the type of interaction.
3.2.2 Worm life-cycle
Fig.3.1 illustrates the basic life cycles of predator and prey. Random-scan network worms,
whether predator or prey, search for susceptible nodes using either TCP scanning (e.g., Code
Red and Code Red II) or exhaustive UDP scanning (e.g., Slammer and Witty). Unlike
UDP-scan worms, TCP-scan worms must wait for responses from valid destinations; this
waiting makes their scan rate much lower than that of UDP-scan worms. Encounter-based
worms, on the other hand, do not scan for susceptible nodes: predator and prey simply rely
on encounters between nodes for the opportunity to propagate copies of themselves.
[Figure 3.1] Life cycles of (a) Predator (b) Prey. Flowchart steps: Start; Infected with prey?
(yes: Remove prey from host); Infected with predator? (no: Infect host with predator); Patch
available? (yes: Apply patch to prevent prey re-infection); Scan other hosts; Time out? (no:
repeat; yes: Exit).
Only the predator (Fig.3.1a) needs to check whether prey resides in the same node before it
can terminate the prey (Fig.3.1b) and patch the node to prevent re-infection by the prey (if a
patch is available). Both types self-terminate after a predefined timeout unless terminated
earlier by the opposing worm or by manual removal. For example, Welchia has an embedded
timeout: it disables itself and self-terminates if the computer's system date shows the year
2004 [47]. The reason for self-termination is to reduce unnecessary workload and traffic on
the infected host. For simplicity, our Worm Interaction Model assumes that the patch is
contained within the predator's payload and that the timeout periods of both worms are
indefinite. Our model also assumes that the predator always detects prey that has already
infected the vulnerable host. Both predator and prey are subject to vaccination and manual
removal.
3.2.3 Contact rate
For random-scan network worms, as explained in Section 3.2.2, each worm constantly scans
for vulnerable hosts by issuing new worm replications to randomly chosen addresses. Let
$P_v$ be the probability that a worm replication makes contact with a vulnerable host out of the
total address space $\upsilon$, i.e. $2^{32}$ for IPv4 (this includes the multicast and reserved
addresses). We define a contact as a worm replication reaching a destined vulnerable host.
Let $P_s$ be the fraction of the vulnerable hosts reached by one worm replication:
$$P_v \equiv \frac{N}{\upsilon}, \qquad \text{(Eq.3-1)}$$
$$P_s \equiv \frac{1}{N}, \qquad \text{(Eq.3-2)}$$
where $0 \le P_v \le 1$ and $0 \le P_s \le 1$.
A worm replication can be significantly slowed down by the network delay ($D$), which
includes transmission delay, link delay, processing delay and queuing delay. Let $\rho_A$ and
$\rho_B$ be the network-delay factors that attenuate the contact rates of prey and predator.
Let $\upsilon_A$ and $\upsilon_B$ be the respective scanned address spaces of prey and predator, and let $r_A$
and $r_B$ be their respective scan rates, where a scan rate is the frequency at which a worm
issues replications to chosen destinations. Thus the contact rate of the prey, $\beta_A$, and the
contact rate of the predator, $\beta_B$, are
$$\beta_A \equiv r_A \rho_A P_v P_s = \frac{\rho_A r_A}{\upsilon_A}, \qquad \text{(Eq.3-3-a)}$$
$$\beta_B \equiv r_B \rho_B P_v P_s = \frac{\rho_B r_B}{\upsilon_B}, \qquad \text{(Eq.3-3-b)}$$
where $0 \le \rho_A, \rho_B \le 1$.
Let $D_A$ and $D_B$ be the respective network delays for prey and predator. We derive $\rho_A$
and $\rho_B$ as follows:
$$\rho_A = \frac{1/r_A}{1/r_A + D_A} = (1 + r_A D_A)^{-1}, \qquad \text{(Eq.3-3-c)}$$
$$\rho_B = \frac{1/r_B}{1/r_B + D_B} = (1 + r_B D_B)^{-1}. \qquad \text{(Eq.3-3-d)}$$
The contact rate can be dynamic, depending on network congestion (network delay), adaptive
scan rates, changes of the scanned address range and scanning strategies such as hit lists [38].
Let $e$ be the number of targeted subnetworks. For subnetwork $j$, let $h_{Aj}$ and $h_{Bj}$ be the
probability that network $j$ is scanned by the prey and the predator, $g_A$ and $g_B$ the worm
replication sizes of prey and predator, $q_{Aj}$ and $q_{Bj}$ the average queue lengths of the outgoing
links, $b_{Aj}$ and $b_{Bj}$ the average bandwidths of the outgoing links, $c_{Aj}$ and $c_{Bj}$ the average
packet drop rates, and $u_{Aj}$ and $u_{Bj}$ the average link delays for prey and predator,
respectively. We derive $D_A$ and $D_B$ as follows:
$$D_A = \sum_{j=1}^{e} h_{Aj}\,(1 - c_{Aj})\left(u_{Aj} + \frac{g_A + q_{Aj}}{b_{Aj}}\right), \qquad \text{(Eq.3-3-e)}$$
$$D_B = \sum_{j=1}^{e} h_{Bj}\,(1 - c_{Bj})\left(u_{Bj} + \frac{g_B + q_{Bj}}{b_{Bj}}\right). \qquad \text{(Eq.3-3-f)}$$
Hence, according to their strategies, $D_A$ and $D_B$ can be drastically different between prey and predator. Note that $q_{Aj}$, $q_{Bj}$, $c_{Aj}$ and $c_{Bj}$ are subject to background traffic as well.
For the encounter-based worm, the contact rate is the frequency of encounters for pairs of nodes, where an encounter occurs when the two nodes are within radio range. We assume a uniform contact rate for all pairs of nodes, that their encounter behaviors do not directly impact each other, and that both predator and prey share the same set of susceptible nodes. We assume that in one encounter, the worm is successfully transferred from one node to another. Note that our model assumes $\beta_A = \beta_B$ for encounter-based worms (we relax this assumption later in the trace-based simulations), but this is not necessarily true for random-scan network worms.
3.2.4 Worm interaction ratios
To estimate how much the relative characteristics of predator and prey impact their propagations, we propose the following worm interaction ratios: scan rate ratio and initial infective ratio. We further develop the concepts of similarity and difference to gain insight into relationships between scan rate ratios, and between initial infective ratios. We also systematically derive the minimum scan rate ratio and minimum initial infective ratio for effective termination in Chapter 4.
3.2.4.1 Scan rate ratio
The scan rate ratio is the ratio of the scan rate of one worm type to that of another worm type. Let $X$ be the scan rate ratio of predator to prey,

$$X \equiv \frac{r_B}{r_A} \quad \text{(Eq.3-4)}$$

If we assume that $D_A = D_B = D \approx 0$ and $\upsilon_A = \upsilon_B$, then the contact rate ratio of predator to prey can be derived approximately as

$$\frac{\beta_B}{\beta_A} = \frac{r_B (1 + r_A D)}{r_A (1 + r_B D)} \approx \frac{r_B}{r_A} = X. \quad \text{(Eq.3-5)}$$

$X_i$ is similar to $X_j$ only when $\frac{r_{B_i}}{r_{A_i}} = \frac{r_{B_j}}{r_{A_j}}$; otherwise $X_i$ is said to be different from $X_j$, where $i$ and $j$ represent interacting pairs. For example, $X_1 = 1{:}2$ is similar to $X_2 = 2{:}4$, but the first ratio has $r_A = 1$/sec, $r_B = 2$/sec and the latter has $r_A = 2$/sec, $r_B = 4$/sec. To differentiate between $X_1$ and $X_2$, we use the scan-rate-ratio multiplicative factor $k_i$; from the above example we have $k_1 = 1.0$ for $X_1$ and $k_2 = 2.0$ for $X_2$. We use $X = 1{:}1$ as the absolute reference. Note that the scan rate ratio is only applicable to random-scan network worms but not to encounter-based worms.
3.2.4.2 Initial-infected-node ratio
The initial-infected-node ratio is the ratio of the number of infected nodes of one worm type to that of another worm type at the initial release time of both worms. Let $Y$ be the initial-infected-node ratio of predator to prey,

$$Y \equiv \frac{I_B(0)}{I_A(0)} \quad \text{(Eq.3-6)}$$

where $I_A(0)$ and $I_B(0)$ are the numbers of initial infectives of prey and predator respectively at their release times. This ratio is only valid when there is no difference in the launching times of prey and predator. We can also consider the ratio of infected nodes for any $t$; however, we shall consider the delay of launching the opposing worm, i.e., reaction time, in Chapter 6.
Again $Y_i$ is similar to $Y_j$ only when $\frac{I_{B_i}(0)}{I_{A_i}(0)} = \frac{I_{B_j}(0)}{I_{A_j}(0)}$; otherwise $Y_i$ is said to be different from $Y_j$. For example, $Y_1 = 1{:}1$ is similar to $Y_2 = 2{:}2$, but the first ratio has $I_A(0) = I_B(0) = 1$ and the latter has $I_A(0) = I_B(0) = 2$. To differentiate between $Y_1$ and $Y_2$, we use the initial-infected-node-ratio multiplicative factor $l_i$, with $l_1 = 1.0$ for $Y_1$ and $l_2 = 2.0$ for $Y_2$. We use $Y = 1{:}1$ as the absolute reference. This ratio is applicable to both random-scan network worms and encounter-based worms.
3.2.5 Metrics
To gain insight and better quantify the effectiveness of worm interaction, we propose to use the following metrics:
(1) Total Prey-infected Nodes (TI): the number of nodes ever infected by prey.
(2) Maximum Prey-infected Nodes (MI): the peak of the instantaneous number of prey-infected nodes, where $I_A(0) \le MI \le TI$.
(3) Total Prey Lifespan (TL): the sum of the infected times of the individual nodes ever infected by prey. It can be interpreted as the total damage by prey.
(4) Average Individual Prey Lifespan (AL): the average lifespan of individual prey-infected nodes, where $AL \le TL$.
(5) Time to Secure All Nodes (TA): the time required for the predator to infect all susceptible and prey nodes. Its inverse can be interpreted as the average predator infection rate.
(6) Time to Remove All Preys (TR): the time required for the predator to terminate all preys, where $TR \le TA$. Its inverse can be interpreted as the prey termination rate.
TI and MI are indicators of the level of prey infection, TL and AL are indicators of the duration of prey infection, and TA and TR are indicators of the protection and recovery rate, respectively. Our goal is to find the conditions that minimize these metrics based on the worm interaction factors, whose details are discussed next.
3.2.6 Worm interaction factors
Worm interaction factors are the major factors that can significantly impact worm interactions, including worm interaction types, network characteristics, and node characteristics. Worms can behave differently based on the type of interaction (or their behaviors): aggressive one-sided interaction, conservative one-sided interaction or aggressive two-sided interaction. In addition, for encounter-based networks, our analysis shows that underlying network characteristics, including network size, contact rate, group behaviors and arrival process (e.g., batch arrivals), are key to the understanding and control of worm propagation. Finally, node characteristics (cooperation, immunization, on-off behaviors and delay) can significantly affect the worm interaction patterns. Worm interaction types (worm ecology), network characteristics, and node characteristics are presented in Chapters 4, 5 and 6, respectively.
4. Chapter 4: Worm Ecology
4.1 Overview
When there is a prey, A, and a predator, B, we consider this a one-sided interaction. If both A and B are predators, it is denoted as a two-sided interaction. In the ideal scenario, the predator wants to terminate its prey as much as possible as well as prevent its prey from infection and re-infection. To satisfy that requirement, the predator requires a patch or a false signature of its prey. There are three types of interactions considered: aggressive one-sided, conservative one-sided and two-sided (other types of interactions, including two-sided without patch and friendly interaction, are briefly discussed in Appendix D, and general worm interactions in general worm interaction models are discussed in Chapter 7). They are presented respectively in this chapter; for each worm interaction type, we start by explaining the model, and then compare the model plots with the network-level simulation results for random-scan network worms and with the encounter-level simulation results for encounter-based worms. Simulation details are given in Appendix A.
4.2 Aggressive one-sided interaction
In this interaction type, a beneficial worm, the predator, has the capability to terminate and patch a malicious worm, the prey, as well as vaccinate susceptible nodes. Simplified interactions between Welchia and Blaster and between Code Green and Code Red can be represented by this model.
[Figure 4.1] Aggressive one-sided interactions (state diagram: Susceptible; Infected with worm A, prey; Infected with worm B, predator, immune to prey; transitions labelled $\beta_A S I_A$, $\beta_B I_A I_B$ and $\beta_B S I_B$)
As shown in Fig.4.1, the decrease rate of susceptible nodes is determined by the contact of susceptible nodes with the prey ($\beta_A S I_A$), causing prey infection, or with the predator ($\beta_B S I_B$), causing vaccination. Hence, the susceptible rate is

$$\frac{dS}{dt} = -S(\beta_A I_A + \beta_B I_B). \quad \text{(Eq.4-1)}$$

Since the prey relies on susceptible nodes to expand its population, the increase of the prey infection rate ($\frac{dI_A}{dt}$) is determined by the contacts of susceptible nodes and prey ($\beta_A S I_A$). The decrease of the prey infection rate is determined by prey termination caused by the contacts of prey-infected nodes and predator ($\beta_B I_A I_B$). Hence the prey infection rate is

$$\frac{dI_A}{dt} = I_A(\beta_A S - \beta_B I_B). \quad \text{(Eq.4-2)}$$

Because the predator can terminate its prey as well as vaccinate susceptible nodes, the increase of the predator infection rate ($\frac{dI_B}{dt}$) is determined by the contacts of the predator with either the susceptible nodes ($\beta_B S I_B$) or the prey-infected nodes ($\beta_B I_A I_B$).

$$\frac{dI_B}{dt} = \beta_B I_B (S + I_A). \quad \text{(Eq.4-3)}$$
From (Eq.4-2), the epidemiological threshold for prey is

$$E_A = \frac{\text{prey increase rate}}{\text{prey decrease rate}} = \frac{\beta_A S}{\beta_B I_B}. \quad \text{(Eq.4-4)}$$

If we want the prey to be contained by its predator, i.e., $E_A < 1$ at $t = 0$, assuming $I_A(0) > 0$ and $I_B(0) > 0$, we require the minimum product of the contact rate ratio and the initial infected host ratio to be

$$XY \ge \frac{S(0)}{I_A(0)}. \quad \text{(Eq.4-5)}$$
To see the importance of the initial infected node ratio, we plot numerical solutions from our aggressive one-sided interaction model. For random-scan network worms, we simulate 1,000 nodes with different contact rate ratios in Fig. 4.2a, with similar contact rate ratios in Transit-stub topology in Fig.4.2b, with different initial infected node ratios in Fig. 4.2c and with similar initial infected node ratios in Fig.4.2d. For encounter-based worms, we simulate different initial infected node ratios of 1000 nodes in Fig. 4.2c and similar initial infected node ratios of 500 nodes (for Y=1:1), 1000 nodes (for Y=2:2), 2000 nodes (for Y=4:4) in Fig.4.2d, where the network size (N) scales up with Y.
In Fig.4.2c, we can observe the significant drop of maximum infected nodes (MI) as X increases. As X increases from 1:3 to 5:3, MI drops from more than 90% to less than 5% of the total population. However, as Y increases from 1:3 to 5:3, MI only drops from 35% to 10% of the total population. We can conclude from these results that X is more important than Y for random-scan network worms, because the change of predator scan rate causes a multiplicative change in the prey infection rate while the change of the predator initial infected host ratio only causes an additive change in the prey infection rate. In other words, a change of predator scan rate is repetitively applied to the prey infection rate while a change of initial predator infected hosts is only applied once to the prey infection rate (at the initial release phase). Note that an extremely large X can have an adverse effect on the predator contact rate because of excessive network congestion (with large $D_B$ and hence low $\beta_B$) and possibly a router outage [33].
[Figure 4.2 plots: panels (a) to (d); x-axis Time (Sec), y-axis Prey Infected Host (Fraction); curves for X = 1:3 to 5:3 (a), X = 1:1 to 5:5 (b), Y = 1:3 to 5:3 (c) and Y = 1:1 to 5:5 (d), simulation and model]
[Figure 4.2] Prey infected nodes of aggressive one-sided interaction (random-scan
network worms) with (a) different scan rate ratio (b) similar scan rate ratio ((a) and (b) prey
scan rate = 3/sec, predator scan rate = 1 to 5/sec in Transit-stub topology, initial prey
infected node = 1, initial predator infected node = 1) (c) different initial infected node ratio
and (d) similar initial infected node ratio ((c) and (d) scan rate = 1/sec, initial prey infected
node = 1, initial predator infected node = 1 to 5)
With similar $X$ and similar $Y$, the time to reach the peak of infection is reduced proportionally to $k_i$ and $l_i$, respectively. However, with similar $Y$, MI slightly declines, but with similar $X$, MI does not change.
Similar to random-scan network worms, we can observe that the increase of initial infected nodes reduces the maximum of prey infected nodes from 25% to 10% of the total population, as shown in Fig.4.3a. In Fig 4.3b, we keep the ratio of susceptible nodes to initial predator infected nodes to initial prey infected nodes similar, e.g., $Y_1 = 1{:}1$ with $S_1 = 498$, $Y_2 = 2{:}2$ with $S_2 = 996$ and $Y_3 = 4{:}4$ with $S_3 = 1992$. We can observe that all maximum infected host fractions of prey for different $l_i$ are the same. This means that the number of total vulnerable nodes ($N$) does not affect the relative fraction of infections ($I_A(\max)/N$) as long as $S : I_B : I_A$ are similar and $\beta$ are the same. The time to reach the peak for each $Y$ also reduces proportionally to $N$. Note that if we keep $S$ unchanged with similar $Y$ but increased $l_i$, then the results in Fig.4.3b should be similar to what is shown in Fig.4.2d.
[Figure 4.3 plots: panels (a) and (b); x-axis Time (Sec), y-axis Prey Infected Hosts (Fraction); curves for Y = 2:3 to 6:3 (a) and Y = 1:1, 2:2, 4:4 (b), simulation and model]
[Figure 4.3] Prey infected nodes of aggressive one-sided interaction (encounter-based worms) with (a) different initial-infected-host ratio (b) similar initial infected node ratio (contact rate = 6x10^-5/sec, initial prey infected node = 1, initial predator infected node = 1 to 5)
4.3 Conservative one-sided interaction
In a conservative interaction, a predator has the capability to terminate a prey but does
not vaccinate susceptible nodes to reduce overheads. Hence the predator-infected nodes
change depends solely on population of the prey-infected nodes.
[Figure 4.4] Conservative one-sided interactions (state diagram: Susceptible; Infected with worm A, prey; Infected with worm B, predator, immune to prey; transitions labelled $\beta_A S I_A$ and $\beta_B I_A I_B$)
We show the state transitions of conservative one-sided interactions in Fig.4.4. The susceptible nodes are now only converted to prey infected nodes but not to predator infected nodes (i.e., $\beta_B S I_B = 0$). Hence, the decrease of susceptible nodes in this model is determined solely by the prey infection caused by the contact between susceptible nodes and the prey ($\beta_A S I_A$). Hence

$$\frac{dS}{dt} = -\beta_A S I_A. \quad \text{(Eq.4-6)}$$

Since the prey behavior is the same as in the aggressive one-sided interaction, the prey infection rate ($\frac{dI_A}{dt}$) can be derived similarly.
$$\frac{dI_A}{dt} = I_A(\beta_A S - \beta_B I_B). \quad \text{(Eq.4-7)}$$

As mentioned earlier, the growth rate of predator infected nodes depends only on prey termination ($\beta_B I_A I_B$). Thus, the predator infection rate is

$$\frac{dI_B}{dt} = \beta_B I_A I_B. \quad \text{(Eq.4-8)}$$

From (Eq.4-3) and (Eq.4-8), we can see that the increase of predator infected nodes in this model is much slower than that of the aggressive one-sided interaction because $\beta_B I_A I_B < \beta_B (S + I_A) I_B$.
From (Eq.4-7), the epidemiological threshold for prey is

$$E_A = \frac{\beta_A S I_A}{\beta_B I_A I_B} = \frac{\beta_A S}{\beta_B I_B}. \quad \text{(Eq.4-9)}$$

Similar to the aggressive one-sided interaction, we require the minimum product of the contact rate ratio and the initial-infected-node ratio to be

$$XY > \frac{S(0)}{I_A(0)} \quad \text{(Eq.4-10)}$$
Again, we validate our models through the network-level and encounter-level simulations with the same parameters.
In Fig.4.5a, for random-scan network worms, X and Y reduce MI from 99% to 85% and from 90% to 85%, respectively. Similar to the aggressive one-sided interaction, we can see that X is more important than Y in this worm interaction type. In general, the trends of MI as a function of similar X and Y and different X and Y in conservative one-sided interaction, for both random-scan network worms and encounter-based worms (Fig.4.6), are similar to those of the aggressive one-sided interaction.
However, because of the slower predator infection rate, the prey infected nodes in conservative one-sided interaction require more time to be completely terminated, causing a much higher maximum prey infected node count than that of the aggressive one-sided interaction.
[Figure 4.5 plots: panels (a) to (d); x-axis Time (Sec), y-axis Prey Infected Host (Fraction); curves for X = 1:3 to 5:3 (a), X = 1:1 to 5:5 (b), Y = 1:3 to 5:3 (c) and Y = 1:1 to 5:5 (d), simulation and model]
[Figure 4.5] Prey infected nodes of conservative one-sided interaction (random-scan
network worms) with (a) different scan rate ratio (b) similar scan rate ratio ((a) and (b) prey
scan rate = 3/sec, predator scan rate = 1 to 5/sec in Transit-stub topology, initial prey
infected node = 1, initial predator infected node = 1) (c) different initial infected node ratio
and (d) similar initial infected node ratio ((c) and (d) scan rate = 1/sec, initial prey infected
node = 1, initial predator infected node = 1 to 5)
[Figure 4.6 plots: panels (a) and (b); x-axis Time (Sec), y-axis Prey Infected Hosts (Fraction); curves for Y = 2:3 to 6:3 (a) and Y = 1:1, 2:2, 3:3 (b), simulation and model]
[Figure 4.6] Prey infected nodes of conservative one-sided interaction (encounter-based worms) with (a) different initial-infected-host ratios (b) similar initial infected node ratios (contact rate = 6x10^-5/sec, initial prey infected node = 1, initial predator infected node = 1 to 5)
The effects of increasing initial-infected-node ratios on the conservative one-sided interaction are much weaker than those on the aggressive one-sided interaction. In this worm interaction, if automated worm generation produces the same worm characteristics with Y=1:1 in encounter-based networks, it would at best limit the prey maximum infected nodes to 95% of the population, which is much worse than that of the aggressive one-sided interaction, which is only 17% of the population. A detailed comparison of metrics between worm types is shown later in Section 4.5.
4.4 Two-sided interaction
In this interaction type, we simply call A predator A and B predator B. Predator B is capable of vaccinating susceptible nodes but unable to remove predator A from predator A's infected nodes because it is blocked by predator A. Predator A and predator B block each other (i.e., $\beta_A I_A I_B = \beta_B I_B I_A = 0$). In automated patching systems [50], their worm-like patch distribution falls into this category. Automated patching that assumes that each worm patches its own node to prevent infection from the other worm is closely related to this model.
[Figure 4.7] Two-sided Interaction (state diagram: Susceptible; Infected with worm A, immune to predator; Infected with worm B, immune to prey; transitions labelled $\beta_A S I_A$ and $\beta_B S I_B$)
This two-sided interaction model is extended from the aggressive one-sided interaction model explained in the earlier section.
We show the state transitions of this model in Fig.4.7. Similar to that of the aggressive one-sided interaction, the change of susceptible nodes is caused by the prey infection and the predator infection. Hence the susceptible rate for this model is

$$\frac{dS}{dt} = -S(\beta_A I_A + \beta_B I_B). \quad \text{(Eq.4-11)}$$

Because predator A cannot terminate predator B and vice versa, the predator A infection rate is only determined by the predator A infection caused by the contacts between the susceptible nodes and the predator A infected nodes. The decrease of the predator A infection rate is, however, due to manual removal. Since this is the two-sided interaction, the predator B infection rate can be derived similarly to the infection rate of predator A, without the manual removal.

$$\frac{dI_A}{dt} = \beta_A S I_A \quad \text{(Eq.4-12)}$$

$$\frac{dI_B}{dt} = \beta_B S I_B. \quad \text{(Eq.4-13)}$$

From (Eq.4-12), the epidemiological threshold for predator A is

$$E_A = \frac{\beta_A S I_A}{0} = \infty \quad \text{(Eq.4-14)}$$

Hence we know that $E_A$ will always be greater than 0 at $t = 0$.
Similar to the aggressive and conservative one-sided worm interactions, we validate our models through the network-level and encounter-level simulations.
Unlike the aggressive and conservative one-sided interactions, we can observe that predator A will not be completely terminated but will only be "contained" (i.e., the prey cannot infect more susceptible nodes than a certain fraction of the total vulnerable nodes). For example, for random-scan network worms, from Fig.4.8a, we can see that if we want to contain predator A below 20%, we need $X \ge 4{:}3$ (or similar $X$). Similarly, for encounter-based worms, in Fig.4.10a, if we want to contain predator A below 40% then we need $Y \ge 5{:}3$ (or similar $Y$). Again in Fig.4.8, we can conclude that in two-sided interaction, $X$ is much more important than $Y$ for random-scan network worms.
The relationships of similar contact rate ratios and similar initial-infected-node ratios with varied $k_i$ and $l_i$ are still the same as those of the aggressive and conservative one-sided interactions.
From Fig.4.8 and 4.9, we can also directly estimate MI (and TI) from $Y$ as follows:

$$MI = TI = N\,\frac{I_A(0)}{I_A(0) + I_B(0)} = \frac{N}{1 + Y} \quad \text{(Eq.4-15)}$$

In addition, we can also estimate $I_B(\infty)$ as follows:

$$I_B(\infty) = N - TI = \frac{NY}{1 + Y} \quad \text{(Eq.4-16)}$$

We can further observe that, with initial-infected-node ratios, based on MI (lowest to highest), we can rank aggressive one-sided interaction first, two-sided interaction second and conservative one-sided interaction last.
Note that we do not model conservative two-sided worm interaction because both the predator A and predator B infection rates are simply 0.0 and hence there is no possibility of outbreak for predator A (or predator B).
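As an added worked example (constructed here, not the dissertation's own simulator; every parameter value below is made up), the following Python script computes the contact rate of Eq.3-3-a with the delay factor of Eq.3-3-c, integrates the aggressive (Eq.4-1 to 4-3), conservative (Eq.4-6 to 4-8) and two-sided (Eq.4-11 to 4-13) models with a fixed-step RK4 scheme, evaluates the prey threshold $E_A$ and the containment condition of Eq.4-4/4-5, reports the metrics MI and TI of Section 3.2.5, and checks the two-sided closed form of Eq.4-15.

```python
"""Numerical companion to the worm interaction models of Chapter 4.

Constructed example, not the dissertation's simulator: an RK4 integrator for
the aggressive, conservative and two-sided models, the prey metrics MI and
TI, and the prey threshold E_A. The state vector is (S, I_A, I_B)."""
from typing import Callable, List, Tuple

State = Tuple[float, float, float]
Model = Callable[[State], State]


def contact_rate(scan_rate: float, delay: float, address_space: float) -> float:
    """beta = rho * r / upsilon with rho = 1 / (1 + r * D) (Eq.3-3-a, Eq.3-3-c)."""
    rho = 1.0 / (1.0 + scan_rate * delay)
    return rho * scan_rate / address_space


def aggressive(beta_a: float, beta_b: float) -> Model:
    """Eq.4-1 to 4-3: predator terminates prey and vaccinates susceptibles."""
    def f(s: State) -> State:
        S, IA, IB = s
        return (-S * (beta_a * IA + beta_b * IB),
                IA * (beta_a * S - beta_b * IB),
                beta_b * IB * (S + IA))
    return f


def conservative(beta_a: float, beta_b: float) -> Model:
    """Eq.4-6 to 4-8: predator only terminates prey, never vaccinates."""
    def f(s: State) -> State:
        S, IA, IB = s
        return (-beta_a * S * IA,
                IA * (beta_a * S - beta_b * IB),
                beta_b * IA * IB)
    return f


def two_sided(beta_a: float, beta_b: float) -> Model:
    """Eq.4-11 to 4-13: the worms block each other; only S is contested."""
    def f(s: State) -> State:
        S, IA, IB = s
        return (-S * (beta_a * IA + beta_b * IB),
                beta_a * S * IA,
                beta_b * S * IB)
    return f


def integrate(f: Model, s0: State, dt: float, steps: int) -> List[State]:
    """Fixed-step RK4; the trajectory starts with s0. Compartments are
    clamped at zero so round-off cannot make an exhausted one negative."""
    traj = [s0]
    s = s0
    for _ in range(steps):
        k1 = f(s)
        k2 = f(tuple(x + 0.5 * dt * k for x, k in zip(s, k1)))
        k3 = f(tuple(x + 0.5 * dt * k for x, k in zip(s, k2)))
        k4 = f(tuple(x + dt * k for x, k in zip(s, k3)))
        s = tuple(max(0.0, x + dt / 6.0 * (a + 2 * b + 2 * c + d))
                  for x, a, b, c, d in zip(s, k1, k2, k3, k4))
        traj.append(s)
    return traj


def prey_threshold(beta_a: float, beta_b: float, s0: State) -> float:
    """E_A = beta_A S / (beta_B I_B) at t = 0 (Eq.4-4 and Eq.4-9)."""
    S, _, IB = s0
    return beta_a * S / (beta_b * IB)


def contained_at_start(beta_a: float, beta_b: float, s0: State) -> bool:
    """Eq.4-5: X*Y >= S(0)/I_A(0) with X = beta_B/beta_A and Y = I_B(0)/I_A(0)."""
    S, IA, IB = s0
    return (beta_b / beta_a) * (IB / IA) >= S / IA


def prey_metrics(traj: List[State], dt: float, beta_a: float) -> Tuple[float, float]:
    """MI = peak I_A; TI = I_A(0) plus all S -> I_A flow (trapezoid on beta_A S I_A)."""
    mi = max(s[1] for s in traj)
    inflow = [beta_a * s[0] * s[1] for s in traj]
    ti = traj[0][1] + sum(0.5 * dt * (a + b) for a, b in zip(inflow, inflow[1:]))
    return mi, ti


if __name__ == "__main__":
    # Constructed scenario: N = 1000 nodes, equal contact rates, Y = 3:1.
    beta = contact_rate(scan_rate=1.0, delay=0.0, address_space=1000.0)  # 1e-3
    s0: State = (996.0, 1.0, 3.0)
    print(f"E_A(0) = {prey_threshold(beta, beta, s0):.1f}, "
          f"contained at t=0: {contained_at_start(beta, beta, s0)}")
    for name, model in (("aggressive", aggressive), ("conservative", conservative),
                        ("two-sided", two_sided)):
        traj = integrate(model(beta, beta), s0, dt=0.01, steps=4000)
        mi, ti = prey_metrics(traj, 0.01, beta)
        print(f"{name:12s} MI={mi:7.2f} TI={ti:7.2f} I_A(t=40)={traj[-1][1]:.4f}")
    # For the two-sided run, Eq.4-15 predicts MI = TI = N / (1 + Y) = 250.
```

The two-sided run reproduces Eq.4-15 and Eq.4-16 (I_A and I_B settle at 250 and 750), while the same initial state under the aggressive and conservative models shows the ordering of MI that Section 4.5 discusses.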
[Figure 4.8 plots: panels (a) to (d); x-axis Time (Sec), y-axis Prey Infected Host (Fraction); curves for X = 1:3 to 5:3 (a), X = 1:1 to 5:5 (b), Y = 1:3 to 5:3 (c) and Y = 1:1 to 5:5 (d), simulation and model]
[Figure 4.8] Prey infected nodes of two-sided interaction (random-scan network worms)
with (a) different scan rate ratio (b) similar scan rate ratio ((a) and (b) prey scan rate = 3/sec,
predator scan rate = 1 to 5/sec in Transit-stub topology, initial prey infected node = 1, initial
predator infected node = 1) (c) different initial infected node ratio and (d) similar initial
infected node ratio ((c) and (d) scan rate = 1/sec, initial prey infected node = 1, initial
predator infected node = 1 to 5)
[Figure 4.9 plots: panels (a) and (b); x-axis Time (Sec), y-axis Prey Infected Hosts (Fraction); curves for Y = 2:3 to 6:3 (a) and Y = 1:1, 2:2, 3:3 (b), simulation and model]
[Figure 4.9] Prey infected nodes of two-sided interaction (encounter-based worms) (a) with different initial-infected-host ratios (b) similar initial infected node ratios (contact rate = 6x10^-5/sec, initial prey infected node = 1, initial predator infected node = 1 to 5)
4.5 Metric Analysis
According to the above worm interaction types, TI, MI, TL, AL, TA and TR in aggressive one-sided interaction are expected to be the lowest among those of all interaction types. In conservative one-sided interaction, because only nodes once infected by prey can be infected by predator, in some cases $TA = \infty$. Similarly, for two-sided interaction, the predator cannot terminate the prey, hence $TL = AL = TA = TR = \infty$.
As shown in Fig. 4.10 and 4.11, we can clearly see that the predator in aggressive one-sided interactions is much more effective than the predator in the other two worm interaction types for all metrics. Note that we have not shown TA for conservative one-sided and two-sided worm interaction because $TA = \infty$, and also have not shown TR, TL and AL for two-sided worm interaction because $TL = AL = TR = \infty$. Although TL and AL in the conservative one-sided interaction are at least one order of magnitude higher than those of the aggressive one-sided interaction, TR in the conservative one-sided interaction is only two times higher than that of the aggressive one-sided interaction (with the same Y). This small difference occurs simply because, even with the aggressive one-sided interaction, the predator infection rate slows down at the later stage of the termination/vaccination period.
[Figure 4.10 plots: panels (a) to (f) against X (0.33 to 1.73): (a) TI and (b) MI as Prey Infected Host (Fraction), (c) TL, (d) AL, (e) TA and (f) TR as Time (Sec); curves for 1Side Agg, 1Side Cons and 2Side Agg, simulation and model (TA for 1Side Agg only)]
[Figure 4.10] Relationships of worm characteristics with X (random-scan network worm)
[Figure 4.11 plots: panels (a) to (e) against Y (1 to 10): (a) TI and (b) MI as Node Fraction, (c) TL (log scale), (d) AL and (e) TR as Time (Sec); curves for 1Side Agg, 1Side Cons and 2Side Agg, simulation and model]
[Figure 4.11] Relationships of worm characteristics with Y (encounter-based worms)
We can see that TI is less sensitive to the increase of $X$ and $Y$ than MI is. In addition, TI and MI in two-sided interaction are less sensitive to the increase of $X$ and $Y$ than in aggressive one-sided interaction and conservative one-sided interaction. TL, AL and TR are also more sensitive to the increase of $X$ and $Y$ in aggressive one-sided interaction than in conservative one-sided interaction.
Next we focus on the effects of large $Y$ on our metrics, only with the aggressive one-sided interaction in encounter-based networks. In Fig.4.12a, TI and MI decrease exponentially as $Y$ increases. We also find that if $S(0) : I_B(0) : I_A(0)$ is constant then $MI : N$ and $TI : N$ are also constant even when $N$ changes. From Fig. 4.12b, TL decreases exponentially as $Y$ increases. AL, on the other hand, is almost constant for all $Y$. It is interesting to see that TL and AL merge at their minimum when $Y = Y_{\max}$ ($Y_{\max} = 1{,}000$).
As we can see, $TL_{\min}$ and $AL_{\min}$ do not reach zero at $Y_{\max}$ because the next encounter time of a prey-infected node with any of the initial predator-infected nodes ($I_B(0)$) requires $\frac{1}{I_B(0)\,\beta}$, where $\beta = \beta_A = \beta_B$. Furthermore, $TL_{\min} = TI_{\min} \cdot AL_{\min}$ (see Chapter 7), thus $TL_{\min}$ and $AL_{\min}$ merge because $TI_{\min} = I_A(0) = 1$.
From the observation in Fig.4.12c, TR reduces much faster than TA with the increase of $Y$. TR decreases exponentially as $Y$ increases. TA starts to be reduced rapidly when $Y \approx Y_{\max}$. At $Y_{\max}$, we can see that $TA_{\min} = TR_{\min} = AL_{\min}$. Note that TA is also similar to the average time for every node to receive a copy of a message from a random source in an encounter-based network, which can be derived as $2(\ln N + 0.5772)/(N\beta)$ [13].
[Figure 4.12 plots: panels (a) to (c) against Y on a log scale (1 to 1000): (a) TI and MI as N (Fraction), (b) TL and AL as Time (Sec), (c) TA and TR as Time (Sec); simulation and model]
[Figure 4.12] Relationships of aggressive one-sided interaction with Y
5. Chapter 5: Network Characteristics
5.1 Overview
In this chapter, we discuss the impact of network characteristics on worm interactions for both random-scan network worms and encounter-based worms. Network topologies for random-scan network worms are almost static when compared with the networks of encounter-based worms, which have mobile nodes. Hence, encounter-based worms cannot be more aggressive than the actual encounter pattern allows. On the other hand, random-scan network worms can scan as slowly or as fast as they want if the bandwidth or link delay of the network allows. The durations of encounters (link durations) also impact the success of worm transfer. We start by investigating network characteristics for random-scan network worms, then finish with the effects of network characteristics on encounter-based worms.
5.2 Random-scan network worms
For the Internet, the fastest-spreading worm to date is still the bandwidth-limited random-scan network worm Slammer (or Sapphire) [47]. The worm exploited its small code size and always-on connections to spread at astonishing speed. We use its bandwidth-limited propagation as the characteristic of the prey and predator worms. We want to see how the worm replication (code) size of the predator, the bandwidth between routers, and the network scanning strategy including hit lists influence the effectiveness of the predator. The impact of scan rate (as scan rate ratio), which is a part of the network characteristics for random-scan network worms, was investigated in the previous chapter (Chapter 4).
5.2.1 Worm replication size and bandwidth between routers
Worm replication size is a transmission overhead reflecting the efficiency of the coding and compression techniques that an automatic generator or programmer uses. Some examples of worm replication sizes and compression mechanisms can be found in [37, 45]. We assume that the predator's reaction time is zero for this experiment (see Appendix A for the simulation setup), and then relax this assumption later in Chapter 6.
[Figure 5.1 plots: panels (a) to (d) against Packet Size (Byte), 404 to 1212: (a) TI and MI as Prey Infected Host (Fraction), (b) TL and AL as Time (Sec, log scale), (c) TA and TR as Time (Sec), (d) Network Delay Factor ρ1 and ρ2 for 512K, 1M and 2M links; simulation and model]
[Figure 5.1] Effect of worm replication size on (a) prey total infected nodes and prey
maximum infected nodes and (b) prey total lifespan and prey individual life span (c) time to
infect all and time to remove all (d) estimated network delay factor (from simulations)
The increase of worm replication size in Fig.5.1b and 5.1c causes a linear increase of TL and AL, and an almost linear increase of TA and TR; the effect is clearly seen in the degradation of the network delay factor (Fig.5.1d) in the highly congested access-link networks of 512 Kbps links when compared with 1 Mbps and 2 Mbps links. In Fig.5.1d, the effect of bandwidth-limited propagation is removed in the case of 2 Mbps links, but the network delay factor is still not 1.0 because the link delay (propagation delay) is unchanged, and hence the upper bound of the network delay factor for this topology is 0.8.
To our surprise, the increase of replication size has almost no impact on TI (Fig.5.1a), even in the highly congested access-link networks. This suggests that the delay caused by a packet of any size slows down the prey replication and the predator replication almost equally.
5.2.2 Local Preference (Scanning strategy)
By focusing its scanning on hosts in the same subnet addresses as the infected nodes, a worm can avoid scanning invalid addresses and reduce the packet drops caused by the bottleneck of the outbound (upstream) access from the local network to the Internet. Since the majority of IPv4 addresses are not fully utilized, appropriate local preference must be an important factor. Many network worms already try to minimize the probability of scanning invalid addresses by using the techniques in [10, 38, 47]. In particular, local preference has a significant impact on $P_v$ and hence on $\beta_A$ and $\beta_B$. If a worm uses $i$ different strategies to scan vulnerable hosts (assuming independence between scan trials), we can derive $P_v$, the probability of a worm replication having a contact with a vulnerable host, based on local preference as follows.
$P_v = \sum_i f_i p_i$ (Eq.5-1)
where $f_i$ is the fraction of strategy $i$ being used ($\sum_i f_i = 1.0$) and $p_i$ is the probability of a worm replication having a contact with a vulnerable host address in the chosen address space $\upsilon_i$ of strategy $i$, which has $n_i$ vulnerable hosts in that address range. For example, $\upsilon_i$ of a worm preferring vulnerable hosts in the same /16 address block has address size $2^{16}$ instead of $2^{32}$; furthermore, if there are only $2^{14}$ vulnerable hosts in that address range, then $p_i = 0.25$.
In our simulation, each worm uses 2 strategies, and the valid addresses occupy only 10% of its scanned address range (with 1% being routers, which are immune to both worms); earlier we assumed that all the scanned addresses are valid. The two strategies are assigned as follows:
(1) random-scan ($p_1 = 0.099$ with fraction $f_1$)
(2) preferred-local-scan ($p_2 = 0.99$ with fraction $f_2$).
We assume that all reaction times are zero and that the worm replication size of both worms is 404 bytes.
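Added example (not from the dissertation): Eq.5-1 worked in Python for the /16 case above and for the two-strategy mix used in the simulation, plus a sweep of the predator's local preference $f_2$ from 0 to 1 as Fig.5.2 does. The function names are my own, and the sweep assumes the remaining fraction $1 - f_2$ goes to random scanning.

```python
# Added example: contact probability P_v of Eq.5-1 for a worm that mixes
# scanning strategies, with each p_i derived from the size of the strategy's
# address space and the number of vulnerable hosts inside it.


def strategy_hit_probability(prefix_len, vulnerable_hosts):
    """p_i for a strategy that scans one /prefix_len block uniformly: the
    fraction of its 2^(32 - prefix_len) addresses that are vulnerable."""
    space = 2 ** (32 - prefix_len)
    if not 0 <= vulnerable_hosts <= space:
        raise ValueError("vulnerable hosts must fit inside the address space")
    return vulnerable_hosts / space


def contact_probability(strategies):
    """P_v = sum_i f_i * p_i (Eq.5-1).  strategies is a list of (f_i, p_i)
    pairs; the fractions f_i must sum to 1.0 as the text requires."""
    total = sum(f for f, _ in strategies)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"strategy fractions sum to {total}, not 1.0")
    return sum(f * p for f, p in strategies)


def predator_contact_sweep(p_random, p_local, steps=10):
    """P_v as the local preference f_2 goes from 0 to 1 (the x-axis of
    Fig.5.2) while f_1 = 1 - f_2 is spent on random scanning.  This is the
    contact side only; the trapping effect above 80% that the text reports
    comes from the shrinking scanned address space, which Eq.5-1 ignores."""
    out = []
    for i in range(steps + 1):
        f2 = i / steps
        out.append((f2, contact_probability([(1.0 - f2, p_random), (f2, p_local)])))
    return out


# Simulation setting from the text: p_1 = 0.099 (random-scan), p_2 = 0.99
# (preferred-local-scan); an even 50/50 mix of the two strategies.
EVEN_MIX = [(0.5, 0.099), (0.5, 0.99)]
```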
In Fig.5.2, we vary $f_1$ and $f_2$ of both worms to see how this factor affects the interaction between the two worms. Given prey local preference $f_2 = 0$ (a purely random scanning strategy), the predator can terminate the prey effectively according to AL if the predator's local preference $f_2$ is between 0.6 and 0.8. TL and AL are exponentially reduced with the increase of $f_2$.
TI and MI can be limited to as low as 0.7% and 0.4% of N, respectively, with predator local preference $f_2 = 0.8$. However, if the prey local preference $f_2$ is 0.5, the predator can at best contain the prey at TI = 86% and MI = 53% of N. When the predator local preference $f_2 > 80\%$, the performance of the predator starts to degrade for all metrics. This happens because the predator's scanning is trapped in local networks, which jeopardizes its chance of scanning other legitimate hosts outside. Hence the predator should always utilize local preference appropriately, since the majority of worms in the Internet exploit local preference scanning as well.
We expect that the estimation errors occur because we have not incorporated the reduction of the scanned address space caused by the predator's excessive local scanning strategy. The most obvious errors are in the TA and TR estimations; TA in the simulation seems to have its minimum at $f_2$ = 10%-30%.
The predator can also further enhance the contact rate by using domain knowledge such as the currently used address space [10, 36] and the topology of networks [19]. In our experiment, if the predator has perfect knowledge of the domain (100% hit list), it can reduce TI and MI to lower than 0.4% of N for all scanning strategies.
To increase the accuracy of our model, we assume that the scanned network range has n local networks, where a local network represents a group. We can then model interacting worms as being in one of the following groups: prey for group 1, predator for group 1, prey for group 2, predator for group 2, …, prey for group n, and predator for group n.
Each worm either scans its local group, its non-local valid groups, or its non-local invalid group. Hence, there will be intra contact rates (within a group) and inter contact rates (with other non-local valid groups). Such contact rates are derived based on the non-local preference, the fraction of individual network address ranges, and the fraction of legitimate nodes in the network. An analogy can be drawn with the group behavior in encounter-based networks, which we discuss in Section 5.3.3.
[Figure 5.2: six panels plotted against predator local preference (%), 0 to 100, each with sim and model curves for prey local preference f2 = 0 and f2 = 50: (a) TI and (b) MI as prey infected host fraction; (c) TL, (d) AL, (e) TA and (f) TR in seconds]
[Figure 5.2] Effect of local preference on (a) prey total infected nodes, (b) prey maximum infected nodes, (c) prey total life span, (d) prey individual life span, (e) time to secure all and (f) time to remove all
5.3 Encounter-based worms
The main difference between encounter-based networks and always-connected networks like the Internet is their dynamic topologies. The contact rate of encounter-based worms cannot be increased aggressively the way the scan rate of random-scan network worms can. In addition, different nodes may have different mobility patterns and location preferences, causing non-uniform contact rates in the network. Their encounter patterns, based on contact rates, are grouped and modeled according to group behaviors. In this section, we investigate the effects of (i) network size, (ii) contact rate, and (iii) group behaviors on encounter-based worm interactions. Other related characteristics, including the clustering coefficient and average hop count, are investigated in Chapter 8 for realistic mobility analysis.
5.3.1 Contact rate
Contact rate (β) is one of the most important factors in deciding the characteristics of worm interaction. We investigate the relationships between β and our proposed metrics in this section. Because the contact rate is the frequency at which a pair of nodes encounter each other, increasing the contact rate causes every node to encounter the others more frequently, i.e., the time between consecutive encounters is reduced. Hence, we expect that the time-related metrics, including TL, AL, TA and TR, will be reduced. However, because prey and predator have the same contact rate, TI and MI should not differ even when the contact rate is changed. In other words, if the prey infects other susceptible nodes faster, the predator also terminates and patches them faster.
As shown in Fig. 5.3a and b, as expected, TI and MI for each Y are relatively constant even with the increase of β (because of the equal change of $\frac{dI_A}{dt}$ and $\frac{dI_B}{dt}$). Let δ be the encounter rate, which is the rate at which a node encounters another node in the network (similar to the scan rate of random-scan network worms); hence $\delta = \beta(N-1)$. As δ increases (fixed number of pairs N-1, but β increases), AL, TA and TR (in Fig.5.3d-f) exponentially decrease. TL is likewise reduced exponentially as β increases, simply because TI is constant for all β. In addition, the lower the Y, the higher the impact caused by β will be. The effects of the contact rates of multiple groups are examined in Section 5.3.3.
[Figure 5.3: six panels plotted against β (x10^-5), 10 to 50, each with sim and model curves for Y = 1:1, 3:1 and 5:1: (a) TI and (b) MI as node fraction; (c) TL, (d) AL, (e) TA and (f) TR in seconds]
[Figure 5.3] Relationships of β with metrics
5.3.2 Network size
With the same number of initial predator and initial prey-infected nodes, changing the network size (N) with fixed β implies an increase of δ, causing a decrease of the time between consecutive encounters of any node with any other node. Similarly to what we expect from the contact rate, varying the network size can have a significant impact on TL, AL, TA and TR. In Fig.5.4a and b, we find that TI and MI (as fractions of N) for the same Y but different N saturate at the same fraction of N, because the ratio of the fraction of N that the prey infects to the fraction of N that the predator terminates/vaccinates is relatively the same for all N. Surprisingly, in Fig. 5.4c, TL saturates at a certain absolute level that is independent of N and depends only on Y. This occurs because δ increases linearly with N (since β is fixed but N increases), causing a linear reduction of the time between encounters and hence an AL that decreases in proportion to N (as shown in Fig. 5.4d), while TI increases in proportion to N (as shown in Fig. 5.4a). The product of these two numbers yields a constant TL. In Fig. 5.4e and f, the impact of N on TA and TR is quite similar to that on AL. It is interesting to see that for Y = 1 (1:1), TA = TR for all N, which implies that the time to remove all prey is simply the time the predator needs to infect all nodes and remove the prey from them (when Y = 1). In sum, we can see that N linearly increases TI and MI and exponentially reduces AL, TA and TR. The effects of $N_n$ (group size) are further investigated in Section 5.3.3. Note that the unsmooth curves in Fig.5.4 are caused by the non-uniform random number generator, which is an artifact of the simulation.
[Figure 5.4: six panels plotted against N, 100 to 900, each with sim and model curves for Y = 1:1, 3:1 and 5:1: (a) TI and (b) MI as node fraction; (c) TL, (d) AL, (e) TA and (f) TR in seconds]
[Figure 5.4] Relationships of N with metrics
5.3.3 Group behavior
Multi-group encounters, in which groups are classified by their encounter patterns and contact rates, are expected to exist in encounter-based networks. For two-group modeling, we need 3 different contact rates: two intra-contact rates for encounters within each group, and one inter-contact rate for encounters between groups. For n groups, we need n intra-contact rates and $\binom{n}{2}$ inter-contact rates. The effects of group sizes, contact rates of the individual groups, and contact rates between groups are investigated.
The state diagram of one-worm-type multi-group worm propagation without interaction is shown below in Fig.5.5. We assume that each group has a specific number of nodes whose contact rates do not change during their encounter period. Each node of each group can encounter any member of any group, including its own group. Let $\beta_{nm}$ be the contact rate between members of group n and group m ($\beta_{nn}$ is the contact rate within group n), $S_n$ be the number of susceptible hosts of group n, and $I_m$ be the number of infected hosts in group m ($1 \le m \le n$).
[Figure 5.5 state diagram: for each group i, a transition from "Group i Susceptible" to "Group i Infected by worm" labelled $\beta_{i1} S_i I_1 + \beta_{i2} S_i I_2 + \beta_{i3} S_i I_3 + \ldots + \beta_{in} S_i I_n$]
[Figure 5.5] One-worm-type Multi-group Propagation
Once a node transits to the infected host state, its original contact rate associated with the group is unchanged. Since there is no interaction with only one type of worm, and the contact rates are unchanged, given n groups in the network the susceptible rate for group n is
$\frac{dS_n}{dt} = -\beta_{n1} S_n I_1 - \beta_{n2} S_n I_2 - \beta_{n3} S_n I_3 - \ldots - \beta_{nn} S_n I_n$ (Eq.5-2)
Because the decrease of susceptible nodes is caused only by the increase of infection (and vice versa), the infection rate for group n is derived as the negative of the susceptible rate for group n above. Hence, the infection rate is
$\frac{dI_n}{dt} = -\frac{dS_n}{dt}$ (Eq.5-3)
For two groups with one-sided interaction and no change in group membership (Fig.5.6), we can derive the model by extending from one type to two types of worms and adding transitions from susceptible to both prey and predator. The susceptible rates and the prey and predator infection rates for both groups are
[Figure 5.6 state diagram, for each group i = 1, 2: "Group i Susceptible" to "Group i Infected by worm A, prey" at rate $\beta_{i1} S_i I_{A1} + \beta_{i2} S_i I_{A2}$; "Group i Susceptible" to "Group i Infected by worm B, predator" at rate $\beta_{i1} S_i I_{B1} + \beta_{i2} S_i I_{B2}$; "Group i Infected by worm A, prey" to "Group i Infected by worm B, predator" at rate $\beta_{i1} I_{Ai} I_{B1} + \beta_{i2} I_{Ai} I_{B2}$; predator-infected nodes are immune to prey]
[Figure 5.6] Two-group, aggressive one-sided Interaction
$\frac{dS_1}{dt} = -\beta_{11} S_1 (I_{A1} + I_{B1}) - \beta_{12} S_1 (I_{A2} + I_{B2})$ (Eq.5-4)
$\frac{dS_2}{dt} = -\beta_{21} S_2 (I_{A1} + I_{B1}) - \beta_{22} S_2 (I_{A2} + I_{B2})$ (Eq.5-5)
$\frac{dI_{A1}}{dt} = \beta_{11} I_{A1} (S_1 - I_{B1}) + \beta_{12} (S_1 I_{A2} - I_{A1} I_{B2})$ (Eq.5-6)
$\frac{dI_{A2}}{dt} = \beta_{21} (S_2 I_{A1} - I_{A2} I_{B1}) + \beta_{22} I_{A2} (S_2 - I_{B2})$ (Eq.5-7)
$\frac{dI_{B1}}{dt} = (\beta_{11} I_{B1} + \beta_{12} I_{B2})(S_1 + I_{A1})$ (Eq.5-8)
$\frac{dI_{B2}}{dt} = (\beta_{21} I_{B1} + \beta_{22} I_{B2})(S_2 + I_{A2})$ (Eq.5-9)
where $\beta_{11}$ and $\beta_{22}$ are the contact rates of group 1 and group 2, respectively (for both prey and predator); $\beta_{12}$ and $\beta_{21}$ are the inter-contact rates between group 1 and group 2 and between group 2 and group 1, respectively; $I_{A1}$ and $I_{A2}$ are the numbers of prey infected hosts in group 1 and group 2, respectively; and $I_{B1}$ and $I_{B2}$ are the numbers of predator infected hosts in group 1 and group 2, respectively.
Hence, the epidemiological threshold ($E_{A1}$) for group 1, which is the ratio of the prey increase rate in group 1 to the prey decrease rate in group 1, and the epidemiological threshold for group 2 ($E_{A2}$), which is the ratio of the prey increase rate in group 2 to the prey decrease rate in group 2, are given by
$E_{A1} = \frac{S_1 (\beta_{11} I_{A1} + \beta_{12} I_{A2})}{I_{A1} (\beta_{11} I_{B1} + \beta_{12} I_{B2})}$, (Eq.5-10)
$E_{A2} = \frac{S_2 (\beta_{21} I_{A1} + \beta_{22} I_{A2})}{I_{A2} (\beta_{21} I_{B1} + \beta_{22} I_{B2})}$. (Eq.5-11)
Let us assume $\beta_{11} > \beta_{22}$ and $\beta_{12} = \beta_{21}$; we call $\beta_{11}$ (the intra-contact rate of group 1) the "fast contact rate" and $\beta_{22}$ (the intra-contact rate of group 2) the "slow contact rate". If the initial predator infected node belongs to group 1, we call this predator infected node a fast predator; otherwise, we call it a slow predator. If the initial prey infected node belongs to group 1, we call this prey infected node a fast prey; otherwise, we call it a slow prey.
In Fig. 5.7, we show four different cases: "slow prey, slow predator", "slow prey, fast predator", "fast prey, slow predator" and "fast prey, fast predator". The initial prey infected hosts and initial predator infected hosts are both 1. We validate our models through encounter-level simulations. We simulate and model 1,000 mobile nodes (500 nodes in group 1 and 500 nodes in group 2) with $\beta_{11} = 3 \times 10^{-5}$ sec$^{-1}$ for group 1, $\beta_{22} = 6 \times 10^{-5}$ sec$^{-1}$ for group 2 and $\beta_{12} = \beta_{21} = 1 \times 10^{-5}$ sec$^{-1}$. Each simulation runs 1,000 rounds, and we plot the mean values for each time instance.
[Figure 5.7: prey infected hosts (fraction), 0 to 0.35, plotted against time (sec), 0 to 600, with sim and model curves for the four cases: fast prey, slow predator; slow prey, slow predator; fast prey, fast predator; slow prey, fast predator]
[Figure 5.7] Two groups of population: slow (contact rate = 3x10^-5/sec) and fast encountered groups (contact rate = 6x10^-5/sec, and contact rate between groups = 1x10^-5/sec)
With the same set of contact rates, i.e., fast contact rate, slow contact rate and inter-contact rate, the prey maximum infected hosts differ across cases in the same network. As expected, in the "slow prey, fast predator" case, the maximum of prey infected hosts is the lowest among all the cases. On the other hand, in the "fast prey, slow predator" case, the maximum of prey infected nodes is the highest among all the cases. The difference between the highest and the lowest maximum of prey infected hosts can be as high as 5 times. When the initial prey infected host is a fast prey, it infects more susceptible nodes in group 2, which has the faster contact rate, causing other nodes in the same group to become prey infected nodes at a much faster rate and thus making the prey more difficult to remove entirely. The opposite characteristics of prey infected nodes are expected and observed if the initial prey infected node is a slow prey.
To understand and better predict worm behavior in multi-group worm interaction, additional concepts of similarity and difference of groups are required. A similar approach, which effectively describes worm behavior based on similar and different scan rate ratios and initial infected node ratios, is discussed in Chapter 4. Hence, we propose the similarity/difference concepts for group contact rates as follows.
Let $X_G$ be the vector of group contact rates, including intra contact rates and inter contact rates. For n groups,
$X_G = \begin{pmatrix} \beta_{11} & \beta_{12} & \ldots & \beta_{1n} \\ \beta_{21} & \beta_{22} & \ldots & \beta_{2n} \\ \ldots & \ldots & \ldots & \ldots \\ \beta_{n1} & \beta_{n2} & \ldots & \beta_{nn} \end{pmatrix}$.
$X_G^i$ is similar to $X_G^j$ iff $X_G^j = k X_G^i$ where $k \in \{1, 2, 3, \ldots\}$, $N_{G,1}^i = N_{G,1}^j, N_{G,2}^i = N_{G,2}^j, \ldots, N_{G,n}^i = N_{G,n}^j$ (equal group sizes), and they are based on the same scenario, either "fast prey slow predator", "slow prey fast predator", "fast prey fast predator" or "slow prey slow predator". Otherwise, they are said to be different.
From Fig. 5.8a and b, we can see that with similar group contact rates, TI and MI are constant for all k. However, in Fig. 5.8c-f, TL, AL, TA and TR are exponentially reduced with k, as expected. The explanations are similar to those for similar and different scan rate ratios of random-scan network worms, i.e., the relative magnitude of prey termination and prey infection remains constant for similar group encounter rates, and hence the fractions of total prey infection and maximum prey infection remain the same, but the times between termination/infection are proportionally reduced as k increases. Again, we can see that TI and MI for "slow prey fast predator" are much lower than for "fast prey slow predator", but, surprisingly, TL, AL, TA and TR are almost equivalent between the two cases. This happens because termination in the early phase of "slow prey fast predator" is much faster than that of "fast prey slow predator", hence the predator can limit the level of prey infection more effectively in "slow prey fast predator"; but in the later phase, the termination rates and durations of the two cases are not much different, hence on average TL, AL, TA and TR between the two cases are almost the same.
[Figure 5.8: six panels plotted against k, 1 to 4, each with sim and model curves for FS and SF (the fast-prey-slow-predator and slow-prey-fast-predator cases): (a) TI and (b) MI as prey infected host fraction; (c) TL, (d) AL, (e) TA and (f) TR in seconds]
[Figure 5.8] Two groups of population: slow (contact rate = 6, 12, 18, 24x10^-5/sec) and fast encountered groups (contact rate = 9, 18, 27, 36x10^-5/sec, and contact rate between groups = 3, 6, 9, 12x10^-5/sec)
Earlier we assumed that nodes do not change group membership. Now we relax that assumption and show the state diagram for two-group, aggressive one-sided interaction with group transition below in Fig. 5.9, where $\lambda_{12}$ and $\lambda_{21}$ represent the transition rates from $S_1$ to $S_2$ and from $S_2$ to $S_1$, respectively; $\mu_{12}$ and $\mu_{21}$ represent the transition rates from $A_1$ to $A_2$ and from $A_2$ to $A_1$, respectively; and $\omega_{12}$ and $\omega_{21}$ represent the transition rates from $B_1$ to $B_2$ and from $B_2$ to $B_1$, respectively.
This group transition can be easily integrated into the earlier two-group aggressive one-sided interaction as follows (Fig.5.9):
Susceptible nodes in group 1 are now able to change their membership to group 2 at the rate $\lambda_{12}$; similarly, susceptible nodes in group 2 can move to group 1 at the rate $\lambda_{21}$, where the increase and decrease rates of the members of group 1 and group 2 are directly proportional to $\lambda_{12} S_1$ and $\lambda_{21} S_2$, respectively. From (Eq.5-4) and (Eq.5-5), the susceptible rates with group transitions are
$\frac{dS_1}{dt} = -\beta_{11} S_1 (I_{A1} + I_{B1}) - \beta_{12} S_1 (I_{A2} + I_{B2}) + (\lambda_{21} S_2 - \lambda_{12} S_1)$ (Eq.5-12)
$\frac{dS_2}{dt} = -\beta_{21} S_2 (I_{A1} + I_{B1}) - \beta_{22} S_2 (I_{A2} + I_{B2}) - (\lambda_{21} S_2 - \lambda_{12} S_1)$ (Eq.5-13)
Similarly, prey infected nodes in group 1 can change their group membership to group 2 at the rate $\mu_{12}$, and prey infected nodes in group 2 can change their group membership to group 1 at the rate $\mu_{21}$. The members of group 1 and 2 increase and decrease linearly with $\mu_{12} I_{A1}$ and $\mu_{21} I_{A2}$, respectively. From (Eq.5-6) and (Eq.5-7), the prey infection rates with group transition are
$\frac{dI_{A1}}{dt} = \beta_{11} I_{A1} (S_1 - I_{B1}) + \beta_{12} (S_1 I_{A2} - I_{A1} I_{B2}) + (\mu_{21} I_{A2} - \mu_{12} I_{A1})$ (Eq.5-14)
$\frac{dI_{A2}}{dt} = \beta_{21} (S_2 I_{A1} - I_{A2} I_{B1}) + \beta_{22} I_{A2} (S_2 - I_{B2}) - (\mu_{21} I_{A2} - \mu_{12} I_{A1})$ (Eq.5-15)
Predator infected nodes in group 1 can change their group membership to group 2 at the rate $\omega_{12}$, and predator infected nodes in group 2 can also change their group membership to group 1 at the rate $\omega_{21}$. Again, the memberships of group 1 and 2 increase and decrease linearly with $\omega_{12} I_{B1}$ and $\omega_{21} I_{B2}$, respectively. From (Eq.5-8) and (Eq.5-9), the predator infection rates with group transition are
$\frac{dI_{B1}}{dt} = (\beta_{11} I_{B1} + \beta_{12} I_{B2})(S_1 + I_{A1}) + (\omega_{21} I_{B2} - \omega_{12} I_{B1})$ (Eq.5-16)
$\frac{dI_{B2}}{dt} = (\beta_{21} I_{B1} + \beta_{22} I_{B2})(S_2 + I_{A2}) - (\omega_{21} I_{B2} - \omega_{12} I_{B1})$ (Eq.5-17)
Similar to (Eq.5-10) and (Eq.5-11), the epidemiological thresholds for group 1 and 2 are
$E_{A1} = \frac{S_1 (\beta_{11} I_{A1} + \beta_{12} I_{A2}) + \mu_{21} I_{A2}}{I_{A1} (\beta_{11} I_{B1} + \beta_{12} I_{B2}) + \mu_{12} I_{A1}}$ (Eq.5-18)
$E_{A2} = \frac{S_2 (\beta_{21} I_{A1} + \beta_{22} I_{A2}) + \mu_{12} I_{A1}}{I_{A2} (\beta_{21} I_{B1} + \beta_{22} I_{B2}) + \mu_{21} I_{A2}}$ (Eq.5-19)
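Added example (not the dissertation's own simulator): a Python integration of the two-group model with group transition, Eq.5-12 to Eq.5-19, which with every transition rate set to zero is exactly the fixed-membership model of Eq.5-4 to Eq.5-11. It re-runs the four Fig.5.7 scenarios (500 + 500 nodes, $\beta_{11} = 3 \times 10^{-5}$, $\beta_{22} = 6 \times 10^{-5}$, $\beta_{12} = \beta_{21} = 1 \times 10^{-5}$ sec$^{-1}$, group 1 being the slow group as in those values) with the deterministic equations instead of encounter-level simulation. The function and parameter names, the Runge-Kutta step, and the "fewer than one prey host remains" cut-off used for TR are my choices, not the text's.

```python
"""Added example (not the dissertation's code): the two-group, aggressive
one-sided interaction model with group transition, Eq.5-12 to Eq.5-19.  With
all transition rates at zero it is the fixed-membership model of Eq.5-4 to
Eq.5-11 used for the Fig.5.7 scenarios, which are re-run here."""
from dataclasses import dataclass


@dataclass
class TwoGroupParams:
    beta11: float        # intra-contact rate of group 1 (sec^-1)
    beta22: float        # intra-contact rate of group 2
    beta12: float        # inter-contact rate, group 1 with group 2
    beta21: float        # inter-contact rate, group 2 with group 1
    lam12: float = 0.0   # lambda_12: S1 -> S2 transition rate
    lam21: float = 0.0   # lambda_21: S2 -> S1
    mu12: float = 0.0    # mu_12: A1 -> A2
    mu21: float = 0.0    # mu_21: A2 -> A1
    om12: float = 0.0    # omega_12: B1 -> B2
    om21: float = 0.0    # omega_21: B2 -> B1


def derivatives(y, p):
    """Right-hand sides of Eq.5-12 to Eq.5-17; y = (S1, S2, IA1, IA2, IB1, IB2)."""
    S1, S2, IA1, IA2, IB1, IB2 = y
    dS1 = (-p.beta11 * S1 * (IA1 + IB1) - p.beta12 * S1 * (IA2 + IB2)
           + (p.lam21 * S2 - p.lam12 * S1))                              # Eq.5-12
    dS2 = (-p.beta21 * S2 * (IA1 + IB1) - p.beta22 * S2 * (IA2 + IB2)
           - (p.lam21 * S2 - p.lam12 * S1))                              # Eq.5-13
    dIA1 = (p.beta11 * IA1 * (S1 - IB1) + p.beta12 * (S1 * IA2 - IA1 * IB2)
            + (p.mu21 * IA2 - p.mu12 * IA1))                             # Eq.5-14
    dIA2 = (p.beta21 * (S2 * IA1 - IA2 * IB1) + p.beta22 * IA2 * (S2 - IB2)
            - (p.mu21 * IA2 - p.mu12 * IA1))                             # Eq.5-15
    dIB1 = ((p.beta11 * IB1 + p.beta12 * IB2) * (S1 + IA1)
            + (p.om21 * IB2 - p.om12 * IB1))                             # Eq.5-16
    dIB2 = ((p.beta21 * IB1 + p.beta22 * IB2) * (S2 + IA2)
            - (p.om21 * IB2 - p.om12 * IB1))                             # Eq.5-17
    return (dS1, dS2, dIA1, dIA2, dIB1, dIB2)


def prey_inflow(y, p):
    """Rate of new prey infections (the S -> A transitions), accumulated for TI."""
    S1, S2, IA1, IA2, _, _ = y
    return (p.beta11 * S1 * IA1 + p.beta12 * S1 * IA2
            + p.beta21 * S2 * IA1 + p.beta22 * S2 * IA2)


def thresholds(y, p):
    """Epidemiological thresholds E_A1 and E_A2 of Eq.5-18 and Eq.5-19."""
    S1, S2, IA1, IA2, IB1, IB2 = y
    e1 = ((S1 * (p.beta11 * IA1 + p.beta12 * IA2) + p.mu21 * IA2)
          / (IA1 * (p.beta11 * IB1 + p.beta12 * IB2) + p.mu12 * IA1))
    e2 = ((S2 * (p.beta21 * IA1 + p.beta22 * IA2) + p.mu12 * IA1)
          / (IA2 * (p.beta21 * IB1 + p.beta22 * IB2) + p.mu21 * IA2))
    return e1, e2


def rk4_step(f, y, dt):
    """One classical Runge-Kutta step for y' = f(y)."""
    k1 = f(y)
    k2 = f([a + 0.5 * dt * b for a, b in zip(y, k1)])
    k3 = f([a + 0.5 * dt * b for a, b in zip(y, k2)])
    k4 = f([a + dt * b for a, b in zip(y, k3)])
    return [a + dt / 6.0 * (b + 2 * c + 2 * d + e)
            for a, b, c, d, e in zip(y, k1, k2, k3, k4)]


def simulate(p, n1, n2, prey_group, predator_group, dt=1.0, t_max=20000.0):
    """One initial prey node in prey_group and one initial predator node in
    predator_group (groups numbered 1 and 2).  Returns MI (peak prey) and TI
    (cumulative prey) as fractions of N = n1 + n2, and TR in seconds: the time
    at which fewer than one prey-infected host remains in the model."""
    n = n1 + n2
    # state: S1, S2, IA1, IA2, IB1, IB2, plus cumulative prey infections
    y = [float(n1), float(n2), 0.0, 0.0, 0.0, 0.0, 1.0]
    y[prey_group - 1] -= 1.0
    y[prey_group + 1] += 1.0          # IA1 is index 2, IA2 is index 3
    y[predator_group - 1] -= 1.0
    y[predator_group + 3] += 1.0      # IB1 is index 4, IB2 is index 5

    def rhs(s):
        return derivatives(s[:6], p) + (prey_inflow(s[:6], p),)

    t, mi = 0.0, y[2] + y[3]
    while t < t_max:
        y = rk4_step(rhs, y, dt)
        t += dt
        mi = max(mi, y[2] + y[3])
        if y[2] + y[3] < 1.0:
            break
    return {"MI": mi / n, "TI": y[6] / n, "TR": t, "final": y[:6]}


# Fig.5.7 setting from the text: 500 + 500 nodes, beta11 = 3e-5 (group 1, the
# slow group), beta22 = 6e-5 (group 2, the fast group), beta12 = beta21 = 1e-5.
FIG57 = TwoGroupParams(beta11=3e-5, beta22=6e-5, beta12=1e-5, beta21=1e-5)
SLOW, FAST = 1, 2


def fig57_cases():
    """The four scenarios of Fig.5.7, each from one prey and one predator node."""
    return {
        "slow prey, slow predator": simulate(FIG57, 500, 500, SLOW, SLOW),
        "slow prey, fast predator": simulate(FIG57, 500, 500, SLOW, FAST),
        "fast prey, slow predator": simulate(FIG57, 500, 500, FAST, SLOW),
        "fast prey, fast predator": simulate(FIG57, 500, 500, FAST, FAST),
    }
```

The six derivatives sum to zero, so the total population N is conserved by the model, which is a useful sanity check on any reimplementation of Eq.5-12 to Eq.5-17.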
[Figure 5.9 state diagram: the transitions of Fig.5.6 for each group i = 1, 2 ($\beta_{i1} S_i I_{A1} + \beta_{i2} S_i I_{A2}$ from "Group i Susceptible" to "Group i Infected by worm A, prey"; $\beta_{i1} S_i I_{B1} + \beta_{i2} S_i I_{B2}$ from "Group i Susceptible" to "Group i Infected by worm B, predator"; $\beta_{i1} I_{Ai} I_{B1} + \beta_{i2} I_{Ai} I_{B2}$ from prey to predator, which is immune to prey) plus group transitions $\lambda_{12} S_1$ and $\lambda_{21} S_2$ between the two susceptible states, $\mu_{12} I_{A1}$ and $\mu_{21} I_{A2}$ between the two prey states, and $\omega_{12} I_{B1}$ and $\omega_{21} I_{B2}$ between the two predator states]
[Figure 5.9] Two-group, one-sided Interaction with group transition
[Figure 5.10: six panels plotted against initial prey group fraction, 0 to 1; the x-axis of panels (a)-(c) is labelled "Initial Prey Group Fraction (Slow)" and that of (d)-(f) "Initial Prey Group Fraction (Fast)"; each with sim and model curves: (a, d) TI and MI as prey infected hosts fraction; (b, e) TL and AL in seconds (log scale); (c, f) TA and TR in seconds]
[Figure 5.10] Effects of group size in two-group population: slow group (contact rate = 6x10^-5 sec^-1) and fast groups (contact rate = 9x10^-5 sec^-1, and contact rate between groups = 3x10^-5 sec^-1) for Slow prey Fast predator (a, c and e) and Fast prey Slow predator (b, d and f)
In Sections 5.3.1 and 5.3.2, we investigated the network characteristics of a single-group network; in this part we discuss the effects of the two-group network, including the group sizes, the contact rate of one of the two groups, and the contact rate between the two groups, on the worm interactions.
We start by investigating the effects of group sizes as fractions of a fixed N (1000 nodes) where $\beta_{11} = 6 \times 10^{-5}$ sec$^{-1}$, $\beta_{22} = 9 \times 10^{-5}$ sec$^{-1}$ and $\beta_{12} = 3 \times 10^{-5}$ sec$^{-1}$. Group 1 and group 2 are called the "slow group" and "fast group", respectively. For the first part (Fig. 5.10a, b and c), the initial prey-infected node is in the slow group and the initial predator-infected node is in the fast group (slow-prey-fast-predator case). In the second part (Fig. 5.10d, e and f), the initial prey-infected host is in the fast group and the initial predator-infected node is in the slow group (fast-prey-slow-predator case).
In Fig.5.10a and d, we see that as the size of the fast group increases, TI, MI and TL decrease linearly, independent of which group has the initial predator-infected node or the initial prey-infected node. As TI and TL decrease linearly at the same rate as the fast-group size increases, AL is almost constant for all group sizes. TA and TR increase gradually as the slow-group size increases (and the fast-group size decreases), and drop gradually after reaching their peak value. This occurs because of the low contact rate between groups. The fluctuations in Fig.5.10c and Fig.5.10f are caused by the non-uniform random number generator, which is an artifact of the simulation.
In Fig. 5.11, we show the impact of the contact rate of the initial-prey-infected-node group, where the contact rate of the initial prey group is $\beta_{11}$ = 3 to 30 $\times 10^{-5}$ sec$^{-1}$, the contact rate of the initial predator group is $\beta_{22} = 15 \times 10^{-5}$ sec$^{-1}$, and the contact rate between groups is $\beta_{12} = 3 \times 10^{-5}$ sec$^{-1}$. As expected, TI, MI and TL increase linearly as $\beta_{11}$ increases, while TA and TR reduce exponentially as $\beta_{11}$ increases. This effect is similar to the increase of contact rate in a single group (Fig. 5.3e-f).
[Figure 5.11: three panels plotted against the contact rate of the initial prey group (x10^-5), 0 to 30, each with sim and model curves: (a) TI and MI as prey infected hosts fraction; (b) TL and AL in seconds (log scale); (c) TA and TR in seconds]
[Figure 5.11] Effects of initial-prey-infected-node group's contact rate in two-group population: varied contact rate of the initial-prey-infected-node group (contact rate = 3 to 30x10^-5 sec^-1) and fixed contact rate of the initial predator group (contact rate = 15x10^-5 sec^-1, and contact rate between groups = 3x10^-5 sec^-1)
In Fig. 5.12, we show the impact of the contact rate between groups, where $\beta_{11} = 3 \times 10^{-5}$ sec$^{-1}$, $\beta_{22} = 15 \times 10^{-5}$ sec$^{-1}$ and $\beta_{12}$ = 3 to 30 $\times 10^{-5}$ sec$^{-1}$. As shown in Fig. 5.10a-b, as $\beta_{12}$ increases, the prey in the slow-prey-fast-predator case can infect more susceptible nodes and the predator in the fast-prey-slow-predator case can terminate more prey and vaccinate more susceptible nodes (as indicated by TI and MI). Hence, the contact rate between groups only helps the prey or predator in the slower group to infect relatively more nodes than the one in the faster group (i.e., worms in both groups infect nodes faster, but the one in the slower group has the higher relative improvement). However, TL, AL, TA and TR reduce as the contact rate between groups increases for all cases (slow-prey-fast-predator and fast-prey-slow-predator), because δ increases. Later, we evaluate the group characteristics again using more realistic trace-driven encounter-based networks.
[Figure 5.12: six panels plotted against the contact rate between groups (x10^-5), 0 to 30, each with sim and model curves: (a, d) TI and MI as prey infected hosts fraction; (b, e) TL and AL in seconds (log scale); (c, f) TA and TR in seconds]
[Figure 5.12] Effects of contact rate between groups of two-group population: slow group (contact rate = 3x10^-5 sec^-1) and fast encountered groups (contact rate = 15x10^-5 sec^-1, and contact rate between groups = 3 to 30x10^-5 sec^-1) for Slow prey Fast predator (a, b and c) and Fast prey Slow predator (d, e and f)
6. Chapter 6: Node Characteristics
6.1 Overview
Earlier we assumed that all nodes are fully cooperative, susceptible to both prey and predator and "always-on", and hence that each encounter guarantees a successful message (worm) transfer. In practice, nodes differ in their characteristics because of differences in users' usage strategies, daily-life activities or level of security technology and awareness. Four important node characteristics corresponding to this worm interaction factor are addressed in this chapter: cooperation, immunization, on-off behavior and delay. We assume these node characteristics persist throughout the lifetime of the network.
In this chapter, we discuss the node characteristics that affect worm propagation. Many factors may affect worm propagation, but we focus only on cooperation, immunization, on-off behavior and delay because we believe these are the most fundamental node characteristics that can affect worm propagation significantly. Because node characteristics do not affect how contact rates are derived, their effect on random-scan network worms and on encounter-based worms is similar. Hence, in this chapter, we present our results based on encounter-based worms only.
6.2 Cooperation
Cooperation is the willingness of a node to forward messages (worms) for other nodes. The opposite characteristic is known as selfishness. Intuitively, cooperation may seem to make the network more vulnerable, as nodes may be willing to forward prey replicas through the network. However, unlike immunization, cooperation is expected to slow down both prey and predator propagation equally. Hence, the effect of cooperation is hard to anticipate.
6.3 Immunization
Not all nodes are equally susceptible to the prey, either because of their heterogeneous operating systems or because of differences in how promptly the vulnerability is removed from their machines. Hence some of the nodes can be immune to prey, which slows down the overall prey infection. Immunization is expected to improve the overall targeted metrics mentioned earlier because immune nodes still help forward the predator to other nodes. It is expected to have no positive impact on TA but to reduce TR, simply because fewer nodes need to be removed.
6.4 On-off behavior
A node is able to accept or forward a packet depending on its on-off state. In reality, devices are "on" or active only a fraction of the time. Activity may be related to mobility. For instance, a mobile phone is usually on, while a laptop is unlikely to be mobile while on². We model the transition from on to off, and vice versa, probabilistically. The probability is determined at the beginning of each time interval. Hence the contact rate is expected to be reduced proportionally according to the probability that the node cannot forward or accept packets because of its on-off status.
6.5 Delay
Initial prey-infected nodes and initial predator-infected nodes may start their infections in the network at different times (depending on prey timers or the security architecture of the predator). The gap between those times can be significant. If the initial prey-infected nodes start infecting susceptible nodes in the network earlier than the initial predator-infected nodes start vaccination and termination, we can expect TI, MI, AL, TA, TL and TR to increase, and the opposite results are expected if the order of their start times is reversed.
² This is observed from measurements [25] and is captured in our study using trace-driven simulations.
[Figure 6.1] Aggressive one-sided interaction with node characteristics (state diagram with transition rates $p\beta_A S^* I_A$ from $S^*$ to $I_A$, $p\beta_B I_A I_B$ from $I_A$ to $I_B$, $p\beta_B S^* I_B$ from $S^*$ to $I_B$ and $p\beta_B S' I_B$ from $S'$ to $I_B$)
6.6 Aggressive one-sided interaction based on node characteristics
Let c be the fraction of nodes in the network (N) that are willing to be cooperative, where $0 \le c \le 1$ and N is the total number of nodes in the network. Let i be the fraction of cooperative nodes that are immune to prey, where $0 \le i \le 1$. We assume that the initial predator and prey hosts are cooperative; then the number of susceptible hosts for both prey and predator is $S^*$, where $S^*(0) = c(1-i)N - I_A(0)$, and the number of susceptible hosts for predator only is $S'$, where $S'(0) = ciN - I_B(0)$. Note that $N = S^* + S' + I_A + I_B$ and $S = S^* + S'$. We define the probability of "on" behavior as p and of "off" behavior as 1-p, where $0 \le p \le 1$. Hence the contact rates for prey and predator are $p\beta_A$ and $p\beta_B$, respectively. For encounter-based worms, we assume $\beta_A = \beta_B$.
Based on these definitions, the node-characteristic-based aggressive one-sided model can be written as follows (Fig.6.1):
$\frac{dS^*}{dt} = -pS^*(\beta_A I_A + \beta_B I_B)$ (Eq.6-1)
$\frac{dS'}{dt} = -p\beta_B S' I_B$ (Eq.6-2)
$\frac{dI_A}{dt} = pI_A(\beta_A S^* - \beta_B I_B)$ (Eq.6-3)
$\frac{dI_B}{dt} = p\beta_B I_B(S^* + S' + I_A)$ (Eq.6-4)
We use this model to derive the metrics in which we are interested. The differences between the conditions for minimizing the metrics under this model and under the basic aggressive one-sided interaction model are investigated here.
From (Eq.6-3), if we want to suppress the initial prey infection, then we need
$\beta_B I_B(0) = \beta_A S^*(0)$ (Eq.6-5)
Assuming $I_A(0)$ and $I_B(0)$ are small compared with N, $S^*(0) \approx c(1-i)S(0)$, which gives the $I_B(0)$ required to stop the initial prey infection. TI, the number of nodes ever infected by prey, can be derived from (Eq.6-3) as
$TI = \int_{t=0}^{\infty} p\beta_A S^* I_A \, dt$ (Eq.6-6)
As the contact rate is changed by on-off behavior, TA, for which Y = 1, can be derived as follows:
$TA = (2\ln N + 0.5772)/(pN\beta_B)$ (Eq.6-7)
Our model can also be used to model node-characteristic-based one-worm-type propagation, which is equivalent to epidemic routing, by setting $I_B(0) = 0$ or $I_A(0) = 0$ in (Eq.6-1) to (Eq.6-4).
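As an added example (not code from the dissertation), the following Python integrates Eq.6-1 to Eq.6-4 for the node-characteristic model, accumulates TI as in Eq.6-6, records MI, compares a predator coverage time with Eq.6-7 and tests the Eq.6-5 suppression condition. The metric operationalizations (MI as the peak of $I_A$, TA as the first time the predator has reached all but one cooperative node) and the handling of $ciN < I_B(0)$ are assumptions of this example.

```python
"""Added example (not from the dissertation): integrate the node-characteristic
aggressive one-sided model of Eq. 6-1 to 6-4 with RK4, accumulate TI as in Eq. 6-6,
record MI, measure a predator coverage time to compare with Eq. 6-7, and test the
Eq. 6-5 suppression condition.  Metric operationalizations are assumptions."""
import math


def rhs(y, p, beta_a, beta_b):
    """Eq. 6-1 to 6-4 plus the TI integrand of Eq. 6-6; y = (S*, S', I_A, I_B, TI)."""
    s_star, s_prime, i_a, i_b, _ = y
    return (
        -p * s_star * (beta_a * i_a + beta_b * i_b),    # Eq. 6-1: dS*/dt
        -p * beta_b * s_prime * i_b,                    # Eq. 6-2: dS'/dt
        p * i_a * (beta_a * s_star - beta_b * i_b),     # Eq. 6-3: dI_A/dt
        p * beta_b * i_b * (s_star + s_prime + i_a),    # Eq. 6-4: dI_B/dt
        p * beta_a * s_star * i_a,                      # Eq. 6-6: new prey infections
    )


def rk4_step(y, dt, *args):
    """One classical Runge-Kutta step of size dt."""
    k1 = rhs(y, *args)
    k2 = rhs(tuple(v + 0.5 * dt * k for v, k in zip(y, k1)), *args)
    k3 = rhs(tuple(v + 0.5 * dt * k for v, k in zip(y, k2)), *args)
    k4 = rhs(tuple(v + dt * k for v, k in zip(y, k3)), *args)
    return tuple(v + dt / 6.0 * (a + 2 * b + 2 * c + d)
                 for v, a, b, c, d in zip(y, k1, k2, k3, k4))


def initial_state(n, c, i, i_a0, i_b0):
    """S*(0) = c(1-i)N - I_A(0) and S'(0) = ciN - I_B(0) from Section 6.6.
    Assumption: if ciN < I_B(0) (e.g. i = 0 with one predator seed), the shortfall is
    taken from S* so that S* + S' + I_A + I_B stays equal to cN."""
    s_star0 = c * (1.0 - i) * n - i_a0
    s_prime0 = c * i * n - i_b0
    if s_prime0 < 0.0:
        s_star0, s_prime0 = s_star0 + s_prime0, 0.0
    if s_star0 < 0.0:
        raise ValueError("initial infected hosts exceed the cooperative population")
    return (s_star0, s_prime0, float(i_a0), float(i_b0), 0.0)


def prey_suppressed_at_start(y0, beta_a, beta_b):
    """Eq. 6-5: dI_A/dt <= 0 at t = 0 exactly when beta_B I_B(0) >= beta_A S*(0)."""
    s_star0, _, _, i_b0, _ = y0
    return beta_b * i_b0 >= beta_a * s_star0


def ta_closed_form(n, p, beta_b):
    """Eq. 6-7 (Y = 1): TA = (2 ln N + 0.5772) / (p N beta_B)."""
    return (2.0 * math.log(n) + 0.5772) / (p * n * beta_b)


def simulate(n=1000, c=1.0, i=0.0, p=1.0, beta_a=3e-5, beta_b=3e-5,
             i_a0=1, i_b0=1, dt=0.5, t_max=20000.0):
    """Return TI, relative TI (TI/N* with N* = c(1-i)N), MI, TA and a conservation check.
    Assumed operationalizations: MI is the peak of I_A; TA is the first time the predator
    has reached all but one node of the cooperative population."""
    y = initial_state(n, c, i, i_a0, i_b0)
    pop = sum(y[:4])                 # conserved by Eq. 6-1 to 6-4
    n_star = c * (1.0 - i) * n
    mi, ta, t = y[2], None, 0.0
    while t < t_max:
        y = rk4_step(y, dt, p, beta_a, beta_b)
        t += dt
        mi = max(mi, y[2])
        if ta is None and y[3] >= pop - 1.0:
            ta = t
        if ta is not None and y[2] < 1e-6:   # prey gone and predator everywhere
            break
    return {"TI": y[4], "rel_TI": y[4] / n_star, "MI": mi, "TA": ta,
            "pop_error": abs(sum(y[:4]) - pop)}


if __name__ == "__main__":
    for p in (1.0, 0.5):
        r = simulate(p=p)
        print(f"p={p}: rel_TI={r['rel_TI']:.4f} MI={r['MI']:.1f} TA={r['TA']:.0f}s "
              f"(Eq. 6-7 gives {ta_closed_form(1000, p, 3e-5):.0f}s)")
```

Halving p leaves relative TI unchanged but doubles the time metrics, which is the on-off behavior result reported in Section 6.7.1.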
6.7 Evaluation
6.7.1 Uniform encounter-based simulations
With respect to node characteristics, there is no difference between random-scan network worms and encounter-based worms; hence, we show our evaluation based on simulated encounter-based worms only (see Appendix A for the simulation setup).
In the simulation, we vary cooperation (c) from 20% to 100% and immunization (i) from 0% to 90% with 100% "on" time for the first part of the experiments (Fig.6.2a-f), and we vary "on" time from 10% to 90% with 90% cooperation and 10% immunization for the second part (Fig.6.2g-h). The first part aims to analyze the impact of cooperation and immunization, whereas the second part aims to analyze the impact of on-off behavior on aggressive one-sided worm interaction. In this simulation, again we assume only a single group within the network.
(1) Cooperation: In Fig. 6.2a-f, we find that cooperation, surprisingly, reduces prey infection for every metric. (Note that cooperation actually increases absolute TI and absolute MI, but relative TI (TI/N*) and relative MI (MI/N*) are reduced, where the number of cooperative-susceptible nodes is $N^* = c(1-i)N$.) We can observe that cooperation reduces AL, TA and TR significantly more than it reduces TI, MI and TL.
(2) Immunization: Similarly, Fig. 6.2a-f shows that immunization reduces all categories of metrics except TA and AL. As immunization increases, TI is reduced much faster than TL; thus an increase in immunization increases AL. Furthermore, an increase in immunization, as expected, reduces TR because there are fewer possible prey-infected nodes.
Immunization reduces relative TI, relative MI and TL more significantly than it reduces TR. For an equal increase (20% to 80%), immunization at cooperation = 100% reduces relative TI, relative MI and TL approximately 8.8 times, 2.7 times and 10.6 times more, respectively, than cooperation does at immunization = 0%. On the other hand, cooperation reduces TR approximately 3.3 times more than immunization does. As shown in fig. 6.2e, unlike cooperation, immunization cannot reduce TA.
(3) On-off behavior: The impact of on-off behavior (p) is clear in fig. 6.2g-h. As expected, relative TI and relative MI do not change as the "on" time varies. The ratio of the contact rates of predator and prey is an indicator of the fraction of infected nodes, irrespective of the contact rate itself. In this case, the ratio of contact rates is always 1.0, and hence relative TI and relative MI are constant. Because an increase in "on" time reduces the time between consecutive encounters between nodes, TL, AL, TA and TR decrease exponentially as p increases.
(4) Delay: As shown in Fig. 6.2i, the delay (d) causes absolute TI and absolute MI to increase linearly until the number of prey-infected nodes reaches N. Similarly, in Fig.6.2k, TA and TR also increase linearly as d increases. We can notice that the increase of TA and TR is simply the delay. In addition, TA and TR merge after a certain delay. TL and AL (Fig.6.2j) increase slowly as d increases.
[Figure 6.2] Effects of cooperation (c), immunization (i), on-off behavior (p) and delay (d) on uniform-encounter worm interactions
[Figure 6.2 plots: (a)-(f) x-axis i, curves for C20 to C100 (cooperation 20% to 100%), sim and model: (a) TI and (b) MI as Cooperative-Susceptible Nodes (Fraction), (c) TL, (d) AL, (e) TA and (f) TR in Time (Sec); (g)-(h) x-axis p, C90 I10, sim and model: (g) TI and MI as N (Fraction), (h) TL, AL, TA and TR in Time (Sec), log scale; (i)-(k) x-axis Delay (Sec),
C100 I0, sim and model: (i) TI and MI as N (Fraction), (j) TL and AL in Time (Sec), log scale, (k) TA and TR in Time (Sec)]
6.7.2 Trace-driven encounter-based simulations
[Figure 6.3 plots: (a) histogram of TotalEncounter vs Frequency (Mean = 17313.809, Std. Dev. = 35726.16663, N = 1,000); (b) histogram of UniqueEncounter vs Frequency (Mean = 137.745, Std. Dev. = 128.49695, N = 1,000); (c) Total Incoming Nodes (%) vs Time (Days), batch arrival patterns at different start times]
[Figure 6.3] Trace-based encounter characteristics: (a) Total encounters, (b) Unique encounters and (c) Batch arrival pattern
We investigate the consistency of the model-based results with those generated using measurement-based real encounters. We drive our encounter-level simulations using the wireless network traces of the University of Southern California covering 62 days of the spring 2006 semester [25]. We define an encounter as two nodes sharing the same access point at the same time. We randomly choose 1,000 nodes from the 5,000 most active nodes (by online time) in the trace. Their median β is $1.27 \times 10^{-6}$ sec$^{-1}$ and the median number of unique encountered nodes is 94. We use $I_A(0) = 1$ and $I_B(d) = 1$, where d is the delay between the initial predator-infected node and the initial prey-infected node in the simulation. This delay was introduced as the traced delay between the first arrivals of two groups, in which the initial predator-infected node and the initial prey-infected node are assumed to be in different groups (and different batch arrivals³). The first group and second group account for approximately 90% and 10% of the total population, respectively. The first group has average contact rate $\beta_{11} = 3.6 \times 10^{-6}$ sec$^{-1}$, the second group has average contact rate $\beta_{22} = 3.3 \times 10^{-6}$ sec$^{-1}$, and the approximated contact rate between groups is $\beta_{12} = 4 \times 10^{-7}$ sec$^{-1}$. When the contact rate of the initial predator-infected node is higher than that of the initial prey-infected node, we call this scenario "Fast predator". On the other hand, when the contact rate of the initial predator-infected node is lower than that of the prey, we call this scenario "Slow predator". From the trace, the median arrival delay between the initial predator-infected node and the initial prey-infected node is 8.7 days (introduced by the gap between the first and the second batch arrivals). Because the first group is in the first batch, "Fast predator" is also the early predator and "Slow predator" is also the late predator.
³ Nodes may join the network simultaneously as a "batch arrival". It can be modeled as the "birth" of the population. We assume that those nodes enter the network only as susceptible nodes. Note that we do not consider infected nodes that temporarily leave and then rejoin the network as a batch arrival.
We can see the consistent batch arrival pattern in Fig.6.3c; each line represents a different start time of new-node arrival into the network, i.e., day 0, 10, 20 and 30, where day 0 is January 25, 2006. At the beginning of the semester not all students had returned to campus, hence the large gap between the batch arrivals. The smaller gaps (1 day) for the other start days were caused by the university's schedule, which has classes either on Tuesday-Thursday or Monday-Wednesday-Friday. Hence, batch arrival patterns are likely to occur in any encounter-based network due to the users' schedules. In addition, in Fig.6.3a-b, we find that users' encounters in the trace are highly skewed (non-uniform), i.e., the top 20% of users by total encounters account for 72% of all users' encounters, and 70% of users encounter less than 20% of the total unique users, which is caused by non-uniform on-off behavior and location preferences [25, 26].
We choose to run our trace-driven simulations at day 0 to see the significance of batch arrival patterns on worm interactions. To validate our model accuracy, we compare the trace-driven simulation results with our aggressive one-sided model with node characteristics and group behavior. We also apply the batch arrival and delay to our model and compare the trace-driven simulation results with our model plot.
In our model, we use $\beta_{11} = 3.6 \times 10^{-6}$, $\beta_{22} = 3.3 \times 10^{-6}$ and $\beta_{12} = 4 \times 10^{-7}$ with $t_1$ = day 8.7 (second batch arrival, 395 nodes join group 1, 50 nodes join group 2), $t_2$ = day 8.71 (all predator-infected nodes leave the network), $t_3$ = day 11.57 (predator-infected nodes rejoin the network), $t_4$ = day 17.4 (third batch arrival, 50 nodes join group 2) and $t_5$ = day 40.5 (fourth batch arrival, 5 nodes join group 2). These batch arrival patterns are approximated from the observed trace and simulations.
In Fig.6.4c-f and i-l, these batch arrival patterns and the delay cause significant additions to our proposed metrics, especially TL, AL, TA and TR (TA is subject to the time of the last node arrival). In addition, we find that immunization (i) is still a very important factor in reducing relative TI, relative MI, TL and TR in the "Slow predator" case, but it does not have much impact in the "Fast predator" case, since there is not much room for improvement (except for TL). However, unlike the uniform-encounter worm interaction, we find that cooperation only helps reduce relative TI, relative MI, TL, AL and TR in the "Fast predator" case.
In Fig.6.4a-c, relative TI, relative MI and TL with "Slow predator" decrease almost linearly to zero as i increases. Hence, large immunization can offset a large delay. Surprisingly, as shown in fig. 6.4g and m, AL with "Fast predator" does not show significant improvement over AL with "Slow predator".
Our model seems to predict the metrics more accurately in the "Slow predator" case, in which delay and batch arrival pattern are the major factors (for example, in the case of 25% cooperation, the TI error in the "Slow predator" case is only 25% of the TI error in the "Fast predator" case). On the other hand, for "Fast predator", TI and MI (fig.6.4g-h) are more sensitive to fine-grained non-uniform encounter patterns, which we simplify to only two-group encounters. With the number of groups precisely estimated, the accuracy of the metric estimations can be drastically improved.
[Figure 6.4 plots: x-axis i, curves for C25, C50 and C100 (cooperation 25%, 50%, 100%), model and trace: (a) TI and (b) MI as Cooperative-Susceptible Hosts (Fraction), (c) TL, (d) AL, (e) TA and (f) TR in Time (Sec) for the slow contact-rate, late predator group; (g) TI, (h) MI, (i) TL, (j) AL, (k) TA and (l) TR likewise for the fast contact-rate, early predator group]
[Figure 6.4] Trace-based simulation results: effects of cooperation (c) and immunization (i) on TI, MI, TL, AL, TA and TR in non-uniform-encounter worm interaction, where in (a)-(f) the initial predator-infected hosts are in the slow contact-rate and late group, and in (g)-(l) the initial predator-infected hosts are in the fast contact-rate and early group
7. Chapter 7: General Worm Interaction Models
7.1 Overview
In Chapters 4 to 6, we modeled and investigated the effects of worm interaction types, network characteristics and node characteristics, respectively. Here, in Chapter 7, we unify all these concepts into a single model that can explain all worm interaction factors for both random-scan network worms and encounter-based worms. In addition, we include the effects of the worm removal process and the re-susceptible process (becoming susceptible to prey/predator again after being infected by prey/predator) for a generic worm interaction type. We also add group behaviors for random-scan network worms according to their local scanning preference and related scanning strategies. The general worm interaction model state diagram is shown in Fig.7.1.
7.2 General Worm Interaction Models
Assume that there are g groups in the network and assume two types of worms, A and B, where A is the prey and B is the predator. Let $\beta_{Anm}$ and $\beta_{Bnm}$ be the prey inter-contact rate and predator inter-contact rate, respectively, between the members of group n and the members of group m ($\beta_{Ann}$ and $\beta_{Bnn}$ are the prey intra-contact rate and predator intra-contact rate, respectively, within group n), and let $S_n$ be the number of susceptible nodes of group n (at time t), where $1 \le n, m \le g$. Let c be the fraction of nodes $N_n$ that are willing to be cooperative, where $0 \le c \le 1$ and $N_n$ is the total number of nodes in the network that are members of group n. Let i be the fraction of cooperative nodes that are immune to prey, where $0 \le i \le 1$. Let $I_{An}$ and $I_{Bn}$ be the number of prey-infected nodes and predator-infected nodes of group n, respectively. Assume that the initial predator-infected nodes and initial prey-infected nodes (t = 0) are cooperative; then the number of susceptible nodes for both prey and predator is $S^*_n$, where $S^*_n(0) = c(1-i)N_n - I_{An}(0)$ for group n, and the number of susceptible nodes for predator only is $S'_n$, where $S'_n(0) = ciN_n - I_{Bn}(0)$ for group n. Note that $N_n = S^*_n + S'_n + I_{An} + I_{Bn}$ and $S_n = S^*_n + S'_n$. We define the probability of "on" behavior as p and of "off" behavior as 1-p, where $0 \le p \le 1$. Hence the inter-contact rate between groups n and m for both predator and prey is $p\beta_{nm}$. Let d be the delay between the initial prey-infected node(s) and the initial predator-infected node(s) (assume all initial predator-infected (prey-infected) nodes start infection at the same time); then $I_{An}(t) \ge 1$ where $t \ge 0$ and $I_{Bn}(t) \ge 1$ where $t \ge d$. For simplicity and brevity, let us assume that the number of groups in the network is 2. Fig.1a shows the state diagram of our model.
Let $K_{S^*_1 I_{A1} I_{A2}} \in \{0, 1\}$ be the state transition indicator from $S^*_1$ to either $I_{A1}$ or $I_{A2}$, $K_{S^*_2 I_{A1} I_{A2}} \in \{0, 1\}$ the state transition indicator from $S^*_2$ to either $I_{A1}$ or $I_{A2}$, $K_{S^*_1 I_{B1} I_{B2}} \in \{0, 1\}$ the state transition indicator from $S^*_1$ to either $I_{B1}$ or $I_{B2}$, $K_{S^*_2 I_{B1} I_{B2}} \in \{0, 1\}$ the state transition indicator from $S^*_2$ to either $I_{B1}$ or $I_{B2}$, $K_{S'_1 I_{B1} I_{B2}} \in \{0, 1\}$ the state transition indicator from $S'_1$ to either $I_{B1}$ or $I_{B2}$, $K_{S'_2 I_{B1} I_{B2}} \in \{0, 1\}$ the state transition indicator from $S'_2$ to either $I_{B1}$ or $I_{B2}$, $K_{I_{A1} I_{B1} I_{B2}} \in \{0, 1\}$ the state transition indicator from $I_{A1}$ to either $I_{B1}$ or $I_{B2}$, and $K_{I_{A2} I_{B1} I_{B2}} \in \{0, 1\}$ the state transition indicator from $I_{A2}$ to either $I_{B1}$ or $I_{B2}$.
Let α be the re-susceptible rate, which is the rate at which prey-infected nodes or predator-infected nodes become susceptible to prey/predator again after being infected with prey/predator (α can also differ between prey and predator, i.e., $\alpha_A$ for prey and $\alpha_B$ for predator). The state transition indicators and α are used to identify the types of worm interactions. Let γ be the manual removal rate and $\gamma_S$ the manual vaccination rate for both prey and predator.
For the aggressive one-sided interaction, susceptible nodes in group 1 (or group 2) can change into prey-infected nodes or predator-infected nodes of the same group, and prey-infected nodes in group 1 (or group 2) can change into predator-infected nodes of the same group. Hence $K_{S^*_1 I_{A1} I_{A2}} = K_{S^*_2 I_{A1} I_{A2}} = K_{S^*_1 I_{B1} I_{B2}} = K_{S^*_2 I_{B1} I_{B2}} = K_{S'_1 I_{B1} I_{B2}} = K_{S'_2 I_{B1} I_{B2}} = K_{I_{A1} I_{B1} I_{B2}} = K_{I_{A2} I_{B1} I_{B2}} = 1$ and $\alpha = 0$.
For the conservative one-sided interaction, susceptible nodes in group 1 (or group 2) can change into prey-infected nodes of the same group, and prey-infected nodes in group 1 (or group 2) can change into predator-infected nodes of the same group. Hence $K_{S^*_1 I_{A1} I_{A2}} = K_{S^*_2 I_{A1} I_{A2}} = K_{I_{A1} I_{B1} I_{B2}} = K_{I_{A2} I_{B1} I_{B2}} = 1$, $K_{S^*_1 I_{B1} I_{B2}} = K_{S^*_2 I_{B1} I_{B2}} = K_{S'_1 I_{B1} I_{B2}} = K_{S'_2 I_{B1} I_{B2}} = 0$ and $\alpha = 0$.
For the aggressive two-sided interaction, susceptible nodes in group 1 (or group 2) can change into prey-infected nodes or predator-infected nodes of the same group. Hence $K_{S^*_1 I_{A1} I_{A2}} = K_{S^*_2 I_{A1} I_{A2}} = K_{S^*_1 I_{B1} I_{B2}} = K_{S^*_2 I_{B1} I_{B2}} = K_{S'_1 I_{B1} I_{B2}} = K_{S'_2 I_{B1} I_{B2}} = 1$, $K_{I_{A1} I_{B1} I_{B2}} = K_{I_{A2} I_{B1} I_{B2}} = 0$ and $\alpha = 0$.
Let $\lambda_{S^*_1 S^*_2}$, $\lambda_{S^*_2 S^*_1}$, $\lambda_{S'_1 S'_2}$, $\lambda_{S'_2 S'_1}$, $\lambda_{I_{A1} I_{A2}}$, $\lambda_{I_{A2} I_{A1}}$, $\lambda_{I_{B1} I_{B2}}$ and $\lambda_{I_{B2} I_{B1}}$ be the group transition rates from $S^*_1$ to $S^*_2$, $S^*_2$ to $S^*_1$, $S'_1$ to $S'_2$, $S'_2$ to $S'_1$, $I_{A1}$ to $I_{A2}$, $I_{A2}$ to $I_{A1}$, $I_{B1}$ to $I_{B2}$, and $I_{B2}$ to $I_{B1}$, respectively. Let $\Delta_{S^*_1}$, $\Delta_{S^*_2}$, $\Delta_{S'_1}$ and $\Delta_{S'_2}$ be the batch arrival rates for $S^*_1$, $S^*_2$, $S'_1$ and $S'_2$, respectively.
The rate of decrease of susceptible nodes is determined by manual vaccination and by the contact of susceptible nodes with prey or prey-infected nodes (from the same or a different group), causing prey infection, or with predator or predator-infected nodes (from the same or a different group), causing vaccination. (Note that immune nodes are different from vaccinated nodes: immune nodes were never susceptible to prey, whereas vaccinated nodes were once susceptible to prey.) On the other hand, the re-susceptible rate (infected nodes becoming susceptible again⁴) causes an increase of susceptible nodes. In addition, the number of susceptible nodes within each group can change due to group transitions and batch arrivals. Hence, the susceptible rates of groups 1 and 2 are
$\frac{dS^*_1}{dt} = -pS^*_1\left(K_{S^*_1 I_{A1} I_{A2}}(\beta_{A11} I_{A1} + \beta_{A12} I_{A2}) + K_{S^*_1 I_{B1} I_{B2}}(\beta_{B11} I_{B1} + \beta_{B12} I_{B2})\right) + (\lambda_{S^*_2 S^*_1} S^*_2 - \lambda_{S^*_1 S^*_2} S^*_1) - \gamma_S S^*_1 + \alpha(I_{A1} + (1-i) I_{B1}) + \Delta_{S^*_1}$ (Eq.7-1)
$\frac{dS^*_2}{dt} = -pS^*_2\left(K_{S^*_2 I_{A1} I_{A2}}(\beta_{A22} I_{A2} + \beta_{A12} I_{A1}) + K_{S^*_2 I_{B1} I_{B2}}(\beta_{B22} I_{B2} + \beta_{B12} I_{B1})\right) - (\lambda_{S^*_2 S^*_1} S^*_2 - \lambda_{S^*_1 S^*_2} S^*_1) - \gamma_S S^*_2 + \alpha(I_{A2} + (1-i) I_{B2}) + \Delta_{S^*_2}$ (Eq.7-2)
$\frac{dS'_1}{dt} = -pK_{S'_1 I_{B1} I_{B2}} S'_1(\beta_{B11} I_{B1} + \beta_{B12} I_{B2}) + (\lambda_{S'_2 S'_1} S'_2 - \lambda_{S'_1 S'_2} S'_1) - \gamma_S S'_1 + \alpha i I_{B1} + \Delta_{S'_1}$ (Eq.7-3)
$\frac{dS'_2}{dt} = -pK_{S'_2 I_{B1} I_{B2}} S'_2(\beta_{B22} I_{B2} + \beta_{B12} I_{B1}) - (\lambda_{S'_2 S'_1} S'_2 - \lambda_{S'_1 S'_2} S'_1) - \gamma_S S'_2 + \alpha i I_{B2} + \Delta_{S'_2}$ (Eq.7-4)
⁴ Some worms only reside in memory, and disappear after a restart of the computer.
Since the prey relies on susceptible nodes to expand its population, the increase of the prey infection rate is determined by the contacts of susceptible nodes with prey or prey-infected nodes. The decrease of the prey infection rate is determined by prey termination caused by the contacts of prey-infected nodes with predator or predator-infected nodes, by the manual removal rate and also by the re-susceptible rate. The other factors, such as group transition and batch arrival, also apply to the prey infection rate. Hence the prey infection rates for groups 1 and 2 are
$\frac{dI_{A1}}{dt} = p\left(K_{S^*_1 I_{A1} I_{A2}} S^*_1(\beta_{A11} I_{A1} + \beta_{A12} I_{A2}) - K_{I_{A1} I_{B1} I_{B2}} I_{A1}(\beta_{B11} I_{B1} + \beta_{B12} I_{B2})\right) + (\lambda_{I_{A2} I_{A1}} I_{A2} - \lambda_{I_{A1} I_{A2}} I_{A1}) - (\alpha + \gamma) I_{A1}$ (Eq.7-5)
$\frac{dI_{A2}}{dt} = p\left(K_{S^*_2 I_{A1} I_{A2}} S^*_2(\beta_{A22} I_{A2} + \beta_{A12} I_{A1}) - K_{I_{A2} I_{B1} I_{B2}} I_{A2}(\beta_{B22} I_{B2} + \beta_{B12} I_{B1})\right) - (\lambda_{I_{A2} I_{A1}} I_{A2} - \lambda_{I_{A1} I_{A2}} I_{A1}) - (\alpha + \gamma) I_{A2}$ (Eq.7-6)
Because the predator can terminate its prey as well as vaccinate susceptible nodes, the increase of the predator infection rate is determined by the contacts of predator or predator-infected nodes with either susceptible nodes or prey-infected nodes. The decrease of predator-infected nodes is caused by the manual removal rate and the re-susceptible rate. The predator infection rates for groups 1 and 2 are
$\frac{dI_{B1}}{dt} = p(\beta_{B11} I_{B1} + \beta_{B12} I_{B2})\left(K_{S^*_1 I_{B1} I_{B2}} S^*_1 + K_{S'_1 I_{B1} I_{B2}} S'_1 + K_{I_{A1} I_{B1} I_{B2}} I_{A1}\right) + (\lambda_{I_{B2} I_{B1}} I_{B2} - \lambda_{I_{B1} I_{B2}} I_{B1}) - (\alpha + \gamma) I_{B1}$ (Eq.7-7)
$\frac{dI_{B2}}{dt} = p(\beta_{B22} I_{B2} + \beta_{B12} I_{B1})\left(K_{S^*_2 I_{B1} I_{B2}} S^*_2 + K_{S'_2 I_{B1} I_{B2}} S'_2 + K_{I_{A2} I_{B1} I_{B2}} I_{A2}\right) - (\lambda_{I_{B2} I_{B1}} I_{B2} - \lambda_{I_{B1} I_{B2}} I_{B1}) - (\alpha + \gamma) I_{B2}$ (Eq.7-8)
Finally, the increase of removed nodes is caused by manual vaccination of susceptible hosts and manual removal of prey-infected and predator-infected nodes.
$\frac{dR}{dt} = \gamma_S(S^*_1 + S^*_2 + S'_1 + S'_2) + \gamma(I_{A1} + I_{A2} + I_{B1} + I_{B2})$ (Eq.7-9)
Our model addresses all worm interaction factors mentioned thus far in this document and can easily be extended to address more types of worms and more groups within the network. For example, the basic SIR model can also be derived from this model by setting $K_{S^*_1 I_{A1} I_{A2}} = 1$ and $\beta_{A11} > 0$, $S^*_1 > 0$, $I_{A1} > 0$, $\gamma > 0$ while setting the other parameters to 0.
Prey-infected nodes and predator-infected nodes can arrive in and leave the network temporarily; these scenarios can be modeled using the on-off behavior parameter p.
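As an added example (not the dissertation's own code), the following Python implements the two-group model of Eq.7-1 to Eq.7-9 with the state transition indicators selecting the interaction type, checks the Section 7.3 suppression condition directly from the right-hand sides, and reproduces the SIR reduction described above. The parameter dict layout, the indicator key names and the RK4 integration are this example's choices, and the seed populations used in the usage are constructed.

```python
"""Added example (not from the dissertation): the two-group general worm interaction
model of Eq. 7-1 to 7-9, with the state transition indicators K selecting the
interaction type as in Section 7.2 and the SIR reduction of the closing paragraph.
Parameter names, the dict layout and the RK4 integration are this example's choices."""
import math

# "S*1A" = K_{S*1 I_A1 I_A2}, "S'1B" = K_{S'1 I_B1 I_B2}, "A1B" = K_{I_A1 I_B1 I_B2}, etc.
ALL_K = ("S*1A", "S*2A", "S*1B", "S*2B", "S'1B", "S'2B", "A1B", "A2B")


def indicators(kind):
    """Indicator settings given in Section 7.2 for the three interaction types."""
    k = dict.fromkeys(ALL_K, 1)
    if kind == "aggressive_one_sided":
        return k
    if kind == "conservative_one_sided":  # predator only replaces prey, no vaccination
        return {**k, "S*1B": 0, "S*2B": 0, "S'1B": 0, "S'2B": 0}
    if kind == "aggressive_two_sided":    # predator vaccinates but does not terminate prey
        return {**k, "A1B": 0, "A2B": 0}
    raise ValueError(kind)


def make_params(kind, beta_a, beta_b, p=1.0, i=0.0, alpha=0.0, gamma=0.0, gamma_s=0.0,
                lam=None, delta=None):
    """beta_a/beta_b: 2x2 [[b11, b12], [b12, b22]]; lam[X] = (rate X1->X2, rate X2->X1)."""
    return {"K": indicators(kind), "beta_A": beta_a, "beta_B": beta_b, "p": p, "i": i,
            "alpha": alpha, "gamma": gamma, "gamma_s": gamma_s,
            "lam": lam or {x: (0.0, 0.0) for x in ("S*", "S'", "A", "B")},
            "delta": delta or dict.fromkeys(("S*1", "S*2", "S'1", "S'2"), 0.0)}


def rhs(y, prm):
    """Right-hand sides of Eq. 7-1 to 7-9; y = (S*1, S*2, S'1, S'2, I_A1, I_A2, I_B1, I_B2, R)."""
    s1, s2, q1, q2, a1, a2, b1, b2, _ = y
    K, bA, bB, p = prm["K"], prm["beta_A"], prm["beta_B"], prm["p"]
    al, g, gs, i, lam, dl = (prm[x] for x in ("alpha", "gamma", "gamma_s", "i", "lam", "delta"))
    # infection pressure on a group-n node from prey (fa) and predator (fb): intra + inter group
    fa1, fa2 = bA[0][0] * a1 + bA[0][1] * a2, bA[1][1] * a2 + bA[0][1] * a1
    fb1, fb2 = bB[0][0] * b1 + bB[0][1] * b2, bB[1][1] * b2 + bB[0][1] * b1

    def into1(x1, x2, name):  # net group transition into group 1: lam_{X2X1} X2 - lam_{X1X2} X1
        return lam[name][1] * x2 - lam[name][0] * x1

    return (
        -p * s1 * (K["S*1A"] * fa1 + K["S*1B"] * fb1) + into1(s1, s2, "S*") - gs * s1
        + al * (a1 + (1 - i) * b1) + dl["S*1"],                                          # Eq. 7-1
        -p * s2 * (K["S*2A"] * fa2 + K["S*2B"] * fb2) - into1(s1, s2, "S*") - gs * s2
        + al * (a2 + (1 - i) * b2) + dl["S*2"],                                          # Eq. 7-2
        -p * K["S'1B"] * q1 * fb1 + into1(q1, q2, "S'") - gs * q1 + al * i * b1 + dl["S'1"],  # Eq. 7-3
        -p * K["S'2B"] * q2 * fb2 - into1(q1, q2, "S'") - gs * q2 + al * i * b2 + dl["S'2"],  # Eq. 7-4
        p * (K["S*1A"] * s1 * fa1 - K["A1B"] * a1 * fb1) + into1(a1, a2, "A") - (al + g) * a1,  # Eq. 7-5
        p * (K["S*2A"] * s2 * fa2 - K["A2B"] * a2 * fb2) - into1(a1, a2, "A") - (al + g) * a2,  # Eq. 7-6
        p * fb1 * (K["S*1B"] * s1 + K["S'1B"] * q1 + K["A1B"] * a1)
        + into1(b1, b2, "B") - (al + g) * b1,                                            # Eq. 7-7
        p * fb2 * (K["S*2B"] * s2 + K["S'2B"] * q2 + K["A2B"] * a2)
        - into1(b1, b2, "B") - (al + g) * b2,                                            # Eq. 7-8
        gs * (s1 + s2 + q1 + q2) + g * (a1 + a2 + b1 + b2),                              # Eq. 7-9
    )


def rk4_step(y, dt, prm):
    """One classical Runge-Kutta step of size dt."""
    k1 = rhs(y, prm)
    k2 = rhs(tuple(v + 0.5 * dt * k for v, k in zip(y, k1)), prm)
    k3 = rhs(tuple(v + 0.5 * dt * k for v, k in zip(y, k2)), prm)
    k4 = rhs(tuple(v + dt * k for v, k in zip(y, k3)), prm)
    return tuple(v + dt / 6.0 * (a + 2 * b + 2 * c + d)
                 for v, a, b, c, d in zip(y, k1, k2, k3, k4))


def prey_suppressed_at_start(y0, prm):
    """Section 7.3 condition dI_A1/dt <= 0 and dI_A2/dt <= 0 at t = 0 (Eq. 7-10 and the
    matching group-2 inequality), evaluated directly from Eq. 7-5 and 7-6."""
    d = rhs(y0, prm)
    return d[4] <= 0.0 and d[5] <= 0.0


def simulate(y0, prm, dt, t_max):
    """Integrate to t_max; return (final state, peak prey population I_A1 + I_A2)."""
    y, t, peak = y0, 0.0, y0[4] + y0[5]
    while t < t_max:
        y = rk4_step(y, dt, prm)
        t += dt
        peak = max(peak, y[4] + y[5])
    return y, peak


def sir_final_size_residual(beta, gamma, s0, i0, dt=0.05, t_max=400.0):
    """Basic SIR via the reduction at the end of Section 7.2: K_{S*1 I_A1 I_A2} = 1,
    beta_A11 > 0, gamma > 0 (p kept at 1), everything else 0.  Since dS/dR = -(beta/gamma) S
    holds exactly for SIR, ln(S(t)/S_0) + (beta/gamma) R(t) must stay 0; return that residual."""
    prm = make_params("aggressive_one_sided", [[beta, 0.0], [0.0, 0.0]],
                      [[0.0, 0.0], [0.0, 0.0]], gamma=gamma)
    prm["K"] = {**dict.fromkeys(ALL_K, 0), "S*1A": 1}
    y, _ = simulate((s0, 0.0, 0.0, 0.0, i0, 0.0, 0.0, 0.0, 0.0), prm, dt, t_max)
    return math.log(y[0] / s0) + (beta / gamma) * y[8]


if __name__ == "__main__":
    # constructed seed: the Section 6.7.2 trace contact rates with 100 S*, 20 S', 1 prey
    # and 120 predator seeds per group, which satisfies Eq. 7-10 in both groups
    beta = [[3.6e-6, 4e-7], [4e-7, 3.3e-6]]
    prm = make_params("aggressive_one_sided", beta, beta)
    y0 = (100.0, 100.0, 20.0, 20.0, 1.0, 1.0, 120.0, 120.0, 0.0)
    print("suppressed:", prey_suppressed_at_start(y0, prm))
    print("final state:", [round(v, 3) for v in simulate(y0, prm, 5.0, 20000.0)[0]])
    print("SIR residual:", sir_final_size_residual(3e-4, 0.1, 990.0, 10.0))
```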
[Figure 7.1] General worm interaction model state diagram (two-group state diagram whose edge labels are the transition rates of Eq.7-1 to Eq.7-9)
Table 7.1: Parameters and Definition Summary
Parameter: Definition
$S$, $S_n$: Susceptible nodes: the number of nodes of the whole population that can be infected by either prey or predator; the number of susceptible nodes of group n
$S^*_n$: Number of susceptible nodes of group n that can be infected by either prey or predator
$S'_n$: Number of susceptible nodes of group n that can be infected by predator only
$I_A$, $I_B$: Prey-infected nodes: the number of nodes infected by prey in the whole population; predator-infected nodes: the number of nodes infected by predator in the whole population
$I_{An}$, $I_{Bn}$: Prey-infected nodes: the number of nodes infected by prey in group n; predator-infected nodes: the number of nodes infected by predator in group n
$N$, $N^*$, $N_n$: Total number of vulnerable nodes in the network (the sum of the numbers of susceptible nodes, prey-infected nodes and predator-infected nodes); total number of cooperative-susceptible nodes of the whole population; total number of vulnerable nodes of group n
$\beta_{Anm}$, $\beta_{Bnm}$: Pair-wise prey and predator contact rate, respectively, between a member of group n and a member of group m
$Y$: Initial-infected-nodes ratio: the ratio between predator-infected nodes and prey-infected nodes of the whole population at t = 0
$c$: Cooperation: nodes' willingness to forward messages for others, as a fraction of the whole population
$i$: Immunization: immune nodes (fraction) of the whole population that will not be infected by prey
$p$: On-off behavior: "on" nodes can participate in forwarding packets while "off" nodes cannot (probability)
$d$: Delay: the time difference between initial prey-infected nodes and initial predator-infected nodes
$\alpha$: Re-susceptible: infected nodes can become susceptible again
$K_{S^*_1 I_{A1} I_{A2}}$, $K_{S^*_2 I_{A1} I_{A2}}$, $K_{S^*_1 I_{B1} I_{B2}}$, $K_{S^*_2 I_{B1} I_{B2}}$, $K_{S'_1 I_{B1} I_{B2}}$, $K_{S'_2 I_{B1} I_{B2}}$, $K_{I_{A1} I_{B1} I_{B2}}$, $K_{I_{A2} I_{B1} I_{B2}}$: State transition indicators: the numbers (0 or 1) used to identify the types of worm interaction
$\Delta_{S^*_1}$, $\Delta_{S^*_2}$, $\Delta_{S'_1}$, $\Delta_{S'_2}$: Batch arrival (and departure) rate: the rate at which new vulnerable nodes join (or leave) the network
$\lambda_{S^*_n S^*_m}$, $\lambda_{S'_n S'_m}$, $\lambda_{I_{An} I_{Am}}$, $\lambda_{I_{Bn} I_{Bm}}$: Group transition rate: the rates at which susceptible nodes, susceptible nodes immune to prey, prey-infected nodes and predator-infected nodes in group n become susceptible nodes, susceptible nodes immune to prey, prey-infected nodes and predator-infected nodes in group m, respectively
7.3 Model Analysis
For brevity, we assume that there are no transitions between groups, i.e.,
$\lambda_{S^*_1 S^*_2} = \lambda_{S^*_2 S^*_1} = \lambda_{S'_1 S'_2} = \lambda_{S'_2 S'_1} = \lambda_{I_{A1} I_{A2}} = \lambda_{I_{A2} I_{A1}} = \lambda_{I_{B1} I_{B2}} = \lambda_{I_{B2} I_{B1}} = 0$.
We focus our analysis on the aggressive one-sided interaction for two-group encounter-based networks. If we want to suppress the initial infection ($dI_{A1}/dt \le 0$ and $dI_{A2}/dt \le 0$ at t = 0), then from (Eq.7-5) and (Eq.7-6) the required conditions are
$S^*_1(0)\,\big(\beta_{A11} I_{A1}(0) + \beta_{A12} I_{A2}(0)\big) \le I_{A1}(0)\,\big(\beta_{B11} I_{B1}(0) + \beta_{B12} I_{B2}(0)\big)$ (Eq.7-10)
$S^*_2(0)\,\big(\beta_{A22} I_{A2}(0) + \beta_{A12} I_{A1}(0)\big) \le I_{A2}(0)\,\big(\beta_{B22} I_{B2}(0) + \beta_{B12} I_{B1}(0)\big)$ (Eq.7-11)
where $I_{A1}(0)$, $I_{A2}(0)$, $I_{B1}(0)$, $I_{B2}(0)$, $S^*_1(0)$ and $S^*_2(0)$ are the numbers of prey-infected nodes, predator-infected nodes and susceptible nodes of groups 1 and 2 at t = 0, respectively.
We obtain from this condition that
$TI = MI = I_{A1}(0) + I_{A2}(0), \qquad I_{A1}(\infty) = I_{A2}(\infty) = 0$ (Eq.7-12)
where $I_{A1}(\infty)$ and $I_{A2}(\infty)$ are the numbers of prey-infected nodes of groups 1 and 2 at $t = \infty$.
However, we can see from (Eq.7-10) and (Eq.7-11) that the threshold can only be obtained under such conditions. If those conditions cannot be met, then we can only have a certain acceptable level of infection, and TI can be derived from
$TI = \int_{t=0}^{\infty} p\,\Big( S^*_2\,(\beta_{A22} I_{A2} + \beta_{A12} I_{A1}) + S^*_1\,(\beta_{A11} I_{A1} + \beta_{A12} I_{A2}) \Big)\,dt$ (Eq.7-13)
MI can be found from $\max\,(I_{A1} + I_{A2})$ where $dI_{A1}/dt = dI_{A2}/dt = 0$ at t > 0, in which
$S^*_1\,(\beta_{A11} I_{A1} + \beta_{A12} I_{A2}) = I_{A1}\,(\beta_{B11} I_{B1} + \beta_{B12} I_{B2})$ (Eq.7-14)
$S^*_2\,(\beta_{A22} I_{A2} + \beta_{A12} I_{A1}) = I_{A2}\,(\beta_{B22} I_{B2} + \beta_{B12} I_{B1})$ (Eq.7-15)
Because TL is the accumulated lifetime of all individual preys until the last prey has been removed by predator (the time at which this happens is TR), we can derive TL directly from the numerical solutions of (Eq.7-5) and (Eq.7-6) as follows:
$TL = \sum_{t=0}^{\infty} \big(I_{A1}(t) + I_{A2}(t)\big)\,\Delta t$ (Eq.7-16)
Since AL is the average lifespan of each node that has been terminated by predator, and the number of such nodes equals the number of nodes that were ever infected, AL can be derived from (Eq.7-13) and (Eq.7-16) as
$AL = \dfrac{TL}{TI}$. (Eq.7-17)
TA is derived from the time t where
$\dfrac{dS^*_1}{dt} = \dfrac{dS^*_2}{dt} = \dfrac{dS'_1}{dt} = \dfrac{dS'_2}{dt} = \dfrac{dI_{A1}}{dt} = \dfrac{dI_{A2}}{dt} = \dfrac{dI_{B1}}{dt} = \dfrac{dI_{B2}}{dt} = 0$, $S^*_1(0) = I_{B1}(t)$ and $S^*_2(0) = I_{B2}(t)$,
while TR is derived from the time t where $dI_{A1}/dt = dI_{A2}/dt = 0$ and $I_{A1} = I_{A2} = 0$, and $TA \ge TR \ge t_B$, where $t_B$ is the time of the last batch arrival.
8 Chapter 8: VACCINE Architecture
8.1 Overview
In previous chapters, we learned the intrinsic characteristics of worm interactions. We saw how important the scan rate ratio, the initial-infected-node ratio and the deployment delay are, and that cooperation and immunization are required for successful worm termination. In this chapter, we design a preliminary protocol and architecture recommended for random-scan network worms and for encounter-based worms, based on those findings. For random-scan network worms, we introduce an adaptive scan that lets the predator adjust itself to the severity of the prey infection and to the progress of predator vaccination and termination. For encounter-based worms, we revisit realistic network characteristics and introduce the concepts of super nodes and power nodes. Note that this part of our work is at an early stage and needs more future work.
8.2 Random-scan network worms
From the lessons learned in this work, we expect that a predator, as a non-malicious worm with an appropriate scan rate, can be an effective tool to combat prey if we can estimate the reaction time and the prey's scan rate accurately.
However, learning the scan rate of a malicious worm is not an easy task. One approach is, instead of terminating the malicious worm immediately, to let the predator learn the scan rate by observing the machine's behavior after infecting it. Another is to transform the original malicious code into anti-worm code that retains the original attack strategy [8]. By scanning vulnerable nodes moderately (an appropriate scan rate ratio and local preference), the predator can reduce unnecessary traffic. The patch can be carried in the predator's payload or downloaded from a trusted anti-virus site. We learned earlier in Section 5.2.1 that a smaller worm replication size reduces TL, AL, TA and TR. Patch downloading can be efficient only if patch copies are distributed to multiple hosts, e.g. using peer-to-peer file sharing.
The predator's signature should be known to the intrusion detection systems (at the local network or ISP level) of the targeted networks, so that predators are not terminated accidentally.
Furthermore, we can expect a worm communication protocol among predator-infected nodes, e.g. for assigning the scope of spreading (an IP address range) to reduce overlapping infection areas and to prevent predators from propagating into uncontrolled environments. Predators can also share experience or strategies on how to attack the malicious worms effectively, e.g. the average delay in their networks or the number of observed prey-infected nodes. The coordination should avoid relying on a single authority as much as possible, to reduce the bottleneck and single-point-of-failure problems.
A more important issue, however, is to control the predator so that it scans at a moderate rate that is still effective enough to terminate all malicious worms. The VACCINE architecture therefore needs the following components:
1. Sensors
Because delay is critical for effective worm termination, we need distributed detection that can detect and respond in the least amount of time. Sensor nodes require a worm signature module that maintains an up-to-date signature database. These nodes must be deployed in the networks that require immediate action after threats are detected. Sensor nodes can combine host-based and network-based intrusion detection capability to enhance their effectiveness. They can also be used as a trap to study the nature of an attack (including scan rates and scanning strategies). Sensors are also able to detect abnormal activities and trigger further analysis by the signature analyzer and generator module, which we explain next. To minimize delay, accurate anticipation of which applications and which network address ranges will be under attack is required. This task can be very challenging, since different worms target different applications and scan the network with different algorithms.
2. Signature and patch analyzer and generator
The signature analyzer and generator collects worm signatures from trusted third parties and also has the capability to generate its own signatures after sensors detect an abnormality in suspicious events. It can also act as a trusted third party for other domains. Currently, these functions are performed by humans, and hence the delay in deployment is mainly caused by the unavailability of worm signatures. A patch analyzer and generator working from captured worms will also enhance the effectiveness of protection and termination. Signatures and patches must be distributed to all sensors in a timely manner, by updating all sensors as soon as new signatures and patches become available.
3. Predator generator
A predator can be generated based on the analysis from the signature analyzer and generator. It can contain the same vector that the prey is using for its own attack. A technique similar to the one shown in [8] can be used to preserve the original attack strategy and embed it into the newly created predator, so that the predator knows where and when to terminate prey-infected nodes and vaccinate susceptible hosts. The predator generator must also incorporate the patch produced by the patch analyzer and generator. The size of the patch carried by each worm replication is critical for reducing TL, AL, TA and TR.
4. Worm Filter
The worm filter is a smart firewall that recognizes prey and predator. Prey, if recognized by the worm filter, is dropped before entering or leaving the protected networks. For predators, worm filters are used to prevent the predator from leaking into unauthorized domains, where it may cause unintentional damage.
5. Predator
The predator is a beneficial worm that terminates prey and vaccinates prey-infected nodes. The predator must be able to decide how aggressively it scans the possible targeted address range. Hence a predator adaptive scan rate protocol, the Dynamic Distributed Incremental Scan rate mechanism, is proposed to address this issue.
[Figure 8.1] VACCINE Architecture (diagram: Domain A and Domain B connected to the Internet, each behind a worm filter and hosting sensors; architecture: domain-based; components: beneficial worm, sensors with worm generator, worm filter; steps: (1) detect new malicious worm, (2) generate new beneficial worm, (3) update worm filter)
Note that the sensors, the signature and patch analyzer and generator, the predator generator and the predator components are also applicable to encounter-based worms. However, worm filter deployment may not be efficient in encounter-based networks. An example VACCINE architecture deployment is shown in Fig.8.1.
8.2.1 Dynamic Distributed Incremental Scan rate (DDIS) Protocol
We propose and implement a DDIS prototype in ns-2 to combat prey. Once the predator finds that a machine is infected with prey, it terminates the prey and multiplies its scan rate by an increasing factor $k \ge 1$. It stops scanning after it has not received a packet from prey within a specified period of time. Details of the protocol are shown in Table 8.1 and the flowchart is shown in Fig.8.2.
Table 8.1: Distributed Dynamic Incremental Scan Rate Protocol (DDIS)
Preliminary Protocol for Predator in VACCINE
STEP 1: Infect susceptible hosts with the same strategy as the prey.
STEP 2: After successfully infecting the host, check whether prey has already infected the host.
STEP 3: If infected, adjust the initial scan rate as in (Eq.8-1). Otherwise, continue scanning with the same scan rate.
Optional: reduce speed to normal if the predator receives a packet from another predator; go back to the high scan rate if the predator receives a packet from prey.
STEP 4: Terminate targeted worms and apply the patch.
STEP 5: Wait for a specified period of time; if additional preys arrive, adjust to the scan rate in (Eq.8-1) (if this was not already done in STEP 3); otherwise, terminate self from the host.
[Figure 8.2] DDIS Flowchart
With a large reaction time, even with a scan rate ratio of 1, the total infected nodes and the other metrics can be extremely high. Hence we have to use the dynamic distributed incremental scan rate to enhance the effectiveness of the predator. The challenge is how the predator learns the initial infection time of the prey. One possible solution is to use a multicast mechanism to update all predator-infected nodes (or to carry the information within the predator payload). After receiving the updates, the predator knows how much of a scan rate increase is needed to compensate for the prey.
$r_B(\Delta T) = \max\big(r_{\max},\; k^{\Delta T}\, r_A(0)\big)$ (Eq.8-1)
[Figure 8.2 flowchart: Start; Infect host with predator; "Infected with predator?" (Yes: Exit); "Infected with prey?" (Yes: Remove prey from host, Increase to fast scan rate); "Patch available?" (Yes: Apply patch to prevent prey re-infection); Scan other hosts; "Incoming prey?" (Yes: Increase to fast scan rate); "Incoming predator?" (Yes: Decrease to slow scan rate)]
where $r_{\max}$ is the maximum allowed predator scan rate (based on background traffic, security policy, etc.), $r_A(0)$ and $r_B(\Delta T)$ are the scan rate of the prey at time 0 and the scan rate of the predator at time ΔT, respectively, k is the increasing factor (a real number greater than 1.0) and ΔT is the reaction time (delay). Because of the feedback control, DDIS should be able to adjust the predator scan rate adaptively according to the current aggressiveness of the prey, sufficiently to control the level of prey infection.
[Figure 8.3] DDIS model with feedback controls for 2 adaptable predator scan rates (state diagram: $S \to I_A$ at rate $\beta_A S I_A$; $S \to I_{B1}$ at $\beta_{B1} S I_{B1}$; $S \to I_{B2}$ at $\beta_{B2} S I_{B2}$; $I_A \to I_{B2}$ at $\beta_{B1} I_A I_{B1} + \beta_{B2} I_A I_{B2}$; $I_{B1} \to I_{B2}$ at $\beta_A I_A I_{B1}$; $I_{B2} \to I_{B1}$ at $\beta_{B1} I_{B1} I_{B2} + \beta_{B2} I_{B2} I_{B2}$)
Based on the DDIS protocol shown in Table 8.1, we can derive the susceptible rate, the prey infection rate, and the infection rates of predator 1 (slow scan rate, B1) and predator 2 (fast scan rate, B2) as follows.
The susceptible hosts can be infected by either the prey or the two-scan-rate predator, hence the susceptible rate is
$\dfrac{dS}{dt} = -\beta_A S I_A - \beta_{B1} S I_{B1} - \beta_{B2} S I_{B2}$ (Eq.8-2)
Prey relies on susceptible hosts to replicate. But prey-infected nodes change to predators with the fast scan rate as soon as a predator infects the prey, because the predator then knows that prey is still active. Thus the prey infection rate is
$\dfrac{dI_A}{dt} = \beta_A S I_A - \beta_{B2} I_A I_{B2} - \beta_{B1} I_A I_{B1}$. (Eq.8-3)
A predator with the slow scan rate can infect susceptible hosts and changes to a predator with the fast scan rate if it detects an incoming prey replication. Furthermore, because of DDIS, a predator with the fast scan rate can become a predator with the slow scan rate if it receives a predator replication from other predator-infected nodes. Thus the infection rate of predators with the slow scan rate is
$\dfrac{dI_{B1}}{dt} = \beta_{B1} S I_{B1} + \beta_{B2} I_{B2} I_{B2} + \beta_{B1} I_{B1} I_{B2} - \beta_A I_A I_{B1}$. (Eq.8-4)
Predators with the fast scan rate only exist if there are prey-infected nodes in the network. The transition between the fast and slow scan rates depends on the numbers of prey and predators. In other words, predators attenuate the scan rate if there are too many predators and raise the scan rate if there are still active preys. Hence the infection rate of predators with the fast scan rate is
$\dfrac{dI_{B2}}{dt} = \beta_{B2} S I_{B2} + \beta_{B2} I_A I_{B2} + \beta_A I_A I_{B1} - \beta_{B2} I_{B2} I_{B2} - \beta_{B1} I_{B1} I_{B2}$ (Eq.8-5)
We do not discuss the removal rate here in the DDIS model. We assume that no packets in the network are dropped due to traffic conditions or anti-virus software. The DDIS model state diagram is shown in Fig.8.3. As shown in Fig.8.4, k reduces the level of instantaneous prey infection in aggressive one-sided interactions. Fig.8.4d shows the different optimal bounds based on the epidemiological threshold with delay = 1 sec, compared with TI for various k.
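The DDIS model above (Eq.8-2 to Eq.8-5) and the metric definitions of Section 7.3 (TI as the accumulated inflow into the prey state, MI as the peak prey population, TL as the summed prey lifetime of Eq.7-16, AL = TL/TI of Eq.7-17 and TR as the time the last prey is removed) can be checked numerically. The following Python block is an added example, not the dissertation's ns-2 prototype. Its assumptions are not from the page: all states are fractions of a constructed population of 1000 hosts, the fast-scan contact rate is k times the slow one, forward Euler integration is used, and prey hosts taken over by a slow-scan predator are credited to the fast-scan predator state (as the text describes a predator that finds prey switching to the fast rate), which is the term that makes the four rates sum to zero; the `population_drift` check is the sanity check a practitioner runs on any reconstructed compartmental model.

```python
"""Numerical solution of the DDIS two-scan-rate model (Eq. 8-2 to 8-5) with
the Chapter 7 metrics TI, MI, TL, AL and TR computed from the trajectory.

Added example, not the dissertation's ns-2 code. Assumptions (not from the
page): quantities are fractions of N_NODES hosts, the fast predator rate is
beta_b2 = k * beta_b1, prey hosts taken over by a slow-scan predator become
fast-scan predators (keeps the population constant), forward Euler steps.
"""
from dataclasses import dataclass

N_NODES = 1000          # constructed population size, used for the TR cut-off


@dataclass
class DdisParams:
    beta_a: float       # prey pair-wise contact rate (per second)
    beta_b1: float      # slow-scan predator contact rate
    k: float            # DDIS increasing factor; fast rate is k * beta_b1
    s0: float = 0.99    # constructed initial fractions
    ia0: float = 0.005
    ib0: float = 0.005  # all initial predators start at the slow rate


def ddis_rates(s, ia, ib1, ib2, p: DdisParams):
    """Right-hand sides of Eq. 8-2 .. 8-5; the extra b1*ia*ib1 inflow into
    I_B2 is the assumed hand-over of prey hosts caught by a slow predator."""
    b1, b2 = p.beta_b1, p.k * p.beta_b1
    ds = -p.beta_a * s * ia - b1 * s * ib1 - b2 * s * ib2                        # Eq. 8-2
    dia = p.beta_a * s * ia - b2 * ia * ib2 - b1 * ia * ib1                      # Eq. 8-3
    dib1 = b1 * s * ib1 + b2 * ib2 * ib2 + b1 * ib1 * ib2 - p.beta_a * ia * ib1  # Eq. 8-4
    dib2 = (b2 * s * ib2 + b2 * ia * ib2 + b1 * ia * ib1 + p.beta_a * ia * ib1
            - b2 * ib2 * ib2 - b1 * ib1 * ib2)                                   # Eq. 8-5
    return ds, dia, dib1, dib2


def population_drift(s, ia, ib1, ib2, p: DdisParams):
    """Sanity check for a closed compartmental model: the rates must sum to 0."""
    return sum(ddis_rates(s, ia, ib1, ib2, p))


def simulate(p: DdisParams, dt=0.01, horizon=30.0):
    """Euler-integrate the model and return the Chapter 7 metrics."""
    s, ia, ib1, ib2 = p.s0, p.ia0, p.ib0, 0.0
    ti = p.ia0          # total ever prey-infected (one-group form of Eq. 7-13)
    mi = ia             # maximum instantaneous prey-infected fraction
    tl = 0.0            # accumulated prey lifetime, Eq. 7-16
    tr = None           # first time fewer than one host remains prey-infected
    for step in range(int(horizon / dt)):
        ds, dia, dib1, dib2 = ddis_rates(s, ia, ib1, ib2, p)
        ti += p.beta_a * s * ia * dt     # only the S -> I_A inflow counts
        tl += ia * dt
        s, ia, ib1, ib2 = s + ds * dt, ia + dia * dt, ib1 + dib1 * dt, ib2 + dib2 * dt
        mi = max(mi, ia)
        if tr is None and ia < 1.0 / N_NODES:
            tr = (step + 1) * dt
    return {"TI": ti, "MI": mi, "TL": tl, "AL": tl / ti, "TR": tr,
            "total": s + ia + ib1 + ib2}


if __name__ == "__main__":
    # prey and initial predator scan rate both 2/sec, as in the page's runs
    for k in (1, 2, 4):
        m = simulate(DdisParams(beta_a=2.0, beta_b1=2.0, k=k))
        print(f"k={k}: TI={m['TI']:.3f} MI={m['MI']:.3f} TL={m['TL']:.3f} "
              f"AL={m['AL']:.3f} TR={m['TR']}")
```

Running the block prints the metrics for k = 1 (no DDIS effect, since the fast rate equals the slow one), 2 and 4; TI falls as k grows, which is the trend Fig.8.5 reports, and `total` stays at 1.0 because the rates cancel term by term.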
[Figure 8.4] Effects of distributed dynamic incremental scan rate (DDIS) on aggressive one-sided patch with non-zero reaction time: (a) k=2, (b) k=3, (c) k=4 (infected hosts as a fraction vs. time in seconds, 0 to 10; simulation and model curves for A, B1 and B2; reaction time = 1 sec), (d) optimum bound (total infectives vs. reaction time in seconds, 0 to 5, for k=2, 3, 4, the aggressive one-sided interaction and the epidemiological threshold)
Fig.8.4 shows a linear improvement in total infected nodes over the total infected nodes of the aggressive one-sided interaction (prey and initial predator scan rates are 2/sec) in which no DDIS is deployed. We can see that our model overestimates the effectiveness of the predator. We also show the optimum bound of TI based on the predator's scan rates derived from the epidemiological thresholds, i.e., the minimum total infected nodes; we can observe that, based on the model, a predator with k=4 can almost reach the optimum bound. The predator with the higher scan rate is shown to be conservatively adjusted to the current numbers of prey-infected and predator-infected nodes. It gradually increases as prey increases and gradually decreases as prey decreases. In Fig.8.5, we observe that as k increases, in addition to TI and MI, TL, AL, TA and TR gradually decrease. We expect that finer adjustment will increase the performance of the predator, i.e., the amount by which the scan rate is increased or decreased depends on how many prey replications and predator replications a predator receives.
[Figure 8.5] Effects of distributed dynamic incremental scan rate (DDIS) on aggressive one-sided patch with non-zero reaction time from k = 2 to 6: (a) prey-infected hosts (fraction) TI and MI vs. k, (b) time (sec, log scale) TL and AL vs. k, (c) time (sec) TA and TR vs. k
As shown in Fig. 8.6, when the prey scan rate is low, increasing the predator scan rate can reduce the total infected nodes significantly; however, when the prey is extremely aggressive and generates a high scan rate, the predator cannot effectively terminate the prey because of the bottleneck effect, i.e., a significant fraction of packets are dropped at the outbound links. As we see in Fig.8.6, the total infected nodes of prey from the model is only 0.306 when the scan rate ratio is 500:500, but the total infected nodes of prey in simulation is still as high as 0.640. We see a drop in performance of more than 100% because of the bottleneck effect of the outbound links (with a 99% packet drop rate) on the worm propagation. In DDIS, even though we can increase the scan rate ratio, DDIS cannot guarantee a significant improvement in total infected nodes because the prey can saturate the outbound links; as we can see here, scan rate ratios from 1:500 to 100:500 give similar total infected nodes even though the ratio has been increased by 2 orders of magnitude. However, TL and AL will be reduced proportionally to the increase of the predator scan rate. An automatic scan rate throttling mechanism is expected to be in place to help detect extremely aggressive scan activities from the prey.
[Figure 8.6] Effect of prey high scan rate on total infected nodes (TI): total infectives vs. predator scan rate (both on log scales from 1 to 1000), model and simulation for prey at 1/sec and at 500/sec
8.3 Encounter-based worms
For encounter-based worms, we learned that the initial-infected-nodes ratio is a very important factor for successful prey termination. Hence, we must deploy sufficient initial predator-infected nodes in such a network. To generate the initial predator-infected nodes, we require VACCINE components similar to those for random-scan network worms, i.e., sensors, signature and patch analyzer and generator, worm filter, predator generator and predator. However, in encounter-based networks there is not necessarily a link to outside networks, and hence the network relies heavily on its own signature and patch analyzer and generator. Furthermore, there may be no boundaries, firewalls, etc., and we cannot control node mobility. A node that is capable of being an initial predator-infected node in an encounter-based network is called a "seed". Here we show two architectures: one that can receive signatures/patches from outside networks (off-line-seed architecture) and one that can generate the signature/patch/predator only once seeds encounter prey-infected nodes (encounter-then-generate-seed). In the encounter-then-generate-seed architecture, a seed has sensor, signature and patch analyzer and generator, and predator generator capability.
8.3.1 Off-line-seed architecture (OLS)
In the OLS architecture, there is an outside entity (such as a trusted base station or a vehicular node with an antenna) that propagates the prey signature and the generated predator to seeds. Those m seeds have direct communication links among themselves, and as soon as one of them receives signatures from the outside entity, it immediately propagates the signatures over the direct links to all other seeds. (The other possibility is that all of these seeds simultaneously join the network with the embedded signature and predator.) Then, after a seed becomes an initial predator-infected node, it starts vaccinating susceptible nodes and terminating prey immediately afterwards. All of our models and experiments are assumed to be in this architecture.
An alternative scenario for OLS is possible when there are no direct links between seeds; then the prey signature and predator can only be transferred through encounters between seeds, from seeds that have received the signature from the outside entity or from other seeds. This can be modeled simply as an aggressive one-sided interaction with immune nodes, where the immune nodes are seeds and, to retrieve the signature and patch, one of those seeds needs to encounter any seed with updates from the outside entity.
8.3.2 Encounter-then-generate-seed architecture (ETGS)
In the ETGS architecture, prey signatures, patches and predators are generated within the network. Similar to OLS, the seeds can communicate directly among themselves using their long-distance links. However, they rely solely on their own automatic prey signature, patch and predator generation, and can only generate the predator after seeds encounter prey-infected nodes. The alternate scenario can also occur if there is no direct link between seeds, in which case they rely solely on encounters between them.
Let $T_{OLS}$ be the delay between an initial prey-infected node entering the network and the outside entity transmitting the signature/predator to the seeds in the OLS architecture. Let $T_{ETGS}$ be the delay between an initial prey-infected node encountering any seed and the time required to generate the prey signature/predator in the ETGS architecture. With the same number of seeds and the same number of initial prey-infected hosts, ETGS will have lower performance than OLS if $T_{OLS} < T_{ETGS}$. Examples of OLS and ETGS scenarios are shown in Fig. 8.7(a) and (b).
[Figure 8.7] VACCINE architecture for encounter-based networks: (a) off-line-seed (outside entity, seeds, predator-infected, prey-infected and susceptible nodes; delay $T_{OLS}$), (b) encounter-then-generate-seed (seeds, predator-infected, prey-infected and susceptible nodes; delay $T_{ETGS}$)
We show the effectiveness and statistics of the ETGS architecture in Fig. 8.8. The plots shown here reflect the average $T_{ETGS}$ for 1000 nodes with three different numbers of initial prey-infected nodes. In Fig. 8.8a, we can see that the number of prey-infected nodes before they encounter any seed reduces exponentially with the increase in the number of seeds (as a fraction of the population). However, the total prey-infected nodes and the maximum prey-infected nodes do not reduce as quickly as the number of prey-infected nodes before encountering any seed does.
In the case of initial prey-infected nodes = 0.1%, we can see that if we want the total prey-infected nodes to be lower than 20% (10%, 5%), we need at least 4% (6%, 7%, respectively) of the population to be seeds. On the contrary, if we want the total prey-infected nodes to be lower than 20% in OLS, we only need 0.1% of the population to be seeds (based on earlier experiments and models). The maximum prey-infected hosts in Fig.8.8d show a similar trend to the total prey-infected nodes.
[Figure 8.8] Characteristics of ETGS architecture (log-log plots vs. seeds as a fraction of the population, 10^-3 to 10^-1, for initial prey of 0.1%, 0.2% and 0.3%): (a) fraction of prey before encounter, (b) time before predators encounter preys, (c) total prey infected nodes and (d) maximum prey infected nodes.
8.3.3 Super node architecture
In addition to our proposed architectures, to improve their performance we can either increase the number of seeds or the contact rate of seeds. However, normal nodes (such as humans) cannot always increase their contact rates, and communication between static seeds and a base station may be difficult. Here we propose an architecture relying on extremely mobile nodes with the capabilities of a seed and a base station, to help propagate the predator to susceptible nodes or prey-infected nodes. Super nodes can be vehicles or mobile robots that have much higher speed than human mobility. An example deployment of super nodes is shown in Fig.8.9. Similar to seeds and base stations in the other architectures, we assume that super nodes are immune to prey.
As we studied the impact of the number of seeds (initial-infected-nodes ratio) earlier, let us now investigate the impact of the contact rate of super nodes with susceptible nodes. Note that this is different from our investigation of the scan rate ratio of worm interactions in the Internet, since only the super nodes can change their contact rate, not the other regular nodes.
[Figure 8.9] Super node architecture
Based on the aggressive one-sided interaction, we can mathematically model the worm interaction with super nodes as follows. Let π be the number of super nodes in the network (the number of super nodes is constant). The state transition diagram of the aggressive one-sided interaction with π super nodes is shown in Fig.8.10.
[Figure 8.10] Aggressive one-sided interaction with π super nodes (state diagram: $S \to I_A$ at rate $\beta S I_A$; $S \to I_B$ at $\beta S I_B + \pi\beta_s S$; $I_A \to I_B$ at $\beta I_A I_B + \pi\beta_s I_A$; Fig. 8.9 legend: predator-infected, prey-infected, susceptible and super nodes)
Similarly to the aggressive one-sided interaction, the reduction rate of susceptible nodes is caused by contacts between susceptible nodes and either prey-infected nodes, predator-infected nodes or super nodes:
$\dfrac{dS}{dt} = -\beta S I_A - \beta S I_B - \pi\beta_s S$ (Eq.8-6)
The number of prey-infected nodes increases through contacts between prey-infected nodes and susceptible nodes. Their reduction, however, is caused by encounters between them and predator-infected nodes or super nodes. Hence,
$\dfrac{dI_A}{dt} = \beta S I_A - \beta I_A I_B - \pi\beta_s I_A$. (Eq.8-7)
Contacts between predator-infected nodes and susceptible or prey-infected nodes, as well as contacts between super nodes and susceptible or prey-infected nodes, increase the number of predator-infected nodes:
$\dfrac{dI_B}{dt} = \beta S I_B + \beta I_A I_B + \pi\beta_s\,(S + I_A)$ (Eq.8-8)
The population dynamics with super nodes in Fig. 8.10 are shown below:
[Figure 8.11] Aggressive one-sided interaction model with super nodes (infected nodes on a log scale, 10^0 to 10^3, vs. time in seconds, 0 to 14, for prey A and predator B): (a) various contact rates $\beta_s$ from 0 to 4x10^-3 (with π = 2), (b) various numbers of super nodes π = 0 to 4 (with $\beta_s$ = 2x10^-3 sec^-1)
As expected, we can see that the maximum prey-infected nodes are reduced more rapidly by increasing the contact rate with fixed π than by increasing π with a fixed contact rate.
If we want to suppress the initial infection ($dI_A/dt = 0$ at t = 0), then the epidemiological threshold is
$I_B(0) = S(0) - \dfrac{\pi\beta_s}{\beta}$ (Eq.8-9)
or
$\pi = \dfrac{\big(S(0) - I_B(0)\big)\,\beta}{\beta_s}$ (Eq.8-10)
The initial number of predators at t = 0 for the epidemiological threshold is reduced by $\pi\beta_s/\beta$ when compared with the aggressive one-sided worm interaction without super nodes. From this equation, we can derive the minimum π or the minimum $\beta_s$ from this condition. We can observe that the factor that determines the prey infection rate and the epidemic threshold is $\pi\beta_s$. As long as this product is the same, it produces the same results. For example, the instantaneous infected hosts for π = 2 and $\beta_s$ = 2x10^-3 sec^-1 are equal to the infected hosts for π = 4 and $\beta_s$ = 1x10^-3 sec^-1.
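The threshold of Eq.8-9 and Eq.8-10 and the claim that only the product $\pi\beta_s$ matters can both be verified by integrating Eq.8-6 to Eq.8-8. The Python block below is an added example, not the dissertation's own code. Its assumptions are not from the page: a constructed population of 1000 nodes, a constructed shared encounter rate β = 4x10^-5 per pair per second, and forward Euler integration; the two super-node settings compared (π = 2 with $\beta_s$ = 2x10^-3 and π = 4 with $\beta_s$ = 1x10^-3) are the ones the text names.

```python
"""Super node model of Section 8.3.3: Eq. 8-6 .. 8-8 integrated numerically,
with the epidemiological threshold of Eq. 8-9 / 8-10.

Added example, not from the dissertation. Constructed values: 1000 nodes,
encounter rate beta = 4e-5 per pair per second, forward Euler with dt = 0.5 s.
"""
from dataclasses import dataclass


@dataclass
class SuperNodeParams:
    beta: float      # pair-wise encounter rate shared by prey and predator
    beta_s: float    # super node encounter rate with a regular node
    pi: int          # number of super nodes (constant)


def threshold_predators(s0: float, p: SuperNodeParams) -> float:
    """Eq. 8-9: initial predators for which dI_A/dt = 0 at t = 0."""
    return s0 - p.pi * p.beta_s / p.beta


def threshold_super_nodes(s0: float, ib0: float, beta: float, beta_s: float) -> float:
    """Eq. 8-10: super nodes needed for a given S(0) and I_B(0)."""
    return (s0 - ib0) * beta / beta_s


def rates(s, ia, ib, p: SuperNodeParams):
    """Right-hand sides of Eq. 8-6, 8-7 and 8-8."""
    ds = -p.beta * s * ia - p.beta * s * ib - p.pi * p.beta_s * s
    dia = p.beta * s * ia - p.beta * ia * ib - p.pi * p.beta_s * ia
    dib = p.beta * s * ib + p.beta * ia * ib + p.pi * p.beta_s * (s + ia)
    return ds, dia, dib


def simulate(s0, ia0, ib0, p: SuperNodeParams, dt=0.5, horizon=2000.0):
    """Euler integration; returns the prey-infected count after every step."""
    s, ia, ib = float(s0), float(ia0), float(ib0)
    trajectory = [ia]
    for _ in range(int(horizon / dt)):
        ds, dia, dib = rates(s, ia, ib, p)
        s, ia, ib = s + ds * dt, ia + dia * dt, ib + dib * dt
        trajectory.append(ia)
    return trajectory


def max_prey(trajectory):
    """MI for the run: the largest instantaneous prey-infected count."""
    return max(trajectory)


if __name__ == "__main__":
    beta = 4e-5                                   # constructed encounter rate
    p2 = SuperNodeParams(beta=beta, beta_s=2e-3, pi=2)
    p4 = SuperNodeParams(beta=beta, beta_s=1e-3, pi=4)
    s0, ia0 = 545.0, 10.0                         # constructed initial state
    ib_star = threshold_predators(s0, p2)         # 445 predators at threshold
    print("threshold I_B(0):", ib_star,
          "-> pi from Eq. 8-10:", threshold_super_nodes(s0, ib_star, beta, 2e-3))
    print("MI at threshold:", max_prey(simulate(s0, ia0, ib_star, p2)))
    print("MI below threshold (I_B(0)=300):", max_prey(simulate(690.0, ia0, 300.0, p2)))
    print("same pi*beta_s gives the same MI:",
          max_prey(simulate(s0, ia0, ib_star, p2)), max_prey(simulate(s0, ia0, ib_star, p4)))
```

With I_B(0) at the threshold the prey count never rises above its initial value, below the threshold it does, and the two settings with equal $\pi\beta_s$ produce identical trajectories.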
[Figure 8.12] Effect of the number of super nodes on aggressive one-sided interaction (π from 2 to 6, with $\beta_s$ = 6x10^-5 sec^-1) and of the super nodes' encounter rate on aggressive one-sided interaction ($\beta_s$ from 1 to 5x10^-5 sec^-1, with π = 2); the panels show simulation and model curves for prey-infected hosts (fraction) TI and MI, time (sec, log scale) TL and AL, and time (sec) TA and TR, each plotted against π and against $\beta_s$
In Fig.8.12, we find that adding super nodes into the network enhances the effectiveness of prey termination. The effects of π and $\beta_s$ on aggressive one-sided interactions are compared. We find that $\beta_s$ helps vaccinate susceptible nodes and terminate prey in prey-infected nodes slightly better than π does. Only AL (Fig.8.12g and h) does not reduce noticeably for either π or $\beta_s$. Note that the fluctuations in Fig.8.12g and h are caused by the artifact of the non-uniform number distribution of the uniform random number generator. Our model with super nodes seems to predict the trend correctly on all metrics. However, super nodes may not be available or applicable in all kinds of scenarios. We investigate the use of super nodes and their effectiveness in our experiments in Chapter 9.
8.3.4 Seed selection in realistic deployment
In uniform encounter-based networks, choosing seeds for the OLS or ETGS architecture may not be the most important task, since every node shares the same encounter characteristics. In realistic deployments, however, some nodes have much higher contact rates than others. Similarly, some nodes encounter a higher number of distinct nodes. As seen in the models of Chapters 5 and 6, if the initial infected node belongs to the fast group, the effectiveness of the worm relies heavily on which group it starts in. Hence, for a seed to be highly effective, it needs to have a higher contact rate and contact a higher number of nodes than other nodes. In this chapter we revisit the realistic characteristics of nodes from WLAN traces and investigate how to find good candidates.
8.3.4.1 Realistic mobility revisited
Earlier we proposed the Worm Interaction Model to describe the fundamental characteristics of worm interactions under a uniform encounter pattern. Our model shows very promising accuracy in capturing such dynamics. Here, we revisit the characteristics of real mobility patterns with batch arrival in more depth.
[Figure 8.13] Batch arrival pattern and one-type worm infection for USC and Dartmouth (number of nodes, 0 to 6000, vs. time in days, 0 to 30: 1-type infection and incoming nodes for USC and for DM)
In the USC WLAN traces and the DM WLAN traces, there are 5,000 and 5,583 unique MAC addresses, respectively. As shown earlier in Chapter 5 and in Fig. 8.13 above, the populations did not saturate very quickly. The USC total incoming nodes peaked in 9 days and the DM total incoming nodes peaked in around one whole month. Instantaneous infected hosts reached almost 100% of the total arrived population within a single day. In other words, we can simply predict the total infected hosts of a one-type worm infection by estimating the total number of newly arrived nodes after a certain period. The batch arrival pattern can be seen clearly for both the USC and DM wireless LAN traces. In addition, Fig.8.13 shows that batch arrival is common for every campus and every interval of time (as shown in Chapter 6). A good candidate for a seed must enter the network very early, or at least earlier than the initial prey-infected nodes enter the network.
[Figure 8.14] Evolution of encounter graph over time (a) 3 hours (b) 6 hours (c) 24 hours
A seed candidate must also have a high number of contacts with other nodes. We start
by finding out how the mobile node connections in encounter-based networks evolve over
time and where encounters start. We demonstrate this using the encounter graph of the USC
WLAN trace (Fig. 8.14), where each node is a vertex and, if node v encounters node u at
least once, there is an edge between them (multiple encounters still account for only one
edge). We can see that in the first 3 hours only part of the vertices have edges to other
vertices, but in less than 24 hours most vertices have edges to most other vertices. The
cluster coefficients for the 3-hour, 6-hour, and 24-hour periods are 0.94, 0.807, and 0.701
respectively, and the shortest paths between nodes for the 3-hour, 6-hour, and 24-hour
periods are 1.208, 7.321 and 2.992 respectively. However, from this graph it is not clear
which nodes have a higher number of contacts (edges in the encounter graph).
Another approach to finding good candidates is to look for a node with a higher cluster
coefficient or a shorter average distance to other nodes. In Fig. 8.15, we show two
encounter graph characteristics: cluster coefficient (CC) and shortest distance from
reachable nodes (DR). Interestingly, over the entire month, Fig. 8.15 shows a weekly pattern
in DR: DR is highest during weekends and gradually increases as the weekdays approach.
Both high CC and low DR indicate that the encounter graph is more like a small-world graph
than a regular graph. Hence, we can expect some nodes to exhibit themselves as “hubs” with
more unique encounters than others.
[Figure 8.15] Average (a) cluster coefficient (b) distance from reachable nodes (one-month
period); x-axis: Time (Day), 0 to 30; y-axes: Cluster Coefficient (0.6 to 0.8) and Distance
(0 to 6)
Here we look closely at the histogram of total encounters, from which we can derive contact
rates. In Fig. 8.16, we can see that only a small fraction of the population has a high
number of total encounters. The top 10% of USC WLAN nodes and the top 10% of DM WLAN nodes
(ranked by their total encounters) account for 33% and 37% of the total encounters of the
whole population, respectively. In addition, the average total encounters of the top 10% of
USC WLAN nodes and the top 10% of DM WLAN nodes are 3.25 times and 3.7 times the average
total encounters of the whole population, respectively. We therefore also expect a seed
candidate to have a higher number of total encounters than other nodes.
[Figure 8.16] Histogram of total encounters in USC and Dartmouth Wireless LAN traces:
(a) USC (x-axis: Encounter, 0 to 1,200,000; y-axis: Frequency, 0 to 4000), (b) Dartmouth
(x-axis: Encounter, 0 to 50,000; y-axis: Frequency, 0 to 3000)
A higher number of contacts can also mean that a seed candidate contacts a larger number
of unique nodes. From Fig. 8.17, the average unique encounters of the top 10% of USC WLAN
nodes and the top 10% of DM WLAN nodes are 2.5 times and 2.8 times the average of the whole
population, respectively (or 3.0 times and 3.6 times the other nodes’ average unique
encounters, respectively).
[Figure 8.17] Histogram of unique encounters in USC and Dartmouth Wireless LAN traces:
(a) USC (x-axis: Unique Encounter, 0 to 3000; y-axis: Frequency, 0 to 400), (b) Dartmouth
(x-axis: Unique Encounter, 0 to 1500; y-axis: Frequency, 0 to 600)
A seed candidate can also travel more than other nodes, spreading the predator to a
larger number of locations. From Fig. 8.18, the average number of visited locations of the
top 10% of USC WLAN nodes and the top 10% of DM WLAN nodes is 2.7 times and 3.13 times the
average of the whole population, respectively (or 3.35 times and 4.1 times the other nodes’
average, respectively).
[Figure 8.18] Histogram of visited locations in USC and Dartmouth Wireless LAN traces:
(a) USC (x-axis: Location, 0 to 30; y-axis: Frequency, 0 to 1,250), (b) Dartmouth (x-axis:
Location, 0 to 80; y-axis: Frequency, 0 to 1,200)
In Fig. 8.19, we show the graph representing the top-10 seed candidates, which sit in the
middle of star-shaped subgraphs with strong edges (> 100 encounters).
[Figure 8.19] Subset of the graph showing the strong edges (> 100 encounters) among the
top-10-encountered nodes themselves and between them and the other nodes that connect them
together
8.3.4.2 Power ranking systems
Here we propose a systematic methodology to identify and quantify the strength of a seed
candidate from those guidelines, using a power ranking system. We call a seed candidate
chosen by the ranking system a “power node”. We investigate whether a power node
outperforms a randomly selected seed in the same scenario.
In our power ranking system, each node can be classified by its strength in three
categories:
1. Encounter strength
2. Mobility strength
3. Timing strength
For mobility strength, we measure the strength of a node in terms of the number of
locations it visits. For timing strength, we measure the delay between the arrival of seeds
(initial predator-infected nodes) and the arrival of the initial prey-infected nodes.
Lower-delay nodes are stronger than higher-delay nodes and are expected to be better seed
candidates.
For encounter strength, we need to identify the quantity and quality of encounters. We
start by formulating encounters. Let $e_i$ be the total encounters of node i, and let $u_i$
be the total unique encounters of node i. Let $f_{ij}$ be the number of times that node i
meets node j, and let $a_{ij} \in \{0, 1\}$ indicate whether node i meets node j at least
once: $a_{ij} = 1$ if so, otherwise $a_{ij} = 0$. From the definitions above, we know that
$$e_i = \sum_{j=1}^{N} f_{ij}$$
and
$$u_i = \sum_{j=1}^{N} a_{ij}.$$
We further classify nodes based on the quality of their encounters into active/active,
active/popular, popular/active and popular/popular. Encounter strength is calculated from
the number of encounters (contacts) and the quality of those encounters. We start by
defining the terms we use to describe a power node based on encounter strength:
1. Active is an indicator of how often a node encounters other nodes. Active is simply
the number of encounters of node i, which is $e_i$. This number is a quantity of
encounters.
2. Popular is an indicator of how many unique nodes a node encounters. Popular is
simply the number of unique encounters of node i, which is $u_i$. This number is a
quantity of unique encounters.
3. Active/active is an indicator of how actively a node encounters other active nodes,
indicating the quality of its number of encounters based on the activeness of the nodes it
encounters. Let the active/active score of node i be $\theta^{AA}_i$. Based on our
definition, active/active is
$$\theta^{AA}_i = \sum_{j=1}^{N} f_{ij}\, e_j \quad \text{(Eq. 8-11)}$$
4. Active/popular is an indicator of how actively a node encounters other popular nodes,
indicating the quality of its number of encounters based on the popularity of the nodes it
encounters. Let the active/popular score of node i be $\theta^{AP}_i$. Based on our
definition, active/popular is
$$\theta^{AP}_i = \sum_{j=1}^{N} f_{ij}\, u_j \quad \text{(Eq. 8-12)}$$
5. Popular/active is an indicator of how many active nodes a node encounters, indicating
the quality of its number of unique encounters based on the activeness of the nodes it
encounters. Let the popular/active score of node i be $\theta^{PA}_i$. Based on our
definition, popular/active is
$$\theta^{PA}_i = \sum_{j=1}^{N} a_{ij}\, e_j \quad \text{(Eq. 8-13)}$$
6. Popular/popular is an indicator of how many popular nodes a node encounters,
indicating the quality of its number of unique encounters based on the popularity of the
nodes it encounters. Let the popular/popular score of node i be $\theta^{PP}_i$. Based on
our definition, popular/popular is
$$\theta^{PP}_i = \sum_{j=1}^{N} a_{ij}\, u_j \quad \text{(Eq. 8-14)}$$
Here we show the power node score distributions in Fig. 8.20a and b for USC and
Dartmouth, respectively. The main purpose of these graphs is to see how well we can
distinguish the quantity and quality of encounters. In these figures, we normalize the
encounter strength so that the top score in each category is 1.0. We can see that the
differences are more significant in the USC traces. The CCDFs of active, active/active and
active/popular drop more sharply at very low normalized scores, which implies that it is
more difficult to find nodes with higher active, active/active and active/popular scores
than with the other scores. However, we still need to see which of these scores matter the
most, including arrival time and location.
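The following is an added worked example, not code from the dissertation: it computes the encounter-strength scores of Section 8.3.4.2 ($e_i$, $u_i$ and Eq. 8-11 to 8-14) from a constructed encounter log with placeholder node names, normalizes each category so that its top node scores 1.0 as in Fig. 8.20, and ranks the candidate power nodes; the `top_share` helper reproduces the "top fraction of nodes accounts for X% of all encounters" statistic reported for the WLAN traces.

```python
from collections import defaultdict

# Constructed encounter log (not taken from the dissertation's USC or Dartmouth
# WLAN traces): each tuple is one encounter between two nodes with placeholder
# names. Repeated tuples are repeated encounters of the same pair.
SAMPLE_ENCOUNTERS = [
    ("A", "B"), ("A", "B"), ("A", "B"),
    ("A", "C"), ("A", "C"),
    ("A", "D"),
    ("B", "C"),
    ("C", "E"), ("C", "E"), ("C", "E"), ("C", "E"),
    ("D", "E"),
]


def contact_counts(encounters):
    """Return f[i][j], the number of times node i met node j (symmetric)."""
    f = defaultdict(lambda: defaultdict(int))
    for i, j in encounters:
        if i == j:
            continue  # a node does not encounter itself
        f[i][j] += 1
        f[j][i] += 1
    return f


def encounter_strength(encounters):
    """Compute the six encounter-strength scores per node.

    e_i = sum_j f_ij (active), u_i = sum_j a_ij (popular) with a_ij = 1 iff
    f_ij > 0, and the quality scores of Eq. 8-11 to 8-14:
      active/active   = sum_j f_ij * e_j
      active/popular  = sum_j f_ij * u_j
      popular/active  = sum_j a_ij * e_j
      popular/popular = sum_j a_ij * u_j
    f only stores pairs with f_ij > 0, so iterating over f[i] is the same as
    summing a_ij-weighted terms over all j.
    """
    f = contact_counts(encounters)
    e = {i: sum(f[i].values()) for i in f}  # total encounters of node i
    u = {i: len(f[i]) for i in f}           # unique encounters of node i
    scores = {}
    for i in f:
        scores[i] = {
            "active": e[i],
            "popular": u[i],
            "active/active": sum(f[i][j] * e[j] for j in f[i]),
            "active/popular": sum(f[i][j] * u[j] for j in f[i]),
            "popular/active": sum(e[j] for j in f[i]),
            "popular/popular": sum(u[j] for j in f[i]),
        }
    return scores


def normalize(scores):
    """Scale every category so that its top node scores 1.0 (as in Fig. 8.20)."""
    if not scores:
        return {}
    categories = next(iter(scores.values())).keys()
    normalized = {i: {} for i in scores}
    for c in categories:
        top = max(s[c] for s in scores.values())
        for i, s in scores.items():
            normalized[i][c] = s[c] / top if top else 0.0
    return normalized


def rank(scores, category):
    """Nodes from strongest to weakest in one category (ties broken by name);
    the leading entries are the power-node candidates for that category."""
    return sorted(scores, key=lambda i: (-scores[i][category], i))


def top_share(scores, category, fraction):
    """Share of the category total held by the top `fraction` of nodes, e.g.
    the 'top 10% of nodes account for 33% of all encounters' figure."""
    ordered = rank(scores, category)
    k = max(1, int(len(ordered) * fraction))
    total = sum(scores[i][category] for i in ordered)
    return sum(scores[i][category] for i in ordered[:k]) / total


if __name__ == "__main__":
    s = encounter_strength(SAMPLE_ENCOUNTERS)
    n = normalize(s)
    for node in rank(s, "active/active"):
        print(node, s[node], round(n[node]["active/active"], 3))
```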
[Figure 8.20] CCDF of nodes based on ranking systems (a) USC (b) Dartmouth (x-axis:
Normalized Ranking Score, 0 to 1; y-axis: CCDF, 0 to 1; series: Active/Active,
Active/Popular, Popular/Active, Popular/Popular, Active, Popular)
8.3.4.3 Evaluation
We simulate the encounter-level worm interactions of 5,000 users for both USC and
Dartmouth. If two nodes share the same access point, we consider them to encounter each
other. The duration of each encounter is at least 5 minutes, to filter out accidental
encounters caused by the ping-pong effect.
As seen in Fig. 8.21, by choosing a properly power-ranked set of nodes, when compared with
randomly chosen nodes (with 20 prey-infected nodes and 100 predator-infected nodes), the
effectiveness measured by the total number of prey-infected nodes can be improved by more
than 66% with nodes of high mobility strength (locations), 73% with timing strength (arrival
time), and 24% with encounter strength (active and active/active) for USC. Similarly, in
Dartmouth, when compared with randomly chosen nodes, the effectiveness measured by the total
number of prey-infected nodes can be improved by 62.5% with nodes of high mobility strength
(locations), 62.5% with timing strength (arrival time), and at least 50% with encounter
strength. Hence, we can see that mobility and timing strength are even more important than
encounter strength for terminating prey effectively.
The effectiveness of each category of encounter strength varies from one campus to
another. Active and active/active seem to have equivalent effectiveness and consistently
perform well in both USC and Dartmouth. Further investigation of how to classify encounter
strength effectively is left for future work.
[Figure 8.21] Comparison of the effect of increasing the number of initial predators (from
10 to 100 nodes) with fixed initial prey (20 nodes): (a) USC, (b) DM (x-axis: Initial
Predators, 0 to 100; y-axis: Total Infectives (Fraction), log scale 0.01 to 1; series:
Active, Popular, Active-Active, Active-Pop, Pop-Active, Pop-Pop, Arrival Time, Random,
Location)
Earlier, in Chapter 6, we showed that immunization is the key to successful prey
termination. Here, in Figs. 8.22 and 8.23, we show the effect of immunization and
cooperation under realistic encounter patterns in the USC wireless LAN trace. We can observe
that immunization and cooperation (with the predator) linearly enhance the effectiveness of
each category of strength by reducing the number of total infected nodes (as a fraction of
the total population), as shown in Fig. 8.22. Hence, enforcing immunization and cooperation
is still the first-priority policy in this scenario. (Note that cooperation here indicates
whether susceptible nodes cooperate with the predator, while susceptible nodes are forced to
cooperate with the prey. Hence, the cooperation here is different from that used in
Chapter 6.)
[Figure 8.22] Immunization effect on timing strength and encounter strength in the USC
trace with 20 initial prey-infected hosts and 10 initial predator-infected hosts (x-axis:
Immune level (%), 0 to 90; y-axis: Total Infectives (Fraction), 0 to 0.16; series: Active,
Popular, Active/Active, Active/Pop, Pop/Active, Pop/Pop, Arrival Time)
[Figure 8.23] Non-cooperative effect on timing strength and encounter strength in the USC
trace with 20 initial preys and 10 initial predators (x-axis: Non-cooperative level (%), 0
to 90; y-axis: Total Infectives (Fraction), 0 to 1; series as in Fig. 8.22)
9. Chapter 9: Experiments on Worm Interactions in Encounter-based Networks
9.1 Overview
In this chapter, we conduct experiments on worm interactions. Our objective is to see
how worms propagate and interact in real wireless environments. All of our experiments are
performed on Bluetooth-enabled PDAs and smart phones. The experiments have four parts.
First, we explore the population of exposed Bluetooth devices in a campus environment.
Second, we investigate the encounter characteristics among graduate students. Third, we
evaluate the capability of worm propagation with large files under different mobility
patterns. Finally, we assess the effectiveness of worm interaction using our
proof-of-concept predator and prey, with and without super nodes.
9.2 Experiment set up and devices
We conduct our experiments using 6 Bluetooth-capable devices: 5 HP iPAQ hx2490b (PDA)
and 1 HP iPAQ hw6515a (smart phone). We develop a program based on the Widcomm SDK (for
Widcomm Bluetooth stacks) for continuous Bluetooth probing and logging in the first two
parts of the experiments, and for proof-of-concept worm interaction benchmarking in the
last part. File exchanges in the third part of the experiment are done via a file transfer
utility on the HP iPAQ devices. The first three parts of the experiments were carried out
by graduate computer science students at the University of Florida in April 2007, as part
of the CIS6930 Mobile Networks seminar. The last part of the experiment was performed in
July 2007. An additional experiment was conducted in September 2007 as part of the Demo and
Poster presentation at CHANTS 2007 (Mobicom Workshop).
9.3 Population of exposed Bluetooth devices
In this part of the experiment, we analyze the distribution of the Bluetooth-capable
device population according to the number of encounters and unique encounters, by location
and time on campus. We aim to show the distribution of the number of unique devices per
location over specific time periods. We assume that device names and MAC addresses are not
spoofed.
We conduct our experiments at 4 locations on campus (CSE, Reitz Union, Marston
Science Library, and Library West) and 1 location off campus (Oak Mall). In Table 9.1, we
find that there are numerous exposed Bluetooth devices in discoverable mode both on campus
and off campus. We believe that with a longer experiment duration we would find more
discoverable devices at both on-campus and off-campus locations.
We also find that the majority of exposed devices are laptops and cell phones (especially
off campus). From our experiment, the popular brands of those devices are Samsung, LG,
Sony Ericsson, and Nokia.
The results of this experiment show that many mobile devices reveal their identities and
expose themselves to attackers, which can lead to a large-scale malicious worm epidemic.
Table 9.1: Spatial and time distribution of exposed Bluetooth devices (locations: CSE,
Reitz Union, Marston Science Library, Library West, Oak Mall; each entry gives the number
of devices seen and the observation window)
April 8: 5 (3:20pm-3:34pm); 20 (3:44pm-4:42pm); 40 (5:14pm-8:29pm)
April 9: 14 (9:49pm-10:27pm); 27 (10:43pm-12:58am)
April 11: 3 (2:51pm-5:33pm)
April 12: 9 (2:18pm-11:45pm)
April 13: 3 (2:46pm-9:27pm)
April 15: 2 (5:48pm)
April 17: 3 (10:30am-11:30am); 8 (1:30pm-2:00pm); 3 (5:00pm-6:00pm)
April 18: 7 (10:30am-11:30am); 21 (1:30pm-2:00pm); 9 (5:00pm-6:00pm)
April 19: 9 (10:30am-11:30am); 10 (1:30pm-2:00pm); 10 (5:00pm-6:00pm)
April 20: 6 (10:30am-11:30am); 22 (1:30pm-2:00pm); 2 (5:00pm-6:00pm)
9.4 Encounter characteristics
In this section, our objective is to see how students encounter their classmates during a
one-week period. We ask students to carry 6 iPAQ devices in discoverable mode while they
are on campus. There are three groups of students in this class; each group has 2 iPAQ
devices. However, data from only 5 devices are shown in Fig. 9.1 (one of them had a
problem). Here we show the total encounters and unique encounters for the one-week period
in Fig. 9.1; the encounter rates and pair-wise encounter rates are in Table 9.2 below, and
encounter durations are shown in Table 9.3. Continuous encounters are counted as one
encounter in this experiment. We can see in Fig. 9.1 that there is no significantly skewed
data distribution, because all students in this class meet everybody regularly on a weekly
basis (once per week).
[Figure 9.1] Encounter characteristics between graduate students in a one-week period:
(a) total encounters (x-axis: Device ID, 1 to 5; y-axis: Counts, 0 to 12) and (b) unique
encounters (x-axis: Device ID, 1 to 5; y-axis: Counts, 0 to 4.5)
Table 9.2: Pair-wise contact rate and encounter rate (per day)
Device 1 2 3 4 5 Encounter rate
1 - 0.25 0.125 0.125 0.375 0.875
2 0.25 - 0 0.5 0.125 0.875
3 0.125 0 - 0.125 0.375 0.625
4 0.125 0.5 0.125 - 0.375 1.125
5 0.375 0.125 0.375 0.375 - 1.25
average 0.22 0.21 0.17 0.33 0.29 0.97
We can identify their encounter pattern by their average pair-wise contact rate (shown
in Table 9.2) and average duration of encounter (shown in Table 9.3).
Table 9.3: Pair-wise contact duration (hours)
Device 1 2 3 4 5
1 - 4.50 2.12 0.51 3.76
2 4.50 - 0 6.32 1.43
3 2.12 0 - 2.33 5.67
4 0.51 6.32 2.33 - 6.78
5 3.76 1.43 5.67 6.78 -
average 2.7225 3.0625 2.53 3.985 4.41
Although the number of devices shown here is limited, we can see that Bluetooth
devices can be used to identify “real” encounter patterns very effectively and in very good
detail. Unlike WLAN association traces, our experiments only record real user encounters
(within 10 meters), which are usually overestimated in WLAN traces (at the AP level or
building level). Note that our devices are programmed to probe every 30 seconds to save
energy (a device can last for 17 hours per charge if its Bluetooth is turned on
continuously).
9.5 File exchange capability
In this section, we investigate the practicality of a worm interaction that carries a
patch over Bluetooth with human mobility. We explore three dimensions in this experiment:
distance, moving speed and file size. Each experiment is performed 10 times and the average
is recorded.
For distance, we vary the distance over 1 m, 5 m, 10 m, and the maximum (based on
measurement). Moving speed can be 1 m/s (one person stands, one person walks), 2 m/s
(both walk in opposite directions), 3 m/s (one person stands, one person jogs), or 6 m/s
(both jog in opposite directions). File sizes are varied over 1 MB, 5 MB, and 10 MB (an
extreme case). We use fsutil to create files of the specified sizes.
Table 9.4: Relationships of file sizes and distance between users (success rate)
Distance/File Size 1m 5m 10m Max(23m)
1M 1.0 1.0 1.0 0.1
5M 1.0 0.9 1.0 0
10M 1.0 1.0 1.0 0
From Table 9.4, we can see that large file transfers are very reliable if the distance is
at most 10 meters. However, if the distance is too far, i.e., > 20 meters, then even a
small file transfer (1 MB file) does not succeed consistently.
Table 9.5: Relationships of file sizes and velocity between users (success rate)
File Size 1m/s 2m/s 3m/s 6m/s
1MB 1.0 0.2 0 0
5MB 0 0 0 0
10MB 0 0 0 0
In Table 9.5, we show how mobility affects the success of file transfer. The start
position is 1 meter between the two users. We can see that only a small file transfer
(1 MB) with slow mobility is reliable. Bluetooth worm code is very small (e.g.,
Commwarrior.a is only 30 KB), so prey can easily propagate from one device to others, while
the patch can be much bigger than the prey (e.g., a security patch for the Palm Treo 680
smart phone is 142 KB) and hence relies more on a closer distance or a slower speed to be
transferred. Note that the standard bandwidth of Bluetooth 1.2 is up to 721 Kb/s and that of
Bluetooth 2.0 is up to 2.1 Mb/s.
9.6 Proof-of-concept Worm Interactions
We implement and evaluate Bluetooth encounter-based worm propagation and interaction on
mobile devices. The goal of this study is to understand realistic worm propagation and
interaction in realistic delay-tolerant networks. For worm interactions, we only focus on
the aggressive one-sided interaction, where beneficial worms (predator) can terminate
malicious worms (prey) and vaccinate susceptible hosts (turning a susceptible node into a
predator-infected node that is immune to prey).
9.6.1 Implementation
The program is an extension of a Bluetooth chat program provided as part of the
Widcomm Bluetooth SDK. To implement the worm interaction functions, we add the following
components to this program (the block diagram is shown in Fig. 9.2):
• Automated message transfer
We modify the program to send messages automatically to other devices, with the content
of each message depending on the status of the sender: prey-infected or predator-infected.
The sender periodically checks its status and sends a message accordingly. The receiver can
also identify the status of the sender from the content of the message and act accordingly.
Note that susceptible nodes do not send any messages to other nodes.
• Worm behavior
After receiving the transmitted message, based on its content and the status of the
receiver, the receiver can become either prey-infected or predator-infected. If a
susceptible node successfully receives a message from a prey-infected node, the susceptible
node becomes a prey-infected node. Similarly, if a susceptible node or a prey-infected node
successfully receives a message from a predator-infected node, that susceptible node or
prey-infected node becomes a predator-infected node.
• Automated reconnection
Because we want to launch worms in delay-tolerant networks, each device can be highly
mobile and disconnect from other nodes frequently. We implement a component such that, after
a node (client) disconnects from a receiver (server), it re-initiates the connection to the
same destination address (server address) repeatedly at a specified interval.
• Timers for reconnection and scan
There are two types of timers: the reconnection timer and the scanning timer. For
reconnection attempts, we need a timer that starts as soon as a network disconnection error
is reported; the reconnection timer keeps running until a successful reconnection is
reported. For scanning, after a node becomes either prey-infected or predator-infected, it
periodically sends messages to neighboring nodes, controlled by the scanning timer.
• Logging capability
There are two types of messages to be logged. First, the status of a node is written to
a “status” file. Second, activities with time stamps are recorded in an “activity” file,
e.g., when the node receives a message and when it changes its status to either
prey-infected or predator-infected.
[Figure 9.2] The block diagram of proof-of-concept worms (arrows represent the flow of
messages and events from one component to others).
9.6.2 Experiment setup
We conduct our experiment using 6 Bluetooth-capable devices: 4 HP iPAQ hx2490b (PDA)
and 2 HP iPAQ hw6515a (smart phone). We show a picture of these devices in Fig. 9.6a. We
develop proof-of-concept worms based on the Broadcom Bluetooth SDK. We evaluate the
performance of worm propagation and interaction in two different scenarios: (1) static
topologies and (2) human encounters. For static topologies (line, star, and random), we
assign a low scan rate of 1 scan every 30 seconds to emulate the interval of human
encounters. For real human encounters, a high scan rate of 1 scan per second is assigned.
To produce such encounters, we ask 5 graduate students to carry the PDAs and smart phones
while walking inside the same building. We set the nodes to attempt to reconnect every
10 seconds if a disconnection is detected. For static topologies and human encounters, we
run our experiment for 10 rounds and 1 round, respectively.
We launch the predator and prey on two different sets of nodes. We measure the
effectiveness of worm interaction based on the proposed metrics (shown below). The
experiments focus mainly on worm interaction, varied over the following parameters
(default: 5 nodes, aggressive one-sided interaction):
• Metrics: Prey total infected nodes, Prey maximum infected nodes, Prey total
lifespan, Prey individual lifespan, Time to secure all, Time to remove all prey, and
Success Rate (% of all nodes are secured)
• Mobility: Static, and Mobile (on human encounter)
• Topology (for static): Star, Line and Random
• Type of Interaction: Aggressive one-sided, Conservative one-sided, and Aggressive
two-sided
• Number of super node: 0 and 1
Experiment results
Part I. Worm interaction without super node
• One worm type
We start our experiment with one-worm-type propagation. We test whether a worm can
propagate automatically and properly in both a static topology and real human encounters.
We find that, with the line topology (Fig. 9.3a) and one initial prey-infected node, prey
can infect every susceptible node in 35.1 seconds on average (Fig. 9.4a). This line topology
simulates human encounters with an average node degree of 1.6. For real human encounters
(Fig. 9.3b), prey needs more than 15 minutes (Fig. 9.4b) to infect 80% of the population
(one node failed to connect to other nodes, hence it did not get infected).
[Figure 9.3] One worm type scenario (a) the line topology (b) human encounters (each panel
marks the initial Prey node)
[Figure 9.4] One worm type propagation with (a) static line topology (x-axis: Time (Sec),
0 to 60; y-axis: Prey Infected Host (Fraction), 0 to 1) (b) human encounter (x-axis: Time
(Sec), 0 to 1000; y-axis: Prey Infected Host (Fraction), 0 to 0.8)
• Two worm types
For this setting, we investigate how effective the predator can be in three different
static topologies: line (Fig. 9.5a), star (Fig. 9.5b) and random (Fig. 9.5c).
As shown in Fig. 9.6, we find that the predator is more effective in the star topology
than in the line topology. The predator can terminate all prey in 44.3 seconds in the line
topology and in only 38.4 seconds in the star topology.
As shown in Table 9.6, the average number of prey-infected nodes (as a fraction of the
population) is 0.54 in the line topology and 0.36 in the star topology. A possible cause is
that the average number of hops to other nodes in the star topology is smaller than in the
line topology; hence, the predator can vaccinate susceptible hosts and terminate
prey-infected nodes in a shorter time.
In addition, for the random topology, we want to investigate whether the predator can
gain an advantage by having a shorter average distance to any other node than the prey has.
It turns out that the effectiveness of the predator in the random topology is almost the
same as in the star topology, but it has better TA and TR than the predator in the line
topology and in the star topology.
[Figure 9.5] Scenarios for aggressive one-sided interaction: static topologies with 5
nodes (a) line (b) star (c) random topology with 5 nodes, and mobile networks with 3 nodes
(d) human encounters (each panel marks the initial Prey and Predator nodes)
[Figure 9.6] Aggressive one-sided interaction where R1, R2 and R3 are sample runs number
1, 2 and 3 respectively (total number of runs = 10) for (a) straight line topology (x-axis:
Time (Sec), 0 to 50) (b) star (x-axis: Time (Sec), 0 to 35), and (c) random topology
(x-axis: Time (Sec), 0 to 100); y-axis: Infected Host (Fraction), 0 to 1; series: R1 A,
R1 B, R2 A, R2 B, R3 A, R3 B
Table 9.6: Metrics for Aggressive One-sided Interactions with static topologies (TI and
MI as a fraction of total population, TL, AL, TA and TR in seconds)
Topology TI MI TL AL TA TR
Straight line 0.54 0.54 89.6 33.38 44.3 44.3
Star 0.36 0.36 36.2 17.46 37.85 38.44
Random 0.38 0.38 55.5 27.93 32.5 32.5
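As an added illustration of the metrics in Table 9.6 and of why the star topology is secured faster than the line, the following is a deterministic discrete-time model of the worm behavior rules from Section 9.6.1; it is not the dissertation's experiment code. Time is counted in scan intervals, the 5-node topologies are constructed, and two simplifications are assumed: every message is delivered on every scan, and when a prey and a predator message arrive in the same scan the predator message takes effect.

```python
SUSCEPTIBLE, PREY, PREDATOR = "susceptible", "prey", "predator"


def line_topology(n):
    """Undirected line 0-1-...-(n-1), as adjacency sets (constructed)."""
    adj = {i: set() for i in range(n)}
    for i in range(n - 1):
        adj[i].add(i + 1)
        adj[i + 1].add(i)
    return adj


def star_topology(n):
    """Undirected star: node 0 is the hub, nodes 1..n-1 are leaves (constructed)."""
    adj = {i: set() for i in range(n)}
    for leaf in range(1, n):
        adj[0].add(leaf)
        adj[leaf].add(0)
    return adj


def simulate_aggressive_one_sided(adj, initial_prey, initial_predator, max_scans=1000):
    """Model of the aggressive one-sided interaction, one scan interval per step.

    Each scan, every infected node sends its status to all neighbors (assumed
    always delivered). A susceptible node receiving a prey message becomes
    prey-infected; a susceptible or prey-infected node receiving a predator
    message becomes predator-infected (vaccinated / terminated). Assumption:
    a predator message wins when both arrive in the same scan.
    Returns TI and MI as fractions of the population and TL, AL, TA, TR in
    scan intervals; a value is None when its condition never occurs.
    """
    state = {v: SUSCEPTIBLE for v in adj}
    for v in initial_prey:
        state[v] = PREY
    for v in initial_predator:
        state[v] = PREDATOR
    infected_at = {v: 0 for v in initial_prey}   # scan at which prey arrived
    terminated_at = {}                           # scan at which prey was removed
    max_prey = len(infected_at)
    t_all_secured = t_prey_removed = None
    for t in range(1, max_scans + 1):
        incoming = {v: set() for v in adj}       # statuses heard this scan
        for v, s in state.items():
            if s in (PREY, PREDATOR):
                for w in adj[v]:
                    incoming[w].add(s)
        for v in adj:
            if PREDATOR in incoming[v] and state[v] != PREDATOR:
                if state[v] == PREY:
                    terminated_at[v] = t
                state[v] = PREDATOR
            elif PREY in incoming[v] and state[v] == SUSCEPTIBLE:
                state[v] = PREY
                infected_at[v] = t
        n_prey = sum(1 for s in state.values() if s == PREY)
        max_prey = max(max_prey, n_prey)
        if t_prey_removed is None and n_prey == 0:
            t_prey_removed = t                   # TR: no prey left
        if all(s == PREDATOR for s in state.values()):
            t_all_secured = t                    # TA: every node vaccinated
            break
    n = len(adj)
    ever_prey = len(infected_at)
    if ever_prey and len(terminated_at) == ever_prey:
        tl = sum(terminated_at[v] - infected_at[v] for v in infected_at)
        al = tl / ever_prey                      # average individual lifespan
    else:
        tl = al = None
    return {"TI": ever_prey / n, "MI": max_prey / n, "TL": tl, "AL": al,
            "TA": t_all_secured, "TR": t_prey_removed}


def line_vs_star(n=5):
    """Prey at one end of the line (one leaf of the star), predator at the
    other end (another leaf); returns the two metric dictionaries."""
    line = simulate_aggressive_one_sided(line_topology(n), [0], [n - 1])
    star = simulate_aggressive_one_sided(star_topology(n), [1], [2])
    return line, star


if __name__ == "__main__":
    for name, metrics in zip(("line", "star"), line_vs_star()):
        print(name, metrics)
```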
We also investigate the effectiveness of worm interaction in encounter-based networks. In
this scenario, we only run three nodes: one prey-infected node, one predator-infected node
and one susceptible node. Only this susceptible node can transfer packets between the
initial prey-infected node and the initial predator-infected node. This represents the
scenario where only one node is trusted (susceptible) and able to forward packets between
those two nodes. We show the results of this experiment in Table 9.7. Only one third of the
nodes (TI and MI) are ever infected by prey, causing TL and AL to be equal. TA is slightly
higher than TR because not all nodes are infected by prey, and the prey-infected nodes are
terminated before all nodes are secured (vaccinated or with their prey terminated).
Table 9.7: Metrics for Aggressive One-sided Interactions with human encounters (TI and
MI as a fraction of total population, TL, AL, TA and TR in seconds)
TI MI TL AL TA TR
0.33 0.33 143 143 149 146
Earlier, we focused only on the aggressive one-sided interaction. Next, we investigate the
effects of the worm interaction types in the star topology. As shown in Table 9.8, TI and
MI in the conservative one-sided interaction and the aggressive two-sided interaction are
55% and 33% higher, respectively, than in the aggressive one-sided interaction. Similar to
our earlier simulation results and our model, the conservative one-sided interaction shows
the worst performance when compared with the aggressive one-sided and aggressive two-sided
interactions, and TI and MI in the aggressive two-sided interaction are approximately half
of the total number of vulnerable nodes. Not all vulnerable nodes are infected by prey or
predator in the conservative one-sided interaction; hence TA is not applicable in this
scenario.
Table 9.8: Metrics for Conservative One-sided Interactions and Aggressive Two-sided
Interactions (TI and MI as a fraction of total population, TL, AL, TA and TR in seconds) with
star topology
Type TI MI TL AL TA TR
Conservative One-sided 0.56 0.56 196 76.45 NA 162.8
Aggressive Two-sided 0.48 0.48 NA NA NA NA
We also investigate whether the alternative architecture, Encounter-Then-Generate-Seed
(ETGS), is effective for worm interaction if the predator is only activated when a seed
receives incoming prey. As mentioned in Chapter 8, ETGS requires automatic worm signature
generation for its scheme to work. We evaluate this scenario in the line topology (similar
to Fig. 9.4a) with a fast emulated encounter rate of 1.0/sec. As expected (Table 9.9),
because of the line topology, TI and MI are always 80% of the total population. We can see
that it only takes 4.5 seconds to remove all prey and vaccinate all susceptible nodes. We
expect the predator to be more effective in the star topology, where it can react to
incoming prey in less time. We can see that the position of the seed is very important in
this architecture: if the seed is located next to the prey in the line topology, then TI
and MI will be only 0.2 of the population.
Table 9.9: Encounter-Then-Generate-Seed Architecture (with encounter rate = 1.0/sec) with line topology (similar to Fig. 9.5a)
TI     MI     TL     AL      TA     TR
0.8    0.8    11.5   2.875   4.5    4.5
Part II Worm interaction with super nodes
In this part, we evaluate the usefulness and applicability of super nodes (highly mobile nodes) in assisting the propagation and interaction of predators. As shown in Fig. 9.7(b), we use one radio-controlled truck carrying an iPAQ for one-worm-type propagation, and two radio-controlled trucks, each carrying one iPAQ, as super nodes for aggressive one-sided interaction. In this experiment, we set the scan rate of each node (attempts to infect others) to 1.0/sec. The white radio-controlled truck runs at 2 meters/sec and the red radio-controlled truck runs at 1 meter/sec.
[Figure 9.7] Devices for the experiments: (a) iPAQ PDA and Smartphone; (b) radio-controlled trucks (super nodes), each carrying an iPAQ PDA on top
• One worm type
For one-type worm propagation, we evaluate how effectively data can be transferred to a static node by a super node. There are two scenarios: (1) a mobile susceptible node with a static predator-infected node, and (2) a mobile predator node with a static susceptible node.
The first scenario is shown in Fig. 9.8. The super node (white radio-controlled truck) is a susceptible node and the static node is a predator-infected node. We initially place the super node far enough away that the predator-infected node cannot infect the susceptible node. We find a high data receiving rate of 92% (when the predator-infected node successfully infects the susceptible node) and a 90% success rate, where the success rate is the fraction of experiment rounds in which at least one packet is received from the sender.
[Figure 9.8] One static node and one super node for one worm type propagation
Table 9.10: Metrics for one static node and one super node for one worm type propagation
#Packets Sent   #Packets Received   Relative Packets Received   Success Rate*
11.7            10.8                0.92                        0.9
In the second scenario (Fig. 9.9), there are 4 static susceptible nodes (with no links between them) and one predator-infected node acting as a super node. In this scenario, the predator-infected node constantly sends a predator to the other static nodes. Unlike the first scenario, we find that a mobile predator-infected node is less capable of transferring a worm to static susceptible nodes than a static predator-infected node is of transferring data to a mobile susceptible node. Although in every round at least one of the 4 static susceptible nodes is successfully vaccinated by the super node (success rate = 100%), only 58% of the transmitted packets are received at the susceptible nodes (as shown in Table 9.10), where the success rate is defined as the fraction of rounds in which at least one node receives a packet from the sender. The reason may be that we place the four static susceptible nodes very close to each other, which can cause many collisions among the responses from the susceptible nodes to the super node (every time a node receives a prey or predator from another node, it immediately sends an acknowledgement packet back to the sender).
[Figure 9.9] Four static nodes with one super node for one worm type propagation
Table 9.11: Metrics for four static nodes with one super node for one worm type propagation
Infected Nodes (Fraction)   Success Rate
0.58                        1.0
• Two worm types
We extend the previous one-worm-type experiment to a scenario with one predator-infected super node and another prey-infected mobile node moving in the opposite direction (as shown in Fig. 9.10). They have an aggressive one-sided interaction relationship. We want to investigate whether a static node and a mobile node can be recovered by the super node carrying the predator.
In this scenario, the super node with prey attempts to infect a static susceptible node. At the same time, the super node with predator tries to vaccinate the static susceptible node, or to terminate the prey if the susceptible node has become prey-infected. The results of the experiments are shown in Table 9.12.
[Figure 9.10] One static node with two super nodes for aggressive one-sided interaction
Table 9.12: Metrics for aggressive one-sided interactions with two super nodes
                   Static Susceptible   Super node with Prey
Become Prey        0.5                  1.0
Become Predator    0.5                  0.0
9.7 Summary and future experiments
In this chapter, we investigate and evaluate Bluetooth worm propagations and interactions in real wireless environments. We find that Bluetooth devices are prevalent on campus and most of them are discoverable by Bluetooth probing, hence vulnerable to worm infection. The population of Bluetooth devices depends on location and time; libraries on campus seem to be the most crowded areas of Bluetooth devices for most of the time. We also show real encounter characteristics using continuous Bluetooth probing for a week. Unlike the WLAN trace, our trace has finer granularity in capturing human encounters; however, the WLAN trace can capture a much larger scale of human encounters and mobility. With GPS included, our experiment can incorporate location information in the future. We also find that large file transfers over Bluetooth succeed at long distance or at walking speed if the file size is less than 1 Mbytes and the distance is shorter than 20 meters. Hence, automated patching is also possible if it satisfies these conditions. In addition, we evaluate worm propagations and interactions based on our proof-of-concept worms on mobile devices. We find that topology, encounter patterns and the distance from the initial predator-infected node to other nodes significantly impact worm propagation speed and the effectiveness of the worm interactions.
Currently our proof-of-concept worm faces difficulties when one node needs to connect to more than 4 nodes and disconnections are detected at that node. Hence, the automated reconnection may need to be fine-tuned to reduce the CPU overload. In addition, we still need to manually invoke the worm program to act as a server or a client and pair it before infection can occur between such a pair. We also find that the Bluetooth service discovery process takes a substantial time (around 30 seconds) before the connection is set up. Thus, real deployment with Bluetooth among unknown nodes might be difficult in mobile networks. For future experiments, we plan to deploy large-scale Bluetooth encounter-based worms with automated discovery and pairing. Another possibility is to integrate our current test bed with other wireless ad-hoc technologies such as ZigBee or 802.11x.
10. Chapter 10: Conclusion and Future Research Direction
10.1 Conclusion
In this paper, we propose a general worm interaction model addressing worm interaction types, network characteristics and node characteristics for both random-scan network worms and encounter-based networks. In addition, new metrics are proposed as a performance evaluation framework for worm interactions to quantify the effectiveness of worm termination, which can also be used as a guideline for other security responses. Based on our worm interaction study, we find that worm interaction causes a drastic change in the worm propagation model. Such interaction cannot be explained by earlier works based on the epidemic model, even when the removal process is used. Among worm interaction types, we find that the predator is most effective in aggressive one-sided worm interaction.
For random-scan network worms, our new worm interaction model is validated through extensive network simulations. We find that the scan rate ratio has much more impact on the worm propagation pattern than the initial infected host ratio. Similar scan rate ratios always result in the same maximum prey infectives. Our worm interaction models for random-scan network worms can be used as a major component in designing an effective protocol for controlled worm deployment to counter ongoing worm attacks. For example, if there are 50,000 vulnerable hosts, $p_1 = 10^{-2}$, $p_2 = 10^{-6}$, $f_1 = f_2 = 0.5$, and the prey scan rate is 100/sec, with the same network delay as our simulated transit-stub networks and a reaction time of 30 seconds, then to contain prey total infectives within 70%, 50% or 20% of the total vulnerable hosts, the predator requires a scan rate of at least 500/sec, 1000/sec, or 1500/sec, respectively.
Using our model avoids deploying an underestimated predator scan rate, which causes the predator to lose to the prey, or an overestimated predator scan rate, which causes excessive network congestion that deteriorates both regular traffic and the predator contact rate. Our model, however, does not incorporate router misbehavior when experiencing excessive scans from prey, nor the background traffic that affects the network delay factor. We also have not modeled other in-place security defenses such as firewalls and intrusion detection systems. We expect our approach to have higher efficiency in terminating prey if we consider these factors.
For encounter-based worms, we find that in uniform and realistic encounter-based networks, immunization and delay are the most influential node characteristics for total prey-infected nodes, maximum prey-infected nodes and total prey lifespan. Cooperation and on-off behaviors greatly affect average individual prey lifespan, time to secure all nodes and time to remove all preys in uniform encounter-based networks. Furthermore, for multi-group uniform-encounter-based networks, a large group size with a fast contact rate helps limit total prey-infected nodes and maximum prey-infected nodes. A fast contact rate between groups reduces average individual prey lifespan, time to secure all nodes and time to remove all preys. Our model shows very good agreement with the uniform-encounter simulation results.
Based on realistic mobile network measurements, we find that batch arrivals are common in the trace and likely to take place in any encounter-based network. In addition, we find that the contact rate and the number of unique encounters of users are highly skewed. This network characteristic causes worm infection behavior to deviate from our predictions, even though the general trends remain similar to the model. We believe that our general worm interaction model can be extended to incorporate fine-grained and dynamic user groups to enhance the accuracy of prediction.
In such networks, immunization and timely predator deployment in high-encounter-rate groups seem to be more important factors than cooperation. Hence, enforcing early immunization and having a mechanism to identify a high-contact-rate group in which to deploy an initial predator-infected node is critical to contain worm propagation in encounter-based networks. These findings provide insight that we hope will aid the development of counter-worm protocols in future encounter-based networks.
We propose VACCINE architectures and guidelines, based on the lessons learned in this study, for both random-scan network worms and encounter-based worms. The basic architecture supporting our approach for both random-scan network worms and encounter-based worms should at least contain prey detection, predator generation, predator updates, an inter-predator communication protocol and prey/predator network access control. Prey detection is the first necessary component, as it activates predator generation.
For random-scan network worms, we propose the dynamic distributed incremental scan rate (DDIS) protocol to adapt to the level of ongoing prey attacks and the current number of predator-infected nodes. Hence, a predator with DDIS will not overwhelm the network and will contain the prey with an appropriate level of aggressiveness. The Off-line-seed architecture (OLS) and the Encounter-then-generate-seed architecture (ETGS) for encounter-based worms are investigated and compared. We find that ETGS requires more seeds than OLS to achieve the same effectiveness as OLS.
We conduct experiments on the applicability of Bluetooth worm propagation. We find that many Bluetooth-enabled devices on campus (at the University of Florida) and off campus (at the mall) are discoverable and hence exposed to worm attacks. Mobility speed and distance between devices are critical for worm replication transfer. Surprisingly, even a large worm replication (1 MB) can occasionally be transferred over a long distance (20 meters).
Experiments on proof-of-concept worm interactions are conducted to assess the applicability of encounter-based worms using PDAs and motes. Our proof-of-concept worm experiments help us understand how worms propagate and interact in encounter-based networks. We use our proposed metrics to evaluate these realistic worm interactions. We find that mobility and the position of the initial predator-infected nodes are important factors for predator effectiveness.
10.2 Future Research Direction
Our future work can focus on enhanced VACCINE architecture and protocol design and evaluation to support this new security paradigm in real deployments, which may collaborate with existing defense mechanisms. For the Internet worm, DDIS can be made adaptable to background traffic and can be tuned more finely according to feedback. In addition, DDIS can also adjust the predator's scanned address range dynamically based on the inter-predator protocol.
Our worm interaction model can also be extended to support social network structure and scale-free networks. The Bluetooth worm interaction prototypes can be developed into full-fledged worm applications and tested more thoroughly. For example, the Bluetooth worm should be able to find new devices and connect to them automatically.
Realistic node characteristics such as immunization and cooperation derived from real delay-tolerant network traces can help determine the applicability of worm propagation and interaction in such networks. Power ranking systems can be enhanced to include encounter history and prediction. For example, power ranking systems should evaluate seed candidates based on which nodes are prey and which are likely to encounter prey-infected nodes in the future.
To evaluate realistic worm propagations and interactions, large-scale Bluetooth encounter-based worm experiments are planned with upgraded functionality of our proof-of-concept worm. The super nodes in our experiments can be enhanced in terms of mobility and controllability with radio-controlled planes, balloons, robots or even real cars. We also believe that our test bed can be used to evaluate related research such as disaster relief or social-based routing.
References
[1] A. Avritzer, R. G. Cole, and E. J. Weyuker, "Using performance signatures and software rejuvenation for worm mitigation in tactical MANETs," Proceedings of the 6th International Workshop on Software and Performance (WOSP '07), Buenos Aires, Argentina, February 5-8, 2007, ACM Press, New York, NY, pp. 172-180.
[2] E. Anderson, K. Eustice, S. Markstrum, M. Hansen, and P. Reiher, "Mobile contagion: Simulation of infection and defense," Proceedings of the 19th Workshop on Principles of Advanced and Distributed Simulation, pp. 80-87, 2005.
[3] F. Bai, N. Sadagopan, and A. Helmy, "The IMPORTANT Framework for Analyzing the Impact of Mobility on Performance of Routing for Ad Hoc Networks," Ad Hoc Networks Journal, Elsevier Science, Vol. 1, Issue 4, pp. 383-403, November 2003.
[4] M. Bishop, Computer Security: Art and Science.
[5] BRITE: Boston Representative Internet Topology Generator.
[6] R. Buckley, "'Anti-worms' released to clean up Code Red," Information Age, http://www.information-age.com/article/2001/september/anti-worms_released_to_clean_up_code_red
[7] CAIDA, ICSI, Silicon Defense, UC Berkeley EECS and UC San Diego CSE, "Analysis of the Sapphire Worm," http://www.caida.org/analysis/security/sapphire
[8] F. Castaneda, E. C. Sezer, and J. Xu, "WORM vs. WORM: preliminary study of an active counter-attack mechanism," Proceedings of the ACM Workshop on Rapid Malcode (WORM), 2004.
[9] A. Chaintreau, P. Hui, J. Crowcroft, C. Diot, R. Gass, and J. Scott, "Impact of Human Mobility on the Design of Opportunistic Forwarding Algorithms," IEEE INFOCOM 2006, April 2006.
[10] Z. Chen, L. Gao, and K. Kwiat, "Modeling the Spread of Active Worms," IEEE INFOCOM 2003.
[11] R. G. Cole, "Initial Studies on Worm Propagation in MANETS for Future Army Combat Systems," ASC 2004.
[12] R. G. Cole, N. Phamdo, M. A. Rajab, and A. Terzis, "Requirements of Worm Mitigation Technologies in MANETS," Principles of Advanced and Distributed Simulation, 2005.
[13] D. E. Cooper, P. Ezhilchelvan, and I. Mitrani, "A Family of Encounter-Based Broadcast Protocols for Mobile Ad-hoc Networks," Proceedings of Wireless Systems and Mobility in Next Generation Internet, 1st International Workshop of the EURO-NGI Network of Excellence, Dagstuhl Castle, Germany, June 7-9, 2004.
[14] R. Dantu, J. Cangussu, and A. Yelimeli, "Dynamic Control of Worm Propagation," Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC'04), Volume 2, 2004.
[15] C. Douligeris and A. Mitrokotsa, "DDoS attacks and defense mechanisms: classification and state-of-the-art," Computer Networks: The International Journal of Computer and Telecommunications Networking, 2004.
[16] N. Eagle and A. Pentland, "Reality Mining: Sensing Complex Social Systems," Journal of Personal and Ubiquitous Computing, June 2005.
[17] S. Eubank, H. Guclu, V. S. A. Kumar, M. V. Marathe, A. Srinivasan, Z. Toroczkai, and N. Wang, "Modelling disease outbreaks in realistic urban social networks," Nature 429, pp. 180-184, 13 May 2004.
[18] J. C. Frauenthal, Mathematical Modeling in Epidemiology, Springer-Verlag, New York, 1988.
[19] A. Ganesh, L. Massoulie, and D. Towsley, "The Effect of Network Topology on the Spread of Epidemics," IEEE INFOCOM 2005.
[20] T. C. Green, "'Friendly' Cheese worm reveals many compromised boxes," The Register, http://www.theregister.co.uk/2001/05/17/friendly_cheese_worm_reveals_many/
[21] R. Groenevelt, P. Nain, and G. Koole, "The Message Delay in Mobile Ad Hoc Networks," Performance, October 2005.
[22] A. Helmy, "Small Worlds in Wireless Networks," IEEE Communications Letters, Vol. 7, No. 10, pp. 490-492, October 2003.
[23] R. V. Hogg and E. A. Tanis, Probability and Statistical Inference, Prentice Hall, 2001.
[24] W. Hsu and A. Helmy, "On Nodal Encounter Patterns in Wireless LAN Traces," The 2nd IEEE International Workshop on Wireless Network Measurement (WiNMee), April 2006.
[25] W. Hsu and A. Helmy, "On Modeling User Associations in Wireless LAN Traces on University Campuses," The 2nd IEEE International Workshop on Wireless Network Measurement (WiNMee), April 2006.
[26] A. Jindal and K. Psounis, "Performance analysis of epidemic routing under contention," Proceedings of the 2006 International Conference on Communications and Mobile Computing (IWCMC '06), Vancouver, British Columbia, Canada, July 3-6, 2006, ACM Press, New York, NY, pp. 539-544.
[27] J. Kephart, G. Sorkin, D. Chess, and S. White, "Fighting Computer Viruses," Scientific American, November 1997.
[28] W. O. Kermack and A. G. McKendrick, "A Contribution to the Mathematical Theory of Epidemics," Proceedings of the Royal Society, 1997, A115, pp. 700-721.
[29] W. Mendenhall and T. Sincich, Statistics for Engineering and the Sciences, Prentice Hall.
[30] D. Moore, C. Shannon, G. M. Voelker, and S. Savage, "Internet Quarantine: Requirements for Containing Self Propagating Code," IEEE INFOCOM 2003.
[31] J. Morales, P. J. Clarke, B. M. G. Kibria, and Y. Deng, "Testing and evaluating virus detectors for handheld devices," Journal of Computer Virology, Springer, Vol. 2, pp. 135-147, 2006.
[32] NS-2: the network simulator, http://www.isi.edu/nsnam/ns/
[33] D. M. Nicol, M. Liljenstam, and J. Liu, "Multiscale Modeling and Simulation of Worm Effects on the Internet Routing Infrastructure," Proceedings of the Performance Tools 2003 Conference, Urbana, IL, September 2003.
[34] D. M. Nicol, "Models and Analysis of Active Worm Defense," Proceedings of the Mathematical Methods, Models and Architectures for Computer Networks Security Workshop, 2005.
[35] Z. Nicoloski, N. Deo, and L. Kucera, "Correlation Model of Worm Propagation on Scale-Free Networks," Complexus, Vol. 3, No. 1-3, pp. 169-182, 2006.
[36] R. Pastor-Satorras and A. Vespignani, "Epidemic dynamics in finite size scale-free networks," Physical Review E, 65, 2002.
[37] J. Su, K. K. W. Chan, A. G. Miklas, K. Po, A. Akhavan, S. Saroiu, E. Lara, and A. Goel, "A preliminary investigation of worm infections in a Bluetooth environment," ACM Workshop on Rapid Malcode (WORM), Alexandria, VA, October 2006.
[38] S. Staniford, V. Paxson, and N. Weaver, "How to 0wn the Internet in your spare time," Proceedings of the USENIX Security Symposium, Monterey, 2002, pp. 149-167.
[39] P. Szor, The Art of Computer Virus Research and Defense, Symantec Press, 2005.
[40] S. Tanachaiwiwat and A. Helmy, "VACCINE: War of the Worms in Wired and Wireless Networks," IEEE INFOCOM 2006, Barcelona, Spain, Poster and Demo Session (Technical Report CS 05-859, Computer Science Department, USC).
[41] S. Tanachaiwiwat and A. Helmy, "Analyzing the Interactions of Self-Propagating Codes in Multi-hop Networks," Eighth International Symposium on Stabilization, Safety, and Security of Distributed Systems (SSS), accepted as Brief Announcement, Dallas, Texas, November 2006.
[42] S. Tanachaiwiwat and A. Helmy, "Modeling and Analysis of Worm Interactions (War of the Worms)," IEEE Broadnets 2007, Fourth International Conference on Broadband Communications, Networks, and Systems, Raleigh, North Carolina, September 10-14, 2007.
[43] S. Tanachaiwiwat and A. Helmy, "Worm Ecology in Encounter-based Networks (Invited Paper)," IEEE Broadnets 2007, Fourth International Conference on Broadband Communications, Networks, and Systems, Raleigh, North Carolina, September 10-14, 2007.
[44] S. Tanachaiwiwat and A. Helmy, "On the Performance Evaluation of Encounter-based Worm Interactions Based on Node Characteristics," ACM Mobicom 2007 Workshop on Challenged Networks, Montreal, Quebec, Canada, September 14, 2007.
[45] S. Tanachaiwiwat and A. Helmy, "Encounter-based Worms: Analysis and Defense," IEEE Conference on Sensor and Ad Hoc Communications and Networks (SECON) 2006, Poster/Demo Session, VA, September 2006.
[46] S. Tanachaiwiwat and A. Helmy, "Encounter-based Worms: Analysis and Defense," Technical Report arXiv:0706.4035 (under submission to a journal).
[47] Trend Micro Annual Virus Report 2004, http://www.trendmicro.com
[48] H. Trottier and P. Phillippe, "Deterministic Modeling of Infectious Diseases: Theory and Methods," The Internet Journal of Infectious Diseases, ISSN: 1528-8366.
[49] A. Vahdat and D. Becker, "Epidemic routing for partially connected ad hoc networks," Technical Report CS-2000.
[50] M. Vojnovic and A. J. Ganesh, "On the Effectiveness of Automatic Patching," ACM WORM 2005, The 3rd Workshop on Rapid Malcode, George Mason University, Fairfax, VA, USA, November 11, 2005.
[51] Viruslist.com, "Information about Viruses, Hackers and Spams," www.viruslist.com
[52] A. Wagner, T. Dubendorfer, B. Plattner, and R. Hiestand, "Experiences with worm propagation simulations," Proceedings of the ACM Workshop on Rapid Malcode (WORM), Washington, 2003.
[53] Y. Wang and C. Wang, "Modelling the effects of timing parameters on virus propagation," Proceedings of the ACM Workshop on Rapid Malcode (WORM), Washington, 2003.
[54] N. Weaver, V. Paxson, and S. Staniford, "A taxonomy of computer worms," Proceedings of the ACM Workshop on Rapid Malcode (WORM), Washington, D.C., 2003.
[55] N. Weaver, S. Staniford, and V. Paxson, "Very Fast Containment of Scanning Worms," 13th USENIX Security Symposium, August 2004.
[56] N. Weaver, I. Hamadeh, G. Kesidis, and V. Paxson, "Preliminary Results Using Scale-Down to Explore Worm Dynamics," Proceedings of the ACM Workshop on Rapid Malcode (WORM), Fairfax, VA, October 2004.
[57] G. Yan, L. Cuellar, S. Eidenbenz, H. D. Flores, N. Hengartner, and V. Vu, "Bluetooth Worm Propagation: Mobility Pattern Matters!," ASIACCS, Singapore, March 2007.
[58] X. Zhang, G. Neglia, J. Kurose, and D. Towsley, "Performance Modeling of Epidemic Routing," to appear in Elsevier Computer Networks journal, 2007.
[59] C. C. Zou, W. Gong, and D. Towsley, "Code red worm propagation modeling and analysis," Proceedings of the 9th ACM CCS, 2002.
[60] C. C. Zou, W. Gong, D. Towsley, and L. Gao, "Monitoring and early detection for Internet worms," Proceedings of the 9th ACM CCS, 2003.
Appendix A: Simulation Setup
A.1 Random-scan network worms:
We simulate 1000 vulnerable hosts in the following topologies:
1. Star-shaped topology: we want to test our model with a network having a small number of hops (1-2 hops), moderate constant bandwidth (512 kbps) and constant delay (1 ms) between hosts.
2. Transit-stub topology: this two-level topology helps us test our model with a bottleneck network having a large number of hops (1-4 hops), moderate bandwidth (512 kbps access link, 10 Mbps local network) and delay between hosts (average 1 ms). There are 10 local networks; each local network has 100 hosts, one of which acts as a router. One AS can have one or two local networks. The links between routers in this topology are generated by the BRITE Internet topology generator.
Each worm uses UDP scans to transfer its replication to randomly chosen vulnerable hosts of the network. The default packet size is 404 bytes, similar to the Slammer worm.
A.2 Encounter-based worms:
We use encounter-level simulations to simulate a simple uniform encounter-based network of 1,000 mobile nodes with no batch arrivals, in which all nodes are susceptible to both prey and predator. Each simulation runs at least 1,000 rounds and we plot the median values for each position. We assume that there is only one group in the network with $\beta = 5 \times 10^{-5}\ \mathrm{sec}^{-1}$, and two groups in Chapter 5 with $\beta_{11}$, $\beta_{12}$, $\beta_{22}$ between $3 \times 10^{-5}$ and $30 \times 10^{-5}\ \mathrm{sec}^{-1}$. In addition, we assume only the aggressive one-sided worm interaction in all parts except part a. For similar initial hosts, we simulate worm interaction with network sizes of 500, 1,000 and 2,000 nodes, and for different initial host ratios with a fixed 1,000 nodes.
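The encounter-level setup of A.2 and the prey metrics used in Chapter 9 and the Conclusion (TI, MI, TL, AL, TA, TR), as an added worked example that is not the dissertation's own simulator. It assumes a single group in which every pair of nodes meets at rate beta (so the next encounter arrives after an Exp(beta * N(N-1)/2) wait and involves a uniformly chosen pair), aggressive one-sided interaction in which a predator takes over both susceptible and prey-infected nodes while prey infects only susceptible nodes, and the metric definitions given in the comments, which are my reading of the page.

```python
"""Encounter-level simulation of aggressive one-sided worm interaction in a
uniform encounter-based network (no batch arrivals, one group).

Added illustration, not the dissertation's own code.  Assumptions (mine):
every node pair meets at rate beta (sec^-1), a predator converts a susceptible
or prey node it meets, a prey infects only susceptible nodes, and a predator
node never changes state again.
"""
import random
from dataclasses import dataclass

SUSCEPTIBLE, PREY, PREDATOR = "S", "prey", "predator"


@dataclass
class Metrics:
    prey_count: int  # nodes that were prey-infected at some point
    TI: float        # total prey-infected nodes, as a fraction of the population
    MI: float        # maximum simultaneous prey-infected nodes, as a fraction
    TL: float        # total prey lifespan: sum of individual infection durations (s)
    AL: float        # average individual prey lifespan = TL / prey_count (s)
    TA: float        # time to secure all nodes: every node predator-infected (s)
    TR: float        # time to remove all prey (s)


def simulate(n=200, beta=5e-5, init_prey=1, init_pred=1, seed=7, max_time=1e7):
    """Run one encounter-level round and return the metrics above."""
    if init_pred < 1:
        raise ValueError("at least one predator seed is needed to secure the network")
    rng = random.Random(seed)
    state = [SUSCEPTIBLE] * n
    for i in range(init_prey):
        state[i] = PREY
    for i in range(init_prey, init_prey + init_pred):
        state[i] = PREDATOR

    infected_at = {i: 0.0 for i in range(init_prey)}   # live prey -> infection time
    ever_prey = set(infected_at)
    n_prey, n_pred = init_prey, init_pred
    peak_prey = n_prey
    lifespan_sum = 0.0
    t_remove = 0.0 if n_prey == 0 else None
    t = 0.0
    total_rate = beta * n * (n - 1) / 2             # encounters per second, all pairs

    while n_pred < n and t < max_time:
        t += rng.expovariate(total_rate)
        a, b = rng.sample(range(n), 2)
        for src, dst in ((a, b), (b, a)):            # worm code flows both ways on contact
            if state[src] == PREDATOR and state[dst] != PREDATOR:
                if state[dst] == PREY:                # aggressive one-sided: prey is terminated
                    lifespan_sum += t - infected_at.pop(dst)
                    n_prey -= 1
                    if n_prey == 0:
                        t_remove = t
                state[dst] = PREDATOR                 # susceptible node is vaccinated
                n_pred += 1
            elif state[src] == PREY and state[dst] == SUSCEPTIBLE:
                state[dst] = PREY
                infected_at[dst] = t
                ever_prey.add(dst)
                n_prey += 1
                peak_prey = max(peak_prey, n_prey)

    t_secure = t if n_pred == n else float("inf")
    if t_remove is None:                              # ran out of time with prey alive
        t_remove = float("inf")
    count = len(ever_prey)
    return Metrics(count, count / n, peak_prey / n, lifespan_sum,
                   lifespan_sum / count if count else 0.0, t_secure, t_remove)


if __name__ == "__main__":
    print(simulate())
```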
Appendix B: Regression Analysis
Our objective is to find out how much worm interaction affects individual propagation based on real data. Hence, in this section we use multiple ordinary least-squares linear regression analysis on global network worm infection. Regression is a very effective technique for analyzing relationships between outputs (dependent variables) and inputs (independent variables) based on real data. Moreover, we can also verify the significance of individual variables (subsection B.1) and the adequacy of the chosen model (subsection B.2).
We focus on modeling worm propagation of recent deadly worm types including NetSky, Bagle, MyDoom, MyTob, LovGate and Zafi. We investigate a set of strategies that worm programmers use to spread the worm, and define these strategies as the following independent variables: number of added registry entries ($X_1$), number of deleted registry entries ($X_2$), number of file extensions the worm searches for valid email addresses, i.e. dynamic hit list ($X_3$), number of means of transportation ($X_4$), number of possible infected platforms, e.g. Windows XP, 2000, NT, etc. ($X_5$), day of the week ($X_6$), and number of worm variants in the top 50 ($X_7$). $X_1$ and $X_2$ capture the interaction between worms. Especially for $X_2$, the current strategy for terminating other worms is to delete the registry entries associated with the victim worm. We choose a second-order (interaction) model because it provides more accurate results than the first-order model.
Statistical data were mainly collected from virus-radar.com and trendmicro.com [47], and the main technical information for individual worms was mainly collected from pandasoftware.com. Viruslist.com provides complete lists of worm alias names. Other antivirus companies also provide supplemental technical information. More than 300 reports were collected from March 25-31 (training data) and on April 6, 2005 (new data set).
Table B.1: Sample of worm characteristic data
Worm Name   Number of File Search ($X_3$)   Number of Platform ($X_5$)   Number of Variants ($X_7$)   Channel of Trans ($X_4$)   Number of Added Registry ($X_1$)   Number of Deleted Registry ($X_2$)
NetSky.P    24                              7                            10                           2                          1                                  30
Bagle.AB    29                              6                            6                            2                          1                                  2
MyDoom.R    10                              7                            2                            1                          5                                  0
MyTob.D     12                              7                            24                           3                          5                                  0
Table B.2: Chosen second-order model with seven independent variables
Independent Variable   $\kappa_i$    $t_i$      p-value
Constant               1464.733      5.710      .000
$X_3^2$                5.719         22.363     .000
$X_3 X_7$              -12.111       -12.691    .000
$X_1 X_2$              434.598       11.905     .000
$X_3 X_6$              181.818       8.263      .000
$X_2^2$                -16.954       -8.731     .000
$X_2 X_4$              -101.643      -4.310     .000
$X_6 X_7$              -241.827      -5.234     .000
$X_2 X_6$              112.781       3.917      .000
B.1. Test of an individual parameter coefficient in the multiple regression model
We can verify the significance of an individual variable using a two-tailed t-test [23, 29]. If the variable contributes statistically to the model, its absolute $t_i$ must be greater than the critical value $t_{\alpha/2}$ (i = 0 to l-1, where l = number of variables). In Table B.2, we show each $t_i$ with its associated $\kappa_i$ (regression coefficient) and p-value (observed significance value). We can only reject the null hypothesis ($H_0$) when α (the probability outside the critical region) is greater than the p-value. For the two-tailed test,

$H_0: \kappa_i = 0$
$H_a: \kappa_i \neq 0$

$$t_i = \frac{\hat{\kappa}_i}{s_{\hat{\kappa}_i}} \qquad \text{(B-1)}$$

where $s_{\hat{\kappa}_i}$ is the estimated standard error of $\hat{\kappa}_i$.

Rejection region: $|t_i| > t_{\alpha/2}$

Critical values for Student's t, with degrees of freedom $n - k - 1 = 124 - 8 - 1 = 113$ (n = number of analyzed data points, k = number of estimated parameters in the model):
For α = .05, $1.98 < t_{\alpha/2} < 2.00$, and for α = .01, $2.617 < t_{\alpha/2} < 2.660$.
Hence there is sufficient evidence that all of our parameters are not zero (the slope is not zero) at both the 95% and 99% confidence levels.
B.2. Analysis of variance F test: Testing the overall adequacy of the model
In this section, instead of verifying individual variables, we verify the overall adequacy of the model using the F test. Again, we can reject $H_0$ only when the absolute F is greater than $F_{\alpha}(8,115)$.

$$E(Y|X) = \kappa_0 + \kappa_1 X_3^2 + \kappa_2 X_3 X_7 + \kappa_3 X_1 X_2 + \kappa_4 X_3 X_6 + \kappa_5 X_2^2 + \kappa_6 X_2 X_4 + \kappa_7 X_6 X_7 + \kappa_8 X_2 X_7 \qquad \text{(B-2)}$$

$H_0: \kappa_1 = \kappa_2 = \dots = \kappa_8 = 0$
$H_a$: at least one of the parameters $\kappa_1, \kappa_2, \dots, \kappa_8 \neq 0$

Test statistic:
$$F = \frac{SS(\text{Model})/k}{SSE/(n - (k+1))} = 234.591 \qquad \text{(B-3)}$$

Rejection region: $F > F_{\alpha}(8,115)$
For α = .05, $2.02 < F_{\alpha} < 2.10$, and for α = .01, $2.66 < F_{\alpha} < 2.82$.
162
Hence there is sufficient evidence that all of our κ
i
parameters are not zero (slope is not
zero) at both 95% and 99% confidence level. Moreover, the reason we chose this model
because with condition index < 15 to avoid undesirable multicollinearity problem i.e.
instability model caused by high correlation between independent variables (The lowest
eigenvalue 3.419E-02 which provide condition index = 12.764), this model has highest r
(correlation coefficient) = 0.971, r
2
(deterministic coefficient which tell how much variation
is explained by the model) = 0.943 and adjusted r
2
=0.939 (corrected deterministic
coefficient) and lowest standard error of estimate = 1464.419.
Hence, we found that worm can be very effective if it heavily searches potential targets
with more file extensions (larger hit list) and with more interaction with other worms. The
chosen second-order with 7 related independent variables shows extremely high correlation
with infection nodes (r
2
= 0.93, F=234.59 and p < 0.001) Our model has been tested with
another set of data from different days and shows that it can effectively predict 78%
correctly with 95% prediction interval (residual was normally distributed).
This model confirms that worm interaction is a very important factor in determining the
worm propagation pattern. However, the add/remove registry entries are only the footprint of
worm interaction. To understand worm interaction better, we create the worm interaction
model (Chapters 4-7) based on the epidemic model.
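The F test of B.2 can be reproduced end to end. The following Python is an added example, not code from the dissertation: it fits the second-order model of Eq. (B-2) by ordinary least squares on a constructed data set (the dissertation's report-count data are not on this page), computes SS(Model), SSE, $r^2$, adjusted $r^2$ and the F statistic exactly as defined above, and evaluates the p-value, and the quoted bounds on $F_{\alpha}(8,115)$, with the regularized incomplete beta function instead of a printed table. The true κ values, the noise level and the uniform range of the regressors are assumptions of the example; the condition index used for the multicollinearity check is not computed here.

```python
import math
import random

def design_row(x):
    """Regressors of the second-order model of Eq. (B-2) for one observation
    x = (X1, ..., X7); the leading 1.0 carries the intercept kappa_0."""
    X1, X2, X3, X4, X5, X6, X7 = x          # X5 is not used by the chosen model
    return [1.0, X3 * X3, X3 * X7, X1 * X2, X3 * X6,
            X2 * X2, X2 * X4, X6 * X7, X2 * X7]

def solve(A, b):
    """Solve A x = b by Gaussian elimination with partial pivoting."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(col + 1, n):
            f = M[r][col] / M[col][col]
            for c in range(col, n + 1):
                M[r][c] -= f * M[col][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        x[i] = (M[i][n] - sum(M[i][j] * x[j] for j in range(i + 1, n))) / M[i][i]
    return x

def ols_fit(rows, y):
    """Least-squares kappa from the normal equations X'X kappa = X'y."""
    p = len(rows[0])
    XtX = [[sum(r[i] * r[j] for r in rows) for j in range(p)] for i in range(p)]
    Xty = [sum(r[i] * yi for r, yi in zip(rows, y)) for i in range(p)]
    return solve(XtX, Xty)

def betacf(a, b, x, max_iter=300, eps=1e-14):
    """Continued fraction of the incomplete beta function (modified Lentz)."""
    tiny = 1e-300
    qab, qap, qam = a + b, a + 1.0, a - 1.0
    c, d = 1.0, 1.0 - qab * x / qap
    d = 1.0 / (d if abs(d) >= tiny else tiny)
    h = d
    for m in range(1, max_iter + 1):
        m2 = 2 * m
        for aa in (m * (b - m) * x / ((qam + m2) * (a + m2)),
                   -(a + m) * (qab + m) * x / ((a + m2) * (qap + m2))):
            d = 1.0 + aa * d
            d = 1.0 / (d if abs(d) >= tiny else tiny)
            c = 1.0 + aa / c
            c = c if abs(c) >= tiny else tiny
            h *= d * c
        if abs(d * c - 1.0) < eps:
            break
    return h

def betai(a, b, x):
    """Regularized incomplete beta function I_x(a, b)."""
    if x <= 0.0:
        return 0.0
    if x >= 1.0:
        return 1.0
    bt = math.exp(math.lgamma(a + b) - math.lgamma(a) - math.lgamma(b)
                  + a * math.log(x) + b * math.log(1.0 - x))
    if x < (a + 1.0) / (a + b + 2.0):
        return bt * betacf(a, b, x) / a
    return 1.0 - bt * betacf(b, a, 1.0 - x) / b

def f_sf(f, d1, d2):
    """P(F > f) for an F(d1, d2) variate, i.e. the p-value of the F test; the
    critical value F_alpha(d1, d2) is the f at which this equals alpha."""
    return betai(d2 / 2.0, d1 / 2.0, d2 / (d2 + d1 * f))

def f_test(rows, y):
    """ANOVA F test of H0: kappa_1 = ... = kappa_k = 0, with
    F = [SS(Model)/k] / [SSE/(n - (k + 1))], plus r^2 and adjusted r^2."""
    kappa = ols_fit(rows, y)
    n, k = len(rows), len(kappa) - 1
    yhat = [sum(c * b for c, b in zip(r, kappa)) for r in rows]
    ybar = sum(y) / n
    ss_model = sum((yh - ybar) ** 2 for yh in yhat)
    sse = sum((yi - yh) ** 2 for yi, yh in zip(y, yhat))
    df_error = n - (k + 1)
    F = (ss_model / k) / (sse / df_error)
    r2 = ss_model / (ss_model + sse)
    return {"kappa": kappa, "F": F, "df": (k, df_error),
            "p_value": f_sf(F, k, df_error), "r2": r2,
            "adj_r2": 1.0 - (1.0 - r2) * (n - 1) / df_error}

def constructed_dataset(n=40, seed=7):
    """Constructed sample (not the dissertation's data): X1..X7 uniform on
    [0, 10], Y from Eq. (B-2) with an assumed kappa plus N(0, 5^2) noise."""
    rng = random.Random(seed)
    true_kappa = [100.0, 1.5, 0.8, -2.0, 0.5, 1.2, 0.3, -0.7, 0.9]
    rows, y = [], []
    for _ in range(n):
        row = design_row([rng.uniform(0, 10) for _ in range(7)])
        rows.append(row)
        y.append(sum(c * b for c, b in zip(row, true_kappa)) + rng.gauss(0, 5))
    return rows, y

if __name__ == "__main__":
    res = f_test(*constructed_dataset())
    print(f"F = {res['F']:.2f} on {res['df']} df, p = {res['p_value']:.2e}")
    print(f"r^2 = {res['r2']:.3f}, adjusted r^2 = {res['adj_r2']:.3f}")
    for f_alpha in (2.02, 2.66):   # table bounds quoted above for F_alpha(8, 115)
        print(f"P(F(8,115) > {f_alpha}) = {f_sf(f_alpha, 8, 115):.4f}")
```

Running it prints the tail probability of the two table values quoted above, 2.02 and 2.66, which come out at about 0.05 and 0.01 for (8, 115) degrees of freedom, so the rejection regions of B.2 can be checked without a printed table; with the same function the p-value of the observed F = 234.591 is far below 0.001.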
[Figure B.1 plots: (a) Report Counts vs. Events 1-121, series Counts, Predicted Mean, L_CI, U_CI; (b) Report Counts vs. Events 1-9, series Counts, Predicted Mean, L_PI, U_PI]
[Figure B.1] shows that the proposed regression model is very accurate. Comparison of
infected hosts (report count) and predicted values from the chosen model with (a) the
training data set with a 95% confidence interval plot (L_CI/U_CI = Lower/Upper Confidence
Interval), and (b) the new data set with a 95% prediction interval (L_PI/U_PI = Lower/Upper
Prediction Interval).
Appendix C: Simulation Results on Worm Propagation in Ad-hoc
Networks
To understand worm propagation in ad-hoc networks, we test network worm
propagation using ns-2 simulation. Our goal is to gain a better understanding of worm
propagation in a rich set of environments. In this section, we start by comparing single-type
worm simulations in ad-hoc networks with the epidemic model. Then we investigate the
effects of incubation time (delay after infection) and mobility characteristics on single-type
worm propagation.
Table C.1 Simulation setup
                   Wired              Ad-hoc Networks
Number of nodes    50                 50
Routing protocol   Static             DSR, DSDV, AODV
Topology           Star-shaped        Random
Mobility           N/A                Random Way Point [1, 2] (v_max = 20 m/s)
Area               N/A                150x150 (dense), 300x300 (dense), 670x670 (sparse)
Bandwidth          10, 25 Mb/s        10 Mb/s
Delay              20 ms, 10 μs       20 ms
Packet size        404 Bytes          404 Bytes
C.1 Epidemic model and single-type worm
In Fig. C.1, the epidemic model is compared with worm propagation in static and
dynamic wireless networks (DSR) and in wired networks with different bandwidth and propagation
delay. All of them show the phase transition characteristic. Only the dynamic DSR network shifts
slightly to the right, due to mobility and routing overhead. The results show that, under the basic
assumptions, the epidemic model is sufficient to explain single-type worm behavior even
with different topologies, i.e. star-shaped and random graph. Fig 3(b) shows the effect when a
removal rate is introduced in the epidemic model.
[Figure C.1 plot: Infected Number (Nodes) vs. time (sec), 0-20 s; series: Epidemic Model, Static dsr (dense), Static dsr (sparse), Dynamic dsr, Wired 25 MB/S 25 ms, Wired 10 MB/S 10us]
[Figure C.1] shows that the epidemic model is generally adequate for predicting one-type worm
behavior, and that the wired network and the wireless ad-hoc network (DSR) are closely
related except when mobility is introduced.
C.2 Incubation effects
Before we move on to the interaction of multiple worm types, we test the effect of incubation
time (delay after infection, caused either by human interaction or by worm tactics to avoid
intrusion detection systems), shown in Fig. C.2. We assume that the incubation time is
exponentially distributed with mean ϖ. Three ϖ values (0.0 sec, 0.5 sec, 1.0 sec) are tested
with the DSR wireless network and the wired network.
In the mobile ad-hoc network, the ϖ values shift the infection characteristic
linearly. However, in the wired network, the infection characteristic changes exponentially with
the ϖ values. The basic epidemic model does not emphasize the incubation effect and
assumes immediate infection.
[Figure C.2 plot: infected number (nodes) vs. time (sec), 0-20 s; series: dsr t=0.0, dsr t=0.5, dsr t=1.0]
[Figure C.2] Incubation time of a worm causes a serious drop in propagation rate. Three
different incubation times (0, 0.5, 1 second) are chosen to show the impact in DSR.
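A minimal event-driven simulation, added here as an illustration and not the ns-2 setup of Table C.1, reproduces the incubation effect of C.2 under the homogeneous-mixing assumption behind the epidemic model of C.1: every infectious node scans uniformly random addresses as a Poisson process, and a newly infected node starts scanning only after an exponentially distributed incubation delay with mean ϖ. The node count of 50 follows Table C.1; the scan rate of one scan per second, the single initially infected node, the seeds and the absence of any routing protocol or mobility are assumptions of the example, so its curves correspond to the wired/epidemic case rather than to the DSR runs in the figure.

```python
import random

def simulate_worm(n_nodes=50, scan_rate=1.0, incubation_mean=0.0,
                  initial_infected=1, t_max=1000.0, seed=0):
    """Event-driven random-scan SI worm with an exponential incubation period.

    Each infectious node emits scans as a Poisson process of rate `scan_rate`;
    a scan picks a uniformly random address among the n_nodes hosts (homogeneous
    mixing, as in the basic epidemic model). A newly infected node begins to scan
    only after an Exp(mean = incubation_mean) delay, the incubation time of C.2.
    Returns [(time, infected_count), ...] with one entry per infection event,
    or None if the worm has not reached every node by t_max.
    """
    rng = random.Random(seed)
    susceptible = set(range(initial_infected, n_nodes))
    # time at which each infected node becomes infectious (starts scanning)
    infectious_at = {v: 0.0 for v in range(initial_infected)}
    t = 0.0
    timeline = [(0.0, initial_infected)]
    while susceptible:
        active = sum(1 for ta in infectious_at.values() if ta <= t)
        pending = [ta for ta in infectious_at.values() if ta > t]
        if active == 0:
            t = min(pending)       # nobody scans until an incubation period ends
            continue
        # Time to the next scan from any active node. The exponential clock is
        # memoryless, so it may be re-drawn whenever the active set changes.
        t_next = t + rng.expovariate(active * scan_rate)
        if pending and min(pending) < t_next:
            t = min(pending)       # a node finishes incubating first
            continue
        t = t_next
        if t > t_max:
            return None
        target = rng.randrange(n_nodes)   # random scan of the whole address space
        if target in susceptible:
            susceptible.remove(target)
            delay = rng.expovariate(1.0 / incubation_mean) if incubation_mean > 0 else 0.0
            infectious_at[target] = t + delay
            timeline.append((t, len(infectious_at)))
    return timeline

def infected_at(timeline, t):
    """Number of infected nodes at time t (one point of a Fig. C.2-style curve)."""
    count = timeline[0][1]
    for when, n in timeline:
        if when <= t:
            count = n
    return count

def mean_time_to_full_infection(incubation_mean, seeds=range(20), **kw):
    """Average time until every node is infected, over several simulation seeds."""
    times = []
    for s in seeds:
        tl = simulate_worm(incubation_mean=incubation_mean, seed=s, **kw)
        if tl is None:
            raise RuntimeError("run did not saturate before t_max")
        times.append(tl[-1][0])
    return sum(times) / len(times)

if __name__ == "__main__":
    for w in (0.0, 0.5, 1.0):              # the three incubation means of Fig. C.2
        tl = simulate_worm(incubation_mean=w, seed=1)
        curve = [infected_at(tl, t) for t in range(0, 21, 5)]
        print(f"mean incubation {w:.1f}s: infected at t=0,5,..,20 -> {curve}; "
              f"full infection after {mean_time_to_full_infection(w):.2f}s on average")
```

The averaged saturation time grows with the incubation mean, which is the drop in propagation rate that Fig. C.2 shows for DSR; because every infection in the spreading tree adds an independent delay before the new node contributes scans, the shift accumulates over the generations of the outbreak rather than being a single fixed offset.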
C.3 Protocol and Node Density Effects
In ad-hoc networks, worms are very sensitive to the routing protocol, as shown in Fig. C.3. We
choose three routing protocols to test: DSR, DSDV and AODV. In the sparse environment,
Fig. C.3a shows that DSR clearly helps worms infect all vulnerable nodes the quickest. In the
dense area, as shown in Fig. C.3b, DSR is slightly better than DSDV for worm spreading.
Notice that AODV is not the suitable routing protocol for worm infection in most
cases; the reason is that DSR always performs better than AODV with a large number of sources and
low mobility.
[Figure C.3 plots: infected number (nodes) vs. time (sec), 0-20 s; (a) aodv, dsdv, dsr in 670x670; (b) aodv, dsdv, dsr in 150x150 and 300x300]
[Figure C.3] Worms propagate most effectively in the DSR network when compared with
DSDV and AODV for both node densities, which are (a) 50 nodes in a 670x670 m² area
(sparse) and (b) 50 nodes in a 300x300/150x150 m² area (dense).
Appendix D: Other Types of Worm Interactions
Earlier, in Chapter 4, we only explained the models that we focus on in this dissertation. Here
we show the models that we have not discussed.
D.1 Aggressive Two-sided Interaction with No patch
[Figure D.1] Aggressive two-sided interactions with no patch (transition rates $\beta_A S I_A$, $\beta_B I_A I_B$, $\beta_B S I_B$, $\beta_A I_A I_B$)
As shown in Fig. D.1, in this aggressive two-sided interaction with no patch, every
state transition is the same as in the aggressive one-sided interaction, except that the prey can
also terminate the predator. Hence, an additional transition from predator to prey is added. The
model of this type of interaction is shown below:
$\dfrac{dS}{dt} = -S(\beta_A I_A + \beta_B I_B)$ . (Eq.D-1)
$\dfrac{dI_A}{dt} = I_A(\beta_A S - (\beta_B - \beta_A) I_B)$ . (Eq.D-2)
$\dfrac{dI_B}{dt} = I_B(\beta_B (S + I_A) - \beta_A I_A)$ . (Eq.D-3)
The epidemiological threshold for two-sided interaction with no patch is as follows:
$E = \dfrac{\beta_A S I_A}{(\beta_B - \beta_A) I_A I_B} = \dfrac{\beta_A S}{(\beta_B - \beta_A) I_B}$ (Eq.D-4)
States in Fig. D.1: S = Susceptible; $I_A$ = Infected with worm A (prey); $I_B$ = Infected with worm B (predator).
D.2 Friendly Interaction
In this type of interaction, there is no prey or predator, but one worm type (B) depends
on the other worm type (A) to spread. A real-life example is DoomJuice, which
relies on MyDoom's backdoor to propagate. The model of friendly interaction is shown
below:
[Figure D.2] Friendly interactions (transition rates $\beta_B I_A I_B$, $\beta_A S I_A$)
$\dfrac{dS}{dt} = -\beta_A S I_A$ . (Eq.D-5)
$\dfrac{dI_A}{dt} = \beta_A S I_A$ . (Eq.D-6)
$\dfrac{dI_B}{dt} = \beta_B I_A I_B$ . (Eq.D-7)
Because there is no termination and no vaccination in this worm interaction type, the
epidemiological threshold is not applicable here.
States in Fig. D.2: S = Susceptible; $I_A$ = Infected with worm A; $I_B$ = Infected with worm A and worm B.
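As an added example (not code from the dissertation), the following Python integrates the aggressive two-sided model of Eqs. (D-1)-(D-3) and the friendly model of Eqs. (D-5)-(D-7) with a fixed-step Runge-Kutta scheme and evaluates the threshold E of Eq. (D-4). The population of 1000 hosts, the rates $\beta_A$ = 0.001 and $\beta_B$ = 0.002 (predator faster than prey), the initial counts and the time horizons are assumptions of the example. Eq. (D-7) as written has no term bounding $I_B$ by $I_A$, so the friendly run is kept to a short horizon on which $I_B$ stays well below $I_A$.

```python
def rk4_step(f, t, y, dt):
    """One classical Runge-Kutta step for y' = f(t, y), y given as a list."""
    k1 = f(t, y)
    k2 = f(t + dt / 2, [a + dt / 2 * b for a, b in zip(y, k1)])
    k3 = f(t + dt / 2, [a + dt / 2 * b for a, b in zip(y, k2)])
    k4 = f(t + dt, [a + dt * b for a, b in zip(y, k3)])
    return [a + dt / 6 * (p + 2 * q + 2 * r + s)
            for a, p, q, r, s in zip(y, k1, k2, k3, k4)]

def integrate(f, y0, t_end, dt=0.01):
    """Integrate from t = 0 to t_end; returns [(t, [S, I_A, I_B]), ...]."""
    t, y = 0.0, list(y0)
    traj = [(t, list(y))]
    for _ in range(int(round(t_end / dt))):
        y = rk4_step(f, t, y, dt)
        t += dt
        traj.append((t, list(y)))
    return traj

def two_sided_no_patch(beta_a, beta_b):
    """Right-hand side of Eqs. (D-1)-(D-3): worm A (prey) and worm B (predator)
    each terminate the other; with no patching, S + I_A + I_B is conserved."""
    def f(t, y):
        S, IA, IB = y
        dS = -S * (beta_a * IA + beta_b * IB)                 # Eq. (D-1)
        dIA = IA * (beta_a * S - (beta_b - beta_a) * IB)      # Eq. (D-2)
        dIB = IB * (beta_b * (S + IA) - beta_a * IA)          # Eq. (D-3)
        return [dS, dIA, dIB]
    return f

def epidemiological_threshold(beta_a, beta_b, S, IB):
    """E of Eq. (D-4). For beta_b > beta_a, E > 1 is exactly the condition
    dI_A/dt > 0 in Eq. (D-2): the prey population is still growing."""
    return beta_a * S / ((beta_b - beta_a) * IB)

def friendly(beta_a, beta_b):
    """Right-hand side of Eqs. (D-5)-(D-7): worm B spreads only via worm A hosts."""
    def f(t, y):
        S, IA, IB = y
        return [-beta_a * S * IA, beta_a * S * IA, beta_b * IA * IB]
    return f

# Assumed population, rates and initial counts (not values from the dissertation).
def run_two_sided(n=1000, beta_a=0.001, beta_b=0.002, ia0=10.0, ib0=1.0, t_end=60.0):
    return integrate(two_sided_no_patch(beta_a, beta_b), [n - ia0 - ib0, ia0, ib0], t_end)

def run_friendly(n=1000, beta_a=0.001, beta_b=0.001, ia0=10.0, ib0=1.0, t_end=5.0):
    # I_B counts hosts carrying both worms, so S + I_A = n at all times here.
    return integrate(friendly(beta_a, beta_b), [n - ia0, ia0, ib0], t_end)

if __name__ == "__main__":
    traj = run_two_sided()
    S0, IA0, IB0 = traj[0][1]
    print(f"two-sided: E at t=0 is {epidemiological_threshold(0.001, 0.002, S0, IB0):.1f}")
    for t, (S, IA, IB) in traj[::1000]:
        print(f"  t={t:5.1f}  S={S:9.3f}  I_A={IA:9.3f}  I_B={IB:9.3f}")
    for t, (S, IA, IB) in run_friendly()[::100]:
        print(f"friendly: t={t:4.1f}  S={S:7.1f}  I_A={IA:7.1f}  I_B={IB:6.2f}")
```

With these parameters E is far above 1 at t = 0, so the prey grows at first; since $\beta_B > \beta_A$ the predator then takes over both the remaining susceptibles and the prey, and the run ends with $I_B$ equal to the whole population while S + $I_A$ + $I_B$ stays constant, as the no-patch assumption requires. The sign test on E is only valid for $\beta_B > \beta_A$; with a slower predator the denominator of Eq. (D-4) changes sign.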
Abstract
"War of the worms" is a war between opposing computer worms, creating complex worm interactions as well as a detrimental impact on infrastructure. For example, in September 2003 the Welchia worms were launched to terminate the Blaster worms and patch the vulnerable hosts. We propose a new Worm Interaction Model (based upon and extending beyond the epidemic model) focusing on random-scan network worm interactions and encounter-based worm interactions.
Asset Metadata
Creator: Tanachaiwiwat, Sapon (author)
Core Title: Analysis and countermeasures of worm propagations and interactions in wired and wireless networks
School: Viterbi School of Engineering
Degree: Doctor of Philosophy
Degree Program: Computer Engineering
Publication Date: 11/12/2007
Defense Date: 10/26/2007
Publisher: University of Southern California (original), University of Southern California. Libraries (digital)
Tag: encounter-based networks, network security, OAI-PMH Harvest, worm interactions, worm propagations
Language: English
Advisor: Helmy, Ahmed (committee chair), Govindan, Ramesh (committee member), Krishnamachari, Bhaskar (committee member)
Creator Email: stanachai@gmail.com
Permanent Link (DOI): https://doi.org/10.25549/usctheses-m920
Unique identifier: UC1231428
Identifier: etd-Tanachaiwiwat-20071112 (filename), usctheses-m40 (legacy collection record id), usctheses-c127-591593 (legacy record id), usctheses-m920 (legacy record id)
Legacy Identifier: etd-Tanachaiwiwat-20071112.pdf
Dmrecord: 591593
Document Type: Dissertation
Rights: Tanachaiwiwat, Sapon
Type: texts
Source: University of Southern California (contributing entity), University of Southern California Dissertations and Theses (collection)
Repository Name: Libraries, University of Southern California
Repository Location: Los Angeles, California
Repository Email: cisadmin@lib.usc.edu