Discrete-Time Simulation Method for Worm ... - Science Direct

Available online at www.sciencedirect.com Available online at www.sciencedirect.com

Procedia Engineering

Procedia Engineering 00 (2011) 000–000 Procedia Engineering 15 (2011) 4162 – 4167 www.elsevier.com/locate/procedia

Advanced in Control Engineeringand Information Science

Discrete-time simulation method for worm propagation model with pulse quarantine strategy Yu Yaoa,b,∗ , Hao Guoa,b, Ge Yua,b, Fu-xiang Gaoa,b a

Key Laboratory of Medical Image Computing (Ministry of Education), Northeastern University, Shenyang, 110819, China b School of Information Science and Engineering, Northeastern University, Shengyang, 110819, China

Abstract In this paper, discrete-time simulation method for worm propagation model with pulse quarantine strategy is proposed. Such method is firstly applied to traditional Kermack-Mckendrick model and is verified to be effective. Then, considering practical factors, worm propagation model with pulse quarantine strategy is simulated in the method. Through the comparison between numerical curves and simulation ones, discrete-time simulation method can well simulate worm propagation under pulse quarantine strategy. Finally, the algorithm of the method is given and analyzed.

© 2011 Published by Elsevier Ltd. Open access under CC BY-NC-ND license. Selection and/or peer-review under responsibility of [CEIS 2011] Keyword: worm propagation model with pulse quarantine strategy; discrete-time simulation; algorithm

1. Introduction Internet worms are malicious codes that can automatically propagate themselves and attack susceptible computers without human participation. They pose a great threat to our network security. Worm propagation models can help describe the characteristics of worms and constrain their spread. The method selected to verify the correction and effectiveness of models is thus significant. Enlightened by epidemiological studies, some epidemic models such as simple epidemic model and Kermack-Mckendrick

∗

Corresponding author. Tel.: +8613130283275. E-mail address: [email protected].

1877-7058 © 2011 Published by Elsevier Ltd. Open access under CC BY-NC-ND license. doi:10.1016/j.proeng.2011.08.781

Yu Yao et al. Procedia Engineering 15 00 (2011) 4162 – 4167 Yu Yao et /al/ Procedia Engineering (2011) 000–000

2

model are brought in to the field of worms. On this basis of them, more defensive strategies are put forward and enrich worm propagation models. However, Traditional numerical experiments provide simple mathematical iterations, not the environment simulating a real network. That is to say, numerical experiments are purely theoretical approaches without considering practical factors. As we know, opnet, omnet and ns2 are excellent network simulation software. They can well describe the behaviors and topologies of various networks. But to a large-scale network, they are not suitable to simulate it. Worms spread fast and thus cause many susceptible hosts to be infected. A discrete-time simulation method is thus proposed to simulate a network with numerous susceptible hosts. This paper is arranged like this: In next section, related work on simulation of worm propagation. Section 3 presents simulation of Kermack-Mckendrick model, one of pulse quarantine model is proposed in section 4. In section 5, we give the simulation algorithm. Section 6 gives the conclusion. 2. Related Work Over the past several years, plenty of worm propagation models [1-4] have been constructed. But most of them are been tested by numerical experiments. Scholars analyze the stability of their models and obtain corresponding numerical curves. But results from these experiments are absolutely separated from practice. In the actual network, certain randomness of worm propagation needs to be considered. In [5], Cliff Zou presents an experiment which is used to simulate the initial phase of Code Red Worm propagation. Only susceptible hosts and infected hosts are included in the experiment, which indicates that it is based on Simple Epidemic Model. On the basis of it, an expansion of it is made by us, which can be used to simulate worm propagation under pulse quarantine strategy. 3. Simulating Kermack-Mckendrick Model Kermack-Mckendrick model (KM model), the state transition diagram of which is shown in Fig.1(a), is firstly tested in the discrete-time simulation method. The model consists of three states: S (Susceptible), I (Infectious) and R (Removed). Some actual parameters is taken into consideration in the simulation experiment. To be closer to the practical environment, 1,000,000 hosts are selected as the population size. The scanning rate of Red Code worm η is 358 per minus [7], which is adopted in the experiment. The infection rate β is thus 358/232. Here recovery rate γ is 0.004 and the total number of hosts is 1,000,000. Fig.1(b) gives simulation curves with discrete-time simulation method and numerical curves.

S

β

I

γ

R

4163

4164

et al. / Procedia Engineering (2011) 4162 – 4167 Yu Yu YaoYao et al / Procedia Engineering 00 15 (2011) 000–000

Fig. 1. (a)State Transition Diagram of Kermack-Mckendrick Model; (b)Comparison between Numerical Curves and Simulation Ones under Kermack-Mckendrick Model

Comparisons between them show that numerical curves and simulation curves match very well. It indicates that discrete-time simulation method is effective and suitable for large-scale network. 4. Simulating Pulse Quarantine Model Pulse quarantine model is a worm propagation model with pulse quarantine strategy, which includes four states: susceptible (S), infectious (I), quarantined (Q) and vaccinated (V) [8]. Here V equates to R in the KM model. Fig.2(a) gives the state transition diagram of pulse quarantine model. The impulsive differential equations of pulse quarantine model are:

⎧ dS ⎫ ⎪ dt = pμ − β IS − μS − ωS ⎪ ⎪ ⎪ ⎪ dI = β IS − γI − μI − kI ⎪t ≠ nT ⎬ ⎪ dt ⎪ ⎪ (2) ⎪ dQ ⎪ = kI − ρ Q − μQ ⎨ ⎪ ⎭ ⎪ dt ⎪S (nT + ) = S (nT − ) − θ S (nT − ) ⎫ 1 ⎪ ⎪ + − − ⎪ I (nT ) = I (nT ) − θ 2 I (nT ) ⎬t = nT ⎪ + − − − ⎪ ⎪⎩Q (nT ) = Q (nT ) + θ1 S (nT ) + θ 2 I (nT )⎭ The pulse time T in the model is set to 10; birth/death rate is μ = 0.0005 ; quarantine vaccination rate is ρ = 0.5 and birth vaccination is ω = 0.00000006 ; constant quarantine rate is k = 0.003 ; in the pulse quarantine method, the false alarm rate θ1 = 0.01 and the true detection rate θ 2 = 0.02 . We assume I (0 ) = 10 , i.e., there are 10 infectious hosts while the rest of the hosts are vulnerable at the begnning. Other parameters are the same with that of KM model. Numerical curves and simulation curves are obtained with these parameters above and shown in the Fig.2(b). The good match between numerical curves and simulation ones indicates that discrete-time simulation method is effective in simulating worm propagation with pulse quarantine strategy.

pμ

ω

μ

(1 − p )μ

μ γ

β

θ2

k

θ1

ρ

μ

μ

3

4

Yu Yao et al. Procedia Engineering 15 00 (2011) 4162 – 4167 Yu Yao et /al/ Procedia Engineering (2011) 000–000

Fig. 2. (a)State Transition Diagram of Pulse Quarantine Model; (b)Comparison between Numerical Curves and Simulation Ones under Pulse Quarantine Model

5. Algorithm of Discrete-time Simulation Method The simulation method is based on discrete time. As long as computer processing ability allows, the total number of hosts in the simulation can be arbitrarily large. According to specific model, hosts can have various states, such as susceptible or infected. State transition of a host relies on the value of random number. Taking pulse quarantine model [8] for example, we state the algorithms of discrete-time simulation method. The algorithms can be classified into two parts: pulse quarantine algorithm and constant quarantine algorithm, which are given in Fig. 3. A minute or second can be defined as a unit time. In every unit time, the state of any host needs to be checked and a number from 0.0 to 1.0 is randomly selected to determinate whether the state of the host should be changed. When the value of random number is smaller than corresponding probability, the state of host will be changed. When a state can be changed into several other states, the scope of probability should be moved forward. For example, the immunity rate and death rate of a quarantined host is μ and ρ respectively. When the value of a random number is more than zero and less than μ, the state of the host is changed into dead. When the value of a random number is more than μ and less than μ + ρ, the host is immunized.

4165

4166

et al. / Procedia Engineering (2011) 4162 – 4167 Yu Yu YaoYao et al / Procedia Engineering 00 15 (2011) 000–000

Fig. 3. Simulation Algorithm for Quarantine Model

6. Conclusion The paper gives discrete-time simulation method, which is verified to be corrected by simulating KM model. Though simulation experiments for pulse quarantine model, it is found that such method is suitable for worm propagation model with pulse quarantine strategy. The method not only considers the randomness in the actual network and but also support simulation for large-scale network. It is closer to the reality and a good method for simulating worm propagation. 7. Acknowledgement This paper is supported by National Natural Science Foundation of China, NSFC No. 60803132; National 863 High-tech Program, No. 2007AA01Z181 and the Natural Science Foundation of Shandong Province of China, No. ZR2009GM037.

5

Yu Yao et al. Procedia Engineering 15 00 (2011) 4162 – 4167 Yu Yao et /al/ Procedia Engineering (2011) 000–000

6

8. Reference [1] G.Streftaris, G.J.Gibson. Statistical

inference for stochastic

epidemic models. The 17th International Workshop on

Statistical Modelling, p. 609~616, Chania, 2002. [2] J.C.Frauenthal. Mathematical Modeling in Epidemiology. Springer-Verlag, 1980. [3] Fangwei Wang, Yunkai Zhang, Changguang Wang, Jianfeng Ma, SangJae Moon. Stability analysis of a SEIQV epidemic model for rapid spreading worms. Computers & Security, In Press, Corrected Proof, Available online 13 October 2009. [4] Toutonji O, Yoo S. Passive benign worm propagation modeling with dynamic quarantine defense. KSII Transactions on Internet and Information Systems 2009; 3(1): 96-10. [6] Cliff C.Zou, Weibo Gong, Don Towsley. Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense. ACM CCS Workshop on Rapid Malcode (WORM'03), p.51-60, Oct. 27, Washington DC, USA, 2003. [7] Cliff C. Zou, Weibo Gong, Don Towsley. Code Red Worm Propagation Modeling and Analysis. The 9th ACM Conference on Computer and Communication Security (CCS'02), p.138-147, Nov. 18-22, Washington DC, USA, 2002 [8] Yu Yao, Hao Guo, Fu-xiang Gao, Ge Yu. The Worm Propagation Model with Pulse Quarantine Strategy. The 2010 International Conference on Multimedia Information Networking and Security (MINES), p.269-273, 2010.

4167