Propagation Model of Active Worms in P2P Networks

The 9th International Conference for Young Computer Scientists

Chaosheng Feng, Zhiguang Qin
School of Computer Science & Engineering, University of Electronic Science and Technology of China, Chengdu, China

Laurence Cuthbet, Laurissa Tokarchuk
Department of the Electronic Engineering, Queen Mary, University of London, London, UK

Abstract

P2P worms pose a serious threat to P2P networks. They exploit common vulnerabilities in member hosts of a P2P network and spread topologically through it, a potentially more effective strategy for locating victims than random scanning. Because the topology of a P2P network has an important effect on how P2P active worms spread, it is very difficult to model their propagation, and so far few propagation models have been proposed. In this paper, we propose a propagation model of active worms in P2P networks based on the discrete-time method. Analysis of the simulation results shows that there is a threshold value in the spreading of active worms and that different infection strategies lead to different infection results in P2P networks.

Keywords: Active worms, propagation, model, simulation, P2P networks

1. Introduction

Peer-to-peer (P2P) overlay networks enjoy enormous and ever-increasing popularity in real-life deployment. According to the website of Kazaa, a popular P2P application, there have been almost 39 million downloads in total and more than 0.8 million downloads in a single week (November 14, 2005) [1]. The eDonkey2000 network alone typically has over 2 million users connected at any given time [2], while BitTorrent [3], the most popular P2P file-transfer system, has more than 10 million users. The widely deployed P2P systems used by end users, however, have strong security implications. P2P networks provide an ideal venue for new types of worms that prey on common vulnerabilities on the hosts in a P2P network. These worms identify new victims simply by following P2P neighbor information on infected hosts. They differ from the currently popular scanning worms, which probe addresses randomly for new victims, in three important ways. First, they spread much faster, since they do not waste time probing unused IP addresses. Second, they do not generate high rates of failed connections. Finally, they can blend into the normal traffic patterns of the P2P network. The lack of abnormal network behavior makes P2P worms a potentially more deadly threat, because most existing defense mechanisms against scanning worms are no longer effective. Because the number of subscribers to a P2P network such as BitTorrent is estimated to be in the millions, P2P worms have the potential to compromise a significant fraction of the Internet population [4].

In this paper, we focus on unstructured P2P file-sharing networks such as BitTorrent and eDonkey. Most worms target these networks. Our purpose is to model the spreading of P2P active worms in P2P networks. In the next section, we introduce active worms in detail. The contributions of this paper are as follows.

1) Propose a propagation model of P2P active worms based on the discrete-time method.
2) Simulate the model with numerical simulation software that we developed ourselves.
3) Discuss the impact of varying initial infection strategies on worm spreading.

The rest of this paper is organized as follows. We briefly introduce existing studies of worm propagation in Section 2. In Section 3, we present a propagation model of active worms. In Section 4, we analyze the properties of worm spreading with simulation experiments. Finally, we conclude in Section 5.

978-0-7695-3398-8/08 $25.00 © 2008 IEEE DOI 10.1109/ICYCS.2008.237

2. Related work

2.1. P2P Worm Classification


Authorized licensed use limited to: Queen Mary University of London. Downloaded on April 10, 2009 at 06:09 from IEEE Xplore. Restrictions apply.

By scanning strategy, worms can be classified into two classes: scanning worms and non-scanning worms. Many notorious Internet worms employ a random scanning strategy to find potential victims. P2P worms tend to use the neighbor list to find potential victims instead of scanning, so P2P worms are non-scanning. By mode of attack, we identify three types of non-scanning worms that could leverage P2P networks: passive worms, which hide themselves in malicious files and trick users into downloading and opening them; reactive worms, which propagate only with legitimate network activities; and active worms, which automatically connect to and infect known peers using topological information [5]. Note that reactive and active worms are analogous to contagion and topological worms, respectively.

2.2. P2P Networks

A P2P network is a group of Internet nodes that construct their own special-purpose network on top of the Internet. Such a system performs application-level routing on top of IP routing. There are two types of P2P networks: structured and unstructured. In structured P2P networks the nodes organize themselves in an orderly fashion, while in unstructured P2P networks the nodes organize themselves randomly. Structured P2P networks boast an efficient lookup mechanism by means of DHTs (Distributed Hash Tables). In a structured P2P system, all P2P nodes maintain the same topology degree, which defines the number of neighbors of each P2P node. For example, one node in a d-dimensional CAN maintains 2d neighbors [6]. Conversely, unstructured P2P networks mostly use broadcast search, like the BitTorrent system [7]. In such a system, the topology degree varies from node to node. In this paper, we use the BitTorrent system to represent generalized unstructured P2P networks.

2.3. Existing Modeling Work on Worms

Modeling and analysis of the propagation of worms have been studied for several years. Staniford et al. used the classical simple epidemic model to model the spread of the Code Red worm [1,8]. They also concluded that P2P systems are well suited to contagion worm propagation, but they did not give detailed modeling and analysis. Zou et al. presented a two-factor worm model that considered human countermeasures and the network congestion effect [9]. Chen et al. presented a discrete-time worm model that considered the patching and cleaning effect [10]. Yu et al. researched propagation models of Peer-to-Peer system-based worms in the Internet [11,12,13]. Existing work on P2P networks shows that P2P topologies approximately follow power-law distributions [14,15].

3. P2P active worm propagation model

Studying worm propagation using the aggregated properties of P2P networks typically assumes a static topology, in which a node stores the addresses of all neighbors with which it has communicated. P2P networks are complex systems, and it may not be feasible to use an analytical approach to model worm propagation without making overly simplified assumptions. Instead we present a unified simulation framework, driven by a P2P workload model, to study active P2P worms. To model with the discrete-time method, it is necessary to explain the parameters and assumptions employed in the following model.

3.1. Model Parameters and Assumptions

The intent of our modeling is to predict the propagation behavior of a worm that spreads through a P2P network. We make the following simplifying assumptions.

1) The topology of the P2P network is unchanged, including the number of peers and the degree distribution. This assumption is reasonable because P2P active worms spread very fast.
2) A peer takes one time unit to transit from one state to another.

Table 1. Parameters in models

Parameter: Description
$S(t)$: Proportion of susceptible peers at time unit t. Here, $S(t) + I(t) = 1$.
$I(t)$: Proportion of infected hosts at time unit t.
$S_k(t)$: Proportion of susceptible peers among all peers (susceptible or infected) with degree k at time unit t. Here, $S_k(t) + I_k(t) = 1$.
$I_k(t)$: Proportion of infected peers among all peers (susceptible or infected) with degree k at time unit t.
$\beta$: Average infection probability, at which a susceptible peer is infected by an infected neighbor.
$\gamma$: Average recovery probability, at which an infected peer returns to be susceptible.
$\tilde{k}$: Average degree of a P2P network.
$P(k)$: Proportion of peers with degree k among all peers.


In order to formally analyze attack strategies and the epidemiological modeling of P2P worms, we list in Table 1 the main parameters that have an impact on worm attack effects.

3.2. SIS Model

To address the effect of the topology of P2P networks on epidemic spreading, we use the SIS epidemiological model. In this model, peers can exist in only two discrete states, namely susceptible and infected. These states completely neglect the details of the infection mechanism within each individual. P2P active worm transmission is also described in an effective way. At each time unit, each susceptible node is infected with probability β if it is connected to one infected node. At the same time, infected nodes are cured and become susceptible again with probability γ. Peers run stochastically through the cycle susceptible → infected → susceptible, hence the name of the model. The SIS model does not take into account the possibility of peer removal due to death or acquired immunization.

Lemma 1. In a P2P network with initial infected nodes, the probability that any susceptible node of degree k is infected is

$$p = \beta k \Theta(I(t)),$$

where

$$\Theta(I(t)) = \frac{\sum_k k P(k) I_k(t)}{\sum_s s P(s)} = \tilde{k}^{-1} \sum_k k P(k) I_k(t).$$

Proof: For any node with degree k, because the ratio of the number of infected neighbor nodes to the number of all neighbor nodes is $I_k(t)$, there are $k I_k(t)$ infected nodes among its neighbors. Thus, the average number of infected neighbors in the network is $\sum_k k P(k) I_k(t)$. Because the average number of neighbor nodes is $\tilde{k} = \sum_s s P(s)$, the average infected proportion of the neighbors of a node is

$$\frac{\sum_k k P(k) I_k(t)}{\sum_s s P(s)} \quad \text{or} \quad \tilde{k}^{-1} \sum_k k P(k) I_k(t),$$

which is denoted as $\Theta(I(t))$. Because a node with degree k has $k \Theta(I(t))$ infected neighbor nodes, and the probability of a susceptible node being infected by one of its infected neighbors is β, the probability that the node is infected at time t is $p = \beta k \Theta(I(t))$.

Theorem 1. In a time unit, the rate at which the proportion of infected nodes among all nodes with degree k changes is

$$I_k(t+1) - I_k(t) = \beta k (1 - I_k(t)) \Theta(I(t)) - \gamma I_k(t).$$

Proof: According to Lemma 1, a susceptible node with degree k is infected with probability $\beta k \Theta(I(t))$. At time unit t, the proportion of susceptible nodes among all nodes with degree k is $(1 - I_k(t))$. Hence, $\beta k (1 - I_k(t)) \Theta(I(t))$ susceptible nodes become infected in a time unit. Meanwhile, $\gamma I_k(t)$ infected nodes return to being susceptible. Therefore, the change rate of the proportion of infected nodes with degree k in a time unit is

$$I_k(t+1) - I_k(t) = \beta k (1 - I_k(t)) \Theta(I(t)) - \gamma I_k(t).$$

Theorem 2. In a time unit, the change rate of the proportion of infected nodes in a P2P network is

$$I(t+1) - I(t) = \beta \tilde{k} (1 - \Theta(I(t))) \Theta(I(t)) - \gamma I(t).$$

Proof:

$$I_k(t+1) - I_k(t) = \beta k (1 - I_k(t)) \Theta(I(t)) - \gamma I_k(t)$$

$$I_k(t+1) = \beta k (1 - I_k(t)) \Theta(I(t)) + (1 - \gamma) I_k(t)$$

$$P(k) I_k(t+1) = \beta k P(k) (1 - I_k(t)) \Theta(I(t)) + (1 - \gamma) P(k) I_k(t)$$

$$\sum_k P(k) I_k(t+1) = \beta \left( \sum_k k P(k) - \sum_k k P(k) I_k(t) \right) \Theta(I(t)) + (1 - \gamma) \sum_k P(k) I_k(t)$$

$$I(t+1) - I(t) = \beta \left( \tilde{k} - \tilde{k} \Theta(I(t)) \right) \Theta(I(t)) - \gamma I(t)$$

$$I(t+1) - I(t) = \beta \tilde{k} (1 - \Theta(I(t))) \Theta(I(t)) - \gamma I(t)$$

4. Simulation experiments

4.1. Simulation Description

In order to analyze and study the propagation properties of P2P active worms, we implemented a simulation system based on the simulation platform Peersim. Simulation involves two steps. First, we use Brite, a popular topology generator, to generate a power-law topology. Second, we run the simulation software with the topology to get simulation results. The simulator first initializes various components, such as the infection probability and the initial infected peers. Almost all the peers are initialized to be susceptible and only a few nodes are initialized to be infected. To clearly compare theoretical values with simulation values, we put them on the same plots. To simplify simulation, the simulator abides by the same assumptions.
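The recurrence of Theorem 1 can also be iterated directly per degree class. The following Python code is an added example, not the authors' Peersim simulator; the truncated power-law degree distribution, the values of β, γ and the seed size, the cap on βkΘ, and the threshold k̃/⟨k²⟩ (obtained here by linearising the recurrence around zero infection) are assumptions of the example.

```python
# Added example (not from the paper): iterate Theorem 1's recurrence per degree class.
# Degree range, exponent, beta, gamma and seed size are assumed values.

def power_law(k_min=2, k_max=100, exponent=2.5):
    """Truncated power-law P(k) proportional to k**-exponent (assumed topology)."""
    w = {k: k ** -exponent for k in range(k_min, k_max + 1)}
    total = sum(w.values())
    return {k: v / total for k, v in w.items()}

def theta(P, Ik):
    """Theta(I(t)) = sum_k k P(k) I_k(t) / sum_s s P(s)  (Lemma 1)."""
    return sum(k * P[k] * Ik[k] for k in P) / sum(k * p for k, p in P.items())

def prevalence(P, Ik):
    """I(t) = sum_k P(k) I_k(t)."""
    return sum(P[k] * Ik[k] for k in P)

def step(P, Ik, beta, gamma):
    """I_k(t+1) = I_k(t) + beta*k*(1 - I_k(t))*Theta - gamma*I_k(t)."""
    th = theta(P, Ik)
    # beta*k*Theta is a probability; the cap at 1 is a guard added in this example.
    return {k: Ik[k] + min(1.0, beta * k * th) * (1 - Ik[k]) - gamma * Ik[k]
            for k in P}

def seed(P, i0, highest_first=None):
    """Initial I_k(0) with overall prevalence i0: spread evenly over all classes
    (None), or packed into the highest- or lowest-degree classes first."""
    if highest_first is None:
        return {k: i0 for k in P}
    Ik, left = {k: 0.0 for k in P}, i0
    for k in sorted(P, reverse=highest_first):
        Ik[k] = min(1.0, max(0.0, left) / P[k])
        left -= Ik[k] * P[k]
    return Ik

def simulate(P, Ik, beta, gamma, steps=500):
    """Return the prevalence series I(0), ..., I(steps)."""
    series = [prevalence(P, Ik)]
    for _ in range(steps):
        Ik = step(P, Ik, beta, gamma)
        series.append(prevalence(P, Ik))
    return series

def threshold(P):
    """delta_c = <k>/<k^2>, from linearising the recurrence around I_k = 0
    (derived for this example; the paper does not state a value)."""
    return sum(k * p for k, p in P.items()) / sum(k * k * p for k, p in P.items())

def time_to_half(series):
    """First time unit at which I(t) reaches half of its final value."""
    return next(t for t, v in enumerate(series) if v >= 0.5 * series[-1])

if __name__ == "__main__":
    P, gamma = power_law(), 0.2
    for ratio in (0.5, 3.0):                     # delta relative to the threshold
        beta = ratio * threshold(P) * gamma
        for name, order in (("max", True), ("random", None), ("min", False)):
            s = simulate(P, seed(P, 1e-4, order), beta, gamma)
            print(ratio, name, time_to_half(s), round(s[-1], 4))
```

Below the threshold the prevalence decays to zero; above it, every seeding strategy settles at the same endemic level, and seeding the highest-degree classes only shortens the time needed to get there.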

4.2. Simulation Evaluation

According to Figures 1-3, whatever the value of δ (= β/γ, called the valid infection rate), once it reaches or surpasses some value (the threshold), the epidemic spreading of P2P active worms reaches an endemic state with a stationary and constant prevalence of infected peers. Moreover, when δ reaches or surpasses some larger value, all peers will be infected (Figure 1). On the contrary, when δ is smaller than the threshold, all peers will be susceptible after some time (Figure 3).

[Figure 1. The simulation results with varied values of δ (large). Curves: Delta=90, Delta=70, Delta=50. Axes: proportion of infected peers against time units.]

[Figure 2. The simulation results with varied values of δ (middle). Curves: Delta=2/3, Delta=1, Delta=2. Axes: proportion of infected peers against time units.]

[Figure 3. The simulation results with varied values of δ (small). Curves: Delta=0.2, Delta=0.1, Delta=0.05. Axes: proportion of infected peers against time units.]

Figure 4 examines the effect of initial infected peers with varying degrees on the propagation of active worms. Intuitively, for initial infected peers with larger degrees, the active worm would spread faster and reach a steady state with a larger stationary and constant prevalence of infected peers. Figure 4, however, shows that the prevalence values are the same for initial infected peers with varying degrees. Initial infected peers with larger degrees do lead to faster spreading of active worms, which suggests that the propagation of active worms can be throttled by protecting the peers with larger degrees from worms.

[Figure 4: Comparison of infectious prevalence with different infection strategies. Curves: Selected infection(Max), Random infection, Selected infection(Min). Axes: proportion of infected peers against time units. Selected infection(Max) refers to the case of initial infected peers with the 10 maximum degrees, while Selected infection(Min) refers to the case with the 10 minimum degrees.]

5. Conclusions

In this paper, we aim at modeling P2P active worm propagation with the discrete-time method. Large-scale simulations are done in P2P networks with scale-free topology. Based on the simulation results, we analyze the spreading properties of active worms in P2P networks. The analysis shows that there is a threshold value in the spreading of active worms. When the valid propagation rate reaches or surpasses the threshold value, the epidemic spreading of P2P active worms reaches an endemic state with a constant prevalence of infected peers. Otherwise the infection dies out fast. The simulation results also show that different infection strategies lead to different infection results, which helps us to propose methods of throttling the spreading of worms.

Acknowledgment


The author would like to thank the anonymous reviewers for their valuable comments and suggestions that improve the presentation of this paper. This work is supported by the National Natural Science Foundation of China under Grant No.60473090 and the joint research project funded by the Royal Society in the UK and by the National Natural Science Foundation of China (NSFC) under Grant No.60711130232. This work is also supported by the important project of Sichuan Normal University of China under Grant No.07ZD018.

References

[1] S. Staniford, V. Paxson, and N. Weaver. How to Own the Internet in Your Spare Time. In Proceedings of the 11th USENIX Security Symposium, San Francisco, CA, Aug. 2002.
[2] "eDonkey2000 server list," http://ocbmaurice.noip.org/slist/serverlist.html.
[3] Bittorrent Protocol Specification v1.0, http://www.bitconjurer.org/BitTorrent/protocol.html
[4] L. Zhou, L. Zhang, F. McSherry, N. Immorlica, M. Costa, and S. Chien. A first look at peer-to-peer worms: Threats and defenses. In Proceedings of the 4th International Workshop on Peer-to-Peer Systems, Ithaca, NY, Feb. 2005.
[5] Guanling Chen, Robert S. Gray. Simulating non-scanning worms on peer-to-peer networks. In Proceedings of the 1st international conference on Scalable information systems, Hong Kong, China, 2006.
[6] S. Ratnasamy, "A Scalable Content Addressable Network", Proceedings of ACM SigComm, San Diego, 2001.
[7] M. Ripeanu, I. Foster, "Mapping the Gnutella Network: Macroscopic Properties of Large-Scale Peer-to-Peer Systems", Proceedings of the 1st International Workshop on Peer-to-Peer Systems (IPTPS), 2002.
[8] D. Moore, C. Shannon, and k claffy. Code-Red: a case study on the spread and victims of an Internet worm. In Proceedings of the Second ACM Internet Measurement Workshop, 2002.
[9] C. C. Zou, W. Gong, and D. Towsley, "Code Red Worm Propagation Modeling and Analysis", In Proceedings of the 9th ACM Conference on Computer and Communication Security (CCS), Washington DC, November 2002.
[10] Z. Chen, L. Gao, and K. Kwiat, "Modeling the Spread of Active Worms", IEEE INFOCOM, 2003.
[11] Wei Yu, "Analyze the Worm-Based Attack in Large Scale P2P Networks", In Proceedings of the 8th IEEE International Symposium on High Assurance Systems Engineering (HASE'04), 2004.
[12] Wei Yu, "Analyzing the performance of Internet worm attack approaches", In Proceedings of the 13th International Conference on Computer Communications and Networks, 2004.
[13] Wei Yu, Corey Boyer, Sriram Chellappan and Dong Xuan, "Peer-to-Peer System-based Active Worm Attacks: Modeling and Analysis", In Proceedings of IEEE International Conference on Communications (ICC), May 2005.
[14] M. Ripeanu. Peer-to-peer architecture case study: Gnutella network. In Proceedings of the First International Conference on Peer-to-Peer Computing, Linkoping, Sweden, Aug. 2001.
[15] S. Sen and J. Wang. Analyzing peer-to-peer traffic across large networks. IEEE/ACM Transactions on Networking, 12(2), Apr. 2004.
