modeling and analyzing of the interaction between worms and antiworms during network worm...

Science in China Ser．F Information Sciences 2005 Vo1．48 No．1 91～106

Modeling and analyzing of the interaction

between．worms and antiworms during

network worm propagation

YANG Feng’．DUAN Haixin &LI Xing’

1．Department of Electronic Engineering，Tsinghua University,Beijing 1 00084，China；

2．Network Research Center,Tsinghua University,Beijing 1 00084，China

Correspondence should be addressed to Yang Feng(email：yang．feng00@mails．tsinghua．edu．cn)

Received May 1 7，2004

91

Abstract lnteraction of antiworms with a worm population of e．g．hosts of worm infected

and hosts of antiworm infected must be considered as a dynamic process．This study is

an attempt for the first time to understand how introduction of antiworm affects the

dynamic of network worm propagation．1n this paper．we create a mathematical model

(SIAR mode1)using ordinary differential equations to describe the interaction of worms

and antiworms．Although idealized．the mode J demonstrates how the combination of a

few proposed nonlinear interaction rules between antiworms and worms is able to

generate a considerable variety of different kinds of responses．Taking the Blaster and

Nachi worms as an example．we give a brief analysis for designing a practical antiworm

system．To the best of our knowledge．there is no model for the spread of an antiworm

that employs the passive scan and the finite Iiretime and we believe that this is the first

attempt on understandinq the interaction between worms and antiworms．

Keywords：SIAR model，ordinary differential equations，network wornl propagation，Blaster,Nachi．

DOI：10．1360／03yf0509

1 Introduction

The Internet is an open，complicated and huge system．Therefore，we need analyze

and handle the problem in it synthetically【lJ_Worms，autonomous programs which

spread through the network by searching，attacking，and infecting remote machines，have

been a serious issue since the development of the Morris internet worm【． Recently,

worms on the Internet have become a pressing issue following a series of events(such as

Slammer,Blaster and Nachi)t2__4 ．Such malwares Can carry arbitrarily malicious pay—

loads which are spread rapidly to every vulnerable machine．In order to build defenses

against future worm outbreaks，it is important to understand the properties of such

W 0rm S．

Copyright by Science in China Press 2005

维普资讯 http://www.cqvip.com

1．1 Background

Science in China Ser．F Information Sciences 2005 V01．48 No．1 9l—l06

Although general antiworms，worms which remove other worms， are not a produc—

tive idea，responses to worm probes can be a highly effective defense against some

worms．Two good examples are the anti—Code—Red worm and Nachi worm15-7 J． They

recently posted a notice on their site，www．incidents．org，about the availability of an

anti—Code Red worm called Code Green，which was created to patch vulnerable systems

and remove back doors left by Code Red II．The site also refers to“CRclean”as a worm

that spreads passively，namely it is only propagated to hosts that actively aRack the sys—

tem on which CRclean is running ．For anti—Code—Red worm．these web servers would

respond to a probe by Code Red II by counterattacking the infected web server,dis—

abring the server，and resetting the machine：halting the code red infection and prevent—

ing re—infection．This is because a worm broadcasts its presence in order to spread．ena—

bring active counter attacks if the worm creates or exposes a security hole on its host．

This suggests that any author who wants to increase the wornl’s staying power will sim—

ply not repeat the mistakes of Code Red II and other worms by simply closing the secu—

rity holes used by the worm to infect a machine and not creating any generally open se—

cudty holes．Such a worm would not be vulnerable to counter worlilS and antiworms．

Therefore we cannot assume that counter attacks and antiworms can form a viable de—

fense against a sophisticated worm．And we will carefully discuss the antiworm：

Nachi[6]．

During worms break，worms are likely to separate out the act of scanning and

probing by only probing machines which the scan suggests are actually vulnerable．Code

Red was indiscriminate in its probing，and thus it tried to infect many non一ⅧIncrable

web servers．This has two negative effects from the worm’s point of view：it plainly told

the recipient machine that the source machine was running the worm(resulting in sev-

eral anti Code Red web pagesp )and it slowed down the rate of infection since such

probes are a significant waste of effort．Th erefore，the design of antiworms could make

use ofthis feaRu-e．

The use of modeling techniques in the study of network worm propagation started a

long time ago【8- J．Both deterministic and stochastic models are used for epidemiologi—

cal modering．The deterministic models often lead to powerful qualitative results with

important threshold behaviour．They also lead to simpler mathematical problems than

the stochastic ones．Therefore most models were deterministic models，in which hosts

were ignored，and hosts within the Interact were presumed to act as a unit．An exam ple

of such a model is a differential equation，where the rate of change of the number in any

one group may depend on several factors，some of which may be static，and some may

vary with time．This approach has been widely used in the study of epidemic of human．

The stochastic model would be discussed in our next paper．

1．2 Contributions

The objective of this work is to build an effective and practical model that allows



Modeling and analyzing of the interaction between worms and antiworrns 93

the decision makers to understand the main properties of antiworms during network

worm propagation．In this study we foCUS mainly on the effect that antiworm has on

network worm propagation，and alSO comment on the resurgence of worms due to Nachi

worm 既 carry out extensive studies of antiworms and worms propagation．From these

experiments we derive a better understancling of the interaction between antiworms and

worlIls during the network worm propagation．

The most important part of this WOrk is to employ novel ordinary differential equa—

tions to model the effectiveness of the antiworm system and to guide its design and per—

formance evaluation accordingly 舱 proposed a novel antiworm model that accurately

models the performance of antiworm system between the worm system and the anti—

worm system．Wle perform ed a study to discuss the steady state analysis．The study also

exhibits the system dynamics under various system parameters and reaction time condi-

tions．

2 SLARmodel

In order to model the worm and the antiworm in the Internet，four groups of hosts

of distinct status are considered：

-- Susceptible：these are hosts which have not encountered the worms and have no

circulating antiworm s．

一 Infected：these are hosts which have encountered the worms in the Internet dur—

ingtheoutbreak．

-- Recovered：hosts that are not infectious and no longer susceptible to infection no

matter whether they are infected by the worm or antiworm before．

-- Antiworms：these are hosts which are infected by antiworm s and no longer SUS—

ceptible to infection．

Th e model presented here follows a different strategy．It demonstrates that consid—

erable plurality of phenomena Can be the result of very few and simple basic interactive

mechanisms．

2．1 System assumptions

We consider the relation between worms and antiworm s as a feedback loop．Th e

elimination of the worlYls as the result of the interaction with control strategies is con—

sidered to be proportional to the contact rate between worms and antiworm s．Fig．1 out—

lines the mechanisms assumed to be essential for the worm-antiworm interaction．

This process is described by the following assumptions and specifications：

一 In this work we ignore the effects of something by focusing mainly on the inter—

action of the worms and antiworms．In Our future work，we will extend Our model to a

more general model to assess the effects of separate compartments on the worm propa—

gation．

www ．．scichina com


Science in China Ser． F Information Sciences 2005 Vo1

．48 NO．1 9l— l06

Fig．1． A simplified representation of the flow of hosts between susceptible，infected，recovered and antiworm

groups used to formulate this SIAR mode1．

一

N is one constant independent of t

—

IIl the presence of WOrlTIS．the susceptible hosts can be infected by worins to be．

come infected hosts．

the presence of antiworms．the infected and susceptible hosts Can be infected

by antiworms to become antiworm infected hosts．Considering wornl propagation， the

uninfected hosts Can be infected by WOFITIS and become infected hosts． As far as anti—

worins are concerned，the WOrlTIS infected and susceptible hosts Can be infected by anti．

WOrlTIS and become antiworms infected hosts．For example。the Blaster hosts Can be iI1．

fected to become Nachi hosts．

一

肫 ignoretheinfectiontimes and removaltimes．

一 NO latent period．

-- Homogeneous mixing

--

Recovery rate，death rate，birth rate，patch rate and contact rate are constant．If a

host leaves the group because of some factors such as updating operating system or

some fault in the computer,we consider that this host was dead．Similarly，if a host joins in the group when it installs the related software，then we consider that a susceptible host

wasborn．

Generally，it is assumed that the population size N(t)satisfies the following popula-

tion dynamics equation：



Modeling and analyzing of the interaction between worms and antiworms

厂(Ⅳ)

95

The function fiN)satisfies some conditions．However,in view of the short duration of wornls break and the large population size，the population host size would not change

greatly during wornls break．And for the sake of simplicity，we set N(0 constant ex—

pected population size N．From the results later,we found this simplicity is practica1．

To derive differential equations for the model，we assume the population is large

enough to be modeled deterministically．

2．2 Model structure

The temporal change of the susceptible host size S is determined by the difference

between their birth，death，patching and elimination caused by wornls and antiworms．It

is assumed that the birth rate is proportional to the expected population size．Th e death

and patching rate are proportional to the susceptible rate．The elimination of the suscep—

tible hosts as the result of the interaction wim the wornls and antiworms is considered to

be proportional to the contact rate between the susceptible hosts and WOrlTIS．

Th us，the temporal change ofthe susceptible hosts is described by the differential

equation

_

dS(t)： Ⅳ一( +／15)S一届一fl3SA

dt

with non—negative rate constants届，屈， 1， and 1

Similarly，the temporal change of the infected wornl host size I is determined by the

difference between their death and elimination caused by antiworms．It is assumed that

the death rate is proportional to the infected host size．Th e elimination of the infected

hosts as the result ofthe interaction with the wornls and antiworms iS considered to be

proportional to the contact rate between the susceptible hosts and wornls．

Thus，the temporal change of the infected WOrlTI hosts is described by the differen—

tial equation

—

dI

_

(t)：届一flzAI一( 2+ )

f

(2．2)

with non—negative rate constants届，屈， and ．

We defme the amount of antiworms as the elimination capacity of the control sys—

tem with respect to that special worn1．Th e number of antiworms is supposed to be

constitutedbyfourdifferentfactors：

Th e worms trigger the process in the control and antiworm system leads to compe—

tence against them．For example，in the presence of wornls，the velocity of this stimula—

www．scichina．com


Science n China Ser．F Information Sciences 2005 V01．48 No．1 91—1o6

tion is described by a function which for specificity is given by

with positive constants屈

g(S， 4，尺)=屈AI ( ≥0，A≥0)

The patching reaction is additionally strengthened by cooperative reinforcement of

patching activation processes．The resulting increase rate of antiworms is modeled by

the function

As，I,A,R)=fl2AI ( ≥0，A≥0)

depending on the parameters 8

A term— A represents the finite lifetime of the antiworms，with a positive death

rate constant／．t4．

Finally— represents the removal of the anfiworms，with a positive removal rate

constan t啦．

—

dA—_(t)

： fl2AI+fl3SA一(／24+ )A． (2．3) dt

Subsequently，the temporal change of the recovered hosts is described by the differential

equation

—

dR—_(t)： + A+ 一尺

tit

(2．4)

A sunkrnary of the mathematical model for the interaction of the worm and the an—

tiworm is given by the following system of four ordinary differential equations：

—

dS_

(t)： Ⅳ一( 1+It5)S—ASI—fl3SA，

dt

_

dI(t)：届一fl2AI一( 2+o6)I，

dt

dA(t)

dt

dR(t)

dt

= AI+ SA一(It4+oe2)A，

= + A+ltsS—r3R

The system contains several nonlinear term s．It will be shown in the subsequent

discussion that the interaction of these factors is essential for the large variety of differ—

ent types of behavior tl1e model is admitting．There are already a considerable number of

epidemical models in tl1e literature．These models are more or less related to the model

presented here． lble 1 shows the param eters and their initial values involved in Our

SIAR mode1．



Modeling and analyzing of the interaction between Worals and antiworms 97

2．3 State analysis

To begin analysis of this system，we examine equilibria of the mode1．There are

several states for this system，some of which are not feasible．Hence，there are at least 4

states：an uninfected state，( ，0，0，RF,a WO1TI!一infected state，( ，0，0，尺) an anti． worm-infected state，( ，0，0，尺) and a co—infected state，( ，0，0，尺) where none ofthe

values are zero．

1)The uninfected state( ，0，0，尺) In this case，both，and A are zero．And the

steady state values are

：，

：．

( 1+ )

If we examine the roots of the characteristic equation from the Jacobean matrix of the

system(2．1)一(2．4)，the four eigenvalues are

= 一 (／-21+ )，

= 届S一( 2+ )，

= 屈S一( + )，

= 一 3．

For this steady state to be locally asymptotically stable，we require each of the eigenval—

ues to be negative．This is true only if

< ／rE+ 届 ana_<

arising as conditions from the eigenvalues and ．If either of these conditions is


98

置

0 工

0

0

E j

Z

Science in China Ser．F Information Sciences 2005 Vo1．48 No．1 9 l—l06

Time／0 l h Time／0．1 h

Fig．2． (a)The uninfected state．This is the numerical solution to eqs．(2．1)一(2．4)with，and A set tO zero；(b)the

worm—infected state．This is the numerical solution to eqs．(2．1)一(2．4)with A set to zero；(C)the antiworm-infected

state．This is the numerical solution tO eqs．(2．1)一(2．4)with，set tO zero；(d)the CO—infected state．This is the nu—

merical solution tO eqs．(2．1)一(2．4)with both the worms and antiworms present．All parameters and initial values

come ffomtable 1．

invalid，the steady state becomes a locally unstable saddle point．Fig．2(a)depicts the

numerical solutions of the uninfected state．

2)The worm—infected state( ， 0，尺) ：In this case，A is zero．This reduces to

solving

Ⅳ=( _+fll—SI，__ and__ I七 sS

Fig．2(b)depicts the numerical solutions of the worm—infected state．

3)The antiworm—infected state( ，0，A，尺) ：In this case， is zero．This reduces to

solving a two—equation algebraic．

Ⅳ_(It1+Its)-S+fl3一SI，__ and__ oc2I+ sS

Fig．2(c)depicts the numerical solutions of the antiworm—infected state．

4)The CO—infected state( ， A，尺) ：Here，both worms and antiworms are present．




In order to determine the equilibrium values ofS， R andA，denoted S， A and ，it

is necessary to solve the simultaneous equations：

dS

dt —

d—

I：

0．—dA—

dt dt _o， =。

“f

The differential equations for the deterministic version of the model Can be wriRen

as follows for these state variables．This system of differential equations has two critical

points．One of them is at(Ⅳ，0，0，O)，which corresponds to the absence of infection．The

other critical point corresponds to an endemic infection leve1．Its coordinates are

X=( ，I，A，尺)，given by

where

B=

S= ，

I=C—lB3B，

A=届B—D，

R= ( 一层 +届 )+(alC—o~2D)

Ⅳ

( + 5)+届( + )一fl3(a2+ )’ c=

In fig．2(d)，we explore the CO—infection state．When both worms and antiworms are introduced to the network system，the initial transient is present，but the worm—infected

hosts approach a lower level than worm infection alone．Comparing it with fig．2(b)，we

can see that the decrease of infected number of worms is much faster in the CO—infected

scenario than in worm alone．

3 Resuits

3．1 Effects ofreaction time delay

The model clearly shows this oscillatory behavior,which would Occur even under

much more general conditions on the parameter constants，ifthe model equations(2．1)，

(2．2)，(2-3)and(2．4)would be modified more realistically by including reaction time

delay effects．Such a reaction time delay model could be，e．g．

—

dS__

(t)： Ⅳ一( + ) 一届一fl3SA(t一 )，

dt

dI(t)= fltSI一 A(卜 ) 一( 2+ ) ，

—

dA—

(—

t

_

-

一

T)： fl2A(f—T)I+ (f一 )一( 4+ )A(f一 )，

at

—

dR

—-

(t)： +tZzA(f一 )+ltsS一 3尺

at


100 Science in China Ser．F Information Sciences 2005 Vo1．48 No．1 9 1— 1O6

The positive delay constants take into account times necessary．It is well known

from the theory of differential—delay equations that reaction time delays strongly support

oscillatory behavior in these systems．

A diagram showing the effects of time delay iS presented in fig．3．From fig．3。the

conclusion Can be drawn that the longer the reaction time delayed the longer the infec—

tion prolonged．A1SO we can see that．just because of the effect of antiworms，the worms

infection descends rapidly after antiworms burst out．Comparing with fig．7，me SL

model fits the Blaster and Nachi worm propagation very wel1．It is obvious that this

SL model Can explain the interaction between worms and antiworms from fig·，·

3．2 Effects ofparam eterchange

Th e values of the parameters and the initial values of the various components in

this model are uncertain and also expected to exhibit considerable variability am ongst

hosts．Hence we have systematically investigated the effects of changes in all these

quantities．These effects are interesting in themselves but also provide a check that the

magnitude of the random fluctuations is not a manifestation of the particular standard

丑

0 e-

0

矗 0

g

Z

丑

0 e-

0

矗 0

g

Z

Time／0 l h Time／0．1 h

Fi￡．3．The efiects of reaction time delay．This is the numerical solution tO eqs．(2·1卜<2·4)including the ti。“

ti e delay of antiwomls．All parameters and initial values come from table 1，except the time delay par锄。时 T

increasefrom 10tO 40h．




parameter set chosen

101

First we have found that these changes in届，the contact rate of infected hosts，al1

had major effects on the solutions．For example，from fig．6 we Find that increasing／(0)

to as much as 100 times the standard value had a major effect．This implies that in the

magnification of the worm propagation，the size of the initial infected population is of

great consequence in the subsequent growth of the infected population and thus in the

severity or time course of conditions．That is，infection by one or several infected hosts

leads to different results．So does (0)．The author of Nachi claimed that he put hundreds

Of high performance hosts which were Nachi—infected into the Internet on August 1 8．

This can explain why Nachi could propagate so fast．

The results of changes in the remaining parameters are shown in fig．4 and fig．5．In

fig．4 the effects are shown of changing届s，which are the rates of contact of worm—in— fected and susceptible hosts．In fig．5 the effects are shown ofchanging s，which is the

rate of loss of worm—infected and antiworm —infected hosts．

4 Case study

In this section，we discuss the issues involved in the implementation of the anti—

worm system．The proposed system requires the operations be perform ed at two com-

ponents of the system，nam ely,the scanning techniques and the lifetime．

4．1 Blaster worm

W32．Blaster．WorlTl is a worm that exploits the DCOM RPC vulnerability(de—

scribed in Microsoft Security Bulletin MS03—026)using TCP port 135 ．The worm tar—

gets only Windows 2o00 and Windows XP machines．啪 ile Windows NT and Windows

2003 Server machines are vulnerable to the aforementioned exploit(if not properly

patched)．the worm is not coded to replicate to those systems．This worm attempts to

download the msblast．exe file to the％ rinDir％＼system32 directory and then execute it．

The worm also attempts to perform a Denial of Service(DoS)on the Microsoft

Windows Update Web server(windowsupdate．com)．This is an attempt to prevent you

from applying a patch on your computer against the DCOM RPC vulnerability【7J_

4．2 Antiworm ：Nachi

The W32／Nachi．A is a worm currently spreading in the wild【6】_It attempts to exploit

hosts vulnerable to the RPC DCOM buffer overrun vulnerability．Once running，it will

attempt to remove W32／Msblast．A from that system，as well as attempting to update the

system with the security patch from Microsoft which addresses this vulnerability．It will

remove itself from infected system automatically if the year of the system is 2004．

Comparing fig．3 with fig．7，we can see that using SIAR model the interaction be—

tween worms and antiworm s can be described coincidently．At 22：00 1 1 August 2003，

Blaster worm propagated rapidly and came to the top in one hour．Then it fluctuated on

www．scichina．com


102

兽皇

矗

善 Z

兽皇

§ Z

兽

矗

雪 Z

Science in China Ser．F Information Sciences 2005 Vo1．48 No．1 9l—lO6

Time／0 l h Tjme／0．1 h

Fig．4． The effects of contact rate changes．Right figures show the results with a decreased value for a particular

parameter whereas left figures show the results for an increase in the sanqe param eter,All contact rates changes weFe

50％relativetothe standardvaluefromtable 1．

the top and descended slowly．At 14：00 1 8 August 2003，Nachi antiworm appeared in the

Intemet and propagated fast．At the same time，Blaster WOrlTI descended to zero．Nachi

antiworrn came to the top in one hour and fluctuated on the top．From fig．3 and fig．7，

we can conclude that our SIAR model is effective in describing the interaction between

Blaster worm and Nachi antiworm．

From the data collecting by CCERT from 1 1 August 2003 to 24 August 2003 this



Modeling and analyzing of the interaction between WOITflS and antiworms

盈

0

0

0

g j

Z

盈

0

0

0

g j

Z

兽呈

矗 0

雪 Z

Time／0．1 h

103

Time／0．1 h

Fig．5． The effects of removed rate and patching rate changes．Left figures show the results with a decreased value

for a particular parameter whereas right figures show the results for an increase in the same param eter．All removed

rates and patching rate changes were 50％relative tO the standard value from table 1．

year,we find that the scanning traffic caused by Blaster worm reduced to a very lOW

leve1．Therefore，we can conclude that the propagation of Blaster worm had been con—

trolled and the impact of antiworm Nachi on Blaster worm propagation iS effective．

However，after August l 8，the scanning tr狮 C caused by Nachi becomes a bigger prob—

lem．Which led to the new worm propagation．W_e Can conclude that the mechanism of

antiworm is not perfect，and we need to further study the techniques of scanning and life

contro1 of antiworms．


l04

×

3．O

2．5

菪2．0

；1．5 D

鲁1．0 Z

0．5

O

Scfence in China Ser— Information Sciences 2005 Vo1

．48 NO．1 9卜一l06

0 200 400 600 800

0 200 400 600 800

Time／0 1 h Time／0．1 h

Fig．6． The r，n

eff

、

ectS of initia1 Va1ues changes．As in fig． 8，except that here are shown the effects 0f varying the

i ni6al values，(O)andAf0】．

60

耋 4。0 0

Time(mm-dd-hh-lniTl1

In

n

oo

0

’寸 N

∞

0

Fig，7·CoUecting data about TCP and ICMP scan traffic caused by Blaster and Nachi worms from CCERT．These

results were obtained from August 1 1 tO August 24．

4．3 Techniques in scanning

Although a worrfl spreads exponentially during the early stages of infection， the

time needed to infect the first 10000 hosts dominates the infection time[15,16]． There is a

simple way for an active worm to overcome this obstacle：hitlist scanning[ 5， 61． Long

before the worm is released， the worm author collects a list of potentially vulnerable

machines with good network connections． The WOrlTI，when released onto an initial ma．


×如 0

嚣∞0￡ 0．IQ 量Z

寸 0Ic ∞0

’0_l ∞0

0 _1．_l ∞0

_l-￡_l-0 ∞0

=． _1．∞0

!．∞ ∞0

一一-80

0 _1．口_lI80

_1．∞_1．．∞0

_1．!．∞0

n．0 n_lI80

寸_l ．∞0

0 Il-80

00．00．I1．∞0


Modeling and analyzing of the interaction between worms and antiworms 105

chine on this hitlist，begins scanning down the list． This provides a great benefit in con—

structing a fast worm by speeding the initial infection．

Similarly,the scanning techniques of antiworm can follow this method． On the one

hand，constructing the hitlist is easy for the antiworm’s author．Since the hitlist is con—

structed long before an antiworm is released，the worm—infected hosts list would be Ob—

tained easily．As such a scan is iust to determine whether a machine is infected，it could

be completed long before the outbreak of the worm．On the other hand，passive surveys

could be used to get the worm-infected hosts list without requiring an active scan．

4．4 Controlling the antiworm lifetime and P2P

Antiworm，Nachi，will remove itself from infected system automatically if the year

of the system is 2oo4．It uses this technique to control its own lifetime．Unfortunately,

from fig．7，we can see that this technique cannot reduce the scanning traffic caused by

antiworms．There is a simple way for an active worm to overcome this obstacle：Finite

lifetime．Each antiworm has a constant lifetime when a worm—infected host is infected

by antiworm．Its lifetime begins from the time infected by antiworm．After a constant

period，this antiworm would die automatically．Moreover,we can learn from Slapper

worm’s P2P communications protoco1．Using this feature，we can control antiworms and

l(i11thematanytime．

5 Discussion and conclusion

Antiworms have been in practice，and the techniques described here and elsewhere

could easily be employed by worm authors．By analyzing the technique of antiworms，

the paper suggests that developing and installing effective defenses should be high prior—

ity,as the current systems are highly vulnerable to fast moving worms．

In this paper,we investigate the model of antiworms as a mechanism for mitigating

network epidemics．We explore a broad class of antiworm systems in terms of its prop—

erties of model：steady state analysis，effects of reaction time delay and effects of pa—

rameter change．Using a susceptible host population inferred from the Blaster worm and

Nachi antiworm propagation，we use simulation to analyze how worms spread under

antiworm defense．

From our simulation experiments，we make the following conclusions about vari-

ous aspects of antiworm systems for network worm propagation：steady state analysis，

effects of reaction time delay and effects of parameter change．Taking the Blaster and

Nachi worm as an example，we apply our model to describe the worm propagation．First，

from our model we assert that antiworm s are effective to mitigating network epidemics．

Secondlv’our antiworm model is used to evaluate the perform ance of antiworm system．

Antiworm s with a hitlist can detect the worm—infected hosts in a shorter period of time．

A simple passive detection antiworm system is the necessary step towards a practical

detection system that detects the worm—infected hosts through passive scanning．Wle plan

to apply our model to assess antiworm systems and compare the relative perform ance of


l06

different antiworm systems

Science in China Ser．F Information Sciences 2oo5 Vo1．48 No．1 9l— lo6

From these results．we conclude that it will be very interesting to build Internet an．

tiworms that prevent widespread infection from worlll epidemics．In particular,design．

ing and implementing a practical antiworm system that automatically eliminate the

worlll epidemics is a tough task．And the inevitable network仃afflc caused by the scan of

the antiworm further complicates the problem． Our analysis and simulation studv in—

dicates that such a system is feasible and effective，and poses many interesting research

issues．However,the scanning仃affic caused by Nachi antiworm was even larger than

mat caused by Blaster worm．Hence a more effective and secure antiworm system is

needed for further studv．Wle hope this paper would generate interest of discussion and

participation in this topic and eventually lead to an effective antiworm system．We will

also discuss this problem in the future work．

Acknowledgements The authors thank the guest editors for coordinating an expeditious review of their submis—

sion．They also thank the anonymous reviewers for their constructive suggestions that helped improve the quality

and readability of this paper．This work was supported in part by the National Namral Science Foundation of China

(Grant No．60203004)．

1． Dai Ruwei，Cao Longbing，Internet--An open complex giant system，Science in China(in Chinese)，Ser．E，

2003，33(4)：289—_296． 2． StaI1if0rd，S．。Paxson，V，Weaver，N．，How to own the Imemet in your spare time，in Proc．of the USENIX

Security Symposium，2002． 3． CERT Advisory CA一2001—23，Continued Threat of the“Code Red II”Worm，httrI：／／www．cert．org／adviso—

ries／CA一2001—23．html

4． Moore．D．．The spread of the code—red worm (CRv2)，http：Hwww．caida．org／analysis／security／一code—red／

coderedv2 analysis．xml，Nov 2001．

5．Das Bistro Project’s anti—code—red defaultIjda，http：／／www，dasbitro．com／default．ida 6． Knowles．D．，Perriot，F．，Szor,E，Symantec security response：W32／Nachi．A，http：／／www．f-prot·com／virus—

info／descriptions／nachi—

A．htm1．

7． Knowles。D．，Perriot，F．，Szor,P．，Symantec security response：W32．Blaster．Worm，http：／／securityresponse·

symantec．com／avcenter／venc／data／w32．blaster．worm ．htm1．

8． Zou．C．C．C．，Towsley，D．，Email virus propagation modeling and analysis，Umass ECE Technical Report

TR一03一CSE一04，May，2003．一．

9．Liljenstam，M．，A mixed abstraction level simulation model of large—scale internet worm intestations，in

Proceedings of the Tenth IEEE／ACM Symposium on Modeling，Analysis and Simulation of Computer and

TelecornInunication Systems(MASCOTS)，IEEE Computer Society Press，Fort Worth，TX，Oct 2002．

1 O． MOOre．D．。Code—Red：a case study on the spread and victims of an Internet wornl，Presented at the Inter—

net Measurement Workshop(IMW)in 2002． 1 1． Zou，C．C．C．，Gong，W．B．，Towsley，D．，Code Red I1 worm propagation modehng and analysis，in 9th ACM

Conference on Computer and Communication Security，Nov．1 8—22，Washington DC，USA，2002，http：／／ten—

nis．ecs．umass．edu／．-czou／research／codered．pdf．

12． Andersson，H．，Britton，T．，Stochastic Epidemic Models and Their Statistical Analysis，New York：

Springer-Verlag，2000．

13． Kephart，J．O．，White，S．R．，Directed—graph epidemiological models of computer viruses，in Proceedings of

me l99l IEEE Computer Society Symposium on Research in Security and Privacy，Oakland，California，May

l991．343—359．

14．Daley．D⋯J Gani，J．，Epidemic Modelling：An Introduction，Cambridge，UK：Cambridge University P陀ss，

l999． 15． Weaver，N．，Potential Strategies for High Speed Active Worm ：A Worst Case Analysis，TechnicalRelx~ 2002·

．

16． Weaver,N．．Warhol Worms：Th e potential for very fast intemet plagues，http：Hwww·cs·berkeley·edu／一

nweaver／warho1．html，August 200 1．



modeling and analyzing of the interaction between worms and antiworms during network worm...

Documents