Embed Size (px)
Citation preview
February 2012, 19(1): 112–118 www.sciencedirect.com/science/journal/10058885 http://jcupt.xsw.bupt.cn
The Journal of China Universities of Posts and Telecommunications
Modeling and analysis of anti-worm in P2P networks TANG Xin1, WANG Ru-chuan1,2,3 (�), SHAO Xing1
1. College of Computer, Nanjing University of Posts and Telecommunications, Nanjing 210003, China 2. Jiangsu High Technology Research Key Laboratory for Wireless Sensor Networks, Nanjing 210003, China
3. Key Lab of Broadband Wireless Communication and Sensor Network Technology, Nanjing University of Posts and Telecommunications, Ministry of Education, Nanjing 210003, China
Abstract
Anti-worm is an effective way to fight against malicious worm and has been followed closely by malicious worm researchers recently. However, active and passive confronting technologies in peer-to-peer (P2P) networks have not been studied in depth. This paper introduces both of them to fight against malicious worm in P2P networks. To study their effectiveness in P2P networks, this paper takes the topology degree in P2P networks into consideration and puts forward a four-state propagation model for active anti-worm and a five-state propagation model for passive anti-worm respectively. Both of the models are simplified in the case that size of a P2P network is large enough. The simulation results have not only validated the effectiveness of our propagation models but also evaluated the excellent performance of both active anti-worm and passive anti-worm.
Keywords P2P network, anti-worm, worm, propagation model
1 Introduction �
P2P overlay network is a resource- sharing network and it is suitable for the propagation of various types of worms that prey on common vulnerabilities of hosts for its outstanding communication ability [1]. A computer worm is a program that run independently and can propagate a fully working version of itself to other machines. It is derived from the word tapeworm, a parasitic organism that lives inside a host and uses its resources to maintain itself [2–3]. The propagation of worms threats thousands of hosts in P2P networks in the way such as accessing confidential information, destroying or modifying valuable data, congesting the network and controlling large amount of hosts by launching distributed denial of service attacks [4]. So it is necessary to take measures to resist worms in P2P networks.
A lot of work has been taken to resist malicious worms.
Received date: 17-07-2011 Corresponding author: WANG Ru-chuan, E-mail: [email protected] DOI: 10.1016/S1005-8885(11)60235-5
Ref. [5] proposes a defense strategy of Internet email worm, Ref. [6] studies the propagation of Internet worm and Ref. [7] proposes early detection and response mechanism for Internet worm. Take the P2P overlay topology into consideration, Ref. [8] presents an ET+ based vaccine strategy in P2P networks, Refs. [9–10] model the propagation of worms in unstructured P2P network and Ref. [11] researches on epidemic models of P2P worm in structured P2P network. However, there exist some limitations in these works. Ref. [5] just focuses on propagation and defense of Internet email worm. Unlike scanning worms, email worms spread over a logical network defined by email address relationship, making modeling the propagation of email worms different from traditional scanning worms. Refs. [6–7] study the propagation of Internet worm, however, P2P overlay topology is not considered. Ref. [8] uses anti-virus central peers to spread the vaccine, which are easy to result failure of single point. Refs. [9–11] model propagation of worm in unstructured and structured P2P networks respectively, they provide a theoretical basis for our models.
Anti-worm [12] is proposed recently as an effective way
Issue 1 TANG Xin, et al. / Modeling and analysis of anti-worm in P2P networks 113
to resist worms, whose idea is to transform a malicious worm into an anti-worm which propagates using the same vulnerability of hosts as the original malicious worm. Generally speaking, anti-worm is more infectious than malicious worm because it could be supported by official technology and it often starts to propagate later than malicious worm for it takes some time to prepare. The aim of this paper is to give the propagation model of anti-worm in P2P networks and to analyze different schemes of anti-worm. At last we give the performance analysis to validate the effectiveness of anti-worm in P2P networks.
2 Modeling of anti-worm in P2P networks
2.1 Model parameters and assumptions
We list the notations used in this paper as follows: 1) N: Total number of hosts in a P2P network,
N=S(t)+I1(t)+I2(t)+P(t)+R(t), initial value is 40 000. 2) S(t): Number of susceptible hosts at time t, initial
value is 39 590. 3) I1(t): Number of infectious hosts at time t, initial
value is 400. 4) I2(t): Number of benignly infectious hosts at time t,
initial value is 10. 5) P(t): Number of passively infectious hosts at time t,
initial value is 0. 6) R1(t): Number of hosts removed from infectious hosts
from time t to t+1, initial value is 40. 7) R2(t): Number of hosts removed from benignly
infectious hosts from time t to t+1, initial value is 2. 8) R(t): Number of removed hosts by time t, initial value
is 0. 9) �1: Average rate of removal of infectious hosts, initial
value is 0.1. 10) �2: Average rate of removal of benignly infectious
hosts, initial value is 0.2. 11) �1: Probability of a malicious worm infects a
vulnerable host, initial value is 0.1 in propagation model of active anti-worm and 0.02 in propagation model of passive anti-worm.
12) �2: Probability of an anti-worm infects a vulnerable host, initial value is 0.21 in propagation model of active anti-worm and 0.03 in propagation model of passive anti-worm.
13) �: Average degree of hosts in P2P networks, initial value is 10.
In a P2P network, we should take the following parameters into consideration: topology degree of hosts, size of a P2P network and number of infectious hosts. Topology degree defines the number of P2P neighbors maintained by a P2P host locally [4]. The topology degree is a constant in a structured P2P network while in an unstructured P2P network, topology degree of each hosts is actually a variable. Generally speaking, larger topology degree in a P2P network means higher probability a worm or an anti-worm successfully propagates itself. For simplicity, we define � as average degree of hosts to denote the number of P2P neighbors. Size of a P2P network is also known as total number of hosts N, the probability of each host scanned by a worm is 1/N. So 1 (1 1 )N �� � denotes the probability of a host been scanned at least once. Suppose number of infectious hosts at time t is ( )I t , so the probability of a host been scanned by at least one worm is ( )1 (1 1 ) I tN �� � .
We assume the states of hosts can be classified into five types: susceptible, passively infectious, infectious, benignly infectious and removed. Susceptible hosts have no anti-virus ability. They are not infected yet but vulnerable to infectious hosts, passively infectious hosts and benignly infectious hosts. Passively infectious hosts are those infected by passive anti-worm, which are only infectious to the hosts attacked them. Infectious hosts are hosts infected by malicious worm, they are able to infect both susceptible hosts and passively infectious hosts and change their states to infectious. If an infectious host compromised a passively infectious host, it would be infected by passive anti-worm immediately with a probability 2� and its state will be changed to benignly infectious later. Hosts in benignly infectious state are those infected by anti-worm. Benignly infectious hosts can infect both susceptible hosts and infectious hosts and transform their states to benignly infectious. Removed hosts have been infected by malicious worm but healed for they were infected by anti-worm again or have already killed malicious worm by patching or repairing the vulnerabilities. If a host is in removed state, it would not change its state again.
We make the following assumptions before obtaining our model: the total number of hosts N in the P2P network is very large so the fluctuation of N can be neglected, we assume N is a constant and N is limit of positive infinity; malicious worm can infect both susceptible hosts and
114 The Journal of China Universities of Posts and Telecommunications 2012
passively infectious hosts; anti-worm has the ability of infecting both susceptible hosts and infectious hosts; the anti-virus capacity is the same among each hosts in P2P networks; both the malicious worm and the anti-worm can infect a host in a time unit; hosts in removed state have permanent immunity.
2.2 Propagation model of active anti-worm
An active anti-worm first infects a vulnerable host and then it can quickly identify new vulnerable hosts by following the list of neighbors of the infected host [1]. It transfers itself to those compromised or vulnerable hosts for disinfection and immunization. Anti-worms propagate fast in P2P networks so that they can resist the original malicious worms quickly. According to the model assumptions in Sect. 2.1, there are four states in our propagation model of active anti-worm: susceptible, infectious, benignly infectious and removed. Transition of these four states is shown in Fig. 1.
Fig. 1 States transition of the active anti-worm propagation model
Strictly speaking, the propagation of worm is a discrete event. We use continuous model to model the propagation of anti-worm because it is a large scale event and the process of infection of each individual is independent to each other. The same way is used in Refs. [13–15]. The propagation of malicious worm is affected by two factors: for one thing, human counter-measures such as cleaning compromised hosts, patching or updating vulnerable systems and disconnecting infected hosts from the P2P network, which is similar to code red worm propagation model [13]; for another, anti-worm infects infectious hosts to clear malicious worm and then patches them. According to the analysis above, changes of infectious hosts can be expressed as
1 ( )1
1 2 1d ( ) 1( ) 1 1 ( )
d
I tI t S t I tt N
�
� �� �� � � � �� � �
� �� � � 2 ( )
11 1 1 ( )
I t
R tN
�� �� � � �� � �� �� � �
(1)
In Eq. (1), 1 ( )1 ( )[1 (1 1 ) ]I tS t N �� � �
is the number of
hosts transformed from the susceptible hosts and 2 ( )
2 1( )[1 (1 1 ) ]I tI t N �� � � denotes the number of hosts transformed to benignly infectious hosts. We give the concise proof as follows.
Proof Since there are N hosts in a P2P network, the probability of a host scanned by a given attack is 1 N . There are 1( )I t� malicious attacks and 2 ( )I t� benign attacks at time t, so the probability of a susceptible host attacked by at least one malicious attack is
1 ( )1 (1 1 ) I tN �� � , the probability of an infectious host attacked by at least one benign attack is 2 ( )1 (1 1 ) I tN �� � .
Since there are ( )S t susceptible hosts at time t and the probability of a malicious worm infecting a vulnerable host is 1� , we consider the number of hosts transformed from the susceptible hosts is 1 ( )
1 ( )[1 (1 1 ) ]I tS t N �� � � . Similarly, the number of hosts transformed to benignly infectious hosts is 2 ( )
2 1( )[1 (1 1 ) ]I tI t N �� � � . Hosts infected by anti-worm come from either
susceptible hosts or infectious ones. Some of the benignly infectious hosts are removed due to they are cleared of the malicious worm and patched by the anti-worm. So the changes of benignly infectious hosts is
2 ( )2
2 1 2d ( ) 1[ ( ) ( )] 1 1 ( )
d
I tI t S t I t R tt N
�
�� �� � � � �� � �
� �� � � (2)
The susceptible population is changed by both the infecting process and the immunizing process. So d ( ) dS t t can be expressed as
1 2( ) ( )
1 2d ( ) 1 1( ) 1 1 1 1
d
I t I tS t S tt N N
� �
� �� �� � � �� �� � � � � � � �� � � �� � � �
� � � �� � � �� � � �� �
(3)
We also give the changes of removed population which is removed from both infectious hosts and benignly infectious hosts:
1 2d ( ) ( ) ( )
dR t R t R t
t �
(4)
As there are only four types of hosts in propagation model of active anti-worm, ( ) 0P t , so
1 2( ) ( ) ( ) ( )N S t I t I t R t � � � (5) For the number of hosts N in a P2P network is very large,
we have assumed that N is limit of positive infinity. So ( )1 (1 1 ) I tN �� �
is equivalent to ( )I t N� . Then we
obtain the simplified differential equations of the active anti-worm propagation model:
Issue 1 TANG Xin, et al. / Modeling and analysis of anti-worm in P2P networks 115
11 1 2 2 1 1
22 2 1 2
1 1 2 2
1 2
1 1 1
2 2 2
1 2
d ( ) 1 1( ) ( ) ( ) ( ) ( )d
d ( ) 1 ( )[ ( ) ( )] ( )d
d ( ) 1 ( )[ ( ) ( )]d
d ( ) ( ) ( )d( ) ( )( ) ( )
( ) ( ) ( ) ( )
I t I t S t I t I t R tt N N
I t I t S t I t R tt N
S t S t I t I tt N
R t R t R tt
R t I tR t I tN S t I t I t R t
� � � �
� �
� � �
��
� � � ��� � � ��� � � ���
� ��
�� �� � � � �
(6)
2.3 Propagation model of passive anti-worm
A passive anti-worm listens on a host and waits for attacks from the malicious worm. It only spreads itself to an attacking worm [12]. Compared with the propagation model of active anti-worm, here is another state for passive anti-worm propagation model. We call this state ‘passively infectious’. The passive anti-worm compromises susceptible hosts but does not scan the lists of their neighbors. These compromised hosts are waiting for attacks from malicious worm. They are only infectious to the hosts attacked them. In other words, they are passively infectious. There are five states in our propagation model of passive anti-worm: susceptible, infectious, passively infectious, benignly infectious and removed. States transition of the passive anti-worm propagation model is shown in Fig. 2.
Fig. 2 States transition of the passive anti-worm propagation model
As we described above, an infectious host could be infected by passively infectious hosts which it attacks. In P2P networks, the probability of a passively infectious host been attacked is ( )P t N , and the probability of an infectious host infected by an anti-worm is 2� . There are
� �2 1( )( ) I tP t N�
infectious hosts changed their state to
benignly infectious in a time unit. One part of the benignly infectious hosts are removed, the others are transformed to passively infectious. Changes of benignly infectious hosts
is depicted as follows: 2
2 1 2 2 2d ( ) ( ) ( ) (1 ) ( ) ( )
dI t P t I t I t R t
t N� � � � �
(7)
The changes of passively infectious hosts could be expressed as:
( )
2 2 2d ( ) 1( ) (1 ) ( )1 1d
P tP t S t I tt N
�
� �� �� � � �� �� � �
� �� � 1 ( )
11 ( ) 1 1
I t
P tN
�
�� �� � �� � �
� �� � (8)
In the propagation model of passive anti-worm, infectious hosts could infect not only susceptible hosts but also passively infectious hosts, which is different from the model of active anti-worm. And the changes of 1( )I t is:
1 ( )1
1d ( ) 1( ( ) ( )) 1 1d
I tI t S t P tt N
�
�� �� � �� �� � �
� �� �
2 1 1( ) ( ) ( )P t I t R tN
� �
(9)
According to our analysis above, the differential equation reflects the number change of susceptible hosts is:
1 ( ) ( )
1 2d ( ) 1 1( ) ( )1 11 1d
I t P tS t S t S tt N N
� �
� �� � � �� � � �� �� �� � � � � �
� � � �� � � � (10)
For N is very large, we simplify our model as the previous one we mentioned above, so we obtain the simplified differential equations of the passive anti-worm propagation model:
11 1 2 1 1
22 1 2 2 2
2 2 2 1 1
1 1 2
1 2
1 1 1
d ( ) 1 1( )[ ( ) ( )] ( ) ( ) ( )d
d ( ) 1 ( ) ( ) (1 ) ( ) ( )d
d ( ) 1 1( ) ( ) (1 ) ( ) ( ) ( )d
d ( ) 1 ( )[ ( ) ( )]d
d ( ) ( ) ( )d( ) (
I t I t S t P t P t I t R tt N N
I t P t I t I t R tt N
P t P t S t I t I t P tt N N
S t S t I t P tt N
R t R t R tt
R t I
� � �
� �
� � � � �
� � �
�
� � �
� � �
� � �
� �
�
2 2 2
1 2
)( ) ( )
( ) ( ) ( ) ( ) ( )
tR t I tN S t P t I t I t R t
�
����������������
�� � � � � �
(11)
3 Performance analysis
In order to show how anti-worm and malicious worm affect each other and test the effectiveness of our
116 The Journal of China Universities of Posts and Telecommunications 2012
propagation models, we focus on the performance analysis here. In this section, we design several experiments to further study the propagation models of both active anti-worm and passive anti-worm. Since our goal is to evaluate anti-worm propagation, our simulation can serve well for the purpose.
As is mentioned above, we set the initial value of 1( )I t larger than 2 ( )I t , because it takes time to develop an anti-worm, by which time the malicious worm must have compromised some of the vulnerable hosts already [12].
2� is set larger than 1� because anti-worm may be supported by official technology so it is more powerful than malicious worm [16]. We also set the removal rate
2� larger than 1� because anti-worm has the ability of patching and immunizing infected hosts and the immunization rate of anti-worm is larger than human counter-measures.
Fig. 3 and Fig. 4 illustrate the changes of hosts in propagation models of active anti-worm and passive anti-worm. In Fig. 3, the two curves represent infectious hosts and benignly infectious hosts respectively. It takes more time to develop an anti-worm than that of a malicious worm at the beginning. That’s because the number of infectious hosts is larger than that of benignly infectious ones at the beginning. But then active anti-worms spread faster than malicious worms for they compromise both susceptible and infectious hosts. A large number of infectious hosts change their state to benignly infectious. The number of benignly infectious hosts decrease from time unit 6 and it decreases to nearly zero at last.
Fig. 3 Propagation of Active anti-worm
In Fig. 4, the two curves distinguish between infectious hosts and passively infectious hosts. Similar to Fig. 3, it takes more time to develop an anti-worm than to develop a
malicious worm and then anti-worms spread faster than malicious worms. In propagation model of passive anti-worm, the passively infectious hosts could only be infected by malicious worms and the number of infectious hosts decreases to approximately zero at last. At the same time, a part of benignly infectious hosts change their state to passive infectious, so the number of passively infectious hosts decreases to approximately 11 000 instead of zero at last.
Fig. 4 Propagation of Passive anti-worm
Fig. 5 and Fig. 6 demonstrate anti-attack performance sensitivity to different average degrees with active anti-worm and passive anti-worm. Clearly, propagation of active anti-worm gets faster and the number of benignly infectious hosts increases dramatically with rising in the average degree of hosts. However, the situation is not exactly the same to passive anti-worm. Propagation of passive anti-worm gets faster at the beginning with larger � and then the number of passively infectious hosts drops slightly. At last, for each � , ( )P t tends to be a constant and the larger � , the smaller ( )P t . Experiment results conform to our expectation: larger average degree of hosts in P2P networks means more malicious attacks and benign attacks. In the propagation model of active anti-worm, benignly infectious hosts come from both infectious hosts and susceptible hosts. According to Eq. (1), the number of susceptible hosts and infectious hosts transformed to benignly infectious hosts increases with � . Now we focus on passive anti-worm. According to Eq. (8), sharply rise of passively infectious hosts at the beginning comes from susceptible hosts which are in the majority in P2P networks at the beginning and ( )
2 ( )[1 (1 1 ) ]P tS t N �� � � in Eq. (8) is increasing with larger � , so the propagation of passive anti-worm gets faster at the beginning with increasing in the average degree. According to Eq. (10), the number of susceptible hosts goes down significantly
Issue 1 TANG Xin, et al. / Modeling and analysis of anti-worm in P2P networks 117
when � increases. The number of passively infectious hosts decreases accordingly.
Fig. 5 Active anti-attack performance sensitivity to different average degrees
Fig. 6 Passive anti-attack performance sensitivity to different average degrees
Fig. 7 and Fig. 8 show the sensitivity of performance on initial number of active anti-worm and passive anti-worm respectively. In the following two figures, we can see that the number of infectious hosts decreases greatly with the increase of anti-worm’s initial number. So in a real P2P network, we could control the spread of malicious worm by increasing the initial number of anti-worm.
Fig. 7 The sensitivity of initial number of active anti-worm
Fig. 8 The sensitivity of initial number of passive anti-worm
From the above simulations and analysis, we can find that our models are effective in P2P networks since we take topology degree and size of P2P networks into consideration. Compare to AW-A and AW-P models in Ref. [15], anti-worm is more suitable in our models because each P2P host could provide a list of neighbors which helps anti-worm to propagate. Also, our models are simplified when size of a P2P network is large enough. This is not considered in other propagation models in P2P networks such as Refs. [4,16].
4 Conclusions
This paper integrates active and passive worm confronting technologies into P2P networks and mainly focus on modeling propagation of two kinds of anti-worms. We propose a four states propagation model for active anti-worm and a five states propagation model for passive anti-worm respectively. Experiment results show that both kinds of anti-worms spread over the P2P network rapidly and could slow down the propagation of malicious worm quickly. Still, there are a lot of issues to be studied and more robust anti-worm strategies need to be introduced into P2P networks. Future work will focus on introducing hybrid confronting technology into P2P networks to minimize the network traffic caused by anti-worm.
Acknowledgements
The work was supported by the National Natural Science Foundation of China (60973139, 60773041, 61003039, 61003236), Scientific & Technological Support Project (Industry) of Jiangsu Province (BE2010197, BE2010198), Jiangsu Provincial Research Scheme of Natural Science for Higher Education Institutions (10KJB520013, 10KJB520014), Scientific Research & Industry
118 The Journal of China Universities of Posts and Telecommunications 2012
Promotion Project for Higher Education Institutions (JH10-14), Science & Technology Innovation Fund for Higher Education Institutions of Jiangsu Province (CX10B-196Z), the Six Kinds of Top Talent of Jiangsu Province (2008118), Doctoral Fund of Ministry of Education of China (20103223120007), Key Laboratory Foundation of Information Technology Processing of Jiangsu Province (KJS1022), the Priority Academic Program Development of Jiangsu Higher Education Institutions (PAPD).
References
1. Zhou L D, Zhang L T, McSherry F, et al. A first look at peer-to-peer worms: threats and defenses. Proceedings of the 4th International Workshop on Peer-to-Peer Systems (IPTPS’05), Feb 24�25, 2005, Ithaca, NY, USA. LNCS 3640. Berlin, Germany: Springer-Verlag, 2005: 24�35
2. Eichin M W, Rochlis J A. With microscope and tweezers: an analysis of the Internet virus of November 1988. Proceedings of the 1989 IEEE Symposium on Security and Privacy (S&P’89), May 1�3, 1989, Oakland, CA, USA. Los Alamitos, CA, USA: IEEE Computer Society, 1989: 326�343
3. Weaver N, Paxson V, Staniford S, et al. A taxonomy of computer worms. Proceedings of the 1st ACM Workshop on Rapid Malcode (WORM'03), Oct 27, 2003, Washington, DC, USA. New York, NY, USA: ACM, 2003: 11�18
4. Wei Y, Chellappan S, Wang X, et al. Peer-to-peer system-based active worm attacks: modeling, analysis and defense. Computer Communications, 2008, 31(17): 4005�4017
5. Zou C C, Towsley D, Gong W B. Modeling and simulation study of the propagation and defense of Internet Email worm, IEEE Transactions on Dependable and Secure Computing, 2007, 4(2): 105�118
6. Su F, Lin Z W, Ma Y. Modeling and analysis of Internet worm propagation. The Journal of China Universities of Posts and Telecommunications, 2010, 17(4): 63�68
7. Wang J, Liu Y H, Tian D X. Internet worm early detection and response mechanism. The Journal of China Universities of Posts and Telecom- munications, 2007, 14(3): 79�84
8. Xu X L, Wang R C, Xiao F. Malicious code passive propagation model and vaccine distribution model of P2P networks. Journal of Systems Engineering and Electronics, 2010, 21(1): 161�167
9. Zhang X S, Chen T, Zheng J, et al. Proactive worm propagation modeling and analysis in unstructured peer-to-peer networks. Journal of Zhejiang University, Science C: Computers & Electronics, 2010, 11(2): 119�129
10. Wang F W, Zhang Y K, Ma J F. Modeling and analyzing passive worms over unstructured peer-to-peer networks. International Journal of Network Security, 2010, 11(1): 39�45
11. Xia C H, Shi Y P, Li X J. Research on epidemic models of P2P worm in structured peer-to-peer networks. Chinese Journal of Computers, 2006, 29(6): 952�959 (in Chinese)
12. Castaneda F, Sezer E C, Xu J. WORM vs. WORM: preliminary study of an active counter-attack mechanism. Proceedings of the 2nd ACM Workshop on Rapid Malcode (WORM’04), Oct 29, 2003, Washington, DC, USA. New York, NY, USA: ACM, 2004: 83�93
13. Zou C C, Gong W B, Towsley D. Code red worm propagation modeling and analysis. Proceedings of the 9th ACM Conference on Computer and Communication Security (CCS’02), Nov 18�22, 2002, Washington DC, USA. New York, NY, USA: ACM, 2002: 138�147
14. Serazzi G, Zanero S. Computer virus propagation models. Proceedings of the 11th IEEE /ACM International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunications Systems (MASCOTS’03), Oct 12�15, 2003, Orlando, FL, USA. LNCS 2965. Berlin, Germany: Springer-Verlag, 2004: 26�50
15. Wang C, Qin S H, He J B. Anti-worm based on hybrid confronting technology. Journal on Communications, 2007, 28(1): 28�34 (in Chinese)
16. Wang B, Ding P, Sheng J F. P2P anti-worm: modeling and analysis of a new worm counter-measurement strategy. Proceedings of the 9th International Conference for Young Computer Scientists (ICYCS’08), Nov 18�21, Zhangjiajie, China. 2008, 1553�1558
(Editor: ZHANG Ying)
