Comparative study between analytical models and packet-level worm simulations

The threat of Internet worms has been, and continues to be, one of the most important issues faced by networking researchers and network users. The need for accurate and efficient modeling and analysis methods cannot be overstated. Models that accurately reflect the behavior of existing and yet-to-be-deployed worms are critical to understanding how to deal with this ongoing threat. Recently developed analytical models have been used to generate propagation trends that match historic worm outbreaks. However, in that effort, the values used for some of the parameters, such as probe rate per unit IP address space, differ from empirically measured information. New analytical models are under development that can take into account various network and worm characteristics not found in simpler models. But in order to build and test them accurately, real-world data has been used. In our work, we have focused on packet-level detail in the simulation models, which can take into account realistic network characteristics, including queuing delay, packet loss and link delays, as well as realistic worm characteristics, at the expense of additional computational complexity. We show how our simulator can be a useful tool in analyzing and evaluating analytical worm models. We study the worm propagation pattern predicted by one particular analytical model and compare it to our packet-level simulations.
