Research On Modeling And Simulation Of Passive Worm Propagation

One of the most prevalent security problems in network is the rampant propagation of computer worms. Earlier studies has focused on modeling and detecting the active computer worms. Researches indicate that the spreading of active computer worms can be well controlled by patching their systems in time and updating the anti-virus softwares frequently.Along with the increasing number of internet users and rapid development of social networks, recent years have seen a significant rise in the number of internet passive worms. Unlike random scanning active worms, passive worm requires user intervention to spread from one machine to another. For this reason, the passive worms are more sophisticated and hard to detected. Meanwhile, because of the weakness of network users and administrators passive worms can infect computer systems much easier and survive even longer.Computer worms have been studied for a long time on detecting method and propagation modeling. The initial researches just considered the similarity between computer worm and biological virus, and introduced the classical SIS and SIR model to simulate the spreading of computer worms. After all, the computer worms that rely on network are essentially different, some factors including network topology, bandwidth and user countermeasures affect the worms propagation. Up to date, some novel computer worms propagation models have been proposed such as two-factors moodel and BCM, etc.It is necessary to deeply research on propagation mechanisms and modeling methods of passive worm propagation. Unlike random scanning active worms, passive worms require user intervention to spread from one machine to another. Human factors play important roles in the email worm propagation and the incorporation of the human factor into the propagation models is essential. For this reason human factors should be taken into account in modeling the email worm propagation. Game theory has frequently been used to predict human behavior in areas such as economics and social science. In recent years, it has also attracted widely attention to illustrate the behavior of the attacker and defender in security area.In this study we use a game theoretic approach to model the expected behavior of email users in the process of email worm propagation.In the paper, the passive internet worm propagation is discussed from the viewpoint of social engineering, and a human behavior model based on game theory is presented for predicting the expected actions of network user encountered with worm files. By analyzing network users' diurnal activity behaviors, a discrete social network accessing model is proposed to characterize the general human habit of accessing certain social network. Finally, we present a propagation simulation model accounting for user's personal habits, including time regularity of checking emails, communication frequency between users and user's security consciousness. And impact of human factors on worm propagation is investigated and discussed by running simulations.The work that has been done in this paper is as following:(1) It summarizes advance in Researches of correlated studies of internet worm propagation, analyzes existing worm propagation models' advantages and shortcomings and elaborates the value for passive worm propagation research.(2) Impact of human behaviors on email worm propagation is investigated and discussed, such as time regularity of checking emails, communication frequency between users and user's security consciousness, etc. Practical simulation environments are constructed respectively based on Enron-Email-Dataset and BBV topology model reflecting the real relationship among users.(3) The game theory is suggested as a method for modeling and computing the probabilities of expected behaviors of email users in the email worm propagation process. The game situation models the actions of the email users under the condition that at the time they open an attachment, the system may be infected. This work modeled the interactions between email user and worm as a two-player zero-sum game and defined the entries of payoff matrix corresponding to user's social relationship and communication frequency. The infection probability was gained by solving mixed strategy Nash equilibrium of our email user-worm game.(4) A discrete social network accessing model is proposed to characterize the general human habit of accessing certain social network by analyzing network users' diurnal activity behaviors. With the accessing model, passive worm's infection range is determined which is one of the most factors in the passive worm propagation model.(5) Finally, with simulation experiments on different social networks and hybrid network, the impacts of factors including network topology, frequency of accessing social network, anti-worm software release time and users' security consciousness on passive internet worm propagation are analyzed and verified. Also four different Protection Strategies are proposed and experimented, and results shows that the imposed protections on key-node can slower the worm propagation.Our work in this paper has mainly focused on modeling email worm propagation combined with human factors. In the future we need to develop a passive worm detection method based on analysis on human factors and worm behavior. The ideas considered here may also be applicable to other worms based on user's behaviors. And prediction by our email-worm propagation model can be useful as a guide for worm early detection and response.