This package models the spread of a worm in a network using a macroscopic epidemic model. Since the epidemic may encompass hundreds of thousands of hosts, the idea is to partially decouple the worm spread from the packet-level network model. Thus, we model the "whole Internet" at a coarse macroscopic level (for the worm spread) and some part of it in more detail (the "microscopic" or network level) using SSFNet entities such as routers and hosts. This is illustrated in Figure 1.

Figure 1: Mixed abstraction level model.

The rationale behind this mixed abstraction level model and the benefits and trade-offs involved are described in the paper [Liljenstam et al., 2002].

Package Specification

Version 0.4 supports the following features:

• Deterministic epidemic model (time stepped) based on well known differential equation system ("general epidemic model" or "SIR-model") derived from result by Kermack-McKendrick. The model assumes a worm spreading by uniform random scanning, such as the Code Red v2 worm or the Sapphire/Slammer worm.
• Homogeneous population model (modeling the whole Internet),
  where parameters such as
  • Total susceptible population (s_0)
  • Initially infected population (i_0)
  • Infection parameter (beta)
  can be set through DML keywords.
• Example model of a campus network with vulnerable machines operating during the Code Red v2 attack.

The link between the network and epidemic models is provided by the WormProtocolSession pseudo-protocol-session. The first instance created of this session will create the global epidemic model entity and a timer object to drive it forward. All session instances will register with the epidemic model to signal that they represent a vulnerable host. As the infection progresses the epidemic model will pick hosts at random for infection and may thus pick hosts that are modeled at the network level. When this happens it will call the method WormProtocolSession.becomeInfected() which is an empty placeholder for events to happen when a host has become infected.

See the config() method of WormProtocolSession (and examples) for more information on how to configure the parameters for the epidemic model.

Installation:
Unpack the package tar-ball in the src/SSF/App directory.

Examples:
The example provided here requires a system with Perl and gnuplot installed.

Go to the test subdirectory.
The perl-script testplot.pl will run the campusUnderAttack.dml, and extract data on host infections from the debug output and plot the results using gnuplot. The scenario is the exact same network as the campus2.dml network in the littleComboDemo SSFNet example, with the difference that all hosts (clients and servers) are vulnerable to the worm. Thus, the only difference in configuration is that the WormProtocolSession has been added to the hosts' protocol stacks.

The example (approximately) models the spread of the Code Red v2 worm and infections occurring on the campus network.

The resulting graph should look like Figure 2.

Figure 2: Example graph: CampusUnderAttack scenario. Shows global infection spread (number of hosts infected in the whole Internet), and time-points for local infections in the studied campus network

For a minimal example in the same vein, see singleHost.dml which models a single home user during an ongoing worm attack (parameters for Code Red v2). In this example the network model does nothing except start up the epidemic and wait for something to happen. If the epidemic runs long enough, the user's host will eventually become infected.

The infection will show up in the debug output (as shown in this output clip), but otherwise will have no effect on the model, since no action is coded into the the host.

Revision History

• v 0.4: First external release.

Related Documentation

• A Mixed Abstraction Level Simulation Model of Large-Scale Internet Worm Infestations,
  Michael Liljenstam, Yougu Yuan, BJ Premore, David Nicol,
  in Proceedings of the Tenth IEEE/ACM Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems (MASCOTS), IEEE Computer Society Press, Fort Worth, TX, Oct 2002.

• Contributed package home page
• Author's page on worms and worm modeling

Author