Changwang Zhang1, Shi Zhou2, Benjamin M Chain3. 1. Department of Computer Science, University College London, London, United Kingdom; Security Science Doctoral Research Training Centre, University College London, London, United Kingdom. 2. Department of Computer Science, University College London, London, United Kingdom. 3. Division of Infection and Immunity, University College London, London, United Kingdom.
Abstract
Conficker is a computer worm that erupted on the Internet in 2008. It is unique in combining three different spreading strategies: local probing, neighbourhood probing, and global probing. We propose a mathematical model that combines three modes of spreading: local, neighbourhood, and global, to capture the worm's spreading behaviour. The parameters of the model are inferred directly from network data obtained during the first day of the Conficker epidemic. The model is then used to explore the tradeoff between spreading modes in determining the worm's effectiveness. Our results show that the Conficker epidemic is an example of a critically hybrid epidemic, in which the different modes of spreading in isolation do not lead to successful epidemics. Such hybrid spreading strategies may be used beneficially to provide the most effective strategies for promulgating information across a large population. When used maliciously, however, they can present a dangerous challenge to current internet security protocols.
Conficker is a computer worm that erupted on the Internet in 2008. It is unique in combining three different spreading strategies: local probing, neighbourhood probing, and global probing. We propose a mathematical model that combines three modes of spreading: local, neighbourhood, and global, to capture the worm's spreading behaviour. The parameters of the model are inferred directly from network data obtained during the first day of the Conficker epidemic. The model is then used to explore the tradeoff between spreading modes in determining the worm's effectiveness. Our results show that the Conficker epidemic is an example of a critically hybrid epidemic, in which the different modes of spreading in isolation do not lead to successful epidemics. Such hybrid spreading strategies may be used beneficially to provide the most effective strategies for promulgating information across a large population. When used maliciously, however, they can present a dangerous challenge to current internet security protocols.
Epidemic spreading phenomena exist in a wide range of domains [1, 2]. Well-known examples include disease spreading [3-5], computer worm proliferation [6-8], and information propagation [9-11]. Modelling and understanding of such phenomena can have important practical values to predict and control real world epidemics [3–5, 12–15].Some typical spreading mechanisms have been extensively studied, such as the fully-mixed spreading model and the network spreading model. Many epidemics are hybrid as they spread via two or more different mechanisms simultaneously. Previous work on hybrid epidemics has focused on what we call the non-critically hybrid epidemic, where at least one of the spreading mechanisms alone is able to cause an epidemic outbreak, and a mixture of mechanisms brings no advantage.We are interested in the critically hybrid epidemic, where each spreading mechanism alone is unable to cause any significant spreading whereas the mixture of such mechanisms leads to a huge epidemic outbreak. Recently we proposed a model that explains the behaviour of critically hybrid epidemics, which incorporates two spreading mechanisms in the setting of a metopopulation [16]. We demonstrated that it is indeed possible to have a highly contagious epidemic by mixing simple, ineffective spreading mechanisms. The properties of such epidemics are critically determined by the ratio at which the different spreading mechanisms are mixed, and usually there is an optimal ratio that leads to a maximal outbreak size.In this paper we present a detailed analysis of a real hybrid epidemic—the Internet worm Conficker, which erupted on the Internet in 2008 and infected millions of computers. The worm is a hybrid epidemic as the code analysis [17] has revealed the worm applied three distinct spreading mechanisms: (1) global random spreading, (2) local network spreading, and (3) neighbourhood spreading. It is a critically hybrid epidemic because the first and second spreading mechanisms are highly ineffective if used alone, and the third mechanism, as we will show later, is most effective when mixed with the other two.We introduce a mathematical model to describe the spreading behaviour of Conficker. Our study was based on measurement data provided by Center for Applied Internet Data Analysis (CAIDA)’s Network Telescope project [18, 19], which monitors Internet traffic anomalies. We proposed algorithms to extract Conficker–related features from the CAIDA data. Then we infer the values of our model’s parameters that characterise the worm.We evaluated our inference results by comparing theoretical predictions with the actual measurement results. Our predictions closely reproduced the outbreak process of Conficker. We then explored possible spreading scenarios based on simulations using different values of parameters. One of the interesting results was that we showed the worm could spread faster, reach a larger outbreak size or survive for longer time by just revising the ratios at which the worm allocated its time on each of the spreading mechanisms (while keeping everything else the same), which can be easily achieved by changing a few lines in its coding.This paper’s contributions are two fold. Firstly, we present the first study on a real-life critically hybrid epidemic, where the epidemic’s parameter values are inferred from measurement data. Secondly, we analyse the complex interactions among Conficker’s three spreading mechanisms, and show that the worm can be more contagious if it mixes its three spreading mechanisms in an optimal way.
Background
Epidemic spreading mechanisms
A number of epidemic spreading mechanisms have been extensively studied [20, 21]. For example, in the fully-mixed spreading models [20, 22], a node is connected to all other nodes in a population, thus an epidemic can potentially spread between any two nodes according to a probability. Whereas in the network spreading models [1, 2, 20, 23], nodes are connected to their neighbours via a network structure, therefore an epidemic can only spread along the connections among nodes. Recent network-based models considered additional physical properties such as location-specific contact patterns [24, 25], human mobility patterns [26-29] and spatial effects [30-33].
Hybrid epidemics
Many epidemics are hybrid in the sense that they spread via two or more spreading mechanisms simultaneously. A hybrid epidemic can use fully-mixed spreading and network spreading, or use fully-mixed spreading but at two or more different levels, e.g. at the global level covering the whole population or at the local level consisting of only a part of the population.There are many real examples. Mobile phone viruses can spread via Bluetooth communication with any nearby devises (local, fully-mixed spreading) and Multimedia Messaging Service with remote contacts (global, network spreading) [27]. A computer that is infected by the worm Red Code II spends 1/8 of its time probing any computers on the Internet at random (global, fully-mixed spreading) and the rest of the time probing computers located in local area networks (local, fully-mixed spreading) [34]. Today information is propagated in society via mass media (TV, newspaper, posters) as well as online social media (Facebook, Twitter and emails). Mass media (global, fully-mixed spreading) can potentially deliver the information to a big audience, but the effectiveness of information transmission at an individual level may be small (for example, its ability to alter the target individuals behaviour). In contrast, social media (local, network spreading) may have little or no access to the majority of people who are not connected to the local group, but they provide rapid penetration of a selected target group with higher effectiveness.It is clear that hybrid epidemics are much more complex than simple epidemics. Their behaviour is affected not only by multiple spreading mechanisms that they use, but also by the population’s overlaid structure on which they spread. Studying hybrid epidemics may provide crucial clues for better understanding of many real epidemics.
Previous works on hybrid epidemics
Hybrid epidemics were initially studied as two levels of mixing in a population where nodes are mixed at both local and global levels [35]. Recently hybrid epidemics were studied as two levels of mixing in a network [36-38], in structured populations [39], in structured households [40-42], and in a meta-population which consists of a number of weakly connected sub-populations[43-48]. Studies of epidemics in clustered networks [49-51] are also relevant to the hybrid epidemics.These previous works focused on analysing how a network’s structure affects hybrid spreading. And most of them studied the non-critically hybrid epidemics, where at least one of the two spreading mechanisms alone can cause an infection outbreak and therefore the mix of two mechanisms is not a necessary condition for an epidemic outbreak. In this case, a hybrid epidemic using two spreading mechanisms is often less contagious than an epidemic using only one of the mechanisms. [36, 52].
Our recent study on critically hybrid epidemics
We are interested in the critically hybrid epidemics, where each of the spreading mechanisms alone is not able to cause any significant infection whereas a combination of the mechanisms can cause an epidemic outbreak. In this case, the mix of different spreading mechanisms is a critically condition for an outbreak (see Fig 1).
Fig 1
Hybrid epidemics, where two spreading mechanisms A and B are mixed at the ratio of α to (1 − α), where 0 ≤ α ≤ 1.
(a) Non-critically hybrid epidemic, where at least one of the two mechanisms can cause an outbreak by its own (i.e. when α = 1 or α = 0). (b) critically hybrid epidemics, where each mechanism alone cannot cause any significant infection whereas a mix of them produces an epidemic outbreak. There exists an optimal α that produces the maximum outbreak.
Hybrid epidemics, where two spreading mechanisms A and B are mixed at the ratio of α to (1 − α), where 0 ≤ α ≤ 1.
(a) Non-critically hybrid epidemic, where at least one of the two mechanisms can cause an outbreak by its own (i.e. when α = 1 or α = 0). (b) critically hybrid epidemics, where each mechanism alone cannot cause any significant infection whereas a mix of them produces an epidemic outbreak. There exists an optimal α that produces the maximum outbreak.Recently we proposed a generic model to study the critically hybrid epidemics [16]. We considered an epidemic which spreads in a meta-population (consisting of many weakly connected sub-populations) using a mix of the following two typical spreading mechanisms. (1) Fully-mixed spreading on the global level, i.e. infection between any two nodes in the meta-population. (2) Network (or fully-mixed) spreading on the local level, i.e. infection between nodes within a sub-population where the internal topology of a sub-population is a network (or a fully-connected mesh). Each spreading mechanism has its own infection rate and an infected node recovers at a recovery rate. We define a parameter called the hybrid trade-off, α, as the proportion of time that the epidemic devotes to the first spreading mechanism (or the probability of using the first spreading mechanism in a time unit). Thus the proportion of time spent on the second mechanism is (1 − α).Our mathematical analysis and numerical simulations based on the model highlight the following two results. Firstly, it is possible to mix two ineffective spreading mechanisms to produce a highly contagious epidemic, because the mix of the mechanisms can help to overcome the weakness of each mechanisms. Secondly, the threshold and the size of outbreak is critically determined by the hybrid trade-off α. We also provided an analytical prediction of the optimal trade-off for the maximum outbreak size.
Computer Worm Conficker
In this paper we will analyse a critically hybrid epidemic, the computer worm Conficker, based on real measurement data. It is one of the most contagious computer worms on record. It erupted on the Internet on 21 November 2008 and infected millions of computers in just a few days [7]. The worm’s ability to spread to such a large number of computers in so short a time and the fact [53] that it is still active on the Internet has caused serious concern.Each computer on the Internet is associated with an Internet Protocol (IP) address. Conficker views the Internet as a meta-population, where computers are located in sub-populations, i.e. Local Area Network (LAN) consisting of computers whose IP addresses share the same prefix. According to the computer security company Symantec [17], Conficker uses three spreading mechanisms (see Fig 2):
Fig 2
Conficker’s three probing strategies.
(1) global spreading, where it probes any computer on the Internet at random; (2) local spreading, where it probes computers in the same local network; (3) neighbourhood spreading, where it probes computers in ten neighbouring local networks.
Global spreading, where the worm probes computers with random IP addresses on the Internet;Local spreading, where the worm on an infected computer probes computers in the same Local Area Network (LAN) with the same IP address prefix;Neighbourhood spreading, where it probes computers in ten neighbouring LANs (with smaller consecutive IP address prefixes).
Conficker’s three probing strategies.
(1) global spreading, where it probes any computer on the Internet at random; (2) local spreading, where it probes computers in the same local network; (3) neighbourhood spreading, where it probes computers in ten neighbouring local networks.Previous research on Conficker has studied the geographical distribution of infected IP addresses, the distribution of probing packet size [7, 54, 55], and properties of the worm’s global probing [56, 57]. The parameters of Conficker’s hybrid spreading and how they affect the epidemic dynamics of the worm can help explain why the worm is so contagious. But they have been hitherto little studied.
Our Model of Conficker
Here we use the notion of node to represent an IP address at which a computer (or computers) connects to the Internet. For convenience, we call a sub-population (or a LAN) a subnet. A node must be in one of three states: susceptible, infected, and recovered[20]. Initially only a small number of nodes are infected and all others are susceptible. At each time step, an infected node attempts to spread the worm to susceptible nodes using one of the three probing strategies:
The mixing probabilities satisfy α
+α
+α
= 1.Global spreading with probability α
, where the worm probes nodes on the Internet at random with the global infection rate β
∈ [0, 1].Local spreading with probability α
, where it probes nodes in the local subnet with the local infection rate β
∈ [0, 1];Neighbourhood spreading with the probability α
, where it probes nodes in ten neighbouring subnets with the neighbourhood infection rate β
∈ [0, 1];An infected node is recovered with recovery rate γ ∈ [0, 1]. A recovered node remains recovered and cannot be infected again. Note that for mathematical analysis, the mixing probabilities could be incorporated into the infection rates. But we have treated them as separate parameters, considering that an infection rate reflects inherent properties of a computer worm in the context of a specific target population, whereas mixing probabilities are settings that can be easily modified in the worm’s code. This is also the reason we use the mixing probabilities as controlling parameters in our study below and keep other parameters the same.Only nodes that can potentially be infected by Conficker are relevant to our study. We call them the relevant nodes. A subnet is relevant if it contains at least one relevant node. Irrelevant nodes include unused IP addresses and those computers that do not have the vulnerabilities that the worm can exploit. Note that although the irrelevant nodes and subnets do not participate in the spreading of Conficker, they will be probed by the worm as the worm does not have the priori knowledge about which nodes are vulnerable.Let n represent the total number of relevant nodes and N the number of relevant subnets. The average number of relevant nodes in a subnet is n
= n/N. Let N
+ represent the average number of relevant subnets in ten neighbouring subnets.At time t, the total number of susceptible, infected, and recovered nodes are S(t), I(t), and R(t), respectively. Then the average number of infected nodes in a subnet is I
(t) = I(t)/N, and the average number of infected nodes in ten neighbouring subnets is I
+(t) = I
(t)N
+. Hence on average a susceptible node can be infected via (1) global probing by I(t) infected nodes in the Internet; (2) local probing by I
(t) infected nodes in the local subnet; (3) neighbourhood probing by I
+(t) infected nodes in the neighbouring subnets.The average probabilities that a susceptible node is not infected by the global, local and neighbourhood probing, respectively, are:
The average probability of not being infected by any probing is P(t) = P
(t)P
(t)P
(t). Thus the discrete evolution of Conficker spreading can be described as:
where S(t)[1 − P(t)] is the number of new infections at t.
Inferring Conficker Parameters From Data
We infer the parameter values of our Conficker model from the Internet measurement data [18, 19] collected by the Center for Applied Internet Data Analysis (CAIDA) in 2008. This is the only publicly available dataset that has captured the initial outbreak process of the worm. The CAIDA Network Telescope project [18, 19] monitors Internet traffic sent to a large set of unusable IP addresses, which account for around 1/256 of all addresses. No legitimate traffic should be sent to these monitored addresses because they are not allocated for normal usage [58]. Thus the traffic data captured by this project provides a good view on various abnormal behaviours on the Internet.When Conficker spreads on the Internet, its global spreading mechanism sends out probing packets to randomly generated IP addresses, some of which are unused IP addresses and therefore are monitored by the Network Telescope project. Conficke’s probing packets are characterised by the Transmission Control Protocol (TCP) with destination port number 445. This feature can be used to distinguish Conficker packets from other packets in the Network Telescope data.For each record of Conficker’s probing packet, we are interested in two things: (1) the time when the packet is monitored by the Network Telescope project, and (2) the packet’s source IP address, which gives the location of a Conficker-infected node. We ignore the destination address, as it is a randomly-generated, unused IP address.We study the Network Telescope project’s daily dataset collected on November 21, 2008, the day when Conficker broke out on the Internet. We use two earlier datasets collected on November 12 and 19, 2008 to filter out background ‘noise’ that has been happening before the outbreak. That is, in the outbreak dataset, we discard packets that were sent from any source address that had already sent packets to any of the unusable addresses in the two earlier datasets. We use the prefix of /24 (i.e. IP address mask of 255.255.255.0) to distinguish different subnets [7]. Our analysis uses a 10-minute window.
Step One: Inferring node status at a given time
We first infer the status of each node at time t from the CAIDA data. On the day of Conficker outbreak, all relevant nodes were initially susceptible. In the analysis, we assume a node is just infected by the worm when we observe the first Conficker probing packet coming from it; and the node is recovered when we observe its last probing packet before the end of the day. Fig 3 shows the number of susceptible, infected and recovered nodes as observed in a 10-minute window.
Fig 3
Numbers of susceptible nodes S(t), infected nodes I(t) and recovered nodes R(t) as a function of time t, as inferred from CAIDA’s dataset on 21/Nov/2008, the day of Conficker’s outbreak.
Numbers of susceptible nodes S(t), infected nodes I(t) and recovered nodes R(t) as a function of time t, as inferred from CAIDA’s dataset on 21/Nov/2008, the day of Conficker’s outbreak.
Step Two: Inferring new infections caused by each spreading mechanism
Let dI
(t), dI
(t) and dI
(t) represent the numbers of nodes that are newly infected through local, neighbourhood and global spreading, respectively, at time step t. Our analysis on the data shows that 84% of new infections occurred within already infected subnets or their neighbourhood subnets, i.e. only 16% of new infections appeared outside the reach of local and neighbourhood probing. This agrees with our understanding that local and neighbourhood probing are significantly more effective than global probing [7]. And 73% of those new infections within the reach of local and neighbourhood probing (i.e. 73%×84% of all new infections) occurred in already infected subnets. This indicates the local probing is more effective than neighbourhood probing. Based on the above analysis we can then approximately identify the probing mechanism that is responsible for a newly infected node by analysing the states of other relevant nodes at the time when the new infection happens.IF there is an infected node already in the same subnet, the new infection is caused by that infected node via local spreading.ELSE IF there is an infected node in the ten neighbouring subnets, then the new infection is via neighbourhood spreading.OTHERWISE, the newly infected node is infected via global spreading.Fig 4 shows the inferred results, plotting the number of new infections caused by each spreading mechanism as a function of time.
Fig 4
Numbers of nodes newly infected by Conficker via each of the three spreading mechanisms in 10-minute windows on the day of Conficker’s outbreak, as inferred from CAIDA’s dataset on 21/Nov/2008.
Numbers of nodes newly infected by Conficker via each of the three spreading mechanisms in 10-minute windows on the day of Conficker’s outbreak, as inferred from CAIDA’s dataset on 21/Nov/2008.
Step Three: Inferring parameters of the Conficker model
From the above result, we can calculate I
(t) and I
+(t) according to their definitions. Then we calculate the average probabilities that a susceptible node at time t is not infected by the local, neighbourhood and global probing, respectively, as:
We define the effective infection rate as b
= α
β
, b
= α
β
and b
= α
β
. Then we can use Eq 1 and Eq 3 to calculate b
b
and b
.Let λ denote the average total number of probes an infected node conducts during each time step. Then the average number of local, neighbourhood, and global probes in a time step are respectively α
λ, α
λ, and α
λ. The number of nodes (relevant and irrelevant) probed by the local, neighbourhood and global probing are 256, 10×256 and 230 (it is not 232 due to a bug in the worm’s random number generation algorithm [17]). We can express the effective infection rates as:
By solving Eq 4 together with α
+α
+α
= 1, we can obtain λ, α
, α
and α
. Then we can obtain the infection rates of three spreading mechanisms as β
= b
/α
, β
= b
/α
, and β
= b
/α
. The recovery rate can be calculated as γ = dR(t)/I(t), where dR(t) = R(t + 1) − R(t).
Inference results and evaluation
The inferred values of the Conficker model parameters are shown in Table 1, including the mixing probability α and the infection rate β for three spreading mechanisms, the recover rate γ, the recovery time τ = 1/γ which is the average time it takes for an infected node to recover, and the probing frequency λ. The parameter values are averaged over time windows between 4:00 and 16:00 when the spreading behaviour was stable. Computers are online and offline on a daily basis following a diurnal pattern [59]. We find that this factor only has a marginal impact on our results.
Table 1
Conficker parameters inferred from data[1].
Global spreading
αg = 89.1%
βg = 7.7×10−8
Local spreading
αl = 5.3%
βl = 0.32
Neighbourhood spreading
αn = 5.6%
βn = 0.032
Recovery rate
γ = 0.064
Recovery time
τ = 156 mins
Probing frequency
λ = 82.5
1 All parameters are measured in a 10-minute window.
1 All parameters are measured in a 10-minute window.We observe in the data that the worm had infected in total n = 430,135 nodes, which were located in N = 92,267 subnets. On average, each subnet has n
= 4.7 relevant nodes, and N
+ = 4.3 of ten neighbouring subnets are relevant.With these parameter values, we can use our Conficker model (see Eq 2) to theoretically predict the worm’s outbreak process. As measured from the data, the number of nodes in the three statuses were S = 423,899, I = 3,945, and R = 2,291 at 4:00am. Our prediction starts from 4.00am and uses these numbers as the initial condition. As shown in Fig 5, our model’s predictions closely match the measurement data.
Fig 5
The outbreak of computer worm Conficker.
Points are measured from Network Telescope’s dataset collected on the outbreak day. Curve is theoretical prediction from our Conficker model using the inferred parameters.
The outbreak of computer worm Conficker.
Points are measured from Network Telescope’s dataset collected on the outbreak day. Curve is theoretical prediction from our Conficker model using the inferred parameters.The inferred parameters are in agreement with our expectations. For example the local spreading has a high infection rate because if a computer is already infected, then other computers in the same subnet are likely to have a similar computer system and thus are also likely to be vulnerable to the worm. By comparison, global spreading has an extremely low infection rate. On average, more than 10 million global probings will produce only a single new infection. On average an infected node retains its status for 2.5 hours (156 mins) before it recovers (e.g. switched off or updated with new anti-virus database). The worm only sends out 8 probing packets per minute. Such a deliberately low probing rate helps the worm to evade a computer’s or network’s security systems.
Analysis on Conficker’s Hybrid Spreading
Mix of TWO spreading mechanisms
We run simulations using our Conficker model with the parameter values inferred above. The simulation network has 100k subnets. Each subnet contains 5 relevant nodes and has 4 relevant adjacent subnets. This topology setting resembles Conficker’s spreading network observed in the data. Initially two random nodes are infected. The only controlling parameter is the mixing probabilities of the spreading mechanisms. Simulation results on mix of two spreading mechanisms are shown in Fig 6.
Fig 6
Simulation results for the mix of Conficker’s two spreading mechanisms with different mixing probabilities.
(a) Mix of global (α
) and local (1 − α
) mechanisms; (b) Mix of global (α
) and neighbourhood (1-α
) mechanisms; (c) Mix of local (α
) and neighbourhood (1-α
) mechanisms. In each case we measure the outbreak size, the total duration of the spreading, and the speed of spreading. The outbreak results include both the final outbreak size (square) and the outbreak size at time step 100 (filled circle). Each data point is averaged over 100 runs of a simulation. Note the y axes are all logarithmic.
Simulation results for the mix of Conficker’s two spreading mechanisms with different mixing probabilities.
(a) Mix of global (α
) and local (1 − α
) mechanisms; (b) Mix of global (α
) and neighbourhood (1-α
) mechanisms; (c) Mix of local (α
) and neighbourhood (1-α
) mechanisms. In each case we measure the outbreak size, the total duration of the spreading, and the speed of spreading. The outbreak results include both the final outbreak size (square) and the outbreak size at time step 100 (filled circle). Each data point is averaged over 100 runs of a simulation. Note the y axes are all logarithmic.Fig 6a shows that as explained above, global spreading or local spreading alone cannot cause an outbreak, whereas a mixture at a ratio of 0.8 to 0.2 produces a large and rapid outbreak. Fig 6b shows that the neighbourhood spreading alone (α
= 0) can cause a large, but very slow outbreak, whereas the mix of neighbourhood spreading with just a small amount of global spreading can dramatically accelerate the spreading process. Fig 6c shows that adding local spreading to neighbourhood spreading slows down the spreading process considerably. When they are mixed at the ratio of 0.8 to 0.2, the spreading reaches the same final outbreak size but the whole process lasts for the longest time.
Mix of THREE spreading mechanisms
Simulation results on mixing three spreading mechanisms are shown in Fig 7. Fig 7a shows it is not difficult to achieve a large final outbreak size when the three mechanisms are all present and neither local spreading nor global spreading is dominant. Fig 7b shows spreading will last for longer time if there is less global probing. Fig 7c shows that the most contagious variation of the worm is a mix of global, local and neighbourhood spreading at the probabilities of 0.4, 0.2 and 0.4 (see circle on the plot), which causes the largest final outbreak with the highest spreading speed.
Fig 7
Simulation results when three of Conficker’s spreading mechanisms are mixed at different probabilities.
Spreading properties shown include the final outbreak size, the survival time and the spreading speed (see colour maps) as functions of the mixing probabilities of global spreading α
(x axis) and local spreading α
(y axis), where the mixing probability of neighbourhood spreading is α
= 1 − α
− α
.
Simulation results when three of Conficker’s spreading mechanisms are mixed at different probabilities.
Spreading properties shown include the final outbreak size, the survival time and the spreading speed (see colour maps) as functions of the mixing probabilities of global spreading α
(x axis) and local spreading α
(y axis), where the mixing probability of neighbourhood spreading is α
= 1 − α
− α
.
Discussion
In this study, we infer the epidemic spreading parameters of the Conficker worm from observed data collected during the first few hours of the epidemic. Simulations of worm spreading, based on these parameters, allow us to reach some important conclusions about the worm’s use of hybrid spreading mechanisms.
Advantage of mixing hybrid spreading mechanism
Conficker’s global probing is extremely ineffective. The infection rate of global probing is many orders of magnitude smaller than the recovery rate. This means, if Conficker used only the global probing, it would not have caused any significant infection on the Internet at all.Local probing has a remarkably high infection rate, β
= 0.32, which means when an infected node conducts only local spreading, a susceptible node in the same subnet has an 1/3 chance of being infected in a step (10-mins). However, local probing is confined within a subnet. If the worm used only the local probing, it would not have infected any other subnet apart from those initially containing infected nodes.Neighbourhood probing is constrained to a neighbourhood of ten subnets. It has a high infection rate because computers in adjacent IP address blocks often belong to the same organisation and they use similar computer systems and therefore have similar vulnerabilities that can be exploited by the worm. Since different nodes’ neighbourhoods can partially overlap with each other, it is in theory possible for the worm to reach any node in the whole meta-population by using only the neighbourhood probing. Such process, however, would be extraordinarily slow as we have shown in Fig 6b.In summary, if Conficker used only a single spreading mechanism, it would have vanished on the Internet without causing any significant impact.Thus the enormous outbreak of the worm lies in its ability to do two things. Firstly it needs to devote great efforts to explore every corner of the Internet to find a new vulnerable computer. Every new victim will open a new colony full of similar vulnerable computers. Secondly it needs to make the most out of each new colony.This is exactly what Conficker does. It allocates most of its time on global probing with a mixing probability of α = 89%. This in a degree compensates the ineffectiveness of global probing. Although the worm allocates small amounts of time on local and neighbouring probing, their high infection rates allow them to exploit all possible victims in the subnets with efficiency. And all newly infected nodes will join the collective effort to flood the Internet with more global random probes.In short, the Conficker worm is an example of a critically hybrid epidemic. It can cause an enormous outbreak not because it has an advanced ability to exploit weaknesses of a computer, but because it has remarkable capability to discover all potentially vulnerable computers in the Internet, i.e. it is not the infectivity, but the hybrid spreading that makes Conficker one of the most infectious worms on record.
Implication of critically hybrid epidemics
The analysis of critically hybrid epidemics such as Conficker has important general implications. Firstly, it demonstrates that it is possible to design a high impact epidemic based on mechanisms, each of relatively low efficiency. Indeed our result in Fig 7 suggests that Conficker could have had a larger outbreak with higher speed if it had used a different set of mixing probabilities, which requires change of only a few lines of Conficker’s program code. Hybrid mechanisms may therefore be ideal for rapid efficient penetration of a network, for example in the context of an advertising campaign or in order to promulgate important public health or security information. An interesting example might be the use of media campaigns (global spreading) where the reader or viewer is specifically requested to pass on a message via Twitter or Facebook to their “local” group contacts.Conversely, malicious hybrid epidemics can be extremely difficult to defend against, and many existing defence strategies may not be effective. For example immunising a selected portion of a local population in order to isolate and hence protect the vulnerable nodes will not be effective, because the vulnerable nodes can still be found by the worm through random global spreading.Another possible measure is to reduce the average time it takes for an infected node to recover, for example to speed up the release of anti-virus software updates or increase the frequency of security scanning on computers. Our theoretical predictions (using Eq 2) in Fig 8 show that the final outbreak size (in terms of total recovered nodes) does not change significantly when the recovery time is reduced from 156 minutes to 140 or 120 minutes. In practice, even achieving such reductions represents a remarkable technical challenge. It is clear from the discussion above that epidemics can spread with extremely low global infection rates (far below individual recovery rates), provided there is efficient local infection. The extremely efficient spreading achieved once a given subnet or set of subnets has been penetrated is therefore obviously a key determinant of the worm’s outbreak [7]. Thus, defence strategies that focus on security co-operation between nodes with a local network neighbourhood (a “neighbourhood watch” strategy [7]) may be the key to future prevention of similar outbreaks.
Fig 8
Predicted numbers of susceptible, infected and recovered nodes at 16:00 on the outbreak day as a function of the recovery time τ, which is the average time for an infected node to recover.
Conficker’s recovery time is 156 minutes.
Predicted numbers of susceptible, infected and recovered nodes at 16:00 on the outbreak day as a function of the recovery time τ, which is the average time for an infected node to recover.
Conficker’s recovery time is 156 minutes.
Our Conficker model
The Conficker worm can be described as a discrete model or a continuous model. The two modelling approaches should give the same prediction results of the spreading dynamics of the worm. In this work we used a discrete approach to model the Conficker worm for three reasons. Firstly the model’s parameters can be defined with clear physical meanings. Secondly we can directly calculate the parameters’ values from the CAIDA measurement data. Lastly it is more convenient to run simulations with a discrete model. If a continuous model were used, the model parameters would be defined differently with less clear physical meanings, and their values would have to be obtained through iterative data fitting.In our Conficker model, we set the local and global population as fully mixed, because this is how the Conficker worm perceives the structure of the Internet. We considered more complex network structures in a separate work [16] where we studied hybrid epidemics in general.
Conclusion
Our study uses data collected during the first day of the Conficker epidemic to parametrise a hybrid model to capture the worm’s spreading behaviour. The study highlights the importance of mixing different modes of spreading in order to achieve large, rapid and sustained epidemics, and suggests that the trade-off between the different modes of spreading will be critical in determining the epidemic outcome.
Authors: Duygu Balcan; Vittoria Colizza; Bruno Gonçalves; Hao Hu; José J Ramasco; Alessandro Vespignani Journal: Proc Natl Acad Sci U S A Date: 2009-12-14 Impact factor: 11.205
Fig 1
Fig 2
Fig 3
Fig 4
Fig 5
Fig 6
Fig 7
Fig 8