Hybrid Epidemics - A Case Study on Computer Worm Conficker

Changwang Zhang, Shi Zhou, Benjamin M. Chain

TL;DR

This work proposes a mathematical model that combines three modes of spreading: local, neighbourhood, and global, to capture the worm’s spreading behaviour and shows that the Conficker epidemic is an example of a critically hybrid epidemic.

Abstract

Conficker is a computer worm that erupted on the Internet in 2008. It is unique in combining three different spreading strategies: local probing, neighbourhood probing, and global probing. We propose a mathematical model that combines three modes of spreading, local, neighbourhood and global, to capture the worm's spreading behaviour. The parameters of the model are inferred directly from network data obtained during the first day of the Conficker epidemic. The model is then used to explore the trade-off between spreading modes in determining the worm's effectiveness. Our results show that the Conficker epidemic is an example of a critically hybrid epidemic, in which the different modes of spreading in isolation do not lead to successful epidemics. Such hybrid spreading strategies may be used beneficially to provide the most effective strategies for promulgating information across a large population. When used maliciously, however, they can present a dangerous challenge to current internet security protocols.

Paper Structure

This paper contains 23 sections, 4 equations, 8 figures, 1 table.

Figures (8)

  • Figure 1: Hybrid epidemics, where two spreading mechanisms A and B are mixed at the ratio of $\alpha$ to $(1-\alpha)$, where $0\leqslant\alpha \leqslant1$. (a) Non-critically hybrid epidemic, where at least one of the two mechanisms can cause an outbreak on its own (i.e. when $\alpha=1$ or $\alpha=0$). (b) Critically hybrid epidemic, where each mechanism alone cannot cause any significant infection whereas a mix of them produces an epidemic outbreak. There exists an optimal $\alpha$ that produces the maximum outbreak.
  • Figure 2: Conficker's three probing strategies: (1) global spreading, where it probes any computer on the Internet at random; (2) local spreading, where it probes computers in the same local network; (3) neighbourhood spreading, where it probes computers in ten neighbouring local networks.
  • Figure 3: Numbers of susceptible nodes $S(t)$, infected nodes $I(t)$ and recovered nodes $R(t)$ as a function of time $t$, as inferred from CAIDA's dataset on 21/Nov/2008, the day of Conficker's outbreak.
  • Figure 4: Numbers of nodes newly infected by Conficker via each of the three spreading mechanisms in 10-minute windows on the day of Conficker's outbreak, as inferred from CAIDA's dataset on 21/Nov/2008.
  • Figure 5: The outbreak of computer worm Conficker. Points are measured from Network Telescope's dataset collected on the outbreak day. Curve is theoretical prediction from our Conficker model using the inferred parameters.
  • ...and 3 more figures
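
The critically hybrid case of Figure 1(b), sketched as an added toy example that is not the paper's Conficker model: the paper's equations and inferred parameters are not reproduced on this page, so the subnet layout, the rates and the deterministic SIR form below are all assumptions chosen for illustration.

```python
# Toy two-mechanism SIR model (added illustration, not the paper's model).
# Hosts live in K subnets of M hosts. Each infected host splits its probing:
# a fraction alpha targets its own subnet (mechanism A, local) and the
# remaining 1 - alpha targets the whole population (mechanism B, global).
K, M = 100, 100            # constructed population: 100 subnets x 100 hosts
BETA_LOCAL = 6.0           # assumed infection rate if all probing were local
BETA_GLOBAL = 0.8          # assumed infection rate if all probing were global
GAMMA = 1.0                # assumed recovery (patching/cleanup) rate
T_END, DT = 20.0, 0.01     # time horizon and Euler step


def attack_rate(alpha):
    """Fraction of all hosts ever infected when mixing A:B at alpha:(1-alpha)."""
    n = K * M
    s = [float(M)] * K           # susceptible hosts per subnet
    i = [0.0] * K                # infected hosts per subnet
    s[0], i[0] = M - 1.0, 1.0    # one infected host seeds subnet 0
    for _ in range(int(T_END / DT)):
        # Global probing reaches every subnet in proportion to total infection.
        global_force = (1 - alpha) * BETA_GLOBAL * sum(i) / n
        for k in range(K):
            # Local probing only ever reaches the prober's own subnet.
            local_force = alpha * BETA_LOCAL * i[k] / M
            new_inf = s[k] * (local_force + global_force) * DT
            s[k] -= new_inf
            i[k] += new_inf - GAMMA * i[k] * DT
    return 1.0 - sum(s) / n


def sweep(steps=10):
    """Attack rate for alpha = 0, 1/steps, ..., 1."""
    return {a / steps: attack_rate(a / steps) for a in range(steps + 1)}


if __name__ == "__main__":
    for alpha, size in sweep().items():
        print(f"alpha={alpha:.1f}  attack rate={size:.4f}")
```

With these constructed rates, global probing alone is below the epidemic threshold and local probing alone can never leave the seeded subnet, yet an even mix infects most of the population. Because infection is tracked as a continuous quantity, the sketch shows the critical-hybrid effect but is not suited to locating the optimal $\alpha$.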